I'm using labels in a swarm service deployment of Gluetun. I just use the web proxy feature on port 8888.
My label config is:
labels:
- "traefik.enable=true"
- "traefik.http.routers.protun.rule=Host(`{{ protun_fqdn }}`)"
- "traefik.http.routers.protun.entrypoints=https"
- "traefik.http.routers.protun.service=protun-service"
- "traefik.http.routers.protun.tls=true"
- "traefik.http.services.protun-service.loadbalancer.server.port=8888"
And everything seems correct on the Traefik dashboard.
I see my service, and I see it will redirect requests to http://30.30.1.155:8888 internally.
When I try the proxy with curl with a
curl -L -x http://tunnel.mydomain.net:80 --proxy-insecure -k -v https://bing.com
here is what I get:
- Trying 10.0.0.8:80...
- Connected to (nil) (10.0.0.8) port 80 (#0)
- allocate connect buffer!
- Establish HTTP proxy tunnel to bing.com:443
CONNECT bing.com:443 HTTP/1.1
Host: bing.com:443
User-Agent: curl/7.81.0
Proxy-Connection: Keep-Alive
< HTTP/1.1 308 Permanent Redirect
< Location: https://bing.combing.com:443
< Date: Tue, 22 Oct 2024 17:40:36 GMT
< Content-Length: 18
<
- Received HTTP code 308 from proxy after CONNECT
- CONNECT phase completed!
- Closing connection 0
curl: (56) Received HTTP code 308 from proxy after CONNECT
Notice the 308 Redirect and, more interesting, the Location that follows ... Completely wrong
< Location: https://bing.combing.com:443
It writes the name of the requested URL twice.
When I connect internally to the swarm network used by Traefik and do a
curl -L -x http://30.30.1.155:8888 --proxy-insecure -k -v https://bing.com
everything works perfectly.
Here are the lines from the beginning of the log:
- Trying 30.30.1.155:8888...
- Connected to 30.30.1.155 (30.30.1.155) port 8888
- CONNECT tunnel: HTTP/1.1 negotiated
- allocate connect buffer
- Establish HTTP proxy tunnel to bing.com:443
CONNECT bing.com:443 HTTP/1.1
Host: bing.com:443
User-Agent: curl/8.7.1
Proxy-Connection: Keep-Alive
< HTTP/1.1 200 OK
< Date: Tue, 22 Oct 2024 17:40:55 GMT
< Transfer-Encoding: chunked
- Ignoring Transfer-Encoding in CONNECT 200 response
< - CONNECT phase completed
- CONNECT tunnel established, response 200
- ALPN: curl offers h2,http/1.1
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- TLSv1.3 (IN), TLS handshake, Server hello (2):
- TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- TLSv1.3 (IN), TLS handshake, Server hello (2):
- TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
- TLSv1.3 (IN), TLS handshake, Certificate (11):
- TLSv1.3 (IN), TLS handshake, CERT verify (15):
- TLSv1.3 (IN), TLS handshake, Finished (20):
- TLSv1.3 (OUT), TLS handshake, Finished (20):
- SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp521r1 / RSASSA-PSS
- ALPN: server accepted h2
- Server certificate:
- subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=www.bing.com
- start date: Sep 16 23:16:19 2024 GMT
- expire date: Mar 15 23:16:19 2025 GMT
- issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure RSA TLS Issuing CA 03
- SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
- Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
- Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
- using HTTP/2
- [HTTP/2] [1] OPENED stream for https://bing.com/
... And so on until I get the full content of the bing.com page.
Is there a middleware I am missing in my Traefik config?
Why do I get a wrong Location on the 308 redirect?
I don't use a conf file for Traefik; instead I use args at launch. Here they are, in case it helps to better understand my config:
command:
- --accesslog=true
- --accesslog.filepath=/tmp/access.log
- --log=true
- --log.level=TRACE
- --log.maxBackups=7
- --log.maxAge=30
- --log.filepath=/tmp/traefik.log
- --api=true
- --api.dashboard=true
- --api.debug=true
- --api.disabledashboardad=true
- --api.insecure=true
- --providers.swarm=true
- --providers.swarm.endpoint=unix:///var/run/docker.sock
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --providers.docker.network=trf-{{ clustername }}
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.file.directory=/etc/traefik/dynamic_conf
- --entryPoints.http.address=:80
- --entrypoints.http.http.redirections.entryPoint.to=https
- --entrypoints.http.http.redirections.entryPoint.scheme=https
- --entrypoints.http.http.redirections.entrypoint.permanent=true
- --entrypoints.https.address=:443
- --entryPoints.traefik.address=:8081
- --serverstransport.insecureskipverify=true
I hope it will make sense to someone ... I'm lost for now.
Regards
Stef