Traefik does not work with .me domains

Hello,

I was battling a 404 message on a page when I stumbled upon this problem. To be honest, it didn't occur to me at first that it would be possible, yet it is.
I have a test JS application running in a docker container, the traffic to which is being forwarded by Traefik.
I have several other services set up absolutely identically and they work as expected. This one, however, is not.
I have made the conclusion that the problem is with the domain name itself when I successfully accessed the app via a different domain by adding the Host() mask to the rule of the router.
The snippet of the config is below. app.eliminyro.com is working while viceartur.me does not. Both domains are pointing to the same IP address, btw.

Note: I have also tested it with a different .me domain - the result is the same: 404 error despite the configuration being identical.

I would really appreciate it if you could help me out with this. The issue seems bizarre (at least to me), and I am not sure it can be solved on my side.

I have tested with 2.4.14 and latest (2.5.3)

http:
  routers:
    viceartur:
      entryPoints: https
      rule: "Host(`app.eliminyro.com`) || Host(`viceartur.me`)"
      service: viceartur
      tls: {}
      middlewares: chain-no-auth@file
  services:
    viceartur:
      loadBalancer:
        servers:
          - url: 'http://viceartur'

Something else is up with your configuration. Posting all of your configuration will help.

It is possible your http://viceartur is also returning the 404. The access log can help determine this (traefik_router_name is present if matched to a router). I like to use the json format for this, as lots of useful information is included by default.

Yes, .me domains do work.

docker-compose.yaml
version: "3.8"

services:
  traefik:
    image: "traefik:v2.5"
    command:
    - --entrypoints.web.address=:80
#    - --entrypoints.web.http.redirections.entrypoint.to=websecure
#    - --entrypoints.web.http.redirections.entrypoint.permanent=true
    - --entrypoints.websecure.address=:443
    - --entrypoints.websecure.http.tls=true
    - --providers.docker=true
    - --providers.docker.exposedbydefault=false
    - --accesslog
    - --accesslog.format=json
    - --api
    - --log.level=INFO
    - --log.format=json
    labels:
      traefik.enable: "true"
      traefik.http.routers.api.rule: Host(`traefik.localhost`)
      traefik.http.routers.api.service: api@internal
      traefik.http.services.dummy.loadBalancer.server.port: 65535
      traefik.http.routers.api.entrypoints: websecure

    ports:
      - published: 80
        target: 80
      - published: 443
        target: 443
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: traefik/whoami
    labels:
      traefik.enable: "true"
      traefik.http.routers.w.rule: Host(`example.com`) || Host (`example.me`)
curl example.com
curl --resolve example.com:80:127.0.0.1 --resolve example.me:80:127.0.0.1 http://example.com
Hostname: 087957d0c991
IP: 127.0.0.1
IP: 172.27.0.3
RemoteAddr: 172.27.0.2:36850
GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.68.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.27.0.1
X-Forwarded-Host: example.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 5f69047612bf
X-Real-Ip: 172.27.0.1
curl example.me
curl --resolve example.com:80:127.0.0.1 --resolve example.me:80:127.0.0.1 http://example.me
Hostname: 087957d0c991
IP: 127.0.0.1
IP: 172.27.0.3
RemoteAddr: 172.27.0.2:36850
GET / HTTP/1.1
Host: example.me
User-Agent: curl/7.68.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.27.0.1
X-Forwarded-Host: example.me
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 5f69047612bf
X-Real-Ip: 172.27.0.1

Oh, also your router is https so using http to access it will indeed return a 404.
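The access-log check suggested above, as an added example (not code from this thread or from the Traefik project): it reads JSON access-log lines and reports, per host, whether a 404 came from Traefik with no router matched, from the backend, or whether the host never reached this Traefik instance at all. It assumes the JSON access-log fields `RequestHost`, `RouterName`, `DownstreamStatus` and `OriginStatus`; the function names and the sample lines are constructed for illustration.

```python
import json

# Constructed sample lines in the shape of Traefik's JSON access log
# (--accesslog.format=json). Hosts and values are made up.
SAMPLE_LOG = """\
{"RequestHost":"example.com","RequestPath":"/","entryPointName":"websecure","RouterName":"w@docker","ServiceName":"w@docker","DownstreamStatus":200,"OriginStatus":200}
{"RequestHost":"example.me","RequestPath":"/","entryPointName":"web","DownstreamStatus":404}
{"RequestHost":"example.me","RequestPath":"/missing","entryPointName":"websecure","RouterName":"w@docker","ServiceName":"w@docker","DownstreamStatus":404,"OriginStatus":404}
not-json debris from a log shipper
"""


def classify(entry):
    """Classify one access-log entry by where its 404 originated."""
    if entry.get("DownstreamStatus") != 404:
        return "not-404"
    if not entry.get("RouterName"):
        # No router matched on this entry point: check rule, entryPoints, TLS.
        return "no-router-matched"
    if entry.get("OriginStatus") == 404:
        # A router matched and the backend itself answered 404.
        return "backend-404"
    # A router matched but the 404 was produced before reaching the backend.
    return "traefik-404-after-match"


def triage(log_text, host):
    """Return the sorted set of verdicts seen for `host`.

    If the host never appears, the request did not reach this Traefik
    instance (DNS points elsewhere, or a proxy in front answered it).
    """
    verdicts = set()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines instead of aborting
        if not isinstance(entry, dict):
            continue
        if str(entry.get("RequestHost", "")).lower() != host.lower():
            continue
        verdicts.add(classify(entry))
    return sorted(verdicts) or ["never-reached-traefik"]


if __name__ == "__main__":
    for h in ("example.com", "example.me", "absent.example"):
        print(h, triage(SAMPLE_LOG, h))
```

A `never-reached-traefik` verdict is the cue to compare what the name resolves to with the origin's address and to test the origin directly with `curl --resolve`.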

Have you been able to open app.eliminyro.com?
It's the same router, as you can see. And it does open.
How come the .me domain doesn't?

Also, it's not a problem of http/https protocol. There is a middleware that redirects from http to https, which does not work with .me domain either (even though the chain is specified [chain-no-auth@file]).
As I mentioned, other routers work just fine, routing the traffic to other containers with no issues. The only difference is that the routers for those services are set to work with .com domains. Everything else is identical.
For example:

  routers:
    plex:
      entryPoints: https
      rule: "Host(`plex.eliminyro.com`)"
      service: plex
      tls: {}
      middlewares: chain-no-auth@file
  services:
    plex:
      loadBalancer:
        servers:
          - url: 'https://plex:32400'
curl http://app.eliminyro.com
404 page not found

No redirect.

curl http://app.eliminyro.com -i
HTTP/1.1 404 Not Found
Date: Mon, 04 Oct 2021 17:51:49 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 19
Connection: keep-alive
x-content-type-options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wFbWJf%2FyJkcpghr%2F69dC1O51yEvEOZ5F%2BF9jA1DbLTSKN3HQ1EB9KkRD61s%2BxjLzuPolyJMZ7Wf5E0JT3jshfFMTwkfBfFYaqNVCBEFwwf8Rxk%2BWE6cDfx2n7xcQFHsIA227fA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 699042ab1fc15401-YYZ
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

404 page not found

Didn't see it previously. For you it shows that app.eliminyro doesn't work either. That is really strange. I'll have to take a look into that as well.

I'll refer you to my first reply to this post.

My apologies for my inattentiveness about http-to-https redirect. For whatever reason, that doesn't work. That's not really important at the moment.
Nevertheless, if you try viceartur with https, it'll show 404 while app.eliminyro shows a page. How is that possible?
I am not comfortable with providing the whole config. Feels like I've displayed more than I should've anyway.
Is there something specific I can look at?
In traefik settings, routers are responsible for routing traffic, aren't they? The yaml is formatted as expected, otherwise it would not work or error out.
As for logs: this router is not mentioned in the access log anywhere.
It is mentioned in the debug though, it is seen there:

time="2021-10-04T18:03:51Z" level=debug msg="Creating middleware" middlewareType=Pipelining entryPointName=https routerName=viceartur@file serviceName=viceartur middlewareName=pipelining
time="2021-10-04T18:03:51Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=viceartur@file serviceName=viceartur
time="2021-10-04T18:03:51Z" level=debug msg="Creating server 0 http://viceartur" serviceName=viceartur serverName=0 entryPointName=https routerName=viceartur@file
time="2021-10-04T18:03:51Z" level=debug msg="Added outgoing tracing middleware viceartur" entryPointName=https routerName=viceartur@file middlewareName=tracing middlewareType=TracingForwarder

Okay, I have tested a couple more domains with the same service, on different routers. .com work. .me, again, do not.
I am at my wit's end here.
This is absolutely mind-boggling. If anyone can suggest something, I'd appreciate it.
Thanks in advance.

Hello,

The problem is NOT related to the TLD (as @cakiwi already explained)

Your 2 domains don't target the same IP:

$ drill app.eliminyro.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 31124
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; app.eliminyro.com.	IN	A

;; ANSWER SECTION:
app.eliminyro.com.	300	IN	A	104.21.51.122
app.eliminyro.com.	300	IN	A	172.67.180.46

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 16 msec
;; SERVER: 192.168.1.1
;; WHEN: Tue Oct  5 18:42:39 2021
;; MSG SIZE  rcvd: 67
$ drill viceartur.me
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 39136
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; viceartur.me.	IN	A

;; ANSWER SECTION:
viceartur.me.	300	IN	A	5.142.251.174

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 40 msec
;; SERVER: 192.168.1.1
;; WHEN: Tue Oct  5 18:42:49 2021
;; MSG SIZE  rcvd: 46

I think that is the root of your problem.

Hi, @ldez,

Thanks for your input.
The root of my problem isn't the fact that the domains point to different IPs; that was done on my side while I was trying to figure out the reasons behind the behavior.
The problem is in Cloudflare processing .com and .me domains differently, for whatever reason. When I disabled its features for the .me domain (the reason you see a different IP address), Traefik started routing the traffic properly to the app.

.com still has the SAME set of features ENABLED, yet the app is working just fine.

I have tried to troubleshoot Cloudflare previously, but disabling its protection and other features yielded no results. That is why I was thinking Traefik is the root of this behavior.

This time it worked, so I am finally relieved of this headache.
Thanks to @cakiwi, I've learned that curl has a parameter --resolve, which helped me to look in the right direction.
I am not able to close the topic, so if you can do it, please go ahead and do so.