Hello, this is a bottle in the sea,
I'm using proxmox 8.2, which runs several vm.
On one of the vm, (192.168.1.102) I have a traefik which is in charge of routing docker services and managing ssl/tls.
Here's the docker compose config and config.yml for this traefik
```
version: "3.3"
services:
traefik:
image: "traefik:v3.0.4"
container_name: "traefik"
restart: unless-stopped
command:
- "--log.level=debug"
- "--api.insecure=false"
- "--api.dashboard=false"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.myresolver.acme.email=serveur@maildomain.com"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
- "--providers.file.filename=/etc/traefik/config.yaml" # Using file for reading the config
- "--providers.file.watch=true"
networks:
- traefik-net
ports:
- "80:80"
- "443:443"
volumes:
- "./data/letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./data/config.yml:/etc/traefik/config.yaml:ro"
networks:
traefik-net:
name: traefik-net
```
```
http:
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
permanent: true
routers:
# Vault routers
router-vault-http:
entryPoints:
- "web"
service: vault
rule: "Host(`coffre.example1.com`)"
middlewares:
- redirect-to-https
router-vault:
entryPoints:
- "websecure"
service: vault
rule: "Host(`coffre.example1.com`)"
tls:
certResolver: "myresolver"
# main website routers
router-website-http:
entryPoints:
- "web"
service: website
rule: "Host(`example1.com`)"
middlewares:
- redirect-to-https
router-website:
entryPoints:
- "websecure"
service: website
rule: "Host(`example1.com`)"
tls:
certResolver: "myresolver"
# Wiki routers
router-wiki-http:
entryPoints:
- "web"
service: wiki
rule: "Host(`wiki.example1.com`)"
middlewares:
- redirect-to-https
router-wiki:
entryPoints:
- "websecure"
service: wiki
rule: "Host(`wiki.example1.com`)"
tls:
certResolver: "myresolver"
services:
vault:
loadBalancer:
servers:
- url: "http://vaultwarden:80"
website:
loadBalancer:
servers:
- url: "http://silicondays:3000"
wiki:
loadBalancer:
servers:
- url: "http://xwiki:8080"
```
The problem is as follows: the dns zone sends everything to the server's public ip, i.e. to the proxmox hypervisor. I have to route the domains to the right vm and then have traefik take over.
For example, for *.example1.com to be routed to vm1
and *.example2.com should be routed to vm2
for that, I installed nginx on the hypervisor with this config
```
upstream proxmox {
server "proxmox.example1.com";
}
server {
listen 80 default_server;
server_name proxmox.example1.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
server_name proxmox.example1.com;
ssl_certificate /etc/pve/local/pveproxy-ssl.pem;
ssl_certificate_key /etc/pve/local/pveproxy-ssl.key;
#proxy_redirect off;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://localhost:8006;
proxy_buffering off;
client_max_body_size 0;
proxy_connect_timeout 3600s;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
send_timeout 3600s;
}
}
server {
listen 80;
server_name *.example2.fr example2.fr;
location / {
proxy_pass http://192.168.1.103;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443;
server_name *.example2.fr example2.fr;
location / {
proxy_pass https://192.168.1.103;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 80;
server_name *.example1.com example1.com;
location / {
proxy_pass http://192.168.1.102;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443;
server_name *.example1.com example1.com;
location / {
proxy_pass https://192.168.1.102;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```
With this configuration as is, when I go to a site such as coffre.example1.com, I get an SSL_ERROR_BAD_CERT_DOMAIN error.
And indeed, it's the proxmox.example1.com certificate that's given, not the hypervisor's. I don't understand why....
And if I remove the whole proxmox part of the nginx config, to do like this :
```
server {
listen 80;
server_name *.example2.fr example2.fr;
location / {
proxy_pass http://192.168.1.103;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443;
server_name *.example2.fr example2.fr;
location / {
proxy_pass https://192.168.1.103;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 80;
server_name *.example1.com example1.com;
location / {
proxy_pass http://192.168.1.102;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443;
server_name *.example1.com example1.com;
location / {
proxy_pass https://192.168.1.102;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```
Well, this causes an SSL_ERROR_RX_RECORD_TOO_LONG error to appear.
i really need a hand please
thank you very much