traefik: Traefik should not serve requests for hosts which do not have a configuration defined

Do you want to request a feature or report a bug?

Bug

What did you do?

I’m just getting started with Traefik, and am playing around with running it as a local server to handle various docker images I may or may not start up. As part of this, I am exploring having it handle traffic on ports 80 & 443, and am running into a bit of a snag.

Static Configuration

web:
  address: ":8080"

providers:
  docker: {}

api:
  insecure: true

log:
  level: DEBUG

entryPoints:
  web:
    address: ":80/tcp"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: "https"
  websecure:
    address: ":443/tcp"

Starting the container

docker run --rm \
    -p 80:80 \
    -p 443:443 \
    -p 8080:8080 \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v path/to/config.yml:/etc/traefik/traefik.yml:ro \
    --name traefik traefik:2.2.1

What did you expect to see?

Nothing, really, as I have not configured any routes or services (other than the WebUI and API). The issue, instead, surfaces when browsing the web.

What did you see instead?

While the above container is running, when browsing the web, I encounter many “invalid certificate” errors. These show up in Traefik’s logs, too:

<snip>
time="2020-05-25T17:12:56Z" level=debug msg="No default certificate, generating one"
time="2020-05-25T17:14:47Z" level=debug msg="Serving default certificate for request: \"localhost\""
time="2020-05-25T17:14:47Z" level=debug msg="http: TLS handshake error from 172.17.0.1:58378: remote error: tls: unknown certificate"
time="2020-05-25T17:14:50Z" level=debug msg="Serving default certificate for request: \"localhost\""
time="2020-05-25T17:16:15Z" level=debug msg="Serving default certificate for request: \"www.googletagservices.com\""
time="2020-05-25T17:16:15Z" level=debug msg="http: TLS handshake error from 172.17.0.1:58392: remote error: tls: unknown certificate"
time="2020-05-25T17:16:20Z" level=debug msg="Serving default certificate for request: \"www.google-analytics.com\""
time="2020-05-25T17:16:20Z" level=debug msg="Serving default certificate for request: \"sb.scorecardresearch.com\""
time="2020-05-25T17:16:20Z" level=debug msg="http: TLS handshake error from 172.17.0.1:58396: remote error: tls: unknown certificate"
time="2020-05-25T17:16:20Z" level=debug msg="Serving default certificate for request: \"secure.quantserve.com\""
time="2020-05-25T17:16:20Z" level=debug msg="http: TLS handshake error from 172.17.0.1:58400: remote error: tls: unknown certificate"
time="2020-05-25T17:16:20Z" level=debug msg="http: TLS handshake error from 172.17.0.1:58404: remote error: tls: unknown certificate"
time="2020-05-25T17:17:03Z" level=debug msg="Serving default certificate for request: \"collector.githubapp.com\""
time="2020-05-25T17:17:03Z" level=debug msg="http: TLS handshake error from 172.17.0.1:58438: remote error: tls: unknown certificate"
time="2020-05-25T17:17:13Z" level=debug msg="Serving default certificate for request: \"collector.githubapp.com\""
time="2020-05-25T17:17:13Z" level=debug msg="http: TLS handshake error from 172.17.0.1:58448: remote error: tls: unknown certificate"
time="2020-05-25T17:17:16Z" level=debug msg="Serving default certificate for request: \"collector.githubapp.com\""
time="2020-05-25T17:17:16Z" level=debug msg="http: TLS handshake error from 172.17.0.1:58470: remote error: tls: unknown certificate"
time="2020-05-25T17:17:19Z" level=debug msg="Serving default certificate for request: \"collector.githubapp.com\""
time="2020-05-25T17:17:19Z" level=debug msg="http: TLS handshake error from 172.17.0.1:58478: remote error: tls: unknown certificate"

The reason this occurs is that I block various tracker and ad domains via /etc/hosts, by pointing them to 0.0.0.0 (this uses various adblock lists and is managed via the excellent pigmonkey/hostsctl project). This causes requests to those domains to be redirected to my local machine, which Traefik then picks up (because it’s listening on port 443 on all interfaces).

Traefik tries to serve https://some-blocked-domain.com, for which there is no configuration; in doing this it serves the default certificate created on startup, which of course isn’t valid for the domain. My browser then throws warnings stating that the certificate is invalid.

I would expect Traefik to do the same thing that other servers do, and simply fail the request. I’m surprised to see that it instead serves the default certificate.

Output of traefik version: (What version of Traefik are you using?)

Version:      2.2.1
Codename:     chevrotin
Go version:   go1.14.2
Built:        2020-04-29T18:02:09Z
OS/Arch:      linux/amd64

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 15 (2 by maintainers)

Most upvoted comments

Hello,

I would also support such an option. Besides the original issue described above, the current behavior allows identifying Traefik on a remote host just by connecting directly to the IP:

% curl -vk https://163.172.xx.yy
*   Trying 163.172.xx.yy...
* TCP_NODELAY set
* Connected to 163.172.xx.yy (163.172.xx.yy) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Jun 25 20:20:44 2020 GMT
*  expire date: Jun 25 20:20:44 2021 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fa6fb008600)
> GET / HTTP/2
> Host: 163.172.xx.yy
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Thu, 25 Jun 2020 20:21:51 GMT
<
404 page not found
* Connection #0 to host 163.172.xx.yy left intact
* Closing connection 0

I agree with having an option to disable the default cert for unknown sites.

As others have mentioned, it’s very easy to determine what kind of web server is running when the TRAEFIK DEFAULT CERT is shown.

It also responds to TLSv1 requests, even with minVersion: VersionTLS12 set as a TLS Option.
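The two behaviours discussed in this thread, shown as an added example in Go (Traefik's own language) that is not code from any participant or from Traefik itself: a crypto/tls GetCertificate callback that, in strict mode, fails the handshake for an SNI it has no certificate for (including the empty SNI of a bare-IP connection) instead of handing out a fallback. The certificates, the hostname app.example.test and the function names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// selfSigned builds a throwaway CN-only certificate (constructed for this demo).
func selfSigned(cn string) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Constructed sample data; the fallback CN matches the TRAEFIK DEFAULT CERT above.
var (
	appCert     = selfSigned("app.example.test")
	defaultCert = selfSigned("TRAEFIK DEFAULT CERT")
	sites       = map[string]*tls.Certificate{"app.example.test": appCert}
)

// newServerConfig selects the certificate by SNI. strict=false mirrors the reported
// behaviour (unknown or empty SNI gets defaultCert); strict=true aborts the handshake.
func newServerConfig(strict bool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := sites[h.ServerName]; ok {
				return c, nil
			}
			if strict {
				return nil, fmt.Errorf("no certificate for SNI %q", h.ServerName)
			}
			return defaultCert, nil
		},
	}
}
```

A server built from newServerConfig(true) answers a blocked tracker domain or a bare-IP probe with a handshake failure, so neither the browser warning nor the TRAEFIK DEFAULT CERT fingerprint appears; Traefik's own TLS options expose a comparable switch, sniStrict, for its default TLS options.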