Trying dynamic config - only allow https to service

Been fighting for a whole day now, I'm obviously missing something :slightly_frowning_face:
My goal is to allow access to my load balanced service only through https.
Whenever I remove the non-https router I lose access to the service through https. Keeping the non-https router enables access to the https-service ??

Traefik.yml

# API and dashboard configuration
api:
  insecure: true
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  #docker:
  #  endpoint: "unix:///var/run/docker.sock"
  #  exposedByDefault: false
  file:
    filename: /config.yml
    watch: true
certificatesResolvers:
  cloudflare:
    acme:
      email: foo@bar.dk
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

config.yml

http:
  #region routers
  routers:
    web1:
      entryPoints: web
      rule: "Host(`foo.dk`)"
      service: web1
    web1-secure:
      entryPoints: websecure
      rule: "Host(`foo.dk`)"
      tls: {}
      service: web2
  #endregion
  #region services
  services:
    web1:
      loadBalancer:
        servers:
          - url: "http://192.168.1.35:8082"
          - url: "http://192.168.1.35:8081"
        passHostHeader: true
    web2:
      loadBalancer:
        servers:
          - url: "http://192.168.1.35:8082"
          - url: "http://192.168.1.35:8081"
        passHostHeader: true
  #endregion

You should at least enable a http-to-https redirection on port 80.

You created a certresolver, but it's never assigned. I usually prefer to assign it centrally to websecure, see simple Traefik example.

tls=true is only needed when you load custom TLS certs from file and those should be used.

Finally make sure to place acme.json on a bind mount or volume to not re-create the cert on every re-create or update, LE has strict limits.
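The four points above put together as an added example (my own rewrite, not the original poster's files or the forum answer's code): a static traefik.yml that redirects everything on port 80 to port 443, assigns the cloudflare resolver centrally on websecure, and keeps acme.json on a volume, followed by a dynamic config.yml that only needs the https router. The hostname, backend URLs and resolver name are taken from the post; the /letsencrypt storage path is assumed.

```yaml
# --- traefik.yml (static configuration), added example, not the original poster's file ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        # Every plain-HTTP request on :80 is redirected to :443, so no HTTP router is needed.
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        # TLS and the ACME resolver are assigned centrally here, so routers on
        # this entrypoint need no per-router "tls:" block or certResolver.
        certResolver: cloudflare
certificatesResolvers:
  cloudflare:
    acme:
      email: foo@bar.dk                 # from the original post
      storage: /letsencrypt/acme.json   # assumed path; mount it as a volume so certs persist
      dnsChallenge:
        provider: cloudflare            # API credentials come from the environment, not shown
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

providers:
  file:
    filename: /config.yml
    watch: true

# --- config.yml (dynamic configuration) ---
http:
  routers:
    web1-secure:
      entryPoints:
        - websecure
      rule: "Host(`foo.dk`)"
      service: web1
  services:
    web1:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://192.168.1.35:8082"
          - url: "http://192.168.1.35:8081"
```

With the DNS record proxied through Cloudflare, the browser still sees Cloudflare's edge certificate; the Let's Encrypt certificate issued here is what Cloudflare sees when it connects to Traefik.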

Thanks for the quick answer.
Newbie here. Just realised that cloudFlare has been playing tricks with me. It all works - but as you mentioned I'm not actually using the certificates issued by LE - CloudFlare tricked me with their certificates :slight_smile:
I'll see if I can manage to use the LE certs instead of CF.
