My current setup:
Existing Windows home server using NGINX serving Organizr with a Let's Encrypt cert generated by win-acme (manually). Using NGINX I have a reverse proxy set up, with port forwarding for ports 80 and 443 to the local IP of the Windows home server. The domain is from Dynu and uses DDNS.
Currently looking to migrate everything I have (whilst keeping my original server up and running) to the following set up:
Proxmox with Linux LXC container on a totally separate machine. Attempting to get everything all up and running prior to fully migrating.
Because ports 80 and 443 are already in use, I used 8080 and 8443 and forwarded those on my router to the Linux LXC IP.
When I have my nginx service running on my Windows server, I hit the Organizr login page when using my new domain, so it's getting confused somewhere, which I presume is why it's not pulling the cert.
I am following a guide from simplehomelabs and getting stuck pulling a staging cert from Let's Encrypt using Traefik. I obtained a brand new domain from Cloudflare and set up a Cloudflare API token (Zone:Read, DNS:Edit).
Two DNS records:
A > domain > public IP > no proxy, auto TTL
CNAME > wildcard (*) > domain > no proxy, auto TTL
Traefik logs:
2025-02-11T08:29:30Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:29:36Z DBG github.com/traefik/traefik/v3/pkg/collector/collector.go:52 > Anonymous stats sent to https://collect.traefik.io/yYaUej3P42cziRVzv6T5w2aYy9po2Mrn: {"global":{"checkNewVersion":true,"sendAnonymousUsage":true},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"},"entryPoints":{"traefik":{"address":"xxxx","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{},"http2":{"maxConcurrentStreams":250}},"web":{"address":"xxxx","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{"redirections":{"entryPoint":{"to":"websecure","scheme":"https","permanent":true,"priority":9223372036854775806}}},"http2":{"maxConcurrentStreams":250}},"websecure":{"address":"xxxx","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{"trustedIPs":["xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx","xxxx"]},"http":{"tls":{"options":"tls-opts@file","certResolver":"dns-cloudflare","domains":[{"main":"xxxx","sans":["xxxx"]}]}},"http2":{"maxConcurrentStreams":250}}},"providers":{"providersThrottleDuration":"2s","docker":{"network":"t3_proxy","watch":true,"defaultRule":"xxxx","endpoint":"xxxx"},"file":{"directory":"/rules","watch":true}},"api":{"dashboard":true},"log":{"level":"DEBUG","format":"common","filePath":"xxxx"},"accessLog":{"filePath":"xxxx","format":"common","filters":{"statusCodes":["204-299","400-499","500-599"]},"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop"}},"bufferingSize":100},"certificatesResolvers":{"dns-cloudflare":{"acme":{"caServer":"xxxx","storage":"/acme.json","keyType":"RSA4096","certificatesDuration":2160,"dnsChallenge":{"provider":"cloudflare","delayBeforeCheck":"1m30s","resolvers":["xxxx","xxxx"]}}}}}
2025-02-11T08:29:37Z WRN github.com/traefik/traefik/v3/pkg/version/version.go:103 > A new release has been found: 3.3.3. Please consider updating.
2025-02-11T08:30:14Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:30:19Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:30:26Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:30:37Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:31:53Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:36:15Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "my public IP"
2025-02-11T08:39:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "my public IP"
2025-02-11T08:46:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "my public IP"
2025-02-11T08:47:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:47:37Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:53:31Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:55:05Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-02-11T08:55:05Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "my public IP"
2025-02-11T08:55:05Z DBG log/log.go:245 > http: TLS handshake error from 195.178.110.163:42338: read tcp 192.168.91.2:8080->195.178.110.163:42338: read: connection reset by peer
After a restart of the LXC:
2025-02-11T10:07:13Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "hostmypublicip.rangexx-xxx.btcentralplus.com"
2025-02-11T10:07:13Z DBG log/log.go:245 > http: TLS handshake error from 167.94.145.102:39730: tls: client offered only unsupported versions: [302 301]
2025-02-11T10:07:14Z DBG log/log.go:245 > http: TLS handshake error from 152.32.245.196:46520: EOF
2025-02-11T10:07:14Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "hostmypublicip.rangexx-xxx.btcentralplus.com"
2025-02-11T10:07:15Z DBG log/log.go:245 > http: TLS handshake error from 152.32.245.196:46532: EOF
2025-02-11T10:07:15Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "hostmypublicip.rangexx-xxx.btcentralplus.com"
2025-02-11T10:07:15Z DBG log/log.go:245 > http: TLS handshake error from 167.94.145.102:39760: tls: client offered only unsupported versions: [301]
2025-02-11T10:07:15Z DBG log/log.go:245 > http: TLS handshake error from 152.32.245.196:46544: read tcp 192.168.91.2:8443->152.32.245.196:46544: read: connection reset by peer
2025-02-11T10:07:17Z DBG log/log.go:245 > http: TLS handshake error from 167.94.145.102:39828: tls: client offered only unsupported versions: []
2025-02-11T10:07:20Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
I'm presuming the random IPs I'm seeing are some form of port scanning?
