New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Traefik tries to use HTTP/2 with NTLM #6608
Comments
On a side note: This used to work with v1.7 |
@tfenster We will try to investigate, but if it turns out that it definitely is not a configuration problem, we might have a hard time reproducing anyway since we do not run on windows. |
@mpl I am happy to provide whatever environment you need because it is very easily reproducible |
I would also try to fix it myself, but I can't figure out how to build on or for Windows. Is there any documentation or something that I missed? |
@mpl did you make any progress with this or can I provide you with a Windows-based environment so that you can repro? |
@tfenster no progress, and it's pretty unlikely that we'll make any in the short term, sorry. |
@mpl obviously not the answer I was hoping for, but I appreciate your openness. I'll try to find some time to figure this |
This is not depending on Traefik running on Windows, you can reproduce the behavior with Traefik running on Linux while forwarding requests to an IIS using NTLM (or probably any endpoint not supporting HTTP2 while using HTTPS). |
I took some time to investigate the issue. This can definitely be reproduced and it's not windows specific. This is due to the backend returning a
Since Traefik does not handle this status code it just get interpreted as an internal error. |
Do you want to request a feature or report a bug?
Bug
What did you do?
I have a service behind Traefik that uses Windows Auth. As stated here https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported, Windows Auth is not supported with HTTP/2. Unfortunately it seems to me like Traefik always uses HTTP/2 when the service scheme is https. This leads to the following error in the Traefik debug log:
If I run the backend service with http instead of https, then Windows Auth succeeds.
What did you expect to see?
Windows Authentication goes through, even when the backend service is running https. It would be good to have an option to e.g. force http/1.1 between Traefik and backend when needed
What did you see instead?
Windows Authentication fails
Output of
traefik version
: (What version of Traefik are you using?)What is your environment & configuration (arguments, toml, provider, platform, ...)?
My docker-compose.yml looks like this when it works. Note that I disable SSL for the backend service and then use scheme http and port 80 on the service loadBalancer
If docker-compose.yml looks like this then it doesn't work. Note that I enable SSL for the backend service and then use scheme https and port 443 on the service loadBalancer
The traefik config itself looks like this, unchanged in both cases. I've set insecureSkipVerify to true as the backend service uses self-signed certificates:
If applicable, please paste the log output in DEBUG level (
--log.level=DEBUG
switch)see above
The text was updated successfully, but these errors were encountered: