Cannot use the same Host rule on multiple entrypoints

[glitchcrab]

What did you do?

I have Traefik in front of the web UI on https://nvr.domain.com:443 for Unifi video and this works fine until I view a camera stream (which requires port 7446 to be open).

What did you expect to see?

I added a new entrypoint/frontend/backend to forward https://nvr.domain.com:7446 to the CCTV server. This should then proxy the stream over that port correctly.

What did you see instead?

Traefik fails to start.

Output of traefik version:

Version:      v1.4.1
Codename:     roquefort
Go version:   go1.9.1
Built:        2017-10-24_05:25:27PM
OS/Arch:      linux/arm

What is your environment & configuration (arguments, toml, provider, platform, ...)?

Details

{
 "GraceTimeOut": 10000000000,
 "Debug": false,
 "CheckNewVersion": true,
 "AccessLogsFile": "",
 "AccessLog": null,
 "TraefikLogsFile": "",
 "LogLevel": "INFO",
 "EntryPoints": {
  "http": {
   "Network": "",
   "Address": ":80",
   "TLS": null,
   "Redirect": {
    "EntryPoint": "https",
    "Regex": "",
    "Replacement": ""
   },
   "Auth": null,
   "WhitelistSourceRange": null,
   "Compress": false,
   "ProxyProtocol": null,
   "ForwardedHeaders": null
  },
  "https": {
   "Network": "",
   "Address": ":443",
   "TLS": {
    "MinVersion": "",
    "CipherSuites": null,
    "Certificates": null,
    "ClientCAFiles": null
   },
   "Redirect": null,
   "Auth": null,
   "WhitelistSourceRange": null,
   "Compress": false,
   "ProxyProtocol": null,
   "ForwardedHeaders": null
  },
  "nvrstream": {
   "Network": "",
   "Address": ":7446",
   "TLS": {
    "MinVersion": "",
    "CipherSuites": null,
    "Certificates": null,
    "ClientCAFiles": null
   },
   "Redirect": null,
   "Auth": null,
   "WhitelistSourceRange": null,
   "Compress": false,
   "ProxyProtocol": null,
   "ForwardedHeaders": null
  }
 },
 "Cluster": null,
 "Constraints": [],
 "ACME": {
  "Email": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "Domains": [
   {
    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "SANs": null
   },
   {
    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "SANs": null
   },
   {
    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "SANs": null
   },
   {
    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "SANs": null
   }
  ],
  "Storage": "acme.json",
  "StorageFile": "",
  "OnDemand": false,
  "OnHostRule": false,
  "CAServer": "",
  "EntryPoint": "https",
  "DNSProvider": "",
  "DelayDontCheckDNS": 0,
  "ACMELogging": true,
  "TLSConfig": null
 },
 "DefaultEntryPoints": [
  "http",
  "https"
 ],
 "ProvidersThrottleDuration": 2000000000,
 "MaxIdleConnsPerHost": 200,
 "IdleTimeout": 180000000000,
 "InsecureSkipVerify": false,
 "RootCAs": null,
 "Retry": null,
 "HealthCheck": {
  "Interval": 30000000000
 },
 "RespondingTimeouts": null,
 "ForwardingTimeouts": null,
 "Docker": null,
 "File": {
  "Watch": true,
  "Filename": "",
  "Constraints": null,
  "Trace": false,
  "DebugLogGeneratedTemplate": false,
  "Directory": ""
 },
 "Web": {
  "Address": ":8080",
  "CertFile": "",
  "KeyFile": "",
  "ReadOnly": false,
  "Statistics": null,
  "Metrics": null,
  "Path": "",
  "Auth": null,
  "Debug": false,
  "CurrentConfigurations": null,
  "Stats": null,
  "StatsRecorder": null
 },
 "Marathon": null,
 "Consul": null,
 "ConsulCatalog": null,
 "Etcd": null,
 "Zookeeper": null,
 "Boltdb": null,
 "Kubernetes": null,
 "Mesos": null,
 "Eureka": null,
 "ECS": null,
 "Rancher": null,
 "DynamoDB": null,
 "ConfigFile": "//traefik.toml"
}

traefik.toml

graceTimeOut = "10s"
debug = false
checkNewVersion = true
logLevel = "INFO"
ProvidersThrottleDuration = "2s"
IdleTimeout = "180s"
MaxIdleConnsPerHost = 200
InsecureSkipVerify = false
defaultEntryPoints = ["http", "https"]

