Traefik not working with Cloudflare proxy enabled

Hi,
I’ve been trying to replace my NGINX Proxy Manager instance with Traefik (most of my incoming traffic goes through Proxy Manager and then through Traefik anyway). I am able to set up all my sites and generate certificates for them. I can access the sites and they all work perfectly fine going directly through Traefik.
But as soon as I turn on the proxy feature all of my sites stop working and I get the error “Error 522, Connection timed out”. This only happens when I port forward Traefik, and not when I forward NGINX Proxy Manager. I’ve already played around with the SSL/TLS options in the Cloudflare dashboard, but none of them seem to fix my issue.
I’ve already read some other posts on this issue, but most of the time it has something to do with incorrect packet routing and/or wrong port forwarding. I’ve already concluded that those causes have nothing to do with my issue.

Here are my config files:

traefik.yml

entrypoints:
    unsecure:
        address: :80
    secure:
        address: :443
providers:
    file:
        directory: /etc/traefik/services
        watch: true

certificatesResolvers:
    myresolver:
        acme:
            email: "---"
            storage: "/etc/traefik/acme.json"
            dnsChallenge:
                provider: cloudflare
                delayBeforeCheck: 0

onweerdetectie.yml (one of the sites config file)

http: 
    routers:
        onweerdetectieRouterHttp:
            rule: "Host(`onweerdetectie.jdekuijper.nl`)"
            service: "onweerdetectie"
            middlewares:
              - "redirecthttps"
        onweerdetectieRouterHttps:
            rule: "Host(`onweerdetectie.jdekuijper.nl`)"
            service: "onweerdetectie"
            tls:
                certResolver: myresolver
                options: tlsoptions
    services:
        onweerdetectie:
            loadBalancer:
                servers:
                    - url: "http://192.168.20.60:8080"
                    - url: "http://192.168.20.61:8080"
                    - url: "http://192.168.1.22:8080"

    middlewares:
        redirecthttps:
            redirectScheme:
                scheme: "https"
                permanent: true

tls:
    options:
        tlsoptions:
            minVersion: VersionTLS12

If anyone has any questions, please ask them and I’ll get back to you as soon as possible.

Kind regards,
Jeroen de Kuijper

There are two criteria for a 522 as per https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors#522error

Before a connection is established, the origin web server does not return a SYN+ACK to Cloudflare within 15 seconds of Cloudflare sending a SYN.

After a connection is established, the origin web server doesn’t acknowledge (ACK) Cloudflare’s resource request within 90 seconds.

Are you seeing Cloudflare’s requests at all when getting the 522 page?
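A probe that applies those two 522 criteria to an origin, added here as an example and not part of the original thread. It assumes the caller supplies the origin host and port (and, for Cloudflare’s “Full” mode, `use_tls=True` with the zone hostname as SNI); `start_fake_origin` is a constructed local stand-in used only for testing.

```python
import socket
import ssl
import threading

# Cloudflare's two 522 conditions from the reply above: no SYN+ACK within
# 15 s of the SYN, or no answer to the request within 90 s of connecting.
CONNECT_TIMEOUT, RESPONSE_TIMEOUT = 15, 90


def probe_origin(host, port, server_name=None, use_tls=False,
                 connect_timeout=CONNECT_TIMEOUT, response_timeout=RESPONSE_TIMEOUT):
    """Report which 522 condition (if any) an origin trips; 'ok' means it answered."""
    name = server_name or host
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except socket.timeout:
        return "connect-timeout"       # condition 1: SYN never answered
    except OSError:
        return "connect-refused"       # RST instead of SYN+ACK (not a 522, but no origin)
    try:
        if use_tls:                    # "Full" mode: TLS to origin, SNI = zone hostname;
            ctx = ssl.create_default_context()   # cert checks are off so a self-signed
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # origin cert
            try:                                 # is not misreported as a timeout
                sock = ctx.wrap_socket(sock, server_hostname=name)
            except ssl.SSLError:
                return "tls-error"
        sock.settimeout(response_timeout)
        req = f"GET / HTTP/1.1\r\nHost: {name}\r\nConnection: close\r\n\r\n"
        sock.sendall(req.encode())
        return "ok" if sock.recv(1024) else "closed-without-reply"
    except socket.timeout:
        return "response-timeout"      # condition 2: accepted but never answered
    finally:
        sock.close()


def start_fake_origin(reply):
    """Constructed test origin: answers HTTP 200 if reply is True, else stays silent."""
    srv = socket.create_server(("127.0.0.1", 0))   # bind to a free local port

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)            # read the probe's request
            if reply:
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            else:
                conn.recv(1024)        # block until the prober gives up and closes

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run it against the Traefik host on 443 with `use_tls=True` from outside the LAN: a `connect-timeout` points at the network path, while a `response-timeout` means the TCP (or TLS) connection is accepted but Traefik never answers the request.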

Traefik is receiving requests from Cloudflare: if I comment out all of my site configurations (so Traefik will return a 404 page) it does load a 404 page from Traefik. As soon as I add any sort of site configuration or add a certificate resolver (with Cloudflare proxy already on) I get the timeout error again.

http: 
    routers:
        <snip>
        onweerdetectieRouterHttps:
            rule: "Host(`onweerdetectie.jdekuijper.nl`)"
            service: "onweerdetectie"
            tls:
                certResolver: myresolver
                options: tlsoptions # <-- this

Is this tlsoptions referring to a specific variable somewhere else or just the tlsoptions: block at the bottom of the YAML?

It is referring to the tlsoptions block at the bottom of the file

What’s your encryption mode set to in SSL/TLS for that zone?

https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls

I wouldn’t expect the minVersion: VersionTLS12 to cause any issues since the SSL/TLS handshake between Cloudflare and your origin will work it out anyways - https://developers.cloudflare.com/ssl/origin-configuration/cipher-suites/

It is currently set to Full
I’ve tried all the other options, but no luck

I am currently trying something with the way Traefik handles forwarded-for headers
