Bookstack with traefik as reverse proxy - docker

I'm trying to set up Bookstack with traefik as a reverse proxy. traefik is already set up and running fine with Nextcloud and other services.
I'm using the image provide by linuxserver and am modifying the docker-compose file as follows:
version: "2"
services:
bookstack:
image: lscr.io/linuxserver/bookstack
container_name: bookstack
environment:
- PUID=1000
- PGID=1000
- APP_URL=my-sub.domain.com
- DB_HOST=bookstack_db
- DB_USER=dbusernamesetbyme
- DB_PASS=thedbpasswordichose
- DB_DATABASE=bookstackapp
volumes:
- /path/to/data:/config
ports:
- 6875:80
restart: unless-stopped
depends_on:
- bookstack_db
bookstack_db:
image: lscr.io/linuxserver/mariadb
container_name: bookstack_db
environment:
- PUID=1000
- PGID=1000
- MYSQL_ROOT_PASSWORD=modifiedpassword
- TZ=Europe/Berlin
- MYSQL_DATABASE=bookstackapp
- MYSQL_USER=usernamesetbyme
- MYSQL_PASSWORD=anotherpassword
volumes:
- /path/to/data:/config
restart: unless-stopped
labels:
traefik.enable: "true"
traefik.http.routers.bookstack.entrypoints: "http"
traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.de`)"
traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
traefik.http.routers.bookstack-secure.entrypoints: "https"
traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
traefik.http.routers.bookstack-secure.tls: "true"
traefik.http.routers.bookstack-secure.tls.certresolver: "http"
traefik.http.routers.bookstack-secure.service: "bookstack"
traefik.http.services.bookstack.loadbalancer.server.port: "80"
traefik.docker.network: "nameofmyproxynetwork"
networks:
- nameofmyproxynetwork
When I call my-sub.domain.com I get a Gateway Timeout. If I leave out the labels and the APP_URL, I can call bookstack via the host-ip and the port e. g. 101.101.101.101:6875 it works just fine.
Any ideas?
Best regards!

Try to move labels: from bookstack_db: to bookstack:. I set up Bookstack with Trefik locally and it worked.
You can use this docker-compose.yaml for reference:
version: "3.7"
services:
bookstack:
image: linuxserver/bookstack:latest
container_name: bookstack
environment:
- APP_URL=my-sub.domain.com
- TZ=Europe/Berlin
- DB_HOST=bookstack_db:3306
- DB_DATABASE=bookstackapp
- DB_USERNAME=dbusernamesetbyme
- DB_PASSWORD=thedbpasswordichose
volumes:
- ./bookstack/app:/config
ports:
- 6875:80
restart: unless-stopped
depends_on:
- bookstack_db
labels:
traefik.enable: "true"
traefik.http.routers.bookstack.entrypoints: "http"
traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.de`)"
traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
traefik.http.routers.bookstack-secure.entrypoints: "https"
traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
traefik.http.routers.bookstack-secure.tls: "true"
traefik.http.routers.bookstack-secure.tls.certresolver: "http"
traefik.http.routers.bookstack-secure.service: "bookstack"
# traefik.http.services.bookstack.loadbalancer.server.port: "80"
# traefik.docker.network: "nameofmyproxynetwork"
networks:
- nameofmyproxynetwork
bookstack_db:
image: mariadb:10.9
container_name: bookstack_db
environment:
- TZ=Europe/Berlin
- MYSQL_ROOT_PASSWORD=modifiedpassword
- MYSQL_DATABASE=bookstackapp
- MYSQL_USER=usernamesetbyme
- MYSQL_PASSWORD=anotherpassword
volumes:
- ./bookstack/db:/var/lib/mysql
ports:
- 3306:3306
restart: unless-stopped
networks:
- nameofmyproxynetwork
networks:
nameofmyproxynetwork:
external: true
I attach also my original labels: config, just in case.
labels:
- traefik.enable=true
- traefik.http.routers.bookstack-http.entrypoints=web
- traefik.http.routers.bookstack-http.rule=Host(`bookstack.docker.localdev`)
- traefik.http.routers.bookstack-http.middlewares=bookstack-https
- traefik.http.middlewares.bookstack-https.redirectscheme.scheme=https
- traefik.http.routers.bookstack-https.entrypoints=websecure
- traefik.http.routers.bookstack-https.rule=Host(`bookstack.docker.localdev`)
- traefik.http.routers.bookstack-https.tls=true"

