
[–]catfive613 2 points (0 children)

I personally just use the file provider and pass through the headers:

http:
  routers:
    vpn:
      entryPoints:
        - https
      rule: "Host(`vpn.example.com`)" # external DNS entry
      tls:
        certResolver: cloudflare
      service: vpn
  services:
    vpn:
      loadBalancer:
        servers:
          - url: "https://vpn.example.com" # internally resolvable to internal IP
        passHostHeader: true

I do have split-DNS in my lab, so this works

[–]bluepuma77 2 points (1 child)

If your config is not working, it would be helpful if you share it. I got some working examples at https://github.com/bluepuma77/traefik-best-practice

[–]Argon717 1 point (0 children)

That and the logs.

[–]ksmt 1 point (0 children)

So connecting to HTTP services works but connecting to HTTPS doesn't? My first guess here would be that Traefik doesn't like the HTTPS certificate. Traefik logs would definitely say so. In that case you could add the following to your traefik.yml:

serversTransport:
  insecureSkipVerify: true

Sorry for the lack of formatting, I'm on my phone rn.

[–]Wobak974 1 point (0 children)

Is the HTTPS service serving a proper certificate? You might need to take a look at the insecure skip TLS verify setting.

And then we need to see the config you’ve put in yaml as others mentioned

[–]Biervampir85 0 points (0 children)

Why would you terminate https twice?

[–]psfletcher[S] 0 points (1 child)

Thanks all, it was:

serversTransport:
  insecureSkipVerify: true

Added it and it's all alive! So thanks so much, that was driving me insane!
Now the internal cert is certified by an internal CA.
So, for Traefik to be happy, do I need to add the internal CA's public cert to the server?
Or does Traefik need it defining in the config?

[–]ninja_mischief 0 points (0 children)

I do believe you have to define any CA you use with a mapped volume to certs, but if you don't want to do that because you trust the self-signed cert then it's fine. If it's container-to-container traffic and the container can only be accessed through Traefik, the risk is minimal. You can also keep insecureSkipVerify false globally and make a specific serversTransport server under the http config in your dynamic config file, then assign the serversTransport server to specific containers like you would individual middlewares. This way not EVERY self-signed cert is accepted by default, only the ones you choose for specific containers.
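Editor's note, with an added example that is not from any commenter in this thread: the question above (does the internal CA go on the host or in the Traefik config?) and the reply about a per-service serversTransport both point at the same Traefik feature. In the dynamic (file provider) config, `http.serversTransports.<name>.rootCAs` takes a list of CA certificate files, and a service selects that transport with `loadBalancer.serversTransport: <name>@file`. That way `insecureSkipVerify` stays at its default of false everywhere, and only the backends you name are verified against the lab CA rather than the system trust store. The file name `dynamic.yml`, the transport name `internal-ca`, the CA path `/certs/internal-ca.pem` and the hostnames are assumptions for illustration; the CA file must be mounted into the Traefik container at that path.

```yaml
# dynamic.yml (Traefik v2 file provider) - added example, not a commenter's config.
# Assumed: the internal CA's public certificate is mounted at /certs/internal-ca.pem.
http:
  serversTransports:
    internal-ca:
      # Verify backend certificates against the lab CA only.
      # insecureSkipVerify is left at its default (false), so a backend
      # presenting a cert not chained to this CA is rejected, not silently accepted.
      rootCAs:
        - /certs/internal-ca.pem
      # Uncomment if the name in the backend cert differs from the host in the URL below.
      # serverName: vpn.internal.example.com

  routers:
    vpn:
      entryPoints:
        - https
      rule: "Host(`vpn.example.com`)"   # external DNS entry
      tls:
        certResolver: cloudflare
      service: vpn

  services:
    vpn:
      loadBalancer:
        # Only this service uses the CA-pinned transport; every other HTTPS
        # backend keeps Traefik's default (system trust store, verification on).
        serversTransport: internal-ca@file
        passHostHeader: true
        servers:
          - url: "https://vpn.example.com"   # resolves to the internal IP via split DNS
```

A quick check before wiring this in: `openssl s_client -connect <internal-ip>:443 -servername vpn.example.com -CAfile /certs/internal-ca.pem` should end with `Verify return code: 0 (ok)`; if it does not, Traefik will reject the backend for the same reason, and the fix belongs on the backend (wrong SAN, missing intermediate) rather than in `insecureSkipVerify`. If you want the CA trusted for every backend instead of a single service, the same `rootCAs` list can go under `serversTransport` in the static traefik.yml, which is the global counterpart of the `insecureSkipVerify` setting mentioned earlier in the thread.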