17

With docker, I try to setup a traefik backend using HTTPS port 443, so communication between the traefik container and the app container (apache 2.4) will be encrypted.

I got an Internal Server Error if i activate traefik.protocol=https and traefik.port=443 on my docker container. This issue has been documented here: https://github.com/containous/traefik/issues/2770#issuecomment-374926137

Exactly same setup work great with jwidler/nginx-proxy (reverse proxy available on docker hub) for instance. Certificates on the container (apache 2.4 running inside) are real signed one (i installed them on traefik and on the apache of my container). If i request directly my apache container with https://... all browsers say certificate is valid (green). So the certificates in the container are ok.

The question is simple: Using InsecureSkipVerify = true is not safe. Is there any solution for production to be able to make work a container backend with label traefik.protocol=https and traefik.port=443, by using a certificate issued by a well-know authority (in my case Gandi or Comodo).

Thanks.

dirkj
  • 38
  • 4
Yivan
  • 191
  • 1
  • 1
  • 4

5 Answers5

15

I guess you may need to add 

InsecureSkipVerify = true

in the main/global section

Please refer to https://docs.traefik.io/configuration/commons/, which says:

InsecureSkipVerify : If set to true invalid SSL certificates are accepted for backends.
Note: This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
chxzqw
  • 159
  • 1
  • 6
3

I only managed to expose the Kubernetes Dashboard with setting InsecureSkipVerify = true. Here is how I added it to the traefik deployment file (last line):

spec:
  serviceAccountName: traefik-ingress-controller
  terminationGracePeriodSeconds: 60
  containers:
  - image: traefik
    name: traefik-ingress-lb
    ports:
    - name: https
      containerPort: 443
    args:
    - --api
    - --kubernetes
    - --logLevel=INFO
    - --defaultentrypoints=https
    - --entrypoints=Name:https Address::443 TLS
    - --insecureSkipVerify=true
Newalp
  • 733
  • 1
  • 7
  • 11
1

The problem for me was traefik.protocol=https; this was not necessary to enable https and directly caused the 500.

Californian
  • 808
  • 1
  • 8
  • 15
0

As mentioned earlier:

That's specifically listed as not a good solution in the question. As of the writing of this comment, Traefik does not support SNI for backend connections, so there's no way to use any kind of certificate without an IP SAN for the backend's IP. – Rafael Fonseca Sep 23 '18 at 23:40

https://github.com/traefik/traefik/issues/3906 addresses this problem.

Traefik communicates with the backend internally in a node via IP addresses. For those the used certificate is not valid.

There are two options:

  1. Communicate via http between Traefik and the backend
  2. Use --insecureSkipVerify=true to ignore the certificate validation

The first solution is configured at the ingress:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: some-ingress
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
    spec:
      rules:
      - http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service-name
                port:
                  number: 80
      tls:
      - secretName: traefik-cert

The second solution is to set --serversTransport.insecureSkipVerify=true via arg.

Marcel Melzig
  • 363
  • 6
  • 13
0

To enable an Https-Backend-Connection on a certain container, you can use

- "traefik.http.services.service0.loadbalancer.server.scheme=https"

as a label on the Docker container.

Reference on Github

os_1
  • 105
  • 5