I’m getting the following error when I visit my domain https://<mydomain>:
Warning: Potential Security Risk Ahead Firefox detected a potential security threat and did not **continue** **to** mydomain.com. **If** you visit this site, attackers could **try** **to** steal information like your passwords, emails, or credit card details.
This is my docker-compose.yaml:
version: '3'
services:
upload:
image: mydomain-upload:v3-staging
build:
context: .
dockerfile: src/services/upload/Dockerfile.upload
restart: always
ports:
- "8004:8004"
labels:
- "traefik.enable=true"
- "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)"
- "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180"
- "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true"
- "traefik.http.routers.upload.entrypoints=web"
- "traefik.http.routers.upload.middlewares=cors,oauth2-proxy"
- "traefik.http.services.upload.loadbalancer.server.port=8004"
- "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS"
- "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*"
- "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*"
- "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true"
- "traefik.http.routers.upload.middlewares=upload-cors"
environment:
- MODE=staging
oauth2-proxy:
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
command:
- --provider=oidc
- --email-domain=*
- --oidc-issuer-url=https://accounts.google.com
- --cookie-secure=false
- --cookie-secret=COOKIE_SECRET
- --client-id=CLIENT_ID
- --client-secret=CLIENT_SECRET
- --upstream=http://traefik:80
- --pass-access-token=true
- --pass-authorization-header=true
- --set-authorization-header=true
labels:
- "traefik.enable=true"
nginx:
image: mydomain-nginx:v3-staging
build:
context: .
dockerfile: src/static/Dockerfile.nginx.development
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.nginx.rule=Host(`mydomain.com`)"
- "traefik.http.routers.nginx.entrypoints=web"
traefik:
image: traefik:v3.0
restart: always
depends_on:
- oauth2-proxy
- nginx
ports:
- "80:80"
- "443:443"
networks:
- proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- letsencrypt:/letsencrypt
- /var/log:/var/log
command:
- --providers.docker.network=proxy
- --api.dashboard=true
- --log.level=DEBUG
- --log.filepath=/var/log/traefik.log
- --accesslog=true
- --accesslog.filepath=/var/log/traefik-access.log
- --providers.docker.network=proxy
- --providers.docker.exposedByDefault=false
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entryPoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.asDefault=true
- --entrypoints.websecure.http.tls.certresolver=myresolver
- --certificatesresolvers.myresolver.acme.email=admin@mydomain.com
- --certificatesresolvers.myresolver.acme.tlschallenge=true
- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
labels:
- traefik.enable=true
- traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)
- traefik.http.routers.mydashboard.service=api@internal
- traefik.http.routers.mydashboard.middlewares=myauth
- "traefik.http.middlewares.myauth.basicauth.users=admin:$$apr1$$QWHGoM/N$$me9nau/f2g6O4W9Y2MqRH0"
networks:
proxy:
name: proxy
volumes:
letsencrypt:
name: letsencrypt
Here is part of my traefik.log:
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:49 > Setting up customHeaders/Cors from {map[] map[] true [*] [GET POST OPTIONS] [*] [] [] 0 false [] [] map[] 0 false false false false false false false} entryPointName=web middlewareName=upload-cors@docker middlewareType=Headers routerName=upload@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=web middlewareName=upload-cors@docker routerName=upload@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=mydashboard@docker serviceName=api@internal
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:33 > Creating middleware entryPointName=websecure middlewareName=myauth@docker middlewareType=BasicAuth routerName=mydashboard@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=websecure middlewareName=myauth@docker routerName=mydashboard@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for monitor.mydomain.com with TLS options default entryPointName=websecure
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [monitor.mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["monitor.mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:891 > No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["monitor.mydomain.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:37062: remote error: tls: unknown certificate
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:23486: remote error: tls: unknown certificate
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:12Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-17T20:44:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:17Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:4290: remote error: tls: unknown certificate
2023-09-17T20:44:17Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:51854: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:21Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:42874: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:28030: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Check this https://www.digitalocean.com/community/tutorials/how-to-secure-your-site-in-kubernetes-with-cert-manager-traefik-and-let-s-encrypt