WebSocket issue accessing HomeAssistant via Traefik

1kdesert · July 16, 2025, 10:00am

Hello gents,

Description

I'm running Proxmox (Debian) with Traefik v3.4.4 in an LXC container and Home Assistant OS (HAOS) as a virtual machine. The Traefik container is on a VLAN designated as DMZ, while Home Assistant resides on a separate VLAN labeled Internal-Services.

Accessing Home Assistant directly via its internal IP address (bypassing the reverse proxy) works perfectly. However, when I try to access it externally via a domain name (proxied through Cloudflare, e.g., https://ha.example.com) that routes through Traefik, the connection fails (after the login form (!)). I get a page displaying a countdown and the message:

Unable to connect to Home Assistant. Retrying in XX seconds...

In the browser console, I see the following error:

WebSocket connection to 'wss://ha.example.com/api/websocket' failed

Setup of Traefik and HomeAssistant:

Static configuration of Traefik

providers:
  file:
    directory: /etc/traefik/conf.d/
entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: cloudflare
  traefik:
    address: ':8080'
serversTransport:
  insecureSkipVerify: true
certificatesResolvers:
  cloudflare:
    acme:
      email: <my-cloudflare-email>@gmail.com
      storage: /etc/traefik/ssl/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
api:
  dashboard: true
  insecure: true
log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: ERROR
accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep

Dynamic configuration of Traefik

http:
  routers:
    traefik-dashboard:
      entryPoints:
        - "websecure"
      rule: "Host(`proxy.example.com`)"
      middlewares:
        - default-headers
      service: traefik-dashboard
      priority: 1
      tls: {}
    home-assistant:
      entryPoints:
        - "websecure"
      rule: "Host(`ha.example.com`)"
      middlewares:
        - default-headers
      service: home-assistant
      priority: 10
      tls: {}
  services:
    traefik-dashboard:
      loadBalancer:
        servers:
          - url: "http://proxy.local:8080"
        passHostHeader: true
    home-assistant:
      loadBalancer:
        servers:
          - url: "http://homeassistant.local:8123"
        passHostHeader: true
  middlewares:
    default-headers:
      headers:
        customResponseHeaders:
          X-Forwarded-Proto: "https"

HomeAssistant configuration

# Loads default set of integrations. Do not remove.
default_config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.0/28 # DMZ network -- this is where reverse proxy is located

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

Additional Notes:

I've observed that, on occasion, the external access works briefly - Home Assistant loads for a few seconds. But then, when I try to logout and login again - it does not work anymore.
Prior to switching to Traefik, I was using Nginx Proxy Manager. Everything worked out of the box with no special configuration - just enabling the "WebSocket" toggle was enough.
The proxy.example.com (traefik dashboard) works well (as well as other services that I did not include in this post)

Please let me know if there is any other information you may need in order to advice

bluepuma77 · July 16, 2025, 4:31pm

Why do you mess with the headers? Try to remove the middleware.

1kdesert · July 16, 2025, 9:04pm

Thank you for your reply.

I use Cloudflare proxy in order to hide my real ip. This middleware configuration is needed in order to handle the header added by the Cloudflare when it proxies the traffic.

Anyways, removed and it did not help - the same behavior. Any other suggestions?

bluepuma77 · July 20, 2025, 7:14am

Does it run correctly without Cloudflare? Usually WebSockets just work with Traefik, no special settings necessary.

Enable and check Traefik debug log (doc), are routers created correctly?

Enable and check Traefik access log in JSON format (doc), what’s the output during requests?

1kdesert · July 20, 2025, 11:29am

Thank you once again for your answer and suggestions!

Please find the answers to your questions below. I've split them into two messages - Cloudflare ON and OFF.

Also, please note that I've removed everything from my configuration and keep only Traefik Dashboard and HomeAssistant so that I can include the whole log file with all the details.

Cloudflare proxy OFF

Does it run correctly without Cloudflare? Usually WebSockets just work with Traefik, no special settings necessary.