[web]
address = ":8080"

[acme]
email = "user@domain.com"
storage = "acme.json"
entryPoint = "https"

[[acme.domains]]
   main = "nvr.domain.com"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.nvrstream]
  address = ":7446"
    [entryPoints.nvrstream.tls]

[file]
watch = true

[backends]
  [backends.nvr]
    [backends.nvr.servers.server1]
    url = "http://10.101.0.50:7080"
  [backends.nvrstream]
    [backends.nvrstream.servers.server1]
    url = "http://10.101.0.50:7446"

[frontends]
  [frontends.nvr]
  backend = "nvr"
  passHostHeader = true
    [frontends.nvr.routes.route1]
    rule = "Host:nvr.domain.com"
  [frontends.nvrstream]
  backend = "nvrstream"
  passHostHeader = true
  entrypoints = ["nvrstream"]  
  [frontends.nvrstream.routes.route1]
    rule = "Host:nvr.domain.com"

Debug log

docker run -it --rm -v /opt/docker/traefik/traefik.toml:/traefik.toml -v /opt/docker/traefik/acme.json:/acme.json traefik --debug
INFO[0000] Using TOML configuration file //traefik.toml 
INFO[2017-10-27T14:42:54Z] Traefik version v1.4.1 built on 2017-10-24_05:25:27PM 
DEBU[2017-10-27T14:42:54Z] Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","AccessLog":null,"TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":{"EntryPoint":"https","Regex":"","Replacement":""},"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":null,"ClientCAFiles":null},"Redirect":null,"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}},"nvrstream":{"Network":"","Address":":7446","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":null,"ClientCAFiles":null},"Redirect":null,"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}}},"Cluster":null,"Constraints":[],"ACME":{"Email":"user@domain.com","Domains":[{"Main":"nvr.domain.com","SANs":null}],"Storage":"acme.json","StorageFile":"","OnDemand":false,"OnHostRule":false,"CAServer":"","EntryPoint":"https","DNSProvider":"","DelayDontCheckDNS":0,"ACMELogging":false,"TLSConfig":null},"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":180000000000,"InsecureSkipVerify":false,"RootCAs":null,"Retry":null,"HealthCheck":{"Interval":30000000000},"RespondingTimeouts":null,"ForwardingTimeouts":null,"Docker":null,"File":{"Watch":true,"Filename":"//traefik.toml","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Directory":""},"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"/","Auth":null,"Debug":false,"CurrentConfigurations":null,"Stats":null,"StatsRecorder":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null} 
WARN[2017-10-27T14:42:54Z] top-level idle timeout configuration has been deprecated -- please use responding timeouts 
INFO[2017-10-27T14:42:54Z] Preparing server http &{Network: Address::80 TLS:<nil> Redirect:0x136fd740 Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x135cd940} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s 
WARN[2017-10-27T14:42:54Z] top-level idle timeout configuration has been deprecated -- please use responding timeouts 
INFO[2017-10-27T14:42:54Z] Preparing server https &{Network: Address::443 TLS:0x133d7590 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x135cd950} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s 
INFO[2017-10-27T14:42:54Z] Starting server on :80                       
INFO[2017-10-27T14:43:07Z] Loading ACME Account...                      
INFO[2017-10-27T14:43:07Z] Loaded ACME config from store acme.json      
DEBU[2017-10-27T14:43:07Z] Building ACME client...                      
DEBU[2017-10-27T14:43:08Z] AgreeToTOS...                                
INFO[2017-10-27T14:43:09Z] Retrieving ACME certificates...              
INFO[2017-10-27T14:43:09Z] Retrieved ACME certificates                  
DEBU[2017-10-27T14:43:09Z] Testing certificate renew...                 
WARN[2017-10-27T14:43:09Z] top-level idle timeout configuration has been deprecated -- please use responding timeouts 
INFO[2017-10-27T14:43:09Z] Preparing server nvrstream &{Network: Address::7446 TLS:0x133d7530 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x135cd960} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s 
INFO[2017-10-27T14:43:09Z] Starting server on :443                      
ERRO[2017-10-27T14:43:09Z] Error creating TLS config: No certificates found for TLS entrypoint nvrstream 
FATA[2017-10-27T14:43:09Z] Error preparing server: No certificates found for TLS entrypoint nvrstream

