Traefik serves traffic on port 80 over https #10854

Open
2 tasks done
ghorio opened this issue Jun 27, 2024 · 1 comment

ghorio commented Jun 27, 2024

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

Hello, I have inherited a Traefik deployment running on Kubernetes. It seems to have been installed using the Helm chart traefik-10.3.6; unfortunately I have no values file or anything, but I can view the deployment and the args.

What did you see instead?

Everything has been running smoothly until we noticed that port 80 is accessible using HTTPS, so basically accessing https://example.com:80/ opens up the default 404 page not found.

From traefik access.log -

{"ClientAddr":"10.10.39.11:55780","ClientHost":"10.10.39.11","ClientPort":"55780","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":203245,"OriginContentSize":19,"OriginDuration":28785,"OriginStatus":404,"Overhead":174460,"RequestAddr":"example.com:80","RequestContentSize":0,"RequestCount":795,"RequestHost":"example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"80","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2024-06-26T12:43:00.08648126Z","StartUTC":"2024-06-26T12:43:00.08648126Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"web","level":"info","msg":"","time":"2024-06-26T12:43:00Z"}

What version of Traefik are you using?

Docker image is traefik:2.5.3

What is your environment & configuration?

- --global.checknewversion
- --global.sendanonymoususage
- --entryPoints.metrics.address=:9100/tcp
- --entryPoints.traefik.address=:9000/tcp
- --entryPoints.web.address=:8000/tcp
- --entryPoints.websecure.address=:8443/tcp
- --api.dashboard=true
- --ping=true
- --accesslog
- --accesslog.filepath=/data/access.log
- --accesslog.fields.defaultmode=keep
- --accessLog.fields.names.RequestHost=keep
- --accesslog.format=json
- --metrics.prometheus=true
- --metrics.prometheus.entrypoint=metrics
- --providers.kubernetescrd
- --providers.kubernetesingress
- --api.dashboard=true
- --log.level=INFO
- --providers.kubernetesingress.ingressclass=traefik-internal
- --serversTransport.insecureSkipVerify=true
- --providers.file.filename=/traefik/traefik.yaml

The dynamic config file /traefik/traefik.yaml

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

These are the IngressRoutes for this specific host (but it happens on all the hosts)

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    meta.helm.sh/release-name: example
    meta.helm.sh/release-namespace: example-test
  labels:
    app.kubernetes.io/instance: example
    app.kubernetes.io/managed-by: Helm
  name: example-http
  namespace: example-test
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`example.com`)
    middlewares:
    - name: example-redirect
    services:
    - name: nginx-app
      port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    meta.helm.sh/release-name: example
    meta.helm.sh/release-namespace: example-test
  labels:
    app.kubernetes.io/instance: example
    app.kubernetes.io/managed-by: Helm
  name: example
  namespace: example-test
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`example.com`)
    services:
    - name: nginx-app
      port: 80
  tls:
    options:
      name: tlsoptions

And here is the Middleware

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  annotations:
    meta.helm.sh/release-name: example
    meta.helm.sh/release-namespace: example-test
  labels:
    app.kubernetes.io/managed-by: Helm
  name: example-redirect
  namespace: example-test
spec:
  redirectScheme:
    permanent: true
    scheme: https

But it seems like it does not even get to my IngressRoute rule or any router. I would like to understand why it even serves HTTPS over port 80 and how I could disable this.
Thanks!

If applicable, please paste the log output in DEBUG level

When enabling --log.level=DEBUG nothing shows up at all when accessing https://example.com:80

ghorio commented Jun 27, 2024

OK, so when I edit the example IngressRoute and add - web to entryPoints, https://example.com:80 now opens up my web app as it would when using just https://example.com

............
spec:
  entryPoints:
  - websecure
  - web
  routes:
,.........

What I still don't quite understand is why it would think of https:// as a web entrypoint?
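A way to measure how often this happens, as an added example that is not part of the issue or of Traefik: the script below scans JSON access log lines for TLS-terminated requests recorded on an entry point that is meant to be plaintext, which is the condition visible in the log entry quoted above. It assumes that entries for non-TLS requests carry `RequestScheme` `http` and no `TLSVersion` value; the function names and the sample lines after the first are constructed for illustration.

```python
import json
from collections import Counter

# Entry points expected to carry plaintext HTTP only. "web" is the issue's
# --entryPoints.web.address=:8000/tcp; adjust for other deployments.
PLAINTEXT_ENTRYPOINTS = {"web"}

# Constructed sample input: the first line is a shortened copy of the access
# log entry quoted in the issue, the others are made up for contrast.
SAMPLE_LOG = """\
{"ClientHost":"10.10.39.11","DownstreamStatus":404,"RequestAddr":"example.com:80","RequestPath":"/","RequestScheme":"https","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"web"}
{"ClientHost":"10.10.39.12","DownstreamStatus":301,"RequestAddr":"example.com","RequestPath":"/","RequestScheme":"http","entryPointName":"web"}
{"ClientHost":"10.10.39.13","DownstreamStatus":200,"RequestAddr":"example.com","RequestPath":"/","RequestScheme":"https","TLSVersion":"1.3","entryPointName":"websecure"}
this line is not JSON and must be skipped
"""


def is_tls(entry):
    """True when the entry records a TLS-terminated request (assumed fields)."""
    version = entry.get("TLSVersion", "")
    return entry.get("RequestScheme") == "https" or version not in ("", "-")


def find_tls_on_plaintext(lines, plaintext=PLAINTEXT_ENTRYPOINTS):
    """Return (findings, skipped): TLS requests seen on plaintext entry points."""
    findings, skipped = [], 0
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            skipped += 1  # blank, truncated or non-JSON line
            continue
        if entry.get("entryPointName") in plaintext and is_tls(entry):
            findings.append(entry)
    return findings, skipped


def summarize(findings):
    """Count findings per (entry point, requested address, response status)."""
    keys = ("entryPointName", "RequestAddr", "DownstreamStatus")
    return Counter(tuple(f.get(k) for k in keys) for f in findings)


if __name__ == "__main__":
    hits, bad = find_tls_on_plaintext(SAMPLE_LOG.splitlines())
    print(dict(summarize(hits)), "unparseable lines:", bad)
```

Run it against the file named by `--accesslog.filepath` by passing the open file object as `lines`.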