If I turn off cloudflare proxy I start getting certificate related issue when I try to open HomeAssistant or any other service/app using public domain:

Attackers might be trying to steal your information from ha.example.com (for example, passwords, messages, or credit cards). Learn more about this warning
net::ERR_CERT_AUTHORITY_INVALID
Subject: TRAEFIK DEFAULT CERT

Issuer: TRAEFIK DEFAULT CERT

Expires on: Jul 20, 2026

Current date: Jul 20, 2025

PEM encoded chain:
-----BEGIN CERTIFICATE-----
<key-was-here>
-----END CERTIFICATE-----

ha.example.com normally uses encryption to protect your information. When Chrome tried to connect to ha.example.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be ha.example.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.

You cannot visit ha.example.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

Enable and check Traefik debug log (doc), are routers created correctly?

The logs after restarting the proxy and attempting to open ha.example.com (HomeAssistant):

root@traefik:~# cat /var/log/traefik/traefik.log
{"level":"info","version":"3.4.4","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:105","message":"Traefik version 3.4.4 built on 2025-07-11T08:31:57Z"}
{"level":"debug","staticConfiguration":{"global":{"checkNewVersion":true},"serversTransport":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"},"entryPoints":{"traefik":{"address":":8080","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{"sanitizePath":true,"maxHeaderBytes":1048576},"http2":{"maxConcurrentStreams":250},"udp":{"timeout":"3s"}},"web":{"address":":80","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{"redirections":{"entryPoint":{"to":"websecure","scheme":"https","permanent":true,"priority":9223372036854775806}},"sanitizePath":true,"maxHeaderBytes":1048576},"http2":{"maxConcurrentStreams":250},"udp":{"timeout":"3s"}},"websecure":{"address":":443","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{"tls":{"certResolver":"cloudflare"},"sanitizePath":true,"maxHeaderBytes":1048576},"http2":{"maxConcurrentStreams":250},"udp":{"timeout":"3s"}}},"providers":{"providersThrottleDuration":"2s","file":{"directory":"/etc/traefik/conf.d/","watch":true}},"api":{"basePath":"/","insecure":true,"dashboard":true},"log":{"level":"DEBUG","format":"json","filePath":"/var/log/traefik/traefik.log"},"accessLog":{"filePath":"/var/log/traefik/traefik-access.log","format":"json","filters":{"statusCodes":["200","400-599"],"retryAttempts":true,"minDuration":"10ms"},"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop","names":{"User-Agent":"keep"}}}},"certificatesResolvers":{"cloudflare":{"acme":{"email":"<cloudflare-email>@mail.com","caServer":"https://acme-v02.api.letsencrypt.org/directory","storage":"/etc/traefik/ssl/acme.json","keyType":"RSA4096","certificatesDuration":2160,"dnsChallenge":{"provider":"cloudflare","resolvers":["1.1.1.1:53","1.0.0.1:53"]}}}}},"time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:112","message":"Static configuration loaded [json]"}
{"level":"info","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:634","message":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"}
{"level":"info","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73","message":"Starting provider aggregator *aggregator.ProviderAggregator"}
{"level":"debug","entryPointName":"web","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222","message":"Starting TCP Server"}
{"level":"debug","entryPointName":"websecure","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222","message":"Starting TCP Server"}
{"level":"debug","entryPointName":"traefik","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222","message":"Starting TCP Server"}
{"level":"info","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *file.Provider"}
{"level":"debug","config":{"directory":"/etc/traefik/conf.d/","watch":true},"time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*file.Provider provider configuration"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.dev.resources.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.internal.resources.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.media.resources.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.personal.resources.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.security.resources.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.tools.resources.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.chain.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.headers.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.plugin.oidc.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.ratelimit.yaml"}
{"level":"debug","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.redirectscheme.yaml"}
{"level":"info","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *traefik.Provider"}
{"level":"debug","config":{},"time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*traefik.Provider provider configuration"}
{"level":"debug","providerName":"internal","config":{"http":{"routers":{"api":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","ruleSyntax":"default","priority":9223372036854775806},"dashboard":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","ruleSyntax":"default","priority":9223372036854775805},"web-to-websecure":{"entryPoints":["web"],"middlewares":["redirect-web-to-websecure"],"service":"noop@internal","rule":"HostRegexp(`^.+$`)","ruleSyntax":"default","priority":9223372036854775806}},"services":{"api":{},"dashboard":{},"noop":{}},"middlewares":{"dashboard_redirect":{"redirectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}},"redirect-web-to-websecure":{"redirectScheme":{"scheme":"https","port":"443","permanent":true}}},"models":{"websecure":{"tls":{"certResolver":"cloudflare"},"observability":{}}},"serversTransports":{"default":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"udp":{},"tls":{}},"time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configuration received"}