So, I've got some external help and got a .yml-file that worked:
version: "3.7"
services:
bookstack:
image: linuxserver/bookstack:latest
container_name: bookstack
environment:
- APP_URL=https://my-sub.domain.com
- TZ=Europe/Berlin
# - PUID= # = stat ./bookstack/app --format "%u"
# - PGID= # = stat ./bookstack/app --format "%g"
- DB_HOST=bookstack_db
- DB_DATABASE=bookstackdb
- DB_USERNAME=<dbuser>
- DB_PASSWORD=<dbpassword>
volumes:
- ./bookstack/app:/config
ports:
- 6875:80
restart: unless-stopped
depends_on:
- bookstack_db
labels:
traefik.enable: "true"
traefik.docker.network: "proxy"
traefik.http.routers.bookstack.entrypoints: "http"
traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.com`)"
traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
traefik.http.routers.bookstack-secure.entrypoints: "https"
traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
traefik.http.routers.bookstack-secure.tls: "true"
traefik.http.routers.bookstack-secure.tls.certresolver: "http"
traefik.http.services.bookstack.loadbalancer.server.port: "80"
networks:
- default
- proxy
bookstack_db:
image: lscr.io/linuxserver/mariadb
container_name: bookstack_db
environment:
- TZ=Europe/Berlin
- MYSQL_ROOT_PASSWORD=<dbrootpassword>
- MYSQL_DATABASE=bookstackdb
- MYSQL_USER=<dbuser>
- MYSQL_PASSWORD=<dbpassword>
volumes:
- ./bookstack/db:/var/lib/mysql
restart: unless-stopped
networks:
- default
networks:
default:
name: bookstack-default
proxy:
external: true
One issue of mine was, that I did not realize, that DB_USERNAME and MYSQL_USER, and DB_PASSWORD and MYSQL_PASSWORD had to contain the same variable.
Furthermore I'm going to provide my traefik.yml, as it shows that I did not use the typical labelnames.
api:
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: "./dynamic_conf.yml"
certificatesResolvers:
http:
acme:
email: username#domain.com
storage: acme.json
httpChallenge:
entryPoint: http
Hope that helps somebody else!

Related

I want docker to listen to "http://localhost/user" and forward to "http://portal.local/user" using traefik

I've got my docker environment setup using traefik and I've got two services running at the moment.
I'm using Google OAuth for authentication which redirects to my web application with auth-code. The redirect URL isn't allowed anything but localhost or localhost:<any-port> or any CDN. I've setup my docker for http://portal.local.
I now want http://localhost/user/googleLogin?code=xxxxxxxxxx to be translated to http://portal.local/user/googleLogin?code=xxxxxxxx for further processing of authentication.
Right now, I'm having to manually change localhost to portal.local in browser URL after it gives site not found error, which then takes me to further processing.
Below is my docker-compose.yml file.
version: "3.9"
services:
portal-traefik:
container_name: portal-traefik
command:
- --api.insecure=true
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --entrypoints.web.address=:80
# - --entrypoints.websecure.address=:443
# - --certificatesresolvers.myresolver.acme.httpchallenge=true
# - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
# - --certificatesresolvers.myresolver.acme.email=ssl#idealsalessolutions.com
# - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
image: traefik:latest
networks:
api_driven:
ports:
- "80:80"
- "8080:8080"
# - "443:443"
restart: unless-stopped
volumes:
- portal_acme:/acme
- /var/run/docker.sock:/var/run/docker.sock:ro
api-i4f:
container_name: api-i4f
depends_on:
- php-i4f
- portal-traefik
image: nginx:stable-alpine
labels:
- traefik.enable=true
- traefik.http.routers.api.rule=Host(`api.local`)
networks:
api_driven:
restart: unless-stopped
volumes:
- ../docker.sites/api.local:/usr/share/nginx/api.local
- ./conf/nginx/conf.d:/etc/nginx/conf.d:ro
command: [nginx, '-g', 'daemon off;']
hostname: api.local
portal-i4f:
container_name: portal-i4f
depends_on:
- php-i4f
- portal-traefik
image: nginx:stable-alpine
labels:
- traefik.enable=true
- traefik.http.routers.portal.rule=Host(`portal.local`)
networks:
api_driven:
restart: unless-stopped
volumes:
- ../docker.sites/portal.local:/usr/share/nginx/portal.local
- ./conf/nginx/conf.d:/etc/nginx/conf.d:ro
command: [nginx, '-g', 'daemon off;']
hostname: portal.local
php-i4f:
container_name: php-i4f
depends_on:
- portal-traefik
image: isshub/core:php7.4.30-fpm-alpine3.16-intl-mysql
networks:
api_driven:
restart: unless-stopped
volumes:
- ../docker.sites/api.local:/usr/share/nginx/api.local
- ../docker.sites/portal.local:/usr/share/nginx/portal.local
networks:
api_driven:
name: "api_driven"
volumes:
portal_acme:
I've tried to use multiple router rules to listen to both localhost and portal.local using regex/replacement middlewares as well but that stops the service at all and gives 404 error.

How do I configure Traefik with this?