Here is my Traefik compose service (YAML):
# Traefik 3 - Reverse Proxy
traefik:
  container_name: traefik
  image: traefik:3.0
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped
  # profiles: ["core", "all"]
  networks:
    t3_proxy:
      ipv4_address: 192.168.90.254 # You can specify a static IP
    socket_proxy:
  command: # CLI arguments
    - --global.checkNewVersion=true
    - --global.sendAnonymousUsage=true
    - --entrypoints.web.address=:8080
    - --entrypoints.websecure.address=:8443
    - --entrypoints.traefik.address=:8081
    - --entrypoints.websecure.http.tls=true
    - --entrypoints.web.http.redirections.entrypoint.to=websecure
    - --entrypoints.web.http.redirections.entrypoint.scheme=https
    - --entrypoints.web.http.redirections.entrypoint.permanent=true
    - --api=true
    - --api.dashboard=true
    # - --api.insecure=true
    # - --serversTransport.insecureSkipVerify=true
    # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
    - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
    - --log=true
    - --log.filePath=/logs/traefik.log
    - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
    - --accessLog=true
    - --accessLog.filePath=/logs/access.log
    - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
    - --accessLog.filters.statusCodes=204-299,400-499,500-599
    - --providers.docker=true
    # - --providers.docker.endpoint=unix:///var/run/docker.sock # Disable for Socket Proxy. Enable otherwise.
    - --providers.docker.endpoint=tcp://socket-proxy:2375 # Enable for Socket Proxy. Disable otherwise.
    - --providers.docker.exposedByDefault=false
    - --providers.docker.network=t3_proxy
    # - --providers.docker.swarmMode=false # Traefik v2 Swarm
    # - --providers.swarm.endpoint=tcp://127.0.0.1:2377 # Traefik v3 Swarm
    - --entrypoints.websecure.http.tls.options=tls-opts@file
    # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
    - --entrypoints.websecure.http.tls.certresolver=dns-cloudflare
    - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME_1
    - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME_1
    # - --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME_2 # Pulls main cert for second domain
    # - --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME_2 # Pulls wildcard cert for second domain
    - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
    - --providers.file.watch=true # Only works on top level files in the rules folder
    - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing (staging certs are not browser-trusted)
    - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
  ports:
    - target: 8080
      published: 8080
      protocol: tcp
      mode: host
    - target: 8443
      published: 8443
      protocol: tcp
      mode: host
    # - target: 8080 # need to enable --api.insecure=true
    #   published: 8085
    #   protocol: tcp
    #   mode: host
  volumes:
    - $DOCKERDIR/appdata/traefik3/rules/$HOSTNAME:/rules # Dynamic File Provider directory
    # - /var/run/docker.sock:/var/run/docker.sock:ro # Enable if not using Socket Proxy
    - $DOCKERDIR/appdata/traefik3/acme/acme.json:/acme.json # Certs File (must be mode 600)
    - $DOCKERDIR/logs/$HOSTNAME/traefik:/logs # Traefik logs
  environment:
    - TZ=$TZ
    - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
    - HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
    - DOMAINNAME_1 # Passing the domain name to traefik container to be able to use the variable in rules.
  secrets:
    - cf_dns_api_token
    - basic_auth_credentials
  labels:
    - "traefik.enable=true"
    # HTTP Routers
    - "traefik.http.routers.traefik-rtr.entrypoints=websecure"
    - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_1`)"
    # Services - API
    - "traefik.http.routers.traefik-rtr.service=api@internal"
    # Middlewares
    - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file" # For Basic HTTP Authentication
Any help much appreciated.