
I have set up a simple web server for my custom domain with traefik and docker (based on an article in c't), just for testing if all works. However, my problem is my router Fritzbox, which prevents requests to the web2 container (web2.mydomain.de) and instead shows a login page of the router. My docker-compose file looks like:

version: "3.7"
services:
  traefik:
    image: traefik:v2.0
    command: --providers.docker
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      # Docker socket so the docker provider can read container labels
      - /var/run/docker.sock:/var/run/docker.sock:rw
      - ./static.yml:/etc/traefik/traefik.yml
      - ./dynamic.yml:/etc/traefik/dynamic/dynamic.yml
      - ./acme.json:/etc/traefik/acme/acme.json

  web2:
    image: containous/whoami
    labels:
      # quoted so the backticks, "||" and parentheses are never mis-parsed as YAML
      - "traefik.http.routers.web2.rule=Host(`web2.mydomain.de`) || ( Host(`mydomain.de`) && PathPrefix(`/web2`) )"
      - "traefik.http.routers.web2.tls.certResolver=default"
      - "traefik.http.routers.web2.tls=true"

Things I've also done:

  • CNAME-Record configured: CNAME * xxxxxxxyyyyy.myfritz.net -
  • DNS Rebind exception in fritzbox for my *.mydomain.de (for letting through incoming req./resp.)
  • Port 80/443 opened in Fritzbox
  • acme.sh is working (cert was generated)

So what is misconfigured?

1 Answer


There might be a weird behaviour of your fritzbox. For mine, it even shows the router's login panel if I browse the external fritzbox IP from the internal 192.168.178.* network; and I haven't exposed the fritzbox itself to the Internet at all. IMO this is a wrong behaviour of new routers by AVM.

I fixed the issue by installing an internal DNS server. You want to have split DNS. This ensures that your domain name is resolved to your internal webserver's IP address for internal requests and not to your external IP address. If you try to access your webserver by a mobile LTE connection, you'll notice that it works flawlessly. It's just requests from the internal fritzbox network which get stuck. So either install an internal DNS server for split DNS or do manual entries in your operating system's hosts file.

Nonetheless, I still get some random SSL certificate errors from time to time. The fritzbox will then present its self-signed certificate for the login panel instead of my Let's Encrypt cert for my domain.

tl;dr: You need split DNS since some Fritzbox routers cannot do proper NAT hairpinning.
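A small helper for the split-DNS fix described above, as an added example that is not part of the question or the answer. It pulls the Host() names out of the Traefik router labels from the question's compose file and emits the dnsmasq and hosts-file overrides a LAN resolver needs; the Docker host's LAN address 192.168.178.20 and the 192.168.178.0/24 subnet are assumed values.

```python
"""Split-DNS helper for a Traefik host behind a router that cannot hairpin NAT."""
import ipaddress
import re

# Constructed sample: the router label lines from the question (domain is a placeholder).
COMPOSE_LABELS = """
      - traefik.http.routers.web2.rule=Host(`web2.mydomain.de`) || ( Host(`mydomain.de`) && PathPrefix(`/web2`) )
      - "traefik.http.routers.web2.tls.certResolver=default"
"""

RULE_RE = re.compile(r"traefik\.http\.routers\.[^.=]+\.rule=(.*)")
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")


def hostnames_from_labels(labels: str) -> list:
    """Return the distinct Host() names from every router rule, in label order."""
    names = []
    for m in RULE_RE.finditer(labels):
        for host in HOST_RE.findall(m.group(1).strip().strip('"')):
            if host not in names:
                names.append(host)
    return names


def dnsmasq_entries(names, lan_ip: str) -> list:
    """dnsmasq 'address=' lines that override the public record for LAN clients.
    Note: address=/mydomain.de/ also covers every subdomain of mydomain.de."""
    return [f"address=/{n}/{lan_ip}" for n in names]


def hosts_file_block(names, lan_ip: str) -> str:
    """Equivalent /etc/hosts lines for clients without a local resolver."""
    return "\n".join(f"{lan_ip}\t{n}" for n in names)


def needs_hairpin(client_ip: str, resolved_ip: str, lan_cidr: str) -> bool:
    """True when a LAN client would reach the name via the router's WAN side,
    which is exactly the case the answer says the Fritzbox does not handle."""
    lan = ipaddress.ip_network(lan_cidr)
    return (ipaddress.ip_address(client_ip) in lan
            and ipaddress.ip_address(resolved_ip) not in lan)


if __name__ == "__main__":
    hosts = hostnames_from_labels(COMPOSE_LABELS)
    print("\n".join(dnsmasq_entries(hosts, "192.168.178.20")))  # assumed Docker host IP
    print(hosts_file_block(hosts, "192.168.178.20"))
    # assumed: LAN client, public DNS still pointing at the router's WAN address
    print(needs_hairpin("192.168.178.30", "203.0.113.5", "192.168.178.0/24"))
```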