HTTPS error with traefik

mps · April 25, 2024, 10:08pm

I'm trying to put my own certificates on traefik, but it's not working.
The page is not load with https on backend or frontend.
Any idea?

---
version: '3.8'
name: intranet

services:
  traefik:
    image: traefik:v2.10

    ports:
      - 80:80
      - 443:443

    labels:
      - traefik.enable=true
      - traefik.constraint-label=public

      - traefik.http.routers.traefik-admin.rule=Host(`traefik.intranet.localhost`)
      - traefik.http.routers.traefik-admin.entrypoints=web
      - traefik.http.routers.traefik-admin.service=api@internal

      - traefik.http.services.traefik-public.loadbalancer.server.port=8000

      - traefik.http.middlewares.gzip.compress=true
      - traefik.http.middlewares.gzip.compress.excludedcontenttypes=image/png, image/jpeg, font/woff2

      - traefik.http.middlewares.testHeader.headers.contentTypeNosniff=true
      - traefik.http.middlewares.testHeader.headers.browserXssFilter=true

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./devops/certs-traefik.yaml:/etc/traefik/dynamic/certs-traefik.yaml
      - ./devops/certificates/:/etc/certs/

    command:
      - --providers.docker
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `public`)
      - --providers.docker.exposedbydefault=false
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --accesslog
      - --log
      - --api
    
    networks:
      - traefik_public

  purger:
    image: ghcr.io/kitconcept/cluster-purger:latest
    platform: linux/amd64
    environment:
      PURGER_SERVICE_NAME: varnish
      PURGER_SERVICE_PORT: 80
      PURGER_MODE: "compose"
      PURGER_PUBLIC_SITES: "['intranet.localhost']"
    networks:
      - traefik_public

  varnish:
    build:
      context: devops/varnish
    labels:
      - traefik.enable=true
      - traefik.constraint-label=public
      - traefik.http.services.svc-varnish.loadbalancer.server.port=80
    depends_on:
      - backend
    networks:
      - traefik_public
  
  frontend:
    build:
      context: ./frontend
    environment:
      RAZZLE_INTERNAL_API_PATH: http://backend:8080/intranet
      TZ: "America/Sao_Paulo"
    depends_on:
      - backend
    ports:
      - "3000:3000"
    networks:
      - traefik_public
    labels:
      - traefik.enable=true
      - traefik.constraint-label=public

      - traefik.http.services.svc-frontend.loadbalancer.server.port=3000

      # Routers
      ## /
      # ### Router: Varnish Public
      # - traefik.http.routers.rt-frontend-public.rule=Host(`intranet.localhost`)
      # - traefik.http.routers.rt-frontend-public.entrypoints=web
      # - traefik.http.routers.rt-frontend-public.service=svc-varnish
      # - traefik.http.routers.rt-frontend-public.middlewares=gzip
      # ### Router: Internal
      # - traefik.http.routers.rt-frontend-internal.rule=Host(`intranet.localhost`) && Headers(`X-Varnish-Routed`, `1`)
      # - traefik.http.routers.rt-frontend-internal.entrypoints=web
      # - traefik.http.routers.rt-frontend-internal.service=svc-frontend

      # Routers - HTTPS
      ### Router: Varnish Public
      - traefik.http.routers.rt-frontend-sec.rule=Host(`intranet.localhost`)
      - traefik.http.routers.rt-frontend-sec.entrypoints=websecure
      - traefik.http.routers.rt-frontend-sec.tls=true
      - traefik.http.routers.rt-frontend-sec.service=svc-varnish
      - traefik.http.routers.rt-frontend-sec.middlewares=gzip
      ### Router: Internal
      - traefik.http.routers.rt-frontend-internal-sec.rule=Host(`intranet.localhost`) && Headers(`X-Varnish-Routed`, `1`)
      - traefik.http.routers.rt-frontend-internal-sec.entrypoints=websecure
      - traefik.http.routers.rt-frontend-internal-sec.tls=true
      - traefik.http.routers.rt-frontend-internal-sec.service=svc-frontend

