What does the TLS shield icon mean?

I have a catch-all http-to-https router that has tls=true. Any of my containers that fall under this router don't have the TLS shield icon next to them on the HTTP routers section of the dashboard even though they should be inheriting that setting, correct?

Everything is working just fine. I can access my service, http->https works, etc. I just don't have the shield icon.

labels on my traefik container:

      - "traefik.http.routers.traefik-base.middlewares=default"
      - "traefik.http.routers.traefik-base.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.traefik-base.tls=true"

      - "traefik.http.middlewares.default.chain.middlewares=https-only,custom-headers"
      - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"

and then labels on my service container:

      - "traefik.enable=true"
      - "traefik.http.services.nvr.loadbalancer.server.port=7080"

I have a default rule on my docker provider that results in servicename.domainname.com:

defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\" }}.domainname.com`)"

Hello,

Your approach is interesting, but it's not right:

  • The "catch-all" router that redirects HTTP to HTTPS doesn't have to manage the TLS part.
  • The router on the container must handle the TLS part.

As the configuration you provided is very partial, it's hard to give you a fix for it, but I will try to provide something.


      # labels on the traefik container: catch-all HTTP -> HTTPS redirect, no TLS here
      # (entrypoint names must match the ones declared in traefik.yml)
      - "traefik.http.routers.traefik-base.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.traefik-base.entrypoints=web"
      - "traefik.http.routers.traefik-base.middlewares=http2https"
      - "traefik.http.middlewares.http2https.redirectscheme.scheme=https"

      # labels on the service container: this router handles the TLS part
      - "traefik.enable=true"
      - "traefik.http.routers.nvr.entrypoints=websecure"
      - "traefik.http.routers.nvr.tls=true"
      - "traefik.http.services.nvr.loadbalancer.server.port=7080"

So, you are correct that adding a router to my service container adds the TLS shield icon. But I don't notice any difference in functionality. Thus my question about what that shield icon actually represents.

One thing I noticed is that I don't even have an entrypoint defined on my traefik-base router. Yet, everything is seemingly working.

My goal is to have as few labels as possible on my services. Not for any specific reason. I just don't feel the need to define things when my definitions would be the same as the defaults. :woman_shrugging:

For completeness' sake, here are my configs:

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: true
serversTransport:
  insecureSkipVerify: true
entryPoints:
  http:
    address: :80
  https:
    address: :443
providers:
  providersThrottleDuration: 2s
  docker:
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\" }}.example.com`)"
    exposedByDefault: false
    network: traefik_proxy
    watch: true
    endpoint: unix:///var/run/docker.sock
api:
  insecure: true
  dashboard: true
log:
  level: INFO
certificatesResolvers:
  default:
    acme:
      email: email@example.com
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: duckdns
        delayBeforeCheck: 10s

docker-compose.yml

version: "3.7"
services:
  traefik:
    hostname: traefik
    image: traefik:latest
    container_name: traefik
    restart: always
    domainname: ${DOMAINNAME}
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.entrypoints=https"
      - "traefik.http.routers.api.middlewares=traefik-basic-auth"
      - "traefik.http.routers.api.rule=Host(`traefik.${DOMAINNAME}`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.middlewares.traefik-basic-auth.basicauth.usersfile=/shared/.htpasswd"
      - "traefik.http.middlewares.traefik-basic-auth.basicauth.removeheader=true"

      - "traefik.http.routers.traefik-base.middlewares=default"
      - "traefik.http.routers.traefik-base.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.traefik-base.tls=true"

      - "traefik.http.middlewares.default.chain.middlewares=https-only,custom-headers"
      - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
      - "traefik.http.middlewares.custom-headers.headers.sslredirect=true"
      - "traefik.http.middlewares.custom-headers.headers.browserXssFilter=true"
      - "traefik.http.middlewares.custom-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.custom-headers.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.custom-headers.headers.SSLHost=${DOMAINNAME}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${HOME}/traefik2:/etc/traefik
      - ${HOME}/shared:/shared

  nvr:
    hostname: nvr
    image: pducharme/unifi-video-controller:latest
    restart: always
    container_name: "nvr"
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
    ports:
      - 7080:7080
      - 7447:7447
    volumes:
      - ${HOME}/nvr:/var/lib/unifi-video
      - /media/video:/var/lib/unifi-video/videos
    networks:
      - traefik_proxy
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.nvr.loadbalancer.server.port=7080"

Could you provide your full configuration? Because it's hard to answer without context.

The TLS shield means that TLS is configured on your router.


As you are using api@internal, I recommend setting this option to false.


You defined a certificatesResolvers entry, but this resolver is never used.

You have to add on the routers:

- "traefik.http.routers.MYROUTER.tls.certresolver=default"

I recommend using an explicit version, like traefik:v2.0.4, or at least traefik:v2.0.


I'm not sure I understand why you are using insecureSkipVerify.
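As an added check (mine, not part of this thread and not Traefik's own code), the script below audits the posted labels against the static config and reports the gaps named in the reply above: a resolver that no router references, routers with tls=true but no tls.certresolver, routers without entrypoints, and api.insecure. STATIC_CONFIG and LABELS are constructed copies of the posted traefik.yml and compose labels (example.com standing in for the real domain); parse_routers() and audit() are illustrative helper names, not Traefik APIs.

```python
"""Audit Traefik v2 router labels against the static configuration.

Added example, not Traefik's own code. It reports the gaps discussed in the
thread: a certificatesResolvers entry no router references, routers that
enable TLS without naming a resolver, routers with no entrypoints, and an
insecure API. All inputs below are constructed copies of the posted config.
"""
import re
from collections import defaultdict

# Parsed form of the posted traefik.yml (constructed; only the keys audited).
STATIC_CONFIG = {
    "entryPoints": {"http": {"address": ":80"}, "https": {"address": ":443"}},
    "api": {"insecure": True, "dashboard": True},
    "certificatesResolvers": {
        "default": {"acme": {"dnsChallenge": {"provider": "duckdns"}}},
    },
}

# Router/service labels from the posted docker-compose.yml (constructed copy,
# example.com standing in for the real domain).
LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.api.entrypoints=https",
    "traefik.http.routers.api.middlewares=traefik-basic-auth",
    "traefik.http.routers.api.rule=Host(`traefik.example.com`)",
    "traefik.http.routers.api.service=api@internal",
    "traefik.http.routers.api.tls=true",
    "traefik.http.routers.traefik-base.middlewares=default",
    "traefik.http.routers.traefik-base.rule=hostregexp(`{host:.+}`)",
    "traefik.http.routers.traefik-base.tls=true",
    "traefik.http.services.nvr.loadbalancer.server.port=7080",
]

ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")


def parse_routers(labels):
    """Group router labels by router name: {name: {option: value}}."""
    routers = defaultdict(dict)
    for label in labels:
        key, sep, value = label.partition("=")
        if not sep:
            continue  # not a key=value label
        m = ROUTER_LABEL.match(key.strip())
        if m:
            routers[m.group(1)][m.group(2).lower()] = value.strip()
    return dict(routers)


def audit(static_config, labels):
    """Return a list of findings; an empty list means nothing to fix."""
    routers = parse_routers(labels)
    resolvers = set(static_config.get("certificatesResolvers", {}))
    entrypoints = set(static_config.get("entryPoints", {}))
    used_resolvers = set()
    findings = []

    for name, opts in sorted(routers.items()):
        # Any tls.* option (or tls=true) turns TLS on for the router.
        tls_on = opts.get("tls") == "true" or any(k.startswith("tls.") for k in opts)
        resolver = opts.get("tls.certresolver")
        if resolver:
            used_resolvers.add(resolver)
            if resolver not in resolvers:
                findings.append(f"router {name}: certresolver '{resolver}' is not defined")
        elif tls_on:
            findings.append(
                f"router {name}: tls enabled but no tls.certresolver, "
                "so no ACME certificate is requested for it"
            )
        eps = opts.get("entrypoints")
        if not eps:
            findings.append(f"router {name}: no entrypoints, it is attached to all of them")
        else:
            for ep in (e.strip() for e in eps.split(",")):
                if ep not in entrypoints:
                    findings.append(f"router {name}: unknown entrypoint '{ep}'")

    for r in sorted(resolvers - used_resolvers):
        findings.append(f"resolver '{r}' is defined but no router references it")
    if static_config.get("api", {}).get("insecure"):
        findings.append(
            "api.insecure is true: set it to false and expose api@internal "
            "only through an authenticated router"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(STATIC_CONFIG, LABELS):
        print(finding)
```

Run it as-is and it reports the unused "default" resolver plus the two TLS routers that never name it; append a `tls.certresolver=default` label to a router's entries and the resolver finding disappears.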

I did. What part is missing?

But everything is currently working... I'm under the assumption that because it's named default it's chosen and used and doesn't need to be explicitly called out, which would be evidenced by the fact that it's working.

I'll be using a container that does https with a self-signed cert. Without explicitly trusting the self-signed cert I'm under the assumption that this will allow it to work.

I coded this part, and default is never used.

What does the resolver do then? My cert was generated two days ago when I started traefik up with my above configuration. Shouldn't things either not be working or shouldn't I not have a certificate if that was the case?

The resolver needs to be "linked" to a router; if you don't do that, the resolver does nothing at all.

If you don't trust me, you can validate the behavior like this: stop your Traefik, remove (and back up) the acme.json file, set the caServer to use the LE staging environment (to avoid rate limiting during the test), and start Traefik.

I'm really confused as to how this has been working up until now then. Where did my cert come from? My migrated acme.json? Why was that cert being served if I don't have the cert resolver defined on a router?

If you migrated your acme.json with the migration tool, the certificates come from the migration.

Because the certificates from the acme.json are added to the "certificates store".
If certificates are available in the "certificates store" and the domain of the request matches the domain of the certificate, the certificate is served.
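To illustrate the store-matching rule in the reply above, here is an added example (mine, not Traefik's code) that models the certificate store as a list of (id, SANs) entries and picks the certificate served for a given SNI host. Wildcard names match a single DNS label per RFC 6125, so *.example.com covers nvr.example.com but not a.nvr.example.com; the example prefers an exact SAN over a wildcard (its own choice) and returns None where Traefik would fall back to its generated default certificate. CERT_STORE, match_domain, best_certificate and hosts_from_default_rule are constructed, hypothetical names.

```python
"""Which stored certificate is served for a TLS request?

Added example, not Traefik's code: it models the reply above, where a
certificate already in the store is served if the requested domain matches
one of the certificate's names. Wildcards cover exactly one DNS label
(RFC 6125), so *.example.com matches nvr.example.com but not
a.nvr.example.com. Entries in CERT_STORE are constructed (id, SANs) pairs;
no key material is involved.
"""

# Constructed store: a wildcard certificate such as one migrated in acme.json,
# plus an exact-name certificate for the dashboard host.
CERT_STORE = [
    {"id": "wildcard-from-acme.json", "sans": ["example.com", "*.example.com"]},
    {"id": "exact-dashboard-cert", "sans": ["traefik.example.com"]},
]


def match_domain(host, cert_name):
    """True if cert_name (exact or single-label wildcard) covers host."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if host == cert_name:
        return True
    if cert_name.startswith("*."):
        head, _, rest = host.partition(".")
        # The wildcard replaces the leftmost label only.
        return bool(head) and rest == cert_name[2:]
    return False


def best_certificate(host, store=CERT_STORE):
    """Pick the certificate id served for host, or None for Traefik's default.

    An exact SAN wins over a wildcard; this preference is the example's own.
    """
    exact = wildcard = None
    for cert in store:
        for san in cert["sans"]:
            if not match_domain(host, san):
                continue
            if san.startswith("*."):
                wildcard = wildcard or cert["id"]
            else:
                exact = exact or cert["id"]
    return exact or wildcard


def hosts_from_default_rule(service_names, domain="example.com"):
    """Hostnames the posted defaultRule produces for compose service names."""
    return [f"{name}.{domain}" for name in service_names]


if __name__ == "__main__":
    for h in hosts_from_default_rule(["nvr", "traefik"]) + ["a.nvr.example.com"]:
        print(h, "->", best_certificate(h) or "traefik default (self-signed)")
```

Every host the posted defaultRule produces (service name plus domain) is one label below example.com, so a single wildcard certificate in the store covers all of them; a host nested one level deeper falls through to the default certificate.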

If I'm using a wildcard certificate, does that mean I can get away with something like:

      - "traefik.http.routers.traefik-base.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.traefik-base.tls=true"
      - "traefik.http.routers.traefik-base.tls.certresolver=default"

or do I need to specify certresolver on a router for every individual service?