Hello!
When using haproxy It seems like I don’t get any responses from my traefik instance
I’ve really tried to figure it myself.
I had a suspicion that It might be because TLS Self-Signed certificate, because I was also using TLS within my Traefik instance back before but now I verify and use the my own certificate
EDIT:
I’ve double checked my traefik setup and search their documentation. But whenever I’m resolving the IP Address to the node where traefik is running I get the response.
When I’m using haproxy then I don’t see any traffic in traefik logs docker service logs <traefik_service>
Client : Uses "https://traefik.home"
|
(https / http)
|
V
HaProxy : Frontend is configured to receive https request on port 80, 8080, 443
Backend is configured to listen on all ports
|
(https / http)
|
V
Traefik Proxy : Receives http requests on port 80 and 443)
|
|
V
Docker Swarm Services
haproxy.conf:
global
maxconn 50000
maxpipes 50000
tune.maxaccept 500
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
log global
mode http
option dontlognull
option forwardfor
option httplog
timeout connect 5s
timeout client 5s
timeout server 5s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
stats enable
stats hide-version
stats refresh 30s
stats show-node
stats uri /stats
stats realm Haproxy\ Statistics
stats auth {{haproxy_stats_user}}:{{haproxy_stats_password}}
frontend http-and-https-in
mode http
bind :80
bind 8080
bind :443 ssl crt /home/{{ansible_user}}/ssl/rootCA.pem # My generated rootCA certificate with server-cert.cert, server-key.key, rootCA.pem
# uncomment to redirect http connects to https
# http-request redirect scheme https unless { ssl_fc } # Some of my services listen on http protocol
# max-age is mandatory. 16000000 seconds is approximately 6 months. Use a low value during testing.
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
default_backend docker_swarm_layer7
backend docker_swarm_layer7
mode http
balance source
option tcp-check
option log-health-checks
server host01 {{groups['swarm_managers'][0]}} check port 80 check port 443 ssl verify required ca-file /home/{{ansible_user}}/ssl/rootCA.pem
# I didn't specify any port after the IP, so that the backend listens on both 80 and 443 port
server host02 {{groups['swarm_managers'][1]}} check port 80 check port 443 ssl verify required ca-file /home/{{ansible_user}}/ssl/rootCA.pem
server host03 {{groups['swarm_managers'][2]}} check port 80 check port 443 ssl verify required ca-file /home/{{ansible_user}}/ssl/rootCA.pem
# To verify the certificate `ssl verify required ca-file /home/{{ansible_user}}/ssl/rootCA.pem`
$ curl -vk https://traefik.home:
* Host traefik.home:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.1.135
* Trying 192.168.1.135:443...
* Connected to traefik.home (192.168.1.135) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: O=mkcert development certificate; OU=cloufish@carbs
* start date: May 17 17:35:34 2024 GMT
* expire date: Aug 17 17:35:34 2026 GMT
* issuer: O=mkcert development CA; OU=cloufish@carbs; CN=mkcert cloufish@carbs
* SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (3072/128 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET / HTTP/1.1
> Host: traefik.home
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< cache-control: no-cache
< content-type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* TLSv1.3 (IN), TLS alert, close notify (256):
* Closing connection
traefik.conf:
### Static Configuration
tls:
certificates:
# first certificate
- certFile: "/certs/server-cert.pem"
keyFile: "/certs/server-key.pem"
http:
routers:
dashboard:
rule: Host(`traefik.home`)
service: api@internal
tls: { }
middlewares:
my-sablier: # For Sablier to Work
plugin:
sablier:
group: non-essential
dynamic:
displayName: The service starts...
refreshFrequency: 5s
showDetails: "true"
theme: ghost
sablierUrl: https://sablier:10000
sessionDuration: 1m
log:
level: DEBUG
api:
dashboard: true
serversTransport:
insecureSkipVerify: true
rootCAs:
- /certs/rootCA.pem
certificatesResolvers:
rootCAs:
- /certs/rootCA.pem
entryPoints:
web:
address: ":80"
gitea-ssh:
address: ":222"
websecure:
address: ":443"
providers:
swarm:
exposedByDefault: false
file:
directory: /configuration/
watch: true
# For Sablier to work:
experimental:
plugins:
sablier:
moduleName: "github.com/acouvreur/sablier"
version: "v1.6.1"
The script I’m using to generate certificates:
#!/usr/bin/env bash
#set -euo pipefail
#IFS=$'\n\t'
#LIST=''
mkcert -key-file server-key.pem -cert-file server-cert.pem \
"traefik.home" "portainer.home" [more subdomains...]
May 19 14:49:21 haproxy systemd[1]: Started HAProxy Load Balancer.
░░ Subject: A start job for unit haproxy.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit haproxy.service has finished successfully.
░░
░░ The job identifier is 13670.
May 19 14:49:21 haproxy haproxy[21883]: [WARNING] (21883) : Health check for server docker_swarm_layer7/host01 succeeded, reason: Layer4 check passed, check duration: 6ms, >
May 19 14:49:22 haproxy haproxy[21883]: [WARNING] (21883) : Health check for server docker_swarm_layer7/host02 succeeded, reason: Layer4 check passed, check duration: 1ms, >
May 19 14:49:23 haproxy haproxy[21883]: [WARNING] (21883) : Health check for server docker_swarm_layer7/host03 succeeded, reason: Layer4 check passed, check duration: 1ms, >
$ sestatus
SELinux status: disabled