I’d like to run the Rancher server behind Traefik so that Traefik is the HTTPS entrypoint with Let’s Encrypt certificate. Reading http://docs.rancher.com/rancher/v1.2/en/installing-rancher/installing-server/basic-ssl-config/ it looks like there is some additional configuration needed in terms of setting headers. So is it possible to run Rancher server behind Traefik?
I can’t think of any reason why not. I use HAProxy and it works without these seemingly redundant parts described on the page you reference:
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
use_backend rancher_servers if is_websocket
I do add this header and value (as detailed in the Apache config on that page):
X-Forwarded-Proto "https"
But it’s pretty redundant as I make use of HSTS (Strict-Transport-Security header).
Should you care, I also add a number of other security related headers: X-Frame-Options, X-XSS-Protection and X-Content-Type-Options. I also delete the Server header.
I did add the secure and httponly flags to all cookies but had some issues - I’ve not revisited this yet.
I also do mutual TLS auth, TLS CN restriction, target FQDN restriction and source IP restriction.
I think Traefik lacks the support to add headers like the “Upgrade” header, but I’m not sure. In the end, I’m not sure if Traefik supports WebSocket or not; the documentation is not that helpful here.
Nevertheless, I tried to put Rancher behind Traefik with the following configuration:
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[file]
# rules
[backends]
  [backends.rancher]
    [backends.rancher.servers.server1]
    url = "http://myinternalrancher.example.com:8080"

[frontends]
  [frontends.rancher]
  backend = "rancher"
  entrypoints = ["http", "https"]
    [frontends.rancher.routes.default]
    rule = "Host:rancher.example.com"
Rancher is now reachable through Traefik, but login is not possible. I’m always sent back to the Login page, even with the correct credentials.
I think I initially had the same issue with HAProxy now that you mention it. Most likely this issue is because the X-Forwarded-Proto header isn’t inserted by Traefik. You could test this by removing the redirect on the http entrypoint perhaps?
Also, I don’t see any TLS configuration for the cert and key?
I’ve tried your suggestion and tested it over plain HTTP; I still get redirected back to the login page. Certificates are coming from Let’s Encrypt; I omitted this in the example configuration. Here is my current complete configuration (changed hostnames).
# global settings (in TOML these must come before the first table header,
# otherwise they are read as keys of the preceding table)
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[web]
address = ":8088"

[acme]
email = "mymail@example.com"
storageFile = "/etc/traefik/acme.json"
entryPoint = "https"
  [[acme.domains]]
  main = "rancher.example.com"

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[file]
# rules
[backends]
  [backends.rancher]
    [backends.rancher.servers.server1]
    url = "http://rancherint.example.com:8080"

[frontends]
  [frontends.rancher]
  backend = "rancher"
  entrypoints = ["http", "https"]
    [frontends.rancher.routes.default]
    rule = "Host:rancher.example.com"
X-Forwarded-Proto is not redundant; the server needs enough information from the request it receives from the balancer to reconstruct the original request URL and doesn’t have it if you don’t tell it that the original request was https.
Randomly changing cookie settings is also not going to work. The only important cookie (token) will already be secure when everything else is set up correctly. Most of the cookies exist only for the UI, which is entirely client-side, to read, so making them httponly makes them useless.
Apologies for the misinformed statements in my earlier post, I’d correct them if I could.
I am facing a similar problem. Have you come to a solution?
You have to add "passHostHeader = true"
Sample is here: https://docs.traefik.io/toml/#file-backend
Used: traefik 1.3.0 rc3 and rancher 1.6.0
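Pulling the replies in this thread together into one Traefik 1.x file-backend configuration. This is an added example, not a configuration posted by anyone in the thread or shipped by the Traefik or Rancher projects: it takes passHostHeader = true from the last reply, the http-to-https redirect and ACME settings from the earlier configurations, and the HSTS, X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers mentioned in the HAProxy reply, expressed with Traefik's frontend headers table. Assumptions: the headers table and its keys (STSSeconds, FrameDeny, ContentTypeNosniff, BrowserXSSFilter) are available in the Traefik version you run (they are not on the page; drop that table if your version rejects it); Traefik's forwarder fills in X-Forwarded-Proto itself from whether the client connection used TLS, so it is deliberately not set as a static header here (a fixed "https" value would be wrong for any request that arrived over plain HTTP); hostnames and the e-mail address are the placeholders used in the thread.

```toml
# Global settings must precede the first table header in TOML.
logLevel = "INFO"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Everything on :80 is redirected, so the backend only ever sees
    # requests that reached Traefik over TLS.
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

# Let's Encrypt certificate for the public hostname (values are placeholders).
[acme]
email = "mymail@example.com"
storageFile = "/etc/traefik/acme.json"
entryPoint = "https"
  [[acme.domains]]
  main = "rancher.example.com"

[file]

[backends]
  [backends.rancher]
    [backends.rancher.servers.server1]
    # Internal Rancher server address (placeholder from the thread).
    url = "http://rancherint.example.com:8080"

[frontends]
  [frontends.rancher]
  backend = "rancher"
  # Only the TLS entrypoint is needed; :80 never reaches a frontend.
  entrypoints = ["https"]
  # Forward the original Host header (rancher.example.com) instead of the
  # backend's own hostname, so Rancher can rebuild the external URL that its
  # login redirect and secure cookie depend on.
  passHostHeader = true
    [frontends.rancher.routes.default]
    rule = "Host:rancher.example.com"
    # Assumed headers table (Traefik 1.x security headers middleware):
    # HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff and
    # X-XSS-Protection, mirroring the headers the HAProxy reply adds.
    [frontends.rancher.headers]
    STSSeconds = 31536000
    FrameDeny = true
    ContentTypeNosniff = true
    BrowserXSSFilter = true
```

With this in place the backend receives Host: rancher.example.com and an X-Forwarded-Proto reflecting the TLS connection, which is the pair of facts the earlier reply says Rancher needs to reconstruct the original request URL. A quick check after deploying is to log in once over https and confirm the browser is not bounced back to the login page; if it is, compare the Host and X-Forwarded-Proto headers arriving at port 8080 against what the public URL looks like.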