      - traefik.http.middlewares.testHeader.headers.contentTypeNosniff=true
      - traefik.http.middlewares.testHeader.headers.browserXssFilter=true

  backend:
    build:
      context: ./backend
    environment:
      RELSTORAGE_DSN: "dbname='${DB_NAME:-plone}' user='${DB_NAME:-plone}' host='${DB_HOST:-db}' password='${DB_PASSWORD:-passwd}' port='${DB_PORT:-5432}'"
      TZ: "America/Sao_Paulo"
    restart: on-failure
    depends_on:
      - db
    ports:
      - "8080:8080"
    labels:
      - traefik.enable=true
      - traefik.constraint-label=public
      # Services
      - traefik.http.services.svc-backend.loadbalancer.server.port=8080

      # Middlewares
      ## VHM rewrite /++api++/
      - "traefik.http.middlewares.mw-backend-vhm-api.replacepathregex.regex=^/\\+\\+api\\+\\+($$|/.*)"
      - "traefik.http.middlewares.mw-backend-vhm-api.replacepathregex.replacement=/VirtualHostBase/http/intranet.localhost/intranet/++api++/VirtualHostRoot$$1"

      ## VHM rewrite /ClassicUI/
      - "traefik.http.middlewares.mw-backend-vhm-classic.replacepathregex.regex=^/ClassicUI($$|/.*)"
      - "traefik.http.middlewares.mw-backend-vhm-classic.replacepathregex.replacement=/VirtualHostBase/http/intranet.localhost/intranet/VirtualHostRoot/_vh_ClassicUI$$1"

      ## /++api++/
      ### Router: Varnish Public
      - traefik.http.routers.rt-backend-api-public.rule=Host(`intranet.localhost`) && PathPrefix(`/++api++`)
      - traefik.http.routers.rt-backend-api-public.entrypoints=web
      - traefik.http.routers.rt-backend-api-public.service=svc-varnish
      - traefik.http.routers.rt-backend-api-public.middlewares=gzip, https-redirect

      ### Router: Internal
      - traefik.http.routers.rt-backend-api-internal.rule=Host(`intranet.localhost`) && PathPrefix(`/++api++`) && Headers(`X-Varnish-Routed`, `1`)
      - traefik.http.routers.rt-backend-api-internal.entrypoints=web
      - traefik.http.routers.rt-backend-api-internal.service=svc-backend
      - traefik.http.routers.rt-backend-api-internal.middlewares=gzip,mw-backend-vhm-api, https-redirect
      ## /ClassicUI
      - traefik.http.routers.rt-backend-classic.rule=Host(`intranet.localhost`) && PathPrefix(`/ClassicUI`)
      - traefik.http.routers.rt-backend-classic.entrypoints=web
      - traefik.http.routers.rt-backend-classic.service=svc-backend
      - traefik.http.routers.rt-backend-classic.middlewares=gzip,mw-backend-auth,mw-backend-vhm-classic, https-redirect

      # Routers - HTTPS
      ## /++api++/
      ### Router: Varnish Public
      - traefik.http.routers.rt-backend-api-sec.rule=Host(`intranet.localhost`) && PathPrefix(`/++api++`)
      - traefik.http.routers.rt-backend-api-sec.entrypoints=websecure
      - traefik.http.routers.rt-backend-api-sec.tls=true
      - traefik.http.routers.rt-backend-api-sec.service=svc-varnish
      - traefik.http.routers.rt-backend-api-sec.middlewares=gzip

      ### Router: Internal
      - traefik.http.routers.rt-backend-api-internal-sec.rule=Host(`intranet.localhost`) && PathPrefix(`/++api++`) && Headers(`X-Varnish-Routed`, `1`)
      - traefik.http.routers.rt-backend-api-internal-sec.entrypoints=websecure
      - traefik.http.routers.rt-backend-api-internal-sec.tls=true
      - traefik.http.routers.rt-backend-api-internal-sec.service=svc-backend
      - traefik.http.routers.rt-backend-api-internal-sec.middlewares=gzip,mw-backend-vhm-api
      ## /ClassicUI
      - traefik.http.routers.rt-backend-classic-sec.rule=Host(`intranet.localhost`) && PathPrefix(`/ClassicUI`)
      - traefik.http.routers.rt-backend-classic-sec.entrypoints=websecure
      - traefik.http.routers.rt-backend-classic-sec.tls=true
      - traefik.http.routers.rt-backend-classic-sec.service=svc-backend
      - traefik.http.routers.rt-backend-classic-sec.middlewares=gzip,mw-backend-auth,mw-backend-vhm-classic