{"level":"debug","providerName":"file","config":{"http":{"routers":{"home-assistant":{"entryPoints":["websecure","web"],"service":"home-assistant","rule":"Host(`ha.example.com`)","priority":10,"tls":{}},"traefik-dashboard":{"entryPoints":["websecure"],"middlewares":["default-https"],"service":"traefik-dashboard","rule":"Host(`proxy.example.com`)","priority":1,"tls":{}}},"services":{"home-assistant":{"loadBalancer":{"servers":[{"url":"http://homeassistant.local:8123"}],"strategy":"wrr","passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"}}},"traefik-dashboard":{"loadBalancer":{"servers":[{"url":"http://proxy.local:8080"}],"strategy":"wrr","passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"}}}},"middlewares":{"default-headers":{"headers":{"customResponseHeaders":{"Server":"","X-Forwarded-Proto":"https","X-Powered-By":"","customFrameOptionsValue":"SAMEORIGIN","hostsProxyHeaders":"║24║X-Forwarded-Host","sslProxyHeaders.X-Forwarded-Proto":"https"}}},"default-https":{"chain":{"middlewares":["default-headers"]}},"default-ratelimit":{"rateLimit":{"average":100,"period":"1s","burst":50}},"default-redirectscheme":{"redirectScheme":{"scheme":"https","permanent":true}}}},"tcp":{},"udp":{},"tls":{}},"time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configuration received"}
{"level":"info","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *acme.ChallengeTLSALPN"}
{"level":"debug","config":{},"time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*acme.ChallengeTLSALPN provider configuration"}
{"level":"info","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *acme.Provider"}
{"level":"debug","config":{"email":"<cloudflare-email>@mail.com","caServer":"https://acme-v02.api.letsencrypt.org/directory","storage":"/etc/traefik/ssl/acme.json","keyType":"RSA4096","certificatesDuration":2160,"dnsChallenge":{"provider":"cloudflare","resolvers":["1.1.1.1:53","1.0.0.1:53"]},"ResolverName":"cloudflare","store":{},"TLSChallengeProvider":{},"HTTPChallengeProvider":{}},"time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*acme.Provider provider configuration"}
{"level":"debug","providerName":"cloudflare.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:234","message":"Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\""}
{"level":"info","providerName":"cloudflare.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:890","message":"Testing certificate renew..."}
{"level":"debug","providerName":"cloudflare.acme","config":{"http":{},"tcp":{},"udp":{},"tls":{}},"time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configuration received"}
{"level":"debug","tlsStoreName":"default","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321","message":"No default certificate, fallback to the internal generated certificate"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","middlewareType":"StripPrefix","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18","message":"Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30","message":"Setting up redirection to https 443"}
{"level":"debug","entryPointName":"web","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","tlsStoreName":"default","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321","message":"No default certificate, fallback to the internal generated certificate"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","middlewareType":"StripPrefix","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18","message":"Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30","message":"Setting up redirection to https 443"}
{"level":"debug","entryPointName":"web","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"websecure","routerName":"websecure-home-assistant@file","serviceName":"home-assistant@file","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:320","message":"Creating load-balancer"}
{"level":"debug","entryPointName":"websecure","routerName":"websecure-home-assistant@file","serviceName":"home-assistant@file","serverIndex":0,"URL":"http://homeassistant.local:8123","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:363","message":"Creating server"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","serviceName":"traefik-dashboard@file","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:320","message":"Creating load-balancer"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","serviceName":"traefik-dashboard@file","serverIndex":0,"URL":"http://proxy.local:8080","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:363","message":"Creating server"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","middlewareName":"default-https@file","middlewareType":"Chain","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/chain/chain.go:22","message":"Creating middleware"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","middlewareName":"default-headers@file","middlewareType":"Headers","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:27","message":"Creating middleware"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","middlewareName":"default-headers@file","middlewareType":"Headers","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:47","message":"Setting up customHeaders/Cors from {map[] map[Server: X-Forwarded-Proto:https X-Powered-By: customFrameOptionsValue:SAMEORIGIN hostsProxyHeaders:║24║X-Forwarded-Host sslProxyHeaders.X-Forwarded-Proto:https] false [] [] [] [] [] 0 false [] [] map[] 0 false false false false  false false       false <nil> <nil> <nil> <nil> <nil>}"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","middlewareName":"default-headers@file","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"websecure","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237","message":"Adding route for ha.example.com with TLS options default"}
{"level":"debug","entryPointName":"websecure","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237","message":"Adding route for proxy.example.com with TLS options default"}
{"level":"debug","entryPointName":"websecure","time":"2025-07-20T12:36:51+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237","message":"Adding route for ha.example.com with TLS options default"}
{"level":"debug","time":"2025-07-20T12:37:31+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228","message":"Serving default certificate for request: \"ha.example.com\""}
{"time":"2025-07-20T12:37:31+02:00","caller":"log/log.go:245","level":"debug","message":"http: TLS handshake error from 10.1.1.10:60948: remote error: tls: unknown certificate"}
{"level":"debug","time":"2025-07-20T12:37:31+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228","message":"Serving default certificate for request: \"ha.example.com\""}
{"time":"2025-07-20T12:37:31+02:00","caller":"log/log.go:245","level":"debug","message":"http: TLS handshake error from 10.1.1.10:60949: remote error: tls: unknown certificate"}

