Tailscale version: latest
Your operating system & version: Ubuntu 20 (latest lts)
traefik: latest, docker
Apologies for not being specific on the above info. I am writing this with my mobile.
As the topic mentions, I’ve a reverse proxy, Traefik, behind a Tailscale subnet router. Traefik manages the certificates for all my services on different machines (VMs). Right now, when connected from outside my home network using my phone (iOS), I can ping my servers. However, I cannot access my services behind Traefik over HTTPS in the browser. Other HTTP (non-SSL) services behind the subnet router I can access. Safari browser error reads out: “Cannot establish secure connection…” OR “Server stopped responding…”
Other info:
- Using PiHole as DNS resolver, which has the Traefik address and is added using split DNS to Tailscale MagicDNS. This PiHole is not used by anything else and is specifically used for Tailscale.
- My PiHole is on a different VLAN than my servers. But Tailscale and Traefik are on the same VLAN.
- I see 3 entries on PiHole when doing HTTPS calls using my iPhone. 2 of them resolve locally but one has DNS type HTTPS, which is resolved by the upstream DNS. Don’t understand why.
- I have DNS records and CNAMEs for services on PiHole.
- I can ping using my iOS to those same servers using the same domain name for my service. I am using an app to ping on my phone.
Do you have any tips for me to debug this? Do I have to add some additional config when using a reverse proxy?
Update: It intermittently works now. I see “Unable to establish secure connections” almost 50% of the time. And sometimes it works. I didn’t make any changes to the above-mentioned config.
I see lots of Traefik errors:
http: TLS handshake error from <Tailscale subnet router local IP: some port>: tls: client offered only unsupported versions: [301]
Request has been aborted [<Tailscale subnet router local IP: some port> - /signalr/connect?transport=serverSentEvents&clientProtocol=2.1&apiKey=xxx&connectionToken=xxx>
Request has been aborted [<Tailscale subnet router local IP: some port> - /signalr/reconnect?transport=serverSentEvents&messageId=xxx&clientProtocol=2.1&apiKey=xxx>
Request has been aborted [<Tailscale subnet router local IP: some port> - /signalr/messages?access_token=XXX net/http: abort Handler" middlewareName=traefi>
499 Client Closed Request' caused by: context canceled