Traefik Proxy returns 404 error from https to http service in Swarm Mode

I'm using Traefik V3 configured with Docker Swarm. I tried to access it via https and let Traefik route to an http service. It took almost 3 days, but I can't get it to work. Can someone point out what is wrong?
Here is my service config:

version: '3'

networks:
  app-extranet:
    external: true

services:
  app-web:
    image: vue-app:development
    deploy:
      mode: replicated
      replicas: 2
      endpoint_mode: dnsrr
      restart_policy:
        condition: on-failure
        delay: 2s
      placement:
        constraints:
          - node.labels.frontend == true
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.fe-service.loadbalancer.server.scheme=http"
        - "traefik.http.services.fe-service.loadbalancer.server.port=80"
        - "traefik.http.routers.fe-route.entrypoints=websecure"
        - "traefik.http.routers.fe-route.service=fe-service"
        - "traefik.http.routers.fe-route.rule=PathPrefix(`/`)"
    networks:
      - app-extranet
    logging:
      driver: 'json-file'
      options:
        max-size: '200k'
        max-file: '10'

And this is the Traefik config:

version: '3'

networks:
  app-extranet:
    external: true

services:
  app-proxy:
    image: traefik:v3.0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8888
        protocol: tcp
        mode: host
    deploy:
      mode: replicated
      replicas: 1
      endpoint_mode: dnsrr
      restart_policy:
        condition: on-failure
        delay: 2s
      placement:
        constraints:
          - node.labels.proxy == true
    command:
      - --log.level=DEBUG
      - --api.insecure=true
      - --providers.swarm=true
      - --providers.swarm.exposedByDefault=false
      - --providers.swarm.network=app-extranet
      - --providers.http.tls.insecureSkipVerify=true
      - --entrypoints.traefik.address=:8080
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entryPoint.permanent=true
      - --entrypoints.websecure.address=:443
    networks:
      - app-extranet
    logging:
      driver: 'json-file'
      options:
        max-size: '200k'
        max-file: '10'

Additional information:

  1. I am using a local server, therefore I let Traefik auto-generate the certificate.
  2. It works perfectly if I change the front-end service route from websecure to web; the log shows selected by WRR ...
  3. It seems Traefik cannot route if websecure is used; here is part of the log:
proxy_mdo-proxy.1.o36v8d3jpdal@datacenter    | 2024-07-02T09:08:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
proxy_mdo-proxy.1.o36v8d3jpdal@datacenter    | 2024-07-02T09:08:21Z DBG log/log.go:245 > http: TLS handshake error from 192.168.124.1:48576: remote error: tls: bad certificate
proxy_mdo-proxy.1.o36v8d3jpdal@datacenter    | 2024-07-02T09:08:24Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""


Traefik creates a default TLS cert when nothing else is available. Your client/browser doesn't accept it when connecting via https/443, hence the TLS handshake error.

Compare to simple Traefik example with LetsEncrypt.

Thanks @bluepuma77. It seems that is not the case.
Btw, I solved the issue; it was due to 2 missing lines of config.

  • First, add the line - --entrypoints.websecure.http.tls=true to the start command of Traefik.
  • Second, add the line "traefik.http.routers.fe-route.tls=false" to the labels of the frontend service.

Now it works perfectly.
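
A check for the condition discussed in this thread, added here as an example (not code from the posters or from the Traefik project): it reads a router listing such as the one Traefik's API serves at /api/http/routers and reports routers bound to a TLS entry point that have no TLS section. The JSON shape, the `@swarm` name suffix and the `plain-route` router are assumptions, and the sample data is constructed.

```python
import json
import sys

# Constructed sample, shaped like the router list served by Traefik's API at
# /api/http/routers (assumed shape: a router carries a "tls" key only when TLS
# is enabled for it). "plain-route" is a hypothetical second router.
SAMPLE_BEFORE = json.dumps([
    {"name": "fe-route@swarm", "entryPoints": ["websecure"],
     "service": "fe-service", "rule": "PathPrefix(`/`)"},
    {"name": "plain-route@swarm", "entryPoints": ["web"],
     "service": "plain-service", "rule": "PathPrefix(`/plain`)"},
])
# The same router once TLS is enabled for it (also constructed).
SAMPLE_AFTER = json.dumps([
    {"name": "fe-route@swarm", "entryPoints": ["websecure"], "tls": {},
     "service": "fe-service", "rule": "PathPrefix(`/`)"},
])


def routers_missing_tls(routers_json, tls_entrypoints=("websecure",)):
    """Return (router, entry point) pairs bound to a TLS entry point without a
    TLS section; requests arriving over HTTPS never match such a router."""
    findings = []
    for router in json.loads(routers_json):
        if "tls" in router:
            continue  # HTTPS router, matched for requests that arrive over TLS
        # Only entry points listed on the router itself are checked.
        for entrypoint in router.get("entryPoints", []):
            if entrypoint in tls_entrypoints:
                findings.append((router.get("name", "<unnamed>"), entrypoint))
    return findings


def main(argv):
    # With a file argument, check a saved API response; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            data = handle.read()
    else:
        data = SAMPLE_BEFORE
    findings = routers_missing_tls(data)
    for name, entrypoint in findings:
        print(f"{name}: on '{entrypoint}' without TLS, HTTPS requests get 404")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
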

I ran into the same problem: http worked, https didn't work

Check simple Traefik Swarm example.

Note that you can only run a single Traefik instance for normal LetsEncrypt to work, as this is only cluster-enabled in paid Traefik EE.

You might be able to run multiple Traefik instances, each with their own TLS cert via dnsChallenge.