Enable and check Traefik access log in JSON format (doc), what’s the output during requests?

root@traefik:~# cat /var/log/traefik/traefik-access.log
{"ClientAddr":"<ip>:47108","ClientHost":"<ip>","ClientPort":"47108","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":16906,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":16906,"RequestAddr":"<my-external-ip>","RequestContentSize":0,"RequestCount":1,"RequestHost":"<my-external-ip>","RequestMethod":"GET","RequestPath":"/owa/auth/logon.aspx","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-07-20T12:40:29.425841961+02:00","StartUTC":"2025-07-20T10:40:29.425841961Z","TLSCipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLSVersion":"1.2","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 zgrab/0.x","time":"2025-07-20T12:40:29+02:00"}

1kdesert · July 20, 2025, 11:31am

Cloudflare proxy ON

Enable and check Traefik debug log (doc), are routers created correctly?

The logs after restarting the proxy and attempting to open ha.example.com (HomeAssistant):

root@traefik:~# cat /var/log/traefik/traefik.log
{"level":"info","version":"3.4.4","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:105","message":"Traefik version 3.4.4 built on 2025-07-11T08:31:57Z"}
{"level":"debug","staticConfiguration":{"global":{"checkNewVersion":true},"serversTransport":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"},"entryPoints":{"traefik":{"address":":8080","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{"sanitizePath":true,"maxHeaderBytes":1048576},"http2":{"maxConcurrentStreams":250},"udp":{"timeout":"3s"}},"web":{"address":":80","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{"redirections":{"entryPoint":{"to":"websecure","scheme":"https","permanent":true,"priority":9223372036854775806}},"sanitizePath":true,"maxHeaderBytes":1048576},"http2":{"maxConcurrentStreams":250},"udp":{"timeout":"3s"}},"websecure":{"address":":443","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{"tls":{"certResolver":"cloudflare"},"sanitizePath":true,"maxHeaderBytes":1048576},"http2":{"maxConcurrentStreams":250},"udp":{"timeout":"3s"}}},"providers":{"providersThrottleDuration":"2s","file":{"directory":"/etc/traefik/conf.d/","watch":true}},"api":{"basePath":"/","insecure":true,"dashboard":true},"log":{"level":"DEBUG","format":"json","filePath":"/var/log/traefik/traefik.log"},"accessLog":{"filePath":"/var/log/traefik/traefik-access.log","format":"json","filters":{"statusCodes":["200","400-599"],"retryAttempts":true,"minDuration":"10ms"},"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop","names":{"User-Agent":"keep"}}}},"certificatesResolvers":{"cloudflare":{"acme":{"email":"<cloudflare-email>@mail.com","caServer":"https://acme-v02.api.letsencrypt.org/directory","storage":"/etc/traefik/ssl/acme.json","keyType":"RSA4096","certificatesDuration":2160,"dnsChallenge":{"provider":"cloudflare","resolvers":["1.1.1.1:53","1.0.0.1:53"]}}}}},"time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:112","message":"Static configuration loaded [json]"}
{"level":"info","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:634","message":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"}
{"level":"info","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73","message":"Starting provider aggregator *aggregator.ProviderAggregator"}
{"level":"debug","entryPointName":"traefik","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222","message":"Starting TCP Server"}
{"level":"debug","entryPointName":"web","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222","message":"Starting TCP Server"}
{"level":"debug","entryPointName":"websecure","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222","message":"Starting TCP Server"}
{"level":"info","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *file.Provider"}
{"level":"debug","config":{"directory":"/etc/traefik/conf.d/","watch":true},"time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*file.Provider provider configuration"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.dev.resources.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.internal.resources.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.media.resources.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.personal.resources.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.security.resources.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/http.tools.resources.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.chain.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.headers.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.plugin.oidc.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.ratelimit.yaml"}
{"level":"debug","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/middlewares.redirectscheme.yaml"}
{"level":"info","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *traefik.Provider"}
{"level":"debug","config":{},"time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*traefik.Provider provider configuration"}
{"level":"debug","providerName":"internal","config":{"http":{"routers":{"api":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","ruleSyntax":"default","priority":9223372036854775806},"dashboard":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","ruleSyntax":"default","priority":9223372036854775805},"web-to-websecure":{"entryPoints":["web"],"middlewares":["redirect-web-to-websecure"],"service":"noop@internal","rule":"HostRegexp(`^.+$`)","ruleSyntax":"default","priority":9223372036854775806}},"services":{"api":{},"dashboard":{},"noop":{}},"middlewares":{"dashboard_redirect":{"redirectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}},"redirect-web-to-websecure":{"redirectScheme":{"scheme":"https","port":"443","permanent":true}}},"models":{"websecure":{"tls":{"certResolver":"cloudflare"},"observability":{}}},"serversTransports":{"default":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"udp":{},"tls":{}},"time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configuration received"}
