Traefik is giving a 503 error when proxying a NextCloud instance

I have a Traefik instance that I am using as a reverse proxy to several services. The services work except for NextCloud. I have disabled SSL on the NextCloud Apache instance, and I am able to connect to the NextCloud instance from within the network, but not using the domain name to go through Traefik.

I do not use Docker, so please keep that in mind when pointing to resources.

Here is my anonymized static (traefik.yaml) config:

global:
  checkNewVersion: true
  sendAnonymousUsage: false

providers:
  file:
    directory: /etc/traefik/conf.d/
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare
        domains:
          - main:"TLD"
          - sans:
            - "*.TLD"            
  tunnel:
    address: ":943"
  ssh:
    address: ":22"

certificatesResolvers:
  cloudflare:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: "MY_EMAIL"
      storage: /etc/traefik/ssl/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

  letsencrypt:
    acme:
      email: "MY_EMAIL"
      storage: /etc/traefik/ssl/acme.json
      tlschallenge: true

api:
  dashboard: true
  insecure: true

log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: ERROR
#  level: DEBUG

accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep

And the two parts of my dynamic configuration:

core.yaml:

http:
  routers:
    catchall:
      entryPoints:
        - "websecure"
      rule: "PathPrefix(`/`)"
      service: unavailable
      priority: 1

  services:
    unavailable:
      loadBalancer:
        servers: {}

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: cloudflare
        domain:
          main: TLD
          sans:
            - "*.TLD"

dynamic.yaml:

http:
  routers:

    cloud:
      rule: Host(`cloud.TLD`)
      entrypoints:
        - "websecure"
      service: cloud

    code:
      rule: Host(`code.TLD`)
      entrypoints:
        - "websecure"
      service: code

    coder:
      rule: Host(`coder.TLD`)
      entrypoints:
        - "websecure"
      service: coder
    
    gitea:
      rule: Host(`teacup.TLD`)
      entrypoints:
        - "websecure"
      service: gitea

    metube:
      rule: Host(`metube.TLD`)
      entrypoints:
        - "websecure"
      middlewares:
        - metube-auth
      service: metube

    plexsec:
      rule: Host(`plex.TLD`)
      entrypoints:
        - "websecure"
      service: plexsec
    
    tunnel:
      rule: Host(`tunnel.TLD`)
      entrypoints:
        - "websecure"
        - "tunnel"
      service: tunnel

  services:

    cloud:
      loadbalancer:
        servers:
          - url: http://192.168.0.31
            scheme: http
        passHostHeader: true

    code:
      loadbalancer:
        servers:
          - url: http://192.168.0.42
            scheme: http
        passHostHeader: true

    coder:
      loadbalancer:
        servers:
          - url: http://192.168.0.43:8080
            scheme: http
        passHostHeader: true
    
    gitea:
      loadbalancer:
        servers:
          - url: http://192.168.0.32:3000
            scheme: http
        passHostHeader: true

    metube:
      loadbalancer:
        servers:
          - url: http://192.168.0.41:8081
            scheme: http
        passHostHeader: true

    plexsec:
      loadbalancer:
        servers:
          - url: http://192.168.0.30:32400
            scheme: http
        passHostHeader: true

    tunnel:
      loadbalancer:
        servers:
          - url: http://192.168.0.33:943
            scheme: http
        passHostHeader: true
  
  middlewares:
    metube-auth:
      basicAuth:
        users:
          - james:$2y$05$D1QgSe8Axci8d8KO9APY9elgnEIUSrn.t7r26MtX.jSng8ff/SHjW

tcp:
  routers:
    gitea:
      rule: HostSNI(`*`)
      entrypoints:
        - "ssh"
      service: gitea
      tls:
        passthrough: true

  services:
    gitea:
      loadbalancer:
        servers:
          - address: '192.168.0.32:22'

Any ideas why this might be happening?

Thanks!

Okay, after finding a small error that had caused the file to fail, I now have a different behavior. Now, I am getting "Too Many Redirects." I am using CloudFlare and have followed the steps there to set up the SSL as Full (Strict), etc. Any other ideas?

Found it! After digging through Traefik configuration and CloudFlare settings for hours, it ended up that I had a rewrite rule in my Apache configuration that was redirecting all http traffic to https, but I had disabled the https because I am using Traefik to terminate SSL. I will leave this here in case it helps someone in the future.
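The redirect loop described in the post above can be confirmed in one request by probing the backend directly, the way Traefik does after terminating TLS (plain HTTP, public `Host` header, `X-Forwarded-Proto: https`). This is an added example, not code from the original thread; the stand-in backend and the names `make_backend`, `probe_backend` and `demo` are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def make_backend(force_https):
    """Constructed stand-in for the plain-HTTP Apache vhost behind Traefik."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if force_https:  # mimics an unconditional "redirect to https" rule
                self.send_response(301)
                self.send_header("Location", f"https://{self.headers['Host']}{self.path}")
            else:
                self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_backend(addr, port, public_host, path="/"):
    """Send what the proxy sends after terminating TLS; flag a same-host https bounce."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    conn.request("GET", path, headers={"Host": public_host, "X-Forwarded-Proto": "https"})
    resp = conn.getresponse()
    location = resp.getheader("Location") or ""
    conn.close()
    target = urlsplit(location)
    loops = (resp.status in (301, 302, 307, 308) and target.scheme == "https"
             and target.hostname == public_host.lower())
    return {"status": resp.status, "location": location, "loops": loops}


def demo():
    """Probe the stand-in with and without the redirect rule."""
    results = {}
    for name, force in (("with_rewrite", True), ("rewrite_removed", False)):
        server = make_backend(force)
        results[name] = probe_backend("127.0.0.1", server.server_port, "cloud.TLD")
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real backend, call `probe_backend` with the server address from the Traefik service definition (here `192.168.0.31`, port 80) and the public host name; `loops: True` means the backend itself is forcing HTTPS and the proxy and Cloudflare settings are not the cause.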

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.