I installed the traefik v2 in the container, set it up, but when I go to the domain, I get "404 page not found" and not a dashboard.
This is my first time doing this so I'm asking the community for help.
Below are my settings files.
docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik:v2.8
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./ssl:/ssl
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.DOMAIN.com`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
traefik.yml
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
http:
  routers:
    http-catchall:
      rule: hostregexp(`{host:.+}`)
      entrypoints:
        - http
      middlewares:
        - redirect-to-https
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: false
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  letsEncrypt:
    acme:
      email: mail@example.com
      storage: /ssl/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: http
api:
  dashboard: true
I have found many similar questions online, but I am certainly lost in this topic which is new for me and I hope somebody can guide me through my problem. In my setup, I have a docker container which runs a secure version on port 8443 and a "read-only" version on port 8080. Now I want to use Traefik as a proxy to then reroute all requests to the secure version, ignoring the read-only. While the dashboard indicates routing to the service, I am just receiving an "Unable to connect" when trying to access the webpage.
As a compose file:
version: "3.7"
services:
  traefik:
    image: traefik:2.5
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "433:433"
    command: --api.insecure=false --providers.docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/cloud/traefik.yml:/etc/traefik/traefik.yml
    networks:
      - traefik-network
  my-service:
    image: my-image
    env_file: variables.env
    container_name: my-image
    restart: always
    ports:
      - "8080:8080"
      - "8443:8443"
    networks:
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-service.entryPoints=websecure"
      - "traefik.http.routers.my-service.rule=Host(`domain.com`)"
      - "traefik.http.services.my-service.loadbalancer.server.port=8443"
networks:
  traefik-network:
    name: traefik-network
And the traefik.yml:
################################################################
# Provider configuration
################################################################
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # default
    exposedByDefault: true # default
    network: traefik-network
################################################################
# Entrypoint
################################################################
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
Maybe somebody has an idea where I went in the wrong direction.
Best
I'm trying to set up Bookstack with traefik as a reverse proxy. traefik is already set up and running fine with Nextcloud and other services.
I'm using the image provided by linuxserver and am modifying the docker-compose file as follows:
version: "2"
services:
  bookstack:
    image: lscr.io/linuxserver/bookstack
    container_name: bookstack
    environment:
      - PUID=1000
      - PGID=1000
      - APP_URL=my-sub.domain.com
      - DB_HOST=bookstack_db
      - DB_USER=dbusernamesetbyme
      - DB_PASS=thedbpasswordichose
      - DB_DATABASE=bookstackapp
    volumes:
      - /path/to/data:/config
    ports:
      - 6875:80
    restart: unless-stopped
    depends_on:
      - bookstack_db
  bookstack_db:
    image: lscr.io/linuxserver/mariadb
    container_name: bookstack_db
    environment:
      - PUID=1000
      - PGID=1000
      - MYSQL_ROOT_PASSWORD=modifiedpassword
      - TZ=Europe/Berlin
      - MYSQL_DATABASE=bookstackapp
      - MYSQL_USER=usernamesetbyme
      - MYSQL_PASSWORD=anotherpassword
    volumes:
      - /path/to/data:/config
    restart: unless-stopped
    labels:
      traefik.enable: "true"
      traefik.http.routers.bookstack.entrypoints: "http"
      traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.de`)"
      traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
      traefik.http.routers.bookstack-secure.entrypoints: "https"
      traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
      traefik.http.routers.bookstack-secure.tls: "true"
      traefik.http.routers.bookstack-secure.tls.certresolver: "http"
      traefik.http.routers.bookstack-secure.service: "bookstack"
      traefik.http.services.bookstack.loadbalancer.server.port: "80"
      traefik.docker.network: "nameofmyproxynetwork"
    networks:
      - nameofmyproxynetwork
When I call my-sub.domain.com I get a Gateway Timeout. If I leave out the labels and the APP_URL, I can call bookstack via the host-ip and the port e. g. 101.101.101.101:6875 it works just fine.
Any ideas?
Best regards!
Try to move labels: from bookstack_db: to bookstack:. I set up Bookstack with Traefik locally and it worked.
You can use this docker-compose.yaml for reference:
version: "3.7"
services:
  bookstack:
    image: linuxserver/bookstack:latest
    container_name: bookstack
    environment:
      - APP_URL=my-sub.domain.com
      - TZ=Europe/Berlin
      - DB_HOST=bookstack_db:3306
      - DB_DATABASE=bookstackapp
      - DB_USERNAME=dbusernamesetbyme
      - DB_PASSWORD=thedbpasswordichose
    volumes:
      - ./bookstack/app:/config
    ports:
      - 6875:80
    restart: unless-stopped
    depends_on:
      - bookstack_db
    labels:
      traefik.enable: "true"
      traefik.http.routers.bookstack.entrypoints: "http"
      traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.de`)"
      traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
      traefik.http.routers.bookstack-secure.entrypoints: "https"
      traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
      traefik.http.routers.bookstack-secure.tls: "true"
      traefik.http.routers.bookstack-secure.tls.certresolver: "http"
      traefik.http.routers.bookstack-secure.service: "bookstack"
      # traefik.http.services.bookstack.loadbalancer.server.port: "80"
      # traefik.docker.network: "nameofmyproxynetwork"
    networks:
      - nameofmyproxynetwork
  bookstack_db:
    image: mariadb:10.9
    container_name: bookstack_db
    environment:
      - TZ=Europe/Berlin
      - MYSQL_ROOT_PASSWORD=modifiedpassword
      - MYSQL_DATABASE=bookstackapp
      - MYSQL_USER=usernamesetbyme
      - MYSQL_PASSWORD=anotherpassword
    volumes:
      - ./bookstack/db:/var/lib/mysql
    ports:
      - 3306:3306
    restart: unless-stopped
    networks:
      - nameofmyproxynetwork
networks:
  nameofmyproxynetwork:
    external: true
I attach also my original labels: config, just in case.
labels:
  - traefik.enable=true
  - traefik.http.routers.bookstack-http.entrypoints=web
  - traefik.http.routers.bookstack-http.rule=Host(`bookstack.docker.localdev`)
  - traefik.http.routers.bookstack-http.middlewares=bookstack-https
  - traefik.http.middlewares.bookstack-https.redirectscheme.scheme=https
  - traefik.http.routers.bookstack-https.entrypoints=websecure
  - traefik.http.routers.bookstack-https.rule=Host(`bookstack.docker.localdev`)
  - traefik.http.routers.bookstack-https.tls=true
So, I've got some external help and got a .yml-file that worked:
version: "3.7"
services:
  bookstack:
    image: linuxserver/bookstack:latest
    container_name: bookstack
    environment:
      - APP_URL=https://my-sub.domain.com
      - TZ=Europe/Berlin
      # - PUID= # = stat ./bookstack/app --format "%u"
      # - PGID= # = stat ./bookstack/app --format "%g"
      - DB_HOST=bookstack_db
      - DB_DATABASE=bookstackdb
      - DB_USERNAME=<dbuser>
      - DB_PASSWORD=<dbpassword>
    volumes:
      - ./bookstack/app:/config
    ports:
      - 6875:80
    restart: unless-stopped
    depends_on:
      - bookstack_db
    labels:
      traefik.enable: "true"
      traefik.docker.network: "proxy"
      traefik.http.routers.bookstack.entrypoints: "http"
      traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.com`)"
      traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
      traefik.http.routers.bookstack-secure.entrypoints: "https"
      traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
      traefik.http.routers.bookstack-secure.tls: "true"
      traefik.http.routers.bookstack-secure.tls.certresolver: "http"
      traefik.http.services.bookstack.loadbalancer.server.port: "80"
    networks:
      - default
      - proxy
  bookstack_db:
    image: lscr.io/linuxserver/mariadb
    container_name: bookstack_db
    environment:
      - TZ=Europe/Berlin
      - MYSQL_ROOT_PASSWORD=<dbrootpassword>
      - MYSQL_DATABASE=bookstackdb
      - MYSQL_USER=<dbuser>
      - MYSQL_PASSWORD=<dbpassword>
    volumes:
      - ./bookstack/db:/var/lib/mysql
    restart: unless-stopped
    networks:
      - default
networks:
  default:
    name: bookstack-default
  proxy:
    external: true
One issue of mine was that I did not realize that DB_USERNAME and MYSQL_USER, and DB_PASSWORD and MYSQL_PASSWORD, had to contain the same variable.
Furthermore, I'm going to provide my traefik.yml, as it shows that I did not use the typical label names.
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "./dynamic_conf.yml"
certificatesResolvers:
  http:
    acme:
      email: username@domain.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
Hope that helps somebody else!
My problem is self assigned cert instead of lets-encrypt cert
docker-compose.yml:
version: "3.7"
services:
  traefik:
    image: traefik
    command:
      - --api
      - --providers.docker
      - --providers.docker.exposedbydefault=false
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/data/traefik.yml:/etc/traefik/traefik.yml
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - public
      - private
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.dashboard.rule=Host(`dashboard.example.com`)"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.middlewares=auth"
        - "traefik.http.middlewares.auth.basicauth.users=admin:admin"
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
service labels
- "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.registry.tls.domains[0].main=example.com"
- "traefik.http.routers.registry.tls.domains[0].sans=*.example.com"
- "traefik.http.routers.gites.tls.certresolver=resolver"
- "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"
traefik.yml:
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  resolver:
    acme:
      email: mail@example.com
      storage: acme.json
      tlsChallenge: {}
This is what I get in my Firefox:
This happens because the browser takes the Traefik default cert, but it must be the Let's Encrypt cert. With log level debug I get
level=debug msg="http: TLS handshake error from 192.168.80.1:53932: remote error: tls: bad certificate"
I solved my problem
docker-compose.yml:
version: "3.7"
services:
  traefik:
    image: traefik:v2.2.11
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/data/traefik.yml:/etc/traefik/traefik.yml
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/data/letsencrypt:/letsencrypt
    networks:
      - public
      - private
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`dashboard.example.com`)"
      # redirectscheme.scheme takes the URL scheme (https), not an entrypoint name
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`dashboard.example.com`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=resolver"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
  gitea:
    image: gitea/gitea:latest
    environment:
      - APP_NAME=Gitea
      - USER_UID=1000
      - USER_GID=1000
      - ROOT_URL=https://gitea.example.com
      - SSH_DOMAIN=gitea.example.com
      - SSH_PORT=2222
      - HTTP_PORT=3000
      - DB_TYPE=postgres
      - DB_HOST=gitea-db:5432
      - DB_NAME=gitea
      - DB_USER=gitea
      - DB_PASSWD=gitea
    volumes:
      - gitea_app:/data
    ports:
      - 2222:2222
    networks:
      - public
      - private
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.entrypoints=web"
      - "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
      # redirectscheme.scheme takes the URL scheme (https), not an entrypoint name
      - "traefik.http.middlewares.gitea-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.gitea.middlewares=gitea-https-redirect"
      - "traefik.http.routers.gitea-secure.entrypoints=websecure"
      - "traefik.http.routers.gitea-secure.rule=Host(`gitea.example.com`)"
      - "traefik.http.routers.gitea-secure.tls=true"
      - "traefik.http.routers.gitea-secure.tls.certresolver=resolver"
      - "traefik.http.routers.gitea-secure.service=gitea"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
      - "traefik.docker.network=public"
  gitea-db:
    image: postgres:alpine
    volumes:
      - gitea_db:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=gitea
      - POSTGRES_PASSWORD=gitea
      - POSTGRES_DB=gitea
    networks:
      - private
traefik.yml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
api:
  dashboard: true
log:
  level: DEBUG
providers:
  docker:
    exposedbydefault: false
    endpoint: "unix:///var/run/docker.sock"
    swarmMode: true
certificatesResolvers:
  resolver:
    acme:
      email: mail@example.com
      storage: letsencrypt/acme.json
      httpChallenge:
        entryPoint: web
Also, I have an empty letsencrypt folder for the acme.json file.
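In the question's service labels the rule and entrypoint are set on router `gitea`, the TLS domains on `registry` and the certresolver on `gites`, so the router that serves the site has `tls=true` but no resolver. The linter below is an added example, not code from the posts or from Traefik; `lint_labels` is a hypothetical helper, and the entrypoint and resolver names passed to it are assumed to be copied by hand from traefik.yml.

```python
import re

# Matches traefik.http.<kind>.<name>.<option> label keys.
LABEL = re.compile(r"^traefik\.http\.(routers|middlewares|services)\.([^.]+)\.(.+)$")

def lint_labels(labels, entrypoints, resolvers):
    """Return findings for 'key=value' Docker labels, checked against the
    entrypoint and certificate resolver names defined in traefik.yml."""
    routers, findings = {}, []
    for label in labels:
        key, _, value = label.partition("=")
        m = LABEL.match(key.strip())
        if not m:
            continue
        kind, name, option = m.group(1), m.group(2), m.group(3).lower()
        if kind == "routers":
            routers.setdefault(name, {})[option] = value
        elif option == "redirectscheme.scheme" and value not in ("http", "https"):
            findings.append(f"middleware {name}: '{value}' is not a URL scheme")
    for name, opts in routers.items():
        if "rule" not in opts:
            findings.append(f"router {name}: has options but no rule (misspelled name?)")
            continue
        for ep in filter(None, (e.strip() for e in opts.get("entrypoints", "").split(","))):
            if ep not in entrypoints:
                findings.append(f"router {name}: unknown entrypoint '{ep}'")
        resolver = opts.get("tls.certresolver")
        if resolver and resolver not in resolvers:
            findings.append(f"router {name}: unknown certresolver '{resolver}'")
        if opts.get("tls") == "true" and not resolver:
            # Served from file-provider certificates or Traefik's default certificate.
            findings.append(f"router {name}: tls enabled without certresolver")
    return findings

# Service labels as posted in the question, plus one constructed redirect label.
QUESTION_LABELS = [
    "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)",
    "traefik.http.routers.gitea.entrypoints=websecure",
    "traefik.http.routers.gitea.tls=true",
    "traefik.http.routers.registry.tls.domains[0].main=example.com",
    "traefik.http.routers.registry.tls.domains[0].sans=*.example.com",
    "traefik.http.routers.gites.tls.certresolver=resolver",
    "traefik.http.services.gitea-svc.loadbalancer.server.port=3000",
    "traefik.http.middlewares.to-https.redirectscheme.scheme=websecure",  # constructed
]

if __name__ == "__main__":
    for finding in lint_labels(QUESTION_LABELS, {"web", "websecure"}, {"resolver"}):
        print(finding)
```

A router flagged as "tls enabled without certresolver" is fine when its certificate comes from the file provider; otherwise clients see the default certificate, as in the question.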
I have traefik "traefik:v2.4.8" as a reverse proxy to docker container.
Everything works fine except the HTTPS request from server or Postman (request from frontend browser is fine)
The error is Unable to verify the first certificate
My workaround is to disable SSL verification in Postman and set NODE_TLS_REJECT_UNAUTHORIZED=0 in the other Node.js apps that send requests to this app.
I don't know where the issue is, but my company's wildcard certs work fine in another project using Nginx as a reverse proxy. I think I might have misconfigured something in Traefik.
I have little knowledge about TLS and HTTPS, so I'm not sure how to troubleshoot this problem.
Here is my config
traefik.yml
log:
  level: DEBUG
entryPoints:
  web-secure:
    address: ":443"
  web:
    address: ":80"
providers:
  docker:
    exposedByDefault: false
    network: docker_network
    endpoint: "unix:///var/run/docker.sock"
  file:
    filename: "dyn.yaml"
    watch: true
api:
  dashboard: false
accessLog: {}
dyn.yml
tls:
  certificates:
    - certFile: /etc/certs/certs.crt
      keyFile: /etc/certs/certs.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/certs.crt
        keyFile: /etc/certs/certs.key
  options:
    myTLSOptions:
      minVersion: VersionTLS12
docker-compose.yml
version: "3.0"
services:
  traefik:
    image: "traefik:v2.4.8"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - $PWD/traefik.yaml:/traefik.yaml
      - $PWD/dyn.yaml:/dyn.yaml
      - $PWD/certs/:/etc/certs/
networks:
  default:
    external:
      name: docker_network
api docker-compose.yml
version: "3"
services:
  backend:
    build: .
    user: "node"
    working_dir: /usr/src/app
    command: "npm start"
    expose:
      - 8080
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=docker_network"
      - "traefik.http.routers.backend-https.entrypoints=web-secure"
      - "traefik.http.routers.backend-https.priority=2"
      - "traefik.http.routers.backend-https.middlewares=backend-stripprefix"
      - "traefik.http.services.backend.loadbalancer.server.port=8080"
      - "traefik.http.routers.backend-https.tls=true"
      - "traefik.http.routers.backend-https.tls.domains[0].main=myapp.com"
      - "traefik.http.routers.backend-https.tls.domains[0].sans=*.myapp.com"
      - "traefik.http.routers.backend-https.tls.options=myTLSOptions@file"
      - "traefik.http.routers.backend-https.rule=Host(`myapp.com`) && PathPrefix(`/api`)"
      - "traefik.http.middlewares.backend-stripprefix.stripprefix.prefixes=/api"
      - "traefik.http.middlewares.backend-http-secured.chain.middlewares=backend-http-redirect-to-https, backend-stripprefix"
      - "traefik.http.middlewares.backend-http-redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.backend-http.entrypoints=web"
      - "traefik.http.routers.backend-http.rule=Host(`myapp.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.backend-http.priority=2"
      - "traefik.http.routers.backend-http.middlewares=backend-http-secured"
networks:
  default:
    external:
      name: docker_network
I'm trying to set up a private Docker registry behind reverse proxy (with Traefik v2).
I have a computer with two local domains in the internal network
The private docker registry could work without a password
I created self-signed certificates
Without traefik I can push and pull images to the domain "docker-registry.mydomain.de:443".
If I include traefik I get certificate errors, bad gateway or a 404 error.
What am I doing wrong? I have attached my code.
cat /srv/docker-compose/docker-compose.yml
version: '3.6'
services:
  docker-registry:
    image: registry:2
    #ports:
    ##- 5000:5000
    # - 443:443
    environment:
      - REGISTRY_HTTP_SECRET="mysecret"
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
      - REGISTRY_STORAGE_DELETE_ENABLED=true
      - REGISTRY_HTTP_ADDR=0.0.0.0:443
      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker-registry.mydomain.de.pem
      - REGISTRY_HTTP_TLS_KEY=/certs/docker-registry.mydomain.de-key.pem
    labels:
      - traefik.enable=true
      - traefik.http.routers.dr-http.entrypoints=http
      - traefik.http.routers.dr-http.rule=Host(`docker-registry.mydomain.de`)
      - traefik.http.routers.dr-http.middlewares=dr-https
      - traefik.http.middlewares.dr-https.redirectscheme.scheme=https
      - traefik.http.routers.dr.entrypoints=https
      - traefik.http.routers.dr.rule=Host(`docker-registry.mydomain.de`)
      - traefik.http.routers.dr.tls=true
      - traefik.http.services.dr.loadbalancer.server.port=443
      - traefik.docker.network=traefik-net
    volumes:
      - ./data:/data
      - ./certs:/certs
    networks:
      - traefik-net
networks:
  traefik-net:
    external: true
cat /srv/traefik/docker-compose.yml
version: '3.6'
services:
  reverse-proxy:
    image: traefik:latest
    networks:
      - traefik-net
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./conf:/etc/traefik
      - ./certs:/etc/ssl:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-http.entrypoints=http
      - traefik.http.routers.traefik-http.rule=Host(`traefik.mydomain.de`)
      - traefik.http.routers.traefik-http.middlewares=traefik-https
      - traefik.http.middlewares.traefik-https.redirectscheme.scheme=https
      - traefik.http.routers.traefik.entrypoints=https
      - traefik.http.routers.traefik.rule=Host(`traefik.mydomain.de`)
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.service=api@internal
networks:
  traefik-net:
    external: true
cat /srv/traefik/conf/traefik.yml
insecureSkipVerify: true
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true
cat /srv/traefik/conf/dynamic.yml
tls:
  certificates:
    - certFile: /tools/certs/_wildcard.pem
      keyFile: /tools/certs/_wildcard-key.pem
    - certFile: /tools/certs/traefik.mydomain.de.crt
      keyFile: /tools/certs/traefik.mydomain.de.key
    - certFile: /tools/certs/docker-registry.mydomain.de.pem
      keyFile: /tools/certs/docker-registry.mydomain.de.pem
All certificates are in the /srv/traefik/certs path.
Certificates are generated by the mkcert and openssl tools.
The problem in the code is that the Docker registry accepts only the intermediate.crt extension, with crt, not pem or csr. Change that and you will succeed.