Traefik always throws 404 for secure only connections. Docker only deployment. But why?

So I wanted to move from npm to Traefik for security reasons. I found a good online blog for an initial setup of Traefik. It works, but not really, and for the love of god, I can't figure out why.

Here is my docker-compose.yml:

services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: always
    networks:
      - proxy
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/configs:/configs:ro
      - ./data/acme.json:/acme.json:rw
      - ./data/logs:/logs:rw
    environment:
      - CF_DNS_API_TOKEN=${CFAPI}
    read_only: true
    security_opt:
      - no-new-privileges=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-https.entrypoints=websecure
      - traefik.http.routers.traefik-https.rule=Host(`traefik.example.com`)
      - traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIKADMIN}
      - traefik.http.routers.traefik-https.middlewares=traefik-auth
      - traefik.http.routers.traefik-https.service=api@internal
      - traefik.http.routers.traefik-https.tls=true
      - traefik.http.routers.traefik-https.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik-https.tls.domains[0].main=example.com
      - traefik.http.routers.traefik-https.tls.domains[0].sans=*.example.com

  whoami:
    image: containous/whoami:latest
    container_name: whoami
    hostname: whoami
    restart: unless-stopped
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami-https.entrypoints=websecure
      - traefik.http.routers.whoami-https.rule=Host(`whoami.example.com`)
      #- traefik.http.routers.whoami-https.service=whoami
      - traefik.http.services.whoami-https.loadbalancer.server.port=80
      - traefik.http.routers.whoami-https.tls=true
      - traefik.http.routers.whoami-https.tls.certresolver=letsencrypt


networks:
  proxy:
    external: {}

and the static configuration file (traefik.yml) looks like:

api:
  dashboard: true
  insecure: true
  debug: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls: {}

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)"
    network: proxy
  file:
    directory: "/configs"
    watch: true

certificatesResolvers:
  http:
    acme:
      email: cert@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: web
  letsencrypt:
    acme:
      email: cert@example.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

#serversTransport:
#    insecureSkipVerify: false

accessLog:
  filePath: "/logs/access.log"
  fields:
    headers:
      names:
        User-Agent: keep

log:
  filePath: "/logs/traefik.log"
  level: INFO

Now when I get the stack up and running, I can never access the following:

  1. traefik example com --> 404
  2. serverip:443 --> 404
  3. serverip:80 --> 404
  4. whoami example com --> 404

But I can access the Traefik dashboard only insecurely at http://serverip:8080 because I have set insecure=true. Is there no way to reach the dashboard securely?! What am I doing wrong? I don't see any error in the log files or in the dashboard.

Now to the services themselves, when I remove the line

traefik.http.routers.whoami-https.entrypoints=websecure

, I can access both:

  1. http://whoami.example.com
  2. https://whoami.example.com/

I simply want to reach both the Traefik dashboard and my services only with websecure. But it just doesn't seem to work. I am pulling my hair out as to what Traefik is doing and what I am doing wrong.

Any help is very much appreciated! Thanks!

Okay, with some advice, I set up a redirect middleware to redirect http to https. Then everything seems to work.

Hi, could you please share what you did? I've been pulling my hair out for two days now because of this. I have included the middleware, but it doesn't work. Only https works; http doesn't for some reason.

Hmm, for me the problem was, I wasn't able to reach my services when I specified the entry point to be https. But when I didn't specify any entrypoint, basically things worked.

So, I didn't specify any entry points; basically both entry points (https and http) were used for all the services, but since I used a redirect middleware, my services were only accessible securely.

So maybe try commenting out the entrypoint label?

Check and compare to the simple Traefik example.

To make it clean when using Traefik v2, add .entrypoints=websecure to each router dynamic config.

In Traefik v3 you can set that as default:

--entrypoints.websecure.asDefault=true

If you leave both out, your router will listen to all available entrypoints.

And http-to-https and TLS can be assigned globally to the entrypoint, so no repetition on dynamic router labels is necessary.
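
An added example, not part of the original thread: the entrypoint-level redirect and TLS described in the last reply, applied to the traefik.yml and whoami labels posted in the question (Traefik v2.10). It assumes the `letsencrypt` resolver and `example.com` names from the question, and also sets `api.insecure` to false so the dashboard is reachable only through the `traefik-https` router and its basic-auth middleware.

```yaml
# File 1: traefik.yml (static configuration). Added example, not the poster's file.
api:
  dashboard: true
  insecure: false          # was true: that serves the dashboard without auth on :8080
                           # (the 8080:8080 port mapping in compose can then be dropped)

entryPoints:
  web:
    address: ":80"
    http:
      redirections:        # every request arriving on :80 is redirected to HTTPS
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    # asDefault: true      # Traefik v3 only: routers without entrypoints use this one
    http:
      tls:                 # applied to every router attached to websecure
        certResolver: letsencrypt
        domains:
          - main: example.com
            sans:
              - "*.example.com"
---
# File 2: docker-compose.yml, whoami service only.
# The per-router tls=true / tls.certresolver labels are now inherited from websecure.
services:
  whoami:
    image: containous/whoami:latest
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami-https.entrypoints=websecure
      - traefik.http.routers.whoami-https.rule=Host(`whoami.example.com`)
      - traefik.http.services.whoami-https.loadbalancer.server.port=80
```

The two YAML documents are separate files shown in one block; the providers, certificatesResolvers and log sections of the posted traefik.yml stay as they are.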