{"level":"debug","providerName":"file","config":{"http":{"routers":{"home-assistant":{"entryPoints":["websecure","web"],"service":"home-assistant","rule":"Host(`ha.example.com`)","priority":10,"tls":{}},"traefik-dashboard":{"entryPoints":["websecure"],"middlewares":["default-https"],"service":"traefik-dashboard","rule":"Host(`proxy.example.com`)","priority":1,"tls":{}}},"services":{"home-assistant":{"loadBalancer":{"servers":[{"url":"http://homeassistant.local:8123"}],"strategy":"wrr","passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"}}},"traefik-dashboard":{"loadBalancer":{"servers":[{"url":"http://proxy.local:8080"}],"strategy":"wrr","passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"}}}},"middlewares":{"default-headers":{"headers":{"customResponseHeaders":{"Server":"","X-Forwarded-Proto":"https","X-Powered-By":"","customFrameOptionsValue":"SAMEORIGIN","hostsProxyHeaders":"║24║X-Forwarded-Host","sslProxyHeaders.X-Forwarded-Proto":"https"}}},"default-https":{"chain":{"middlewares":["default-headers"]}},"default-ratelimit":{"rateLimit":{"average":100,"period":"1s","burst":50}},"default-redirectscheme":{"redirectScheme":{"scheme":"https","permanent":true}}}},"tcp":{},"udp":{},"tls":{}},"time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configuration received"}
{"level":"info","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *acme.ChallengeTLSALPN"}
{"level":"debug","config":{},"time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*acme.ChallengeTLSALPN provider configuration"}
{"level":"info","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *acme.Provider"}
{"level":"debug","config":{"email":"<cloudflare-email>@mail.com","caServer":"https://acme-v02.api.letsencrypt.org/directory","storage":"/etc/traefik/ssl/acme.json","keyType":"RSA4096","certificatesDuration":2160,"dnsChallenge":{"provider":"cloudflare","resolvers":["1.1.1.1:53","1.0.0.1:53"]},"ResolverName":"cloudflare","store":{},"TLSChallengeProvider":{},"HTTPChallengeProvider":{}},"time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*acme.Provider provider configuration"}
{"level":"debug","providerName":"cloudflare.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:234","message":"Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\""}
{"level":"info","providerName":"cloudflare.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:890","message":"Testing certificate renew..."}
{"level":"debug","providerName":"cloudflare.acme","config":{"http":{},"tcp":{},"udp":{},"tls":{}},"time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configuration received"}
{"level":"debug","tlsStoreName":"default","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321","message":"No default certificate, fallback to the internal generated certificate"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","middlewareType":"StripPrefix","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18","message":"Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30","message":"Setting up redirection to https 443"}
{"level":"debug","entryPointName":"web","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T13:09:27+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","tlsStoreName":"default","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321","message":"No default certificate, fallback to the internal generated certificate"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30","message":"Setting up redirection to https 443"}
{"level":"debug","entryPointName":"web","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","middlewareType":"StripPrefix","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18","message":"Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"websecure","routerName":"websecure-home-assistant@file","serviceName":"home-assistant@file","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:320","message":"Creating load-balancer"}
{"level":"debug","entryPointName":"websecure","routerName":"websecure-home-assistant@file","serviceName":"home-assistant@file","serverIndex":0,"URL":"http://homeassistant.local:8123","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:363","message":"Creating server"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","serviceName":"traefik-dashboard@file","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:320","message":"Creating load-balancer"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","serviceName":"traefik-dashboard@file","serverIndex":0,"URL":"http://proxy.local:8080","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:363","message":"Creating server"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","middlewareName":"default-https@file","middlewareType":"Chain","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/chain/chain.go:22","message":"Creating middleware"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","middlewareName":"default-headers@file","middlewareType":"Headers","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:27","message":"Creating middleware"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","middlewareName":"default-headers@file","middlewareType":"Headers","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:47","message":"Setting up customHeaders/Cors from {map[] map[Server: X-Forwarded-Proto:https X-Powered-By: customFrameOptionsValue:SAMEORIGIN hostsProxyHeaders:║24║X-Forwarded-Host sslProxyHeaders.X-Forwarded-Proto:https] false [] [] [] [] [] 0 false [] [] map[] 0 false false false false  false false       false <nil> <nil> <nil> <nil> <nil>}"}
{"level":"debug","entryPointName":"websecure","routerName":"traefik-dashboard@file","middlewareName":"default-headers@file","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"websecure","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237","message":"Adding route for ha.example.com with TLS options default"}
{"level":"debug","entryPointName":"websecure","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237","message":"Adding route for proxy.example.com with TLS options default"}
{"level":"debug","entryPointName":"websecure","time":"2025-07-20T13:09:28+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237","message":"Adding route for ha.example.com with TLS options default"}
{"level":"debug","time":"2025-07-20T13:09:36+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228","message":"Serving default certificate for request: \"ha.example.com\""}
{"level":"debug","time":"2025-07-20T13:09:36+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://homeassistant.local:8123"}
{"level":"debug","time":"2025-07-20T13:09:37+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://homeassistant.local:8123"}
{"level":"debug","time":"2025-07-20T13:09:37+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://homeassistant.local:8123"}