I can't for the life of me figure out how this should be setup.
Here's the docker-compose.yml (heavily redacted)
version: '2'
services:
traefik:
container_name: traefik
image: traefik:latest
command:
- --entrypoints.web.address=:80
- --providers.docker
- --api.insecure
ports:
- "80:80"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
web:
transmission:
image: linuxserver/transmission
container_name: transmission
volumes:
- # bla bla bla
restart: unless-stopped
labels:
- traefik.http.routers.transmission.rule=Host(`transmission.foo.lan`)
- traefik.http.services.transmission.loadbalancer.server.port=9091
- traefik.docker.network=web
environment:
- TZ=Europe/ahhdsa
- PUID=1234
- PGID=1234
ports:
- 9091:9091
dns:
# local dns
networks:
web:
extravlan:
ipv4_address: # local ip
networks:
web:
external: true
extravlan:
driver: macvlan
# plus configuration for interface
I have DNS working, traefik & transmission are on the same machine. But I can't visit transmission.foo.lan from my laptop (no firewall rules blocking this either), it just times out.
Any pointers?
I think you are missing - "traefik.enable=true" and entrypoint on the router label on the transmission container.
Try:
version: '2'
services:
traefik:
container_name: traefik
image: traefik:latest
command:
- --entrypoints.web.address=:80
- --providers.docker
- --api.insecure
ports:
- "80:80"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
web:
transmission:
image: linuxserver/transmission
container_name: transmission
volumes:
- # bla bla bla
restart: unless-stopped
labels:
- traefik.enable=true
- traefik.http.routers.transmission.rule=Host(`transmission.foo.lan`)
- traefik.http.services.transmission.loadbalancer.server.port=9091
- traefik.http.routers.transmission.entrypoint=web
# - traefik.docker.network=web
environment:
- TZ=Europe/ahhdsa
- PUID=1234
- PGID=1234
ports:
- 9091:9091
dns:
# local dns
networks:
web:
extravlan:
ipv4_address: # local ip

Proxy web interface with help traefik

I'm trying to proxy the pgAdmin web interface using segment URLs. But I have some problems with this.
When I'm accessing the browser with the following URL -> http://localhost/pgadmin, it redirects me to the following URL -> http://localhost/login?next=%2F. This is the internal routing of pgAdmin.
I want routing to be next http://localhost/pgadmin/login?next=%2F.
Could you tell me how can I achieve this.
Here is an example of my docker-compose configuration
version: '3.7'
services:
traefik:
image: traefik:v2.2
container_name: traefik
restart: always
networks:
applications_network:
ipv4_address: 172.20.1.1
ports:
- "80:80"
- "8080:8080"
command:
- "--api.insecure=true --providers.docker"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--log.level=debug"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
pgAdmin4:
image: dpage/pgadmin4:latest
container_name: pgAdmin4
restart: always
networks:
applications_network:
ipv4_address: 172.20.2.1
ports:
- "15432:80"
environment:
PGADMIN_DEFAULT_EMAIL: "admin#test.com"
PGADMIN_DEFAULT_PASSWORD: "postgres"
labels:
- "traefik.enable=true"
- "traefik.http.routers.pgAdmin4.rule=Host(`localhost`)"
- "traefik.http.middlewares.pgAdmin4-prefix.stripprefix.prefixes=/pgadmin"
- "traefik.http.routers.pgAdmin4.middlewares=pgAdmin4-prefix"
- "traefik.http.routers.pgAdmin4.entrypoints=web"
- "traefik.http.routers.pgAdmin4.service=pgAdmin4"
- "traefik.http.services.pgAdmin4.loadbalancer.server.port=80"
networks:
applications_network:
name: applications_network
ipam:
driver: default
config:
- subnet: 172.20.0.0/16
Thanks in advance.