[dtomcej]

If you configure the nvrstream entrypoint as a TLS entrypoint with no certificates, traefik will fail to start.

You need to provide a certificate.

[nmengin]

@analbeard

As @dtomcej just said, you've got a problem because your nvrstream entrypoint has no TLS certificates.
Your ACME configuration is only vailable for the https entrypoint.

If you want to use ACME for both https and nvrstream entrypoints, you have to use DNS challenge.
Otherwise, you have to provide certificates for nvrstream because of LE uses the port 443 to do SNI challenge (by default in Træfik).

[glitchcrab]

Hi @dtomcej / @nmengin thanks for your help! That would certainly explain my issues. I have done as you suggested but as I don't use a supported DNS provider I need to take the manual route. I followed the guide, started in debug mode with acme logging enabled and awaited any instructions (as per the docs), but no joy. My config now is:

traefik.toml

graceTimeOut = "10s"
debug = true
checkNewVersion = true
logLevel = "INFO"
ProvidersThrottleDuration = "2s"
IdleTimeout = "180s"
MaxIdleConnsPerHost = 200
InsecureSkipVerify = false
defaultEntryPoints = ["http", "https"]

[web]
address = ":8080"

[acme]
email = "user@domain.com"
storage = "acme.json"
entryPoint = "https"
dnsProvider = "manual"
delayDontCheckDNS = 0
acmeLogging = true
OnHostRule = true

#[[acme.domains]]
#   main = "nvr.domain.com"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.nvrstream]
  address = ":7446"
#    [entryPoints.nvrstream.tls]

[file]
watch = true

[backends]
  [backends.nvr]
    [backends.nvr.servers.server1]
    url = "http://10.101.0.50:7080"
  [backends.nvrstream]
    [backends.nvrstream.servers.server1]
    url = "http://10.101.0.50:7446"

[frontends]
  [frontends.nvr]
  backend = "nvr"
  passHostHeader = true
    [frontends.nvr.routes.route1]
    rule = "Host:nvr.domain.com"
  [frontends.nvrstream]
  backend = "nvrstream"
  passHostHeader = true
  entrypoints = ["nvrstream"]  
  [frontends.nvrstream.routes.route1]
    rule = "Host:nvr.domain.com"