Enable and check Traefik access log in JSON format (doc), what’s the output during requests?

root@traefik:~# cat /var/log/traefik/traefik-access.log
{"ClientAddr":"162.158.217.28:24920","ClientHost":"162.158.217.28","ClientPort":"24920","ClientUsername":"-","DownstreamContentSize":2320,"DownstreamStatus":200,"Duration":5364489,"OriginContentSize":2320,"OriginDuration":5336031,"OriginStatus":200,"Overhead":28458,"RequestAddr":"ha.example.com","RequestContentSize":0,"RequestCount":1,"RequestHost":"ha.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"websecure-home-assistant@file","ServiceAddr":"homeassistant.local:8123","ServiceName":"home-assistant@file","ServiceURL":"http://homeassistant.local:8123","StartLocal":"2025-07-20T13:09:36.984546332+02:00","StartUTC":"2025-07-20T11:09:36.984546332Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36","time":"2025-07-20T13:09:36+02:00"}
{"ClientAddr":"162.158.217.28:24920","ClientHost":"162.158.217.28","ClientPort":"24920","ClientUsername":"-","DownstreamContentSize":1105,"DownstreamStatus":200,"Duration":4296479,"OriginContentSize":1105,"OriginDuration":4268416,"OriginStatus":200,"Overhead":28063,"RequestAddr":"ha.example.com","RequestContentSize":0,"RequestCount":2,"RequestHost":"ha.example.com","RequestMethod":"GET","RequestPath":"/auth/authorize?response_type=code\u0026redirect_uri=https%3A%2F%2Fha.example.com%2F%3Fauth_callback%3D1\u0026client_id=https%3A%2F%2Fha.example.com%2F\u0026state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9oYS5oaWdoY2FzdGxlLmFwcCIsImNsaWVudElkIjoiaHR0cHM6Ly9oYS5oaWdoY2FzdGxlLmFwcC8ifQ%3D%3D","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"websecure-home-assistant@file","ServiceAddr":"homeassistant.local:8123","ServiceName":"home-assistant@file","ServiceURL":"http://homeassistant.local:8123","StartLocal":"2025-07-20T13:09:37.036130031+02:00","StartUTC":"2025-07-20T11:09:37.036130031Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36","time":"2025-07-20T13:09:37+02:00"}
{"ClientAddr":"162.158.217.28:24920","ClientHost":"162.158.217.28","ClientPort":"24920","ClientUsername":"-","DownstreamContentSize":17561,"DownstreamStatus":200,"Duration":4021363,"OriginContentSize":17561,"OriginDuration":3993697,"OriginStatus":200,"Overhead":27666,"RequestAddr":"ha.example.com","RequestContentSize":0,"RequestCount":3,"RequestHost":"ha.example.com","RequestMethod":"GET","RequestPath":"/static/translations/en-3b3ca46faf933c4249afab132c25d973.json","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"websecure-home-assistant@file","ServiceAddr":"homeassistant.local:8123","ServiceName":"home-assistant@file","ServiceURL":"http://homeassistant.local:8123","StartLocal":"2025-07-20T13:09:37.047010148+02:00","StartUTC":"2025-07-20T11:09:37.047010148Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36","time":"2025-07-20T13:09:37+02:00"}
