Search code examples
dockernginxhttpstraefik

Traefik and Nginx with HTTPS on Docker / 400 Bad Request

I'm trying to build stack with Traefik and Nginx based on Docker. Without HTTPS is everything fine, but I get an error as soon as I put on HTTPS configuration.

I'm getting this error from Nginx on example.com: 400 Bad Request / The plain HTTP request was sent to HTTPS port. In the address bar I can see the green lock saying connection is secure.

Certbot works fine so I have real SSL certificate inside the proper folder.

I can get to the Traefik dasboard when I visit traefik.example.com but I have to accept no SSL browser warning and dasboard is also working without HTTPS.

docker-compose.yml

version: '3.4'
services:
    traefik:
        image: traefik:latest
        ports:
            - "80:80"
            - "443:443"
            - "8080:8080"
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - ./traefik/traefik.toml:/etc/traefik/traefik.toml
            - ../letsencrypt:/etc/letsencrypt
        labels:
            - traefik.backend=traefik
            - traefik.frontend.rule=Host:traefik.example.com
            - traefik.port=8080
        networks:
           - traefik
    nginx:
        image: nginx:latest
        volumes:
            - ../www:/var/www
            - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf
            - ../letsencrypt:/etc/letsencrypt
        labels:
            - traefik.backend=nginx
            - traefik.frontend.rule=Host:example.com
            - traefik.port=80
            - traefik.port=443
        networks:
            - traefik
networks:
    traefik:
        driver: overlay
        external: true
        attachable: true

traefik.toml

defaultEntryPoints = ["http", "https"]

[web]
    address = ":8080"

[entryPoints]
    [entryPoints.http]
        address = ":80"
        [entryPoints.http.redirect]
            entryPoint = "https"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
            [[entryPoints.https.tls.certificates]]
                certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
                keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"

[docker]
    domain="example.com"
    watch = true
    exposedByDefault = true
    swarmMode = false

nginx.conf

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl http2;

    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/public;
    index index.html;
}

Thanks for your help.

Solution

  • First there is no need to have SSL redirection configured in both Traefik and Nginx. Also Traefik frontend is matching only non www variant but backend app expects www. Finally Traefik web provider is deprecated so there should be newer api provider.