logs

INFO[0000] Using TOML configuration file //traefik.toml 
INFO[2017-10-28T20:17:12Z] Traefik version v1.4.1 built on 2017-10-24_05:25:27PM 
DEBU[2017-10-28T20:17:12Z] Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","AccessLog":null,"TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":{"EntryPoint":"https","Regex":"","Replacement":""},"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":null,"ClientCAFiles":null},"Redirect":null,"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}},"nvrstream":{"Network":"","Address":":7446","TLS":null,"Redirect":null,"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}}},"Cluster":null,"Constraints":[],"ACME":{"Email":"user@domain.com","Domains":null,"Storage":"acme.json","StorageFile":"","OnDemand":false,"OnHostRule":true,"CAServer":"","EntryPoint":"https","DNSProvider":"manual","DelayDontCheckDNS":0,"ACMELogging":true,"TLSConfig":null},"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":180000000000,"InsecureSkipVerify":false,"RootCAs":null,"Retry":null,"HealthCheck":{"Interval":30000000000},"RespondingTimeouts":null,"ForwardingTimeouts":null,"Docker":null,"File":{"Watch":true,"Filename":"//traefik.toml","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Directory":""},"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"/","Auth":null,"Debug":false,"CurrentConfigurations":null,"Stats":null,"StatsRecorder":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null} 
WARN[2017-10-28T20:17:12Z] top-level idle timeout configuration has been deprecated -- please use responding timeouts 
INFO[2017-10-28T20:17:12Z] Preparing server https &{Network: Address::443 TLS:0x132192c0 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x1364cea0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s 
INFO[2017-10-28T20:17:23Z] Loading ACME Account...                      
INFO[2017-10-28T20:17:23Z] Loaded ACME config from store acme.json      
DEBU[2017-10-28T20:17:23Z] Building ACME client...                      
DEBU[2017-10-28T20:17:24Z] Using DNS Challenge provider: manual         
DEBU[2017-10-28T20:17:24Z] AgreeToTOS...                                
INFO[2017-10-28T20:17:25Z] Retrieving ACME certificates...              
WARN[2017-10-28T20:17:25Z] top-level idle timeout configuration has been deprecated -- please use responding timeouts 
INFO[2017-10-28T20:17:25Z] Starting server on :443                      
INFO[2017-10-28T20:17:25Z] Preparing server nvrstream &{Network: Address::7446 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x1364d030} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s 
INFO[2017-10-28T20:17:25Z] Retrieved ACME certificates                  
DEBU[2017-10-28T20:17:25Z] Testing certificate renew...                 
WARN[2017-10-28T20:17:25Z] top-level idle timeout configuration has been deprecated -- please use responding timeouts 
INFO[2017-10-28T20:17:25Z] Preparing server http &{Network: Address::80 TLS:<nil> Redirect:0x13367280 Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x1364ce90} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s 
INFO[2017-10-28T20:17:25Z] Starting provider *file.Provider {"Watch":true,"Filename":"//traefik.toml","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Directory":""} 
INFO[2017-10-28T20:17:25Z] Starting provider *web.Provider {"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"/","Auth":null,"Debug":true,"CurrentConfigurations":{},"Stats":{"Uptime":"2017-10-28T20:17:25.325472836Z","Pid":1,"ResponseCounts":{},"TotalResponseCounts":{},"TotalResponseTime":"0001-01-01T00:00:00Z"},"StatsRecorder":null} 
INFO[2017-10-28T20:17:25Z] Starting server on :7446                     
INFO[2017-10-28T20:17:25Z] Starting server on :80                       
DEBU[2017-10-28T20:17:25Z] Validation of load balancer method for backend nvr failed: invalid load-balancing method ''. Using default method wrr. 
DEBU[2017-10-28T20:17:25Z] Validation of load balancer method for backend nvrstream failed: invalid load-balancing method ''. Using default method wrr. 
DEBU[2017-10-28T20:17:25Z] Configuration received from provider file: {"backends":{"nvr":{"servers":{"server1":{"url":"http://10.101.0.50:7080","weight":0}},"loadBalancer":{"method":"wrr"}},"nvrstream":{"servers":{"server1":{"url":"http://10.101.0.50:7446","weight":0}},"loadBalancer":{"method":"wrr"}}},"frontends":{"nvr":{"entryPoints":["http","https"],"backend":"nvr","routes":{"route1":{"rule":"Host:nvr.domain.com"}},"passHostHeader":true,"priority":0,"basicAuth":null,"headers":{}},"nvrstream":{"entryPoints":["nvrstream"],"backend":"nvrstream","routes":{"route1":{"rule":"Host:nvr.domain.com"}},"passHostHeader":true,"priority":0,"basicAuth":null,"headers":{}}}} 
DEBU[2017-10-28T20:17:25Z] Last file config received more than 2s, OK   
DEBU[2017-10-28T20:17:25Z] Creating frontend nvr                        
DEBU[2017-10-28T20:17:25Z] Wiring frontend nvr to entryPoint http       
DEBU[2017-10-28T20:17:25Z] Creating route route1 Host:nvr.domain.com 
DEBU[2017-10-28T20:17:25Z] Creating entryPoint redirect http -> https : ^(?:https?:\/\/)?([\w\._-]+)(?::\d+)?(.*)$ -> https://$1:443$2 
DEBU[2017-10-28T20:17:25Z] Creating backend nvr                         
DEBU[2017-10-28T20:17:25Z] Creating load-balancer wrr                   
DEBU[2017-10-28T20:17:25Z] Creating server server1 at http://10.101.0.50:7080 with weight 0 
DEBU[2017-10-28T20:17:25Z] Wiring frontend nvr to entryPoint https      
DEBU[2017-10-28T20:17:25Z] Creating route route1 Host:nvr.domain.com 
DEBU[2017-10-28T20:17:25Z] Creating backend nvr                         
DEBU[2017-10-28T20:17:25Z] Creating load-balancer wrr                   
DEBU[2017-10-28T20:17:25Z] Creating server server1 at http://10.101.0.50:7080 with weight 0 
DEBU[2017-10-28T20:17:25Z] Creating frontend nvrstream                  
DEBU[2017-10-28T20:17:25Z] Wiring frontend nvrstream to entryPoint nvrstream 
DEBU[2017-10-28T20:17:25Z] Creating route route1 Host:nvr.domain.com 
DEBU[2017-10-28T20:17:25Z] Creating backend nvrstream                   
DEBU[2017-10-28T20:17:25Z] Creating load-balancer wrr                   
DEBU[2017-10-28T20:17:25Z] Creating server server1 at http://10.101.0.50:7446 with weight 0 
INFO[2017-10-28T20:17:25Z] Server configuration reloaded on :443        
INFO[2017-10-28T20:17:25Z] Server configuration reloaded on :7446       
INFO[2017-10-28T20:17:25Z] Server configuration reloaded on :80         
DEBU[2017-10-28T20:17:25Z] LoadCertificateForDomains [nvr.domain.com]... 
DEBU[2017-10-28T20:17:25Z] Look for provided certificate to validate [nvr.domain.com]... 
DEBU[2017-10-28T20:17:25Z] No provided certificate found for domains [nvr.domain.com], get ACME certificate.