{"ClientAddr":"162.158.217.28:24920","ClientHost":"162.158.217.28","ClientPort":"24920","ClientUsername":"-","DownstreamContentSize":115,"DownstreamStatus":200,"Duration":1089788,"OriginContentSize":115,"OriginDuration":1063852,"OriginStatus":200,"Overhead":25936,"RequestAddr":"ha.example.com","RequestContentSize":0,"RequestCount":4,"RequestHost":"ha.example.com","RequestMethod":"GET","RequestPath":"/auth/providers","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"websecure-home-assistant@file","ServiceAddr":"homeassistant.local:8123","ServiceName":"home-assistant@file","ServiceURL":"http://homeassistant.local:8123","StartLocal":"2025-07-20T13:09:37.108904308+02:00","StartUTC":"2025-07-20T11:09:37.108904308Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36","time":"2025-07-20T13:09:37+02:00"}
{"ClientAddr":"162.158.217.28:24920","ClientHost":"162.158.217.28","ClientPort":"24920","ClientUsername":"-","DownstreamContentSize":712,"DownstreamStatus":200,"Duration":1407056,"OriginContentSize":712,"OriginDuration":1381994,"OriginStatus":200,"Overhead":25062,"RequestAddr":"ha.example.com","RequestContentSize":0,"RequestCount":5,"RequestHost":"ha.example.com","RequestMethod":"GET","RequestPath":"/static/translations/page-authorize/en-3b3ca46faf933c4249afab132c25d973.json","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"websecure-home-assistant@file","ServiceAddr":"homeassistant.local:8123","ServiceName":"home-assistant@file","ServiceURL":"http://homeassistant.local:8123","StartLocal":"2025-07-20T13:09:37.134946868+02:00","StartUTC":"2025-07-20T11:09:37.134946868Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36","time":"2025-07-20T13:09:37+02:00"}
{"ClientAddr":"162.158.217.28:24920","ClientHost":"162.158.217.28","ClientPort":"24920","ClientUsername":"-","DownstreamContentSize":209,"DownstreamStatus":200,"Duration":941110,"OriginContentSize":209,"OriginDuration":919228,"OriginStatus":200,"Overhead":21882,"RequestAddr":"ha.example.com","RequestContentSize":135,"RequestCount":6,"RequestHost":"ha.example.com","RequestMethod":"POST","RequestPath":"/auth/login_flow","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"websecure-home-assistant@file","ServiceAddr":"homeassistant.local:8123","ServiceName":"home-assistant@file","ServiceURL":"http://homeassistant.local:8123","StartLocal":"2025-07-20T13:09:37.138826673+02:00","StartUTC":"2025-07-20T11:09:37.138826673Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36","time":"2025-07-20T13:09:37+02:00"}
{"ClientAddr":"162.158.217.28:24920","ClientHost":"162.158.217.28","ClientPort":"24920","ClientUsername":"-","DownstreamContentSize":2320,"DownstreamStatus":200,"Duration":1084132,"OriginContentSize":2320,"OriginDuration":1047930,"OriginStatus":200,"Overhead":36202,"RequestAddr":"ha.example.com","RequestContentSize":0,"RequestCount":7,"RequestHost":"ha.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"websecure-home-assistant@file","ServiceAddr":"homeassistant.local:8123","ServiceName":"home-assistant@file","ServiceURL":"http://homeassistant.local:8123","StartLocal":"2025-07-20T13:09:37.158589143+02:00","StartUTC":"2025-07-20T11:09:37.158589143Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36","time":"2025-07-20T13:09:37+02:00"}

