Reverse proxy https to http backends fails #1180

Closed
creynders opened this issue Feb 22, 2017 · 3 comments

@creynders

What version of Traefik are you using (traefik version)?

v1.1.2

What is your environment & configuration (arguments, toml...)?

Bare bones exemplary traefik.toml

InsecureSkipVerify = true
defaultEntryPoints = ["https"]
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[frontends]
  [frontends.bladerunner]
  backend="deckard"
  passHostHeader = true
    [frontends.bladerunner.routes.deckard]
    rule = "Host:deckard.example.com"
[backends]
  [backends.deckard]
    [backends.deckard.servers.harrison]
    url = "http://harrison.example.com/"
[acme]
  email = "silly@example.com"
  storage = "/etc/traefik/acme/acme.json"
  entryPoint = "https"
  OnHostRule = true
  [[acme.domains]]
    main="example.com"
    sans=["deckard.example.com"]

harrison.example.com is only accessible from the server running traefik (i.e. the one our A/AAAA records point deckard.example.com to)

What did you expect to see?

I'd expect to be able to connect to https://deckard.example.com, which would proxy pass the request to http://harrison.example.com while encrypting all communication to the client with automatic SSL

What did you see instead?

An error is thrown:

Error getting ACME certificate for domain [example.com deckard.example.com]: Cannot obtain certificates map[example.com:acme: Error 400 - urn:acme:error:malformed - Failed to connect to XXX.XXX.XXX.XXX:443 for TLS-SNI-01 challenge: Server only speaks HTTP, not TLS\nError Detail:\n\tValidation for example.com:443\n\tResolved to:\n\t\tXXX.XXX.XXX.XXX\n\tUsed: XXX.XXX.XXX.XXX\n\n]+v

Is this not possible, or am I missing something in my configuration?

@Berndinox

I do use the following entrypoint and that does work:

[entryPoints]
 [entryPoints.http]
 address = ":80"
 compress = false
   [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

@errm
Contributor

errm commented Feb 22, 2017

Yes I think you need to have port 80 open too for ACME to work...

@creynders
Author

Thanks for the answers. Turns out that the A-record for harrison.example.com pointed to the correct server, but there was another one for example.com which pointed to yet another server, which was the culprit!

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019
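
The cause found in this thread (an A record for example.com pointing at a different server than the one running Traefik) can be caught before a certificate is requested. The following is an added example, not code from the thread or from the Traefik project: it checks that every name in `[[acme.domains]]` resolves only to the proxy's own address. The function names, the `SAMPLE_DNS` table and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample mirroring the [[acme.domains]] table from the issue.
ACME_DOMAINS = [{"main": "example.com", "sans": ["deckard.example.com"]}]

# Constructed DNS answers reproducing the thread's situation:
# the apex record points at a different server than the proxy.
SAMPLE_DNS = {
    "example.com": ["198.51.100.7"],
    "deckard.example.com": ["203.0.113.10"],
}

def system_resolver(name):
    """Resolve address records with the OS resolver (for live use)."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def acme_names(domains):
    """Flatten main + sans of every entry, keeping order, without duplicates."""
    names = []
    for entry in domains:
        for name in [entry["main"], *entry.get("sans", [])]:
            if name not in names:
                names.append(name)
    return names

def preflight(domains, proxy_ips, resolve=system_resolver):
    """Return {name: problem} for each name the CA might validate elsewhere."""
    expected = {ipaddress.ip_address(ip) for ip in proxy_ips}
    problems = {}
    for name in acme_names(domains):
        try:
            answers = {ipaddress.ip_address(a) for a in resolve(name)}
        except (OSError, KeyError, ValueError) as exc:
            problems[name] = f"does not resolve: {exc}"
            continue
        stray = answers - expected  # any stray record can be picked by the CA
        if not answers:
            problems[name] = "no address records"
        elif stray:
            problems[name] = "resolves to " + ", ".join(sorted(map(str, stray)))
    return problems

if __name__ == "__main__":
    found = preflight(ACME_DOMAINS, ["203.0.113.10"], SAMPLE_DNS.__getitem__)
    for name, why in found.items():
        print(f"{name}: {why}")
```

Dropping the third argument makes `preflight` use the operating system's resolver instead of the constructed table.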