      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true

      - traefik.http.middlewares.testHeader.headers.contentTypeNosniff=true
      - traefik.http.middlewares.testHeader.headers.browserXssFilter=true

    networks:
      - traefik_public

  db:
    image: postgres:15
    container_name: db
    environment:
      POSTGRES_NAME: plone
      POSTGRES_USER: plone
      POSTGRES_PASSWORD: passwd
      POSTGRES_DB: plone
      PGDATA: /var/lib/postgresql/data/pgdata
      TZ: "America/Sao_Paulo"
    volumes:
      - vol-site-data:/var/lib/postgresql/data
    networks:
      - traefik_public

  plone_pgadmin:
    image: dpage/pgadmin4
    container_name: plone_pgadmin
    environment:
      USER_PASSWORD: "plone"
      PGADMIN_DEFAULT_EMAIL: "plone@mail.com"
      PGADMIN_DEFAULT_PASSWORD: "plone"
      PGADMIN_CONFIG_WTF_CSRF_CHECK_DEFAULT: "False"
      TZ: "America/Sao_Paulo"
    ports:
      - "8000:80"
    depends_on:
      - db
    networks:
      - traefik_public


volumes:
  vol-site-data: {}

networks:
  traefik_public:
    external: true

jensens · April 26, 2024, 10:18am

It looks like there are no certificateresolvers configured?

Here is my Traefik Docker Compose snippet for reference, Hope that helps (I use environment variables for the details to be able to use the same compose file in testing and live environments):

  traefik:
    # Use the latest Traefik image
    image: traefik:v2.10
    ports:
    - target: 80
      published: 80
      protocol: tcp
      mode: host
    - target: 443
      published: 443
      protocol: tcp
      mode: host
    deploy:
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.traefik-public.traefik-public-certificates == true
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the traefik-public network (declared below)
        - traefik.docker.network=traefik-public
        # Use the custom label "traefik.constraint-label=traefik-public"
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik-public
        # admin-auth middleware with HTTP Basic auth
        # Using the environment variables USERNAME and HASHED_PASSWORD
        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable USERNAME not set}:${HASHED_PASSWORD?Variable HASHED_PASSWORD not set}
        # traefik-http set up only to use the middleware to redirect to https
        # traefik-https the actual router using HTTPS
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN?Variable DOMAIN not set}`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Use the "le" (Let's Encrypt) resolver created below
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        # Enable HTTP Basic auth, using the middleware created above
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080

        # GENERIC MIDDLEWARES
        # A) https-redirect middleware to redirect HTTP to HTTPS
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true

        # B) redirect www to non or vice versa
        # B.1) "redirect-www-to-non-www"
        - traefik.http.middlewares.redirect-www-to-non-www.redirectregex.permanent=true
        - traefik.http.middlewares.redirect-www-to-non-www.redirectregex.regex=^https://www.(.*)/(.*)
        - traefik.http.middlewares.redirect-www-to-non-www.redirectregex.replacement=https://$${1}/$${2}
        # B.2) "redirect-www-to-non-www"
        - traefik.http.middlewares.redirect-non-www-to-www.redirectregex.permanent=true
        - traefik.http.middlewares.redirect-non-www-to-www.redirectregex.regex=^https://(.*)/(.*)
        - traefik.http.middlewares.redirect-non-www-to-www.redirectregex.replacement=https://www.$${1}/$${2}

        # C) compress
        - traefik.http.middlewares.gzip.compress=true
        - traefik.http.middlewares.gzip.compress.excludedcontenttypes=image/png, image/jpeg, font/woff2

        # D) middlewares to buffer incoming data and limit it
        # D.1) Normal Plone Site limits and buffers (request max 100MB, mem-buffered max 100k)
        - traefik.http.middlewares.limits-normal.buffering.maxRequestBodyBytes=104857600
        - traefik.http.middlewares.limits-normal.buffering.memRequestBodyBytes=102400
        # D.2) Large Plone Site limits and buffers (request max 1GB, mem-buffered max 500k)
        - traefik.http.middlewares.limits-large.buffering.maxRequestBodyBytes=1073741824
        - traefik.http.middlewares.limits-large.buffering.memRequestBodyBytes=512000

        # GENERIC ROUTERS
        # Catchall for http to https with prio match at end
        - traefik.http.routers.generic-https-redirect.entrypoints=http
        - traefik.http.routers.generic-https-redirect.rule=HostRegexp(`{host:.*}`)
        - traefik.http.routers.generic-https-redirect.priority=1
        - traefik.http.routers.generic-https-redirect.middlewares=https-redirect

    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volume to store the certificates
      - traefik-public-certificates:/certificates
      # Mount the volume for logs
      - traefik-log:/accesslog
    command:
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker
      # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      # Enable Docker Swarm mode
      - --providers.docker.swarmmode
      # Create an entrypoint "http" listening on address 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on address 80
      - --entrypoints.https.address=:443
      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.le.acme.email=${EMAIL?Variable EMAIL not set}
      # Use the staging acme server for initial testing
      # - "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.le.acme.tlschallenge=true
      # Enable the access log, with HTTP requests
      - --accesslog=true
      - --accesslog.filepath=/accesslog/access.log
      # Enable the Traefik log, for configurations and errors
      # - --log
      # optional set to debug
      #- --log.Level=DEBUG
      # Enable the Dashboard and API
      - --api
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - traefik-public

To use this for a (Classic) Plone site I usually set labels at least like so:

      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.constraint-label=traefik-public
        # SERVICE
        - traefik.http.services.${PROJECT?Unset}.loadbalancer.server.port=8080
        # ZMI
        - traefik.http.routers.${PROJECT?Unset}-zmi.rule=Host(`${ZMI_URL?Unset}`)
        - traefik.http.routers.${PROJECT?Unset}-zmi.entrypoints=https
        - traefik.http.routers.${PROJECT?Unset}-zmi.tls=true
        - traefik.http.routers.${PROJECT?Unset}-zmi.tls.certresolver=le
        - traefik.http.routers.${PROJECT?Unset}-zmi.service=${PROJECT?Unset}
        - traefik.http.middlewares.${PROJECT?Unset}-zmi.addprefix.prefix=/VirtualHostBase/https/${ZMI_URL?Unset}/VirtualHostRoot
        - traefik.http.routers.${PROJECT?Unset}-zmi.middlewares=gzip, ${PROJECT?Unset}-zmi
        # Plone base
        - traefik.http.routers.${PROJECT?Unset}-plone.rule=Host(`${MAIN_URL?Unset}`)
        - traefik.http.routers.${PROJECT?Unset}-plone.entrypoints=https
        - traefik.http.routers.${PROJECT?Unset}-plone.tls=true
        - traefik.http.routers.${PROJECT?Unset}-plone.tls.certresolver=le
        - traefik.http.routers.${PROJECT?Unset}-plone.service=${PROJECT?Unset}
        - traefik.http.middlewares.${PROJECT?Unset}-plone.addprefix.prefix=/VirtualHostBase/https/${MAIN_URL?Unset}/Plone/VirtualHostRoot
        - traefik.http.routers.${PROJECT?Unset}-plone.middlewares=gzip, ${PROJECT?Unset}-plone

mps · April 26, 2024, 1:57pm

I'm not using let's encrypt.

I'm trying to put my own certificates. I'm following this doc: Traefik TLS Documentation - Traefik

I'm based in this tutorial: Use Your Own Certificates with Traefik | by Clint Colding | Medium

So, I've created a file "certs-traefik.yaml" to reference the certificates.

tls:
  certificates:
    - certFile: /etc/certs/cert.crt
      keyFile: /etc/certs/cert_key.pem

In docker compose, I've set this file and the certificastes on volumes.

      - ./devops/certs-traefik.yaml:/etc/traefik/dynamic/certs-traefik.yaml
      - ./devops/certificates/:/etc/certs/