Traefik 502 Error Routing to SSL Port of Another Container

Hello,

I'm trying to get Pterodactyl working through Traefik through Podman on Fedora 36. I should preface that Traefik works great on Podman with File as I have about 35-40 services running through it currently. I'm having an issue with Pterodactyl and the Wings server however and can't figure out the issue.

The Panel server is running on the same host as Traefik and has the following ports mapped (82:80, 445:443). I can get the Panel working with the following Entrypoint, Service and Router configuration below:

entryPoints:
  websecure:
    address: :443
    http:
      tls:
        options: default
        certResolver: letsEncrypt
        domains:
          - main: "mydomain.com"
            sans:
              - "*.mydomain.com"

http:
  services:
    panel:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:82

  routers:
    panel:
      rule: (Host(`panel.mydomain.com`))
      service: panel
      entryPoints:
        - "websecure"

My issue occurs once I try to add a Wing server into the configuration which wants to talk over port 443. I've spun up a stand-alone Debian server and have the Wing agent installed via docker, and it is working accordingly.

I've added the wing server using the same entrypoint above (like all my other services) but I keep getting 500 and 502 errors. I know it is set up through the proxy correctly though because prior to the 500 and 502 errors I was getting CORS errors on the Panel page. Adding the appropriate Middleware fixes this error.

Further reading on the Pterodactyl configuration mentions that both Panel and Wing server want to talk over SSL exclusively, so I tried changing my service to match against https://192.168.10.200:445 which has worked for other devices in my network that have SSL matched to a different port. But this does not work and results in a 500 or 502 error. I assume this is because the container is on the same host as the proxy but am not certain.

I then thought perhaps it was the entrypoint causing an issue as it's mapped to 445 instead of 443, so I changed my configuration to the following Entrypoint, Service and Router below:

entryPoints:
  panel:
    address: :445
    http:
      tls:
        options: default
        certResolver: letsEncrypt
        domains:
          - main: "mydomain.com"
            sans:
              - "*.mydomain.com"

http:
  services:
    panel:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.200:445

  routers:
    panel:
      rule: (Host(`panel.mydomain.com`))
      service: panel
      entryPoints:
        - "panel"

This however leads to a 404 error due to the change of entrypoint. I'm running podman in root mode (yes, shame on me), and the network for my containers on the host is bridged mode. I've created the proper DNS entries on my DNS servers internally, I've created the proper public A records in Cloudflare. I'm not certain what the hiccup is here and need some assistance!

I'm happy to pull logs if needed but will need some direction in providing the proper lines as needed. I'm running Jaeger tracing but I can't seem to pull any more meaningful information from it than the web console log doesn't already show.
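For reference, this is how the two halves of such a setup are normally split, as an added example and not the original poster's files: a static traefik.yml (entrypoints, certificate resolver, provider) followed by a dynamic config.yml (routers, services, middlewares), separated here by a `---` line. It keeps the poster's websecure entrypoint, host names and the 192.168.10.200:445 Panel mapping; the Wings address 192.168.10.201:8080 (8080 being the Wings default API port), the CA file path, the ACME e-mail and the contents of the CORS middleware are assumptions. The `serversTransports` entry is the check a practitioner wants for an `https://` backend: Traefik verifies the backend certificate by default, so a self-signed certificate on the Panel or Wings container fails the upstream request unless the signing CA is trusted (or, for lab use only, verification is disabled).

```yaml
# traefik.yml  (static configuration: entryPoints, resolvers, providers)
# Added example, not the original poster's files. Assumes Traefik v2 with the
# file provider; the ACME e-mail and acme.json path are placeholders.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsEncrypt
        domains:
          - main: "mydomain.com"
            sans:
              - "*.mydomain.com"

certificatesResolvers:
  letsEncrypt:
    acme:
      email: "admin@mydomain.com"   # assumed
      storage: "/acme.json"         # assumed path inside the container
      dnsChallenge:
        provider: cloudflare        # token supplied via CF_DNS_API_TOKEN

providers:
  file:
    filename: "/config.yml"         # the dynamic file below
    watch: true

---
# config.yml  (dynamic configuration: routers, services, middlewares, transports)
http:
  routers:
    panel:
      rule: "Host(`panel.mydomain.com`)"
      entryPoints: ["websecure"]
      service: panel
      tls: {}
    wings:
      rule: "Host(`wings.mydomain.com`)"
      entryPoints: ["websecure"]
      middlewares: ["wings-cors"]
      service: wings
      tls: {}

  services:
    panel:
      loadBalancer:
        passHostHeader: true
        serversTransport: internal-tls
        servers:
          # Panel container's 443, published on the host as 445 (from the post)
          - url: "https://192.168.10.200:445"
    wings:
      loadBalancer:
        passHostHeader: true
        serversTransport: internal-tls
        servers:
          # Assumed Wings host and its default API port
          - url: "https://192.168.10.201:8080"

  serversTransports:
    internal-tls:
      # Traefik validates backend certificates by default. Trust the CA that
      # signed the Panel/Wings certificates (assumed path) ...
      rootCAs:
        - "/certs/internal-ca.pem"
      # ... or, for lab use only, skip verification entirely:
      # insecureSkipVerify: true

  middlewares:
    wings-cors:
      headers:
        accessControlAllowOriginList:
          - "https://panel.mydomain.com"
        accessControlAllowHeaders: ["Authorization", "Content-Type"]
        accessControlAllowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
        accessControlAllowCredentials: true
```

With this split, `passHostHeader: true` and the `serversTransport` reference both live on the service, and the entrypoint's TLS settings stay in the static file; if the backend certificate is self-signed, Traefik's log (not the browser) is where the verification failure shows up, so that is the first thing to read before changing ports or middlewares.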

Sorry to bring this old topic up, but this is the only topic I've seen with the same exact problem. Were you ever able to figure this out? I have this exact problem down to changing the middleware and getting only a 502 error. I'm so stumped...

Not sure if the config of the original post was correct, you need to use separate static config (entrypoints, certresolver, etc) and dynamic config (routers, services, etc) with Traefik.

Forgive me, but I’m not sure I understand. Which part was not correct? I’m stuck where I essentially fixed the CORS issue with middleware headers but all I get is a 502 bad gateway error no matter what I do between the panel and wings.

Can you post your Traefik static and dynamic config, and docker-compose.yml if used?

entryPoint and loadBalancer do not go into the same config file; that does not work.

http:
  # region routers
  routers:
    proxmox:
      entryPoints:
        - "https"
      rule: "Host(`pve1.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: proxmox
    jellyfin:
      entryPoints:
        - "https"
      rule: "Host(`jellyfin.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: jellyfin
    homebridge:
      entryPoints:
        - "https"
      rule: "Host(`homebridge.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: homebridge
    pterodactyl:
      entryPoints:
        - "https"
      rule: "Host(`gameserver.local.example.com`)"
      middlewares:
        - wings-headers
        - https-redirectscheme
      tls: {}
      service: pterodactyl
    wings:
      entryPoints:
        - "https"
      rule: "Host(`wings.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: wings
    minecraft:
      entryPoints:
        - "http"
      rule: "Host(`minecraft.local.example.com`)"
      middlewares:
        - default-headers
        # - https-redirectscheme
      tls: {}
      service: minecraft

  services:
    proxmox:
      loadBalancer:
        servers:
          - url: "https://192.168.10.182:8006"
        passHostHeader: true
    jellyfin:
      loadBalancer:
        servers:
          - url: "http://192.168.10.14:8096"
        passHostHeader: true
    homebridge:
      loadBalancer:
        servers:
          - url: "http://192.168.10.90:8581"
        passHostHeader: true
    pterodactyl:
      loadBalancer:
        servers:
          - url: "http://192.168.10.206:80"
        passHostHeader: true
    wings:
      loadBalancer:
        servers:
          - url: "http://192.168.10.75"
        passHostHeader: true
    minecraft:
      loadBalancer:
        servers:
          - url: "http://192.168.10.190:25565"
        passHostHeader: true

  middlewares:
    # addprefix-pihole:
    #   addPrefix:
    #     prefix: "/admin"
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    wings-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
        # customResponseHeaders:
        accessControlAllowHeaders:
          - Authorization
        accessControlAllowOriginList:
          - https://wings.local.example.com
          - https://gameserver.local.example.com
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT

    default-whitelist:
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/8"
          - "192.168.0.0/16"
          - "172.16.0.0/12"

    secured:
      chain:
        middlewares:
          - default-whitelist
          - default-headers
A lot of this stuff is leftover from trying things. And yes, I did not separate them because I know it's referenced in the documentation, but I'm not sure what gets separated. I had just assumed you use what's applicable to each application. As well, here's docker-compose.yml:

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=example@email.com
      - CF_DNS_API_TOKEN=****************************
      # - CF_API_KEY=YOUR_API_KEY
      # be sure to use the correct one depending on if you are using a token or key
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik/data/traefik.yml:/traefik.yml:ro
      - /root/traefik/data/acme.json:/acme.json
      - /root/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard-internal.local.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=*******:$$apr1$$tQljh1mW$$q1MVz$
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard-internal.local.example.com`$
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

Did you ever fix this?