I'm entering the credentials and then it redirects me to the lovelace page (dashboard page of HomeAssistant) where I see the following screen (instead of HA dashboard) that signals something is wrong with the connection:

When I open the browser console it starts with:
WebSocket connection to 'wss://ha.example.com/api/websocket' failed
and then after I click "Retry now" (see the screenshot above) it changes to the following error:
https://ha.example.com/auth/token 400 (Bad Request)

Important: Please note that after turning Cloudflare Proxy ON again and restarting traefik - I was able to access HA using public domain url. But after a few minutes, it started showing websocket issue again. Unfortunately, I was not able to capture the logs when it worked. If it happens again, I will try to do so, so we can compare them (if needed)

Topic		Replies	Views
Home Assistant, Websockets 404 Traefik v2 file	5	5107	October 22, 2019
HomeAssistant SmartThings not working as I can't GET api/webhook working with Cloudflare as a proxy Traefik v3 (latest) middleware	13	340	September 26, 2024
Traefik as frontend for Home Assistant gives error 400: Bad Request Traefik v2 docker	2	10094	September 21, 2022
Traefik - V2.2 configuration issues Traefik v2 letsencrypt-acme	16	17740	April 11, 2020
Traefik 2.2 + cloudflare Traefik v2 docker , dashboard-api	5	5695	April 15, 2020

WebSocket issue accessing HomeAssistant via Traefik

Related topics