I have a NiFi instance running on Docker; we use a reverse proxy (Traefik) to send the requests to the NiFi docker instance.
When my NiFi instance is running on HTTP I am able to reach the NiFi UI from the internet. Since we wanted to have a login option, I was working on setting up HTTPS, as login auth is not possible on an HTTP NiFi instance. The setup all works when I apply a global-level SSL verify skip at the reverse-proxy level using insecureSkipVerify, but I would not want to do that, and on the normal setup, where the certificates that NiFi generates automatically (a self-signed cert) are verified, it fails with the following error:
{"level":"debug","msg":"'500 Internal Server Error' caused by: x509: cannot validate certificate for 10.0.2.60 because it doesn't contain any IP SANs","time":"2022-10-21T10:29:18Z"}
I also checked the /etc/hosts file:
root@mynifi:/opt/nifi/nifi-current/conf# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.2.60 mynifi
The issue is that when Traefik is acting as the load balancer it seems to be trying to access the service using the IP address instead of the hostname:
{
  "ForwardURL": {
    "Scheme": "https",
    "Opaque": "",
    "User": null,
    "Host": "10.0.2.60:8443",
    "Path": "",
    "RawPath": "",
    "OmitHost": false,
    "ForceQuery": false,
    "RawQuery": "",
    "Fragment": "",
    "RawFragment": ""
  },
  "Request": "{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/nifi/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Cookie\":[\"__Secure-Request-Token=00c9e232-fb30-44e0-a41e-fc0b5ba6b9b5\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"example.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"d9c0b0e2855e\"],\"X-Proxyhost\":[\"example.domain.com\"],\"X-Proxyport\":[\"443\"],\"X-Proxyscheme\":[\"https\"],\"X-Real-Ip\":[\"143.155.67.98\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.52.48:51731\",\"RequestURI\":\"/nifi/\",\"TLS\":null}",
  "level": "debug",
  "msg": "vulcand/oxy/roundrobin/rr: Forwarding this request to URL",
  "time": "2022-10-21T15:23:35Z"
}
Is there an option to have the hostname defined within the docker-compose file used instead of the IP? My service is accessible using the hostname, as I was able to confirm via the curl command on the docker container.
As the docker container's IP keeps changing each time it's redeployed, it would be really difficult to generate a certificate with the IP of the container.
I tried to use the labels below, but I am not sure if they are the right ones to use in this case:
- "traefik.http.middlewares.nifi-redirect.redirectregex.permanent=true"
- "traefik.http.middlewares.nifi-redirect.redirectregex.regex=^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):8443"
- "traefik.http.middlewares.nifi-redirect.redirectregex.replacement=mynifi:8443"
I wanted to know if I can somehow instruct Traefik to make the request using the hostname defined instead of the IP.
For example:
Traefik calls my service using the IP of the container, i.e. https://10.0.2.90:8443/nifi
I would prefer to use the hostname, so that Traefik reaches the container using https://mynifi:8443/nifi
Please let me know if any additional details are needed.
docker-compose.yml file
version: "3.7"
services:
  nifi:
    user: root
    hostname: mynifi
    # container_name: nifi_container_persistent
    image: apache/nifi:latest
    restart: on-failure
    # command:
    #   - "--serverstransport.insecureskipverify=true"
    environment:
      - NIFI_WEB_HTTPS_PORT=8443
      - NIFI_WEB_HTTPS_HOST=0.0.0.0
      # - NIFI_REMOTE_INPUT_HOST=$DOCKER_HOST_URL
      - NIFI_WEB_PROXY_HOST=$DOCKER_HOST_URL:443
      # - NIFI_WEB_PROXY_CONTEXT_PATH=/nifi,/nifi-docs,/nifi-api,/
      - NIFI_WEB_PROXY_CONTEXT_PATH=/
      - SINGLE_USER_CREDENTIALS_USERNAME=admin
      - SINGLE_USER_CREDENTIALS_PASSWORD=ctsBtRBKHRAx69EqUghvvgEvjnaLjFEB
      - NIFI_SECURITY.AUTORELOAD.ENABLED=true
      # - NIFI_REMOTE_INPUT_SECURE=false
      # - NIFI_WEB_REQUEST_IP_WHITELIST=$DOCKER_HOST_URL
      # - NIFI_CLUSTER_NODE_PROTOCOL_PORT=8082
      # - NIFI_ZK_CONNECT_STRING=myzookeeper:2181
      # - NIFI_ELECTION_MAX_WAIT=30 sec
      # - NIFI_SENSITIVE_PROPS_KEY='12345678901234567890A'
      # - DOCKER_HEALTHCHECK_TEST=curl $DOCKER_HOST_URL/nifi/
    # healthcheck:
    #   test: "${DOCKER_HEALTHCHECK_TEST:-curl $DOCKER_HOST_URL/nifi/}"
    #   interval: "60s"
    #   timeout: "3s"
    #   start_period: "5s"
    #   retries: 5
    volumes:
      - nifi_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - nifi_state:/opt/nifi/nifi-current/state
      - nifi_logs:/opt/nifi/nifi-current/logs
      - nifi_conf:/opt/nifi/nifi-current/conf
    networks:
      traefik_webgateway:
    deploy:
      labels:
        # traefik
        - traefik.enable=true
        # service
        - traefik.http.services.nifi-flow.loadbalancer.server.port=8443
        - traefik.http.services.nifi-flow.loadbalancer.server.scheme=https
        # - "traefik.http.services.nifi-flow.loadbalancer.serverstransports.insecureskipverify=true"
        # middlewares
        # - "traefik.http.middlewares.nifi-redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyScheme=https"
        - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyHost=$DOCKER_HOST_URL"
        - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyPort=443"
        # '=' rather than ':' before the value, otherwise this label has no value at all
        - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyContextPath=/"
        # - "traefik.http.middlewares.nifi-redirect.redirectregex.permanent=true"
        # - "traefik.http.middlewares.nifi-redirect.redirectregex.regex=^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):8443"
        # - "traefik.http.middlewares.nifi-redirect.redirectregex.replacement=mynifi:8443"
        # - "traefik.http.middlewares.nifi-redirect.headers.sslforcehost=true"
        # - "traefik.http.middlewares.nifi-redirect.headers.sslhost=mynifi"
        # - "traefik.http.middlewares.nifi-tls.forwardauth.tls.insecureskipverify=true"
        # Routers
        - traefik.http.routers.nifi-flow.middlewares=nifi-headers
        - traefik.http.routers.nifi-flow.service=nifi-flow
        - traefik.http.routers.nifi-flow.entrypoints=$TRAEFIK_HTTPS_ENTRYPOINT
        - traefik.http.routers.nifi-flow.tls=true
        - traefik.http.routers.nifi-flow.rule=Host(`$DOCKER_HOST_URL`) && PathPrefix(`/nifi`)
      restart_policy:
        condition: on-failure
        delay: 120s
        max_attempts: 3
        window: 60s
networks:
  traefik_webgateway:
    external: true
volumes:
  nifi_conf: {external: true}
  nifi_database_repository: {external: true}
  nifi_flowfile_repository: {external: true}
  nifi_content_repository: {external: true}
  nifi_provenance_repository: {external: true}
  nifi_state: {external: true}
  nifi_logs: {external: true}
Traefik.toml file
#General
[api]
dashboard = true
[metrics]
[metrics.prometheus]
[ping]
[log]
level = "DEBUG"
filepath = "/traefik/logs/traefik/traefik.log"
format = "json"
[accessLog]
filePath = "/traefik/logs/access/access.log"
bufferingSize = 10
#ENTRYPOINTS
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.forwardedHeaders]
trustedIPs = ["<IP_Address>"] # f5
[entryPoints.websecure.http.tls]
[entryPoints.apiDashboard]
address = ':70000'
#MIDDLEWARES
[http.middlewares]
[http.middlewares.test-retry.retry]
attempts = 4
[http.middlewares.https-redirectscheme.redirectScheme]
scheme = "https"
permanent = true
#TLS
[[tls.certificates]]
certFile = "/folder/cert"
keyFile = "/folder/key"
#PROVIDERS
[providers]
providersThrottleDuration = 2
[providers.docker]
watch = true
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = true
swarmMode = true
swarmModeRefreshSeconds = 15
network = "traefik_webgateway"
[providers.file]
filename = "/etc/traefik/traefik.toml"
watch = true
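The x509 error in the log is Go's subject-alternative-name check, which is what Traefik (a Go program) runs on the backend certificate before forwarding: when the dial target is an IP address, only an IP SAN can satisfy it, and /etc/hosts plays no part in that decision. The Go program below is an added example written for this page, not code from the question, from Traefik or from NiFi. It builds a throwaway self-signed certificate carrying only the DNS SAN "mynifi" (the hostname from the question), checks it against both "mynifi" and the IP from the log, rebuilds it with an IP SAN to show that the same check then passes, and finally shows the narrow alternative to insecureSkipVerify: trusting that one certificate as a root while keeping verification on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a short-lived self-signed server certificate with the
// given DNS and IP SANs. Everything here is constructed for the example; the
// name "mynifi" stands in for the container hostname from the question.
func selfSignedCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mynifi"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameAccepted reports whether cert passes the SAN check for the given
// dial target (hostname or IP literal), which is the check a Go HTTP client
// such as Traefik's applies to https://<target>:8443.
func hostnameAccepted(cert *x509.Certificate, target string) bool {
	return cert.VerifyHostname(target) == nil
}

// chainTrusted reports whether a client trusting only the certificates in
// roots accepts cert for target. An empty pool reproduces the "unknown
// authority" failure; adding the self-signed cert itself as a root is the
// narrow alternative to switching verification off entirely.
func chainTrusted(cert *x509.Certificate, roots *x509.CertPool, target string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: target})
	return err == nil
}

func main() {
	// A cert like the one NiFi generated: hostname SAN only, no IP SAN.
	byName, err := selfSignedCert([]string{"mynifi"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("mynifi accepted:   ", hostnameAccepted(byName, "mynifi"))
	fmt.Println("10.0.2.60 accepted:", hostnameAccepted(byName, "10.0.2.60"))
	fmt.Println("reason:", byName.VerifyHostname("10.0.2.60")) // same wording as the Traefik log

	// The same cert with an IP SAN added is accepted for the IP target too.
	both, err := selfSignedCert([]string{"mynifi"}, []net.IP{net.ParseIP("10.0.2.60")})
	if err != nil {
		panic(err)
	}
	fmt.Println("10.0.2.60 with IP SAN:", hostnameAccepted(both, "10.0.2.60"))

	// Trust decision: an empty root pool rejects, pinning the cert accepts.
	pool := x509.NewCertPool()
	fmt.Println("trusted with empty pool:", chainTrusted(byName, pool, "mynifi"))
	pool.AddCert(byName)
	fmt.Println("trusted with cert pinned:", chainTrusted(byName, pool, "mynifi"))
}
```

The two checks map onto two separate settings in a Traefik v2 ServersTransport: `serverName` controls which name is verified (and sent as SNI) when the backend is dialled by IP, and `rootCAs` controls which certificates are trusted. Neither is used in the compose file above; whether either of them resolves the IP-versus-hostname forwarding in this setup is not something the question settles, but both are narrower than `insecureSkipVerify`, which disables the SAN check and the chain check at once.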
Related
I spent the last 3 days trying to use traefik for HTTPS, load balancer, and to connect portainer and other docker containers in swarm mode. It is a home-server cluster made with 4 raspberrys, and what I want is the SSL auto-certificate function, and the HTTP to HTTPS redirection. For that purpose I've created a traefik.toml file:
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[web]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "xxx@xxx.com"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[docker]
domain = "traefik" #<---- WHAT SHOULD I WRITE HERE?
watch = true
swarmmode = true
I don't know what I should write in the DOMAIN variable. I use NoIP as my dynamic DNS provider. Should I write the domain I get from them? And should that work inside my network, i.e. accessing from a computer inside my network with 192.168.11.100?
And I also have a docker-compose.yml file:
version: "3.4"
services:
  proxy:
    image: traefik:latest
    command:
      - "--api"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--defaultentrypoints=http,https"
      - "--acme"
      - "--acme.storage=/etc/traefik/acme/acme.json"
      - "--acme.entryPoint=https"
      - "--acme.httpChallenge.entryPoint=http"
      - "--acme.onHostRule=true"
      - "--acme.onDemand=false"
      - "--acme.email=xxx@xxx.com"
      - "--docker"
      - "--docker.swarmMode"
      - "--docker.domain=traefik.localhost" # <- WHAT SHOULD I PUT IN HERE??
      - "--docker.watch"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/traefik/acme.json:/etc/traefik/acme/acme.json
    networks:
      - appnet
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
      - target: 8080
        published: 8080
        mode: host
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
networks:
  appnet:
    external: true
I deploy the stack, then on another computer I type 192.168.11.100 into Firefox, and I can see the "Welcome to nginx" page. No HTTPS, by the way. Trying 192.168.11.100:8080 for the Traefik dashboard: it is there, but again only HTTP.
If I deploy Portainer, it looks like it connects with Traefik (at least it appears in the dashboard), but again only HTTP.
Here are the logs of the Traefik container after deploying Portainer:
time="2019-02-19T11:32:52Z" level=error msg="Unable to obtain ACME certificate for domains \"portainer.com\" detected thanks to rule \"Host:portainer.com\" : unable to generate a certificate for the domains [portainer.com]: acme: Error -> One or more domains had a problem:\n[portainer.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://portainer.com/.well-known/acme-challenge/eDN0Z2VJRzuZm9wiAbar1BOVHLPJ5qPYKBpwfuJOtdY: \"<!doctype html><html><head><meta charset=\\\"utf-8\\\"><meta http-equiv=\\\"x-ua-compatible\\\" content=\\\"ie=edge\\\"><meta name=\\\"viewport\\\" cont\", url: \n"
time="2019-02-19T11:33:15Z" level=error msg="Unable to obtain ACME certificate for domains \"portainer.com\" detected thanks to rule \"Host:portainer.com\" : unable to generate a certificate for the domains [portainer.com]: acme: Error -> One or more domains had a problem:\n[portainer.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://portainer.com/.well-known/acme-challenge/Of6CWm4zvCdPo0BFPTxapEVXPU-qf7hhl1f6NCUTmQw: \"<!doctype html><html><head><meta charset=\\\"utf-8\\\"><meta http-equiv=\\\"x-ua-compatible\\\" content=\\\"ie=edge\\\"><meta name=\\\"viewport\\\" cont\", url: \n"
Am I missing something?
So, I'm trying to deploy my Docker swarm with Traefik into a cluster of DigitalOcean droplets. I'm using Traefik as my reverse proxy and load balancer, so I must get the SSL certificate using Traefik. The documentation seems simple enough, so I don't really understand what's going wrong with my config. I hoped you guys could shed some light on what I'm doing wrong. I'm using a wildcard domain to have most of my services running as subdomains of my root domain. So here's my toml:
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint="unix:///var/run/docker.sock"
exposedByDefault=true
watch=true
swarmmode=true
domain="mouv.com"
[acme]
email = "leonardo@mouv.com"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
# caServer = "https://acme-v02.api.letsencrypt.org/directory"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.mouv.com"
sans = ["mouv.com"]
And here's my docker-stack.yml:
version: '3.6'
services:
  traefik:
    image: traefik:latest
    networks:
      - mouv-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    command: --api
    environment:
      DO_AUTH_TOKEN: "xxxxxxxxxxxxxxxx"
    deploy:
      placement:
        constraints: [node.role==manager]
  user:
    image: hollarves/users-mouv:latest
    networks:
      - mouv-net
    deploy:
      labels:
        - "traefik.port=8500"
        - "traefik.backend=user"
        - "traefik.docker.network=mouv-stack_mouv-net"
        - "traefik.enable=true"
        - "traefik.protocol=http"
        - "traefik.frontend.entryPoints=https"
        - "traefik.frontend.rule=Host:user.mouv.com"
  balances:
    image: hollarves/balances-mouv:latest
    networks:
      - mouv-net
    deploy:
      labels:
        - "traefik.port=8010"
        - "traefik.backend=balance"
        - "traefik.docker.network=mouv-stack_mouv-net"
        - "traefik.enable=true"
        - "traefik.protocol=http"
        - "traefik.frontend.entryPoints=https"
        - "traefik.frontend.rule=Host:balance.mouv.com"
  # this container is not part of traefik's network.
  firebase:
    image: hollarves/firebase-mouv:latest
    networks:
      - firebase-net
  [ ..... more containers ..... ]
networks:
  mouv-net:
    driver: overlay
  [ .... more networks .... ]
I also saw this error in the logs:
mueve-stack_traefik.1.ndgfhj96lymx@node-1 | time="2019-02-19T13:15:46Z" level=debug msg="http2: server: error reading preface from client 10.255.0.2:50668: remote error: tls: unknown certificate authority"
And this:
mueve-stack_traefik.1.igy1ilch6wl1@node-1 | time="2019-02-19T13:22:00Z" level=info msg="legolog: [WARN] [mueve.com] acme: error cleaning up: digitalocean: unknown record ID for '_acme-challenge.mueve.com.' "
When I try to navigate to one of my subdomain services I get:
subdomain.mouv.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for 9a11926d7857657613b65578dfebc69f.8066eec25224a58acabd968e285babdf.traefik.default.
In my DigitalOcean domain configuration I'm pretty much just adding an A record pointing to my manager node's IP and a CNAME record as *.mouv.com.
The certificates provided by the Let's Encrypt staging endpoint (caServer = "https://acme-staging-v02.api.letsencrypt.org/directory") are not valid certificates; that's normal.
https://letsencrypt.org/docs/staging-environment/
The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store. Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.
To have valid certificates you have to use the Let's Encrypt production endpoint (caServer = "https://acme-v02.api.letsencrypt.org/directory").
I'm trying to configure Traefik + Docker but I'm having trouble: the browser loads the URL forever.
This is my actual configuration:
traefik.toml
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
# https is the default
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "cloud.castignoli.it"
watch = true
exposedByDefault = false
[acme]
email = "marco.castignoli@gmail.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
Then I have the acme.json, actually filled by Traefik with the correct values.
I'm trying to activate HTTPS for the container foo; the domain is hello.cloud.castignoli.it.
foo has only this label:
traefik.frontend.rule=Host:hello.cloud.castignoli.it
These are Traefik's logs:
time="2018-10-11T08:04:50Z" level=error msg="Unable to obtain ACME certificate for domains \"reverse-proxy.traefik.\" detected thanks to rule \"Host:reverse-proxy.traefik.\" : unable to generate a certificate for the domains [reverse-proxy.traefik.]: acme: Error 400 - urn:ietf:params:acme:error:malformed - Error creating new order :: DNS name ends in a period"
This is the Traefik dashboard: [screenshot: traefik's dashboard]
The problem is with the domain for Traefik itself, which is trying to generate a certificate for a non-existent domain.
In docker-compose.yml set labels with your domain, or do not use --api. For example:
image: traefik
command: --api --docker
ports:
  - "80:80"
  - "443:443"
  - "8080:8080"
networks:
  - web
volumes:
  - /var/run/docker.sock:/var/run/docker.sock
  - /opt/traefik/traefik.toml:/traefik.toml
  - /opt/traefik/acme.json:/acme.json
labels:
  - "traefik.docker.network=web"
  - "traefik.port=8081"
  - "traefik.enable=true"
  - "traefik.frontend.rule=Host:your-awesome-host.com"
I'm trying to configure Traefik as a proxy for Docker containers running on DigitalOcean servers.
Here's my Traefik container configuration:
version: '2'
services:
  traefik:
    image: traefik
    restart: always
    command: --docker
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/traefik.toml:/traefik.toml
      - $PWD/acme.json:/acme.json
    container_name: traefik
    environment:
      DO_AUTH_TOKEN: abcd
    labels:
      - traefik.frontend.rule=Host:monitor.example.com
      - traefik.port=8080
networks:
  proxy:
    external: true
And traefik.toml:
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
[web.auth.basic]
users = ["admin:secretpassword"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "lakshmi@example.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
When I try to access https://monitor.example.com, I get this error:
traefik | time="2018-05-29T15:35:32Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.com\" detected thanks to rule \"Host:monitor.example.com\" : cannot obtain certificates: acme: Error -> One or more domains had a problem:\n[monitor.example.com] Error presenting token: HTTP 403: forbidden: You do not have access for the attempted action.\n"
I have given a valid DO token and pointed monitor.example.com to the VM running Traefik. Am I missing any step?
I was getting a 403 because Traefik was trying to write a TXT entry for ACME DNS challenge in my DigitalOcean domain using a read-only token. I changed it to a read-write token and it worked fine.
For anyone else having this issue, make sure acme.json has 600 permissions. Don't create or touch acme.json yourself. Let Traefik create it. After the pod is created, check permissions on acme.json.
The problem I found is that Traefik creates acme.json and sets it to 600. After running an upgrade, acme.json changed to 660 and started giving the 'unknown resolver letsencrypt' error. The fix was to uncomment the 'initContainers' lines in the values.yml of the Traefik Helm chart. Basically it sets permissions to 600 before startup. Hacky, but it works.
deployment:
  enabled: true
  # Can be either Deployment or DaemonSet
  kind: Deployment
  replicas: 1
  annotations: {}
  labels: {}
  podAnnotations: {}
  podLabels: {}
  additionalContainers: []
  volumeMounts:
    - name: csi-pvc
  initContainers:
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /data/*"]
      volumeMounts:
        - name: csi-pvc
          mountPath: /data
  dnsPolicy: ClusterFirstWithHostNet
  imagePullSecrets: []
I'm trying to deploy a private registry on my Docker swarm.
I'm following the official Docker registry guide to deploy it as a service. I want to be able to use it with HTTPS, from outside, with a simple URL such as https://myregistry.mysite.com.
To do so I use the following Traefik labels in my stack yml file:
traefik.backend: "privateregistry"
traefik.docker.network: "webgateway" # docker overlay external
traefik.enable: "true"
traefik.frontend.entryPoint: "https"
traefik.frontend.redirect.entryPoint: "https"
traefik.frontend.rule: "Host:myregistry.mysite.com"
traefik.port: "5000"
I'm seeing my two frontend/backend entries in the Traefik UI, but when I access https://myregistry.mysite.com/v2/ (for example) I get a 500 fatal error. The service log output is:
http: TLS handshake error from 10.0.0.68:47796: tls: first record does not look like a TLS handshake
I think I misunderstood something, probably on the certs side.
Any idea how to do that without error?
Thanks
I suppose you are missing the certificate of the (registry) server on your client machine. I assume you have two certificate files (used on the server):
myregistry.mysite.com.crt
myregistry.mysite.com.key
Copy myregistry.mysite.com.crt on your client machine to /etc/docker/certs.d/myregistry.mysite.com/ca.crt on Linux or
~/.docker/certs.d/myregistry.mysite.com/ca.crt on Mac. Now you should be able to login from the client:
docker login myregistry.mysite.com
Appendix - Server Setup
Your server setup might look like this:
~/certs/myregistry.mysite.com.crt
~/certs/myregistry.mysite.com.key
~/docker-compose.yml
~/traefik.toml
docker-compose.yml
version: '3'
services:
  frontproxy:
    image: traefik
    command: --api --docker --docker.swarmmode
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./certs:/etc/ssl:ro
      - ./traefik.toml:/etc/traefik/traefik.toml:ro
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
  docker-registry:
    image: registry:2
    deploy:
      labels:
        - traefik.port=5000 # default port exposed by the registry
        - traefik.frontend.rule=Host:myregistry.mysite.com
traefik.toml
defaultEntryPoints = ["http", "https"]
# Redirect HTTP to HTTPS and use certificate, see https://docs.traefik.io/configuration/entrypoints/
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/myregistry.mysite.com.crt"
keyFile = "/etc/ssl/myregistry.mysite.com.key"
# Docker Swarm Mode Provider, see https://docs.traefik.io/configuration/backends/docker/#docker-swarm-mode
[docker]
endpoint = "tcp://127.0.0.1:2375"
domain = "docker.localhost"
watch = true
swarmMode = true
To deploy your registry run:
docker stack deploy myregistry -c ~/docker-compose.yml