If I uncomment [entryPoints.nvrstream.tls] then I get the following:

ERRO[2017-10-28T20:28:20Z] Error creating TLS config: No certificates found for TLS entrypoint nvrstream 
FATA[2017-10-28T20:28:20Z] Error preparing server: No certificates found for TLS entrypoint nvrstream

[nmengin]

@analbeard

Your configuration SGTM.
Thanks to it you can generate a LE certificate for the domain nvr.domain.com and access to your backends directly in HTTPS by the port 443.
If you do a HTTP request on the port 80, it will be redirect in HTTPS to the port 443.

Your entryPoint nvrstream can be access in HTTP.
If you have to use HTTPS protocol for this entryPoint without using DNS challenge, you have to provide TLS certificates manually as described in the documentation.

For the moment, Træfik does not allow defining a TLS entryPoint with no provided certificates or LE configuration.

[nmengin]

@analbeard Any news?

@AndrewBucklin

For the moment, Træfik does not allow defining a TLS entryPoint with no provided certificates or LE configuration.

This will be merged for the next major version #2233.

[glitchcrab]

@nmengin apologies, life got in the way.

Your entryPoint nvrstream can be access in HTTP.
If you have to use HTTPS protocol for this entryPoint without using DNS challenge, you have to provide TLS certificates manually as described in the documentation.

For the moment, Træfik does not allow defining a TLS entryPoint with no provided certificates or LE configuration.

Understood - in that case I'll need to work with DNS challenge instead. Thanks!

[nmengin]

OK @analbeard .

I close the issue