Traefik 2.2 unable to get letsencrypt certificate

I am having an application with a MongoDB container, a python backend service, a portainer. Traefik is used for routing to portainer and the backend (one API endpoint). The routing works perfectly. However, I want to use SSL, but Traefik 2.2 doesn't fetch the LetsEncrypt certificate.
Dockerfile (I am packing a container, to do a chmod of acme.json)
FROM traefik:v2.2
COPY traefik /etc/traefik
RUN chmod 600 /etc/traefik/acme.json
docker-compose.yml:
version: "3.3"
services:
backend:
image: registry.gitlab.com/uuuu/backend:latest
container_name: backend
ports:
- 5000
environment:
- CONNECTOR=$CONNECTOR
- CONNECTOR_MAX_WORKERS=$CONNECTOR_MAX_WORKERS
- LOGLEVEL=$LOGLEVEL
- MONGODB_URI=mongodb://scraper-db/blubb
depends_on:
- db
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.backend.rule=Host(`app.mydomain.com`)'
- 'traefik.http.routers.backend.rule=PathPrefix(`/api/bla/`)'
- 'traefik.http.routers.backend.tls=true'
- 'traefik.http.routers.backend.tls.certresolver=lets-encrypt'
- "traefik.http.routers.backend.middlewares=autocompletionreplacer"
- "traefik.http.middlewares.autocompletionreplacer.replacepathregex.regex=^/api/bla/(.*)"
- "traefik.http.middlewares.autocompletionreplacer.replacepathregex.replacement=/$$1"
portainer:
image: portainer/portainer:latest
container_name: portainer
ports:
- 9000
volumes:
- /etc/localtime:/etc/localtime
- /var/run/docker.sock:/var/run/docker.sock
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`app.mydomain.com`)"
- 'traefik.http.routers.portainer.rule=PathPrefix(`/portainer/`)'
- 'traefik.http.routers.portainer.tls=true'
- 'traefik.http.routers.portainer.tls.certresolver=lets-encrypt'
- "traefik.http.routers.portainer.middlewares=portainerreplacer"
- "traefik.http.middlewares.portainerreplacer.replacepathregex.regex=^/portainer/(.*)"
- "traefik.http.middlewares.portainerreplacer.replacepathregex.replacement=/$$1"
proxy:
image: my-proxy:latest
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./traefik:/etc/traefik:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
build: .
db:
image: mongo:3.7
container_name: db
ports:
- 27017
/etc/traefik/traefik.toml:
[log]
level = "DEBUG"
[providers]
[providers.docker]
exposedByDefault = false
[providers.file]
directory = "/etc/traefik/dynamic"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[certificatesResolvers.lets-encrypt.acme]
storage = "/etc/traefik/acme.json"
email = "bla#mydomain.com"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
/etc/traefik/dynamic/force-https.toml:
[http.routers]
[http.routers.force-https]
entryPoints = ["http"]
middlewares = ["force-https"]
rule = "HostRegexp(`{any:.+}`)"
service = "noop"
[http.middlewares]
[http.middlewares.force-https.redirectScheme]
scheme = "https"
[http.services]
[http.services.noop.loadBalancer]
I don't see any error in the logs. However I am getting this in the browser:
ea351828037eb97754d6ed00d36a2108.e645b5289e7388055e4ecd78af554f8.traefik.default.
Fehlercode: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
Is there anything I am missing?
I figured it out by myself. I had to add this to the docker-compose file for each service:
traefik.http.routers.fiverr-autocompletion.tls.domains[0].main=app.mydomain.com
The correct docker-compose looks like this then:
version: "3.3"
services:
backend:
image: registry.gitlab.com/uuuu/backend:latest
container_name: backend
ports:
- 5000
environment:
- CONNECTOR=$CONNECTOR
- CONNECTOR_MAX_WORKERS=$CONNECTOR_MAX_WORKERS
- LOGLEVEL=$LOGLEVEL
- MONGODB_URI=mongodb://scraper-db/blubb
depends_on:
- db
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.backend.rule=Host(`app.mydomain.com`)'
- 'traefik.http.routers.backend.rule=PathPrefix(`/api/bla/`)'
- 'traefik.http.routers.backend.tls.domains[0].main=app.mydomain.com'
- 'traefik.http.routers.backend.tls=true'
- 'traefik.http.routers.backend.tls.certresolver=lets-encrypt'
- "traefik.http.routers.backend.middlewares=autocompletionreplacer"
- "traefik.http.middlewares.autocompletionreplacer.replacepathregex.regex=^/api/bla/(.*)"
- "traefik.http.middlewares.autocompletionreplacer.replacepathregex.replacement=/$$1"
portainer:
image: portainer/portainer:latest
container_name: portainer
ports:
- 9000
volumes:
- /etc/localtime:/etc/localtime
- /var/run/docker.sock:/var/run/docker.sock
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`app.mydomain.com`)"
- 'traefik.http.routers.portainer.rule=PathPrefix(`/portainer/`)'
- 'traefik.http.routers.portainer.tls.domains[0].main=app.mydomain.com'
- 'traefik.http.routers.portainer.tls=true'
- 'traefik.http.routers.portainer.tls.certresolver=lets-encrypt'
- "traefik.http.routers.portainer.middlewares=portainerreplacer"
- "traefik.http.middlewares.portainerreplacer.replacepathregex.regex=^/portainer/(.*)"
- "traefik.http.middlewares.portainerreplacer.replacepathregex.replacement=/$$1"
proxy:
image: my-proxy:latest
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./traefik:/etc/traefik:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
build: .
db:
image: mongo:3.7
container_name: db
ports:
- 27017
/etc/traefik/traefik.toml:

configure traefik as reverse proxy with docker

I am trying to configure traefik to connect between my 3 docker containers.
I tried with this configuration but I got net::ERR_NAME_NOT_RESOLVED on my browser console.
searchservice:
hostname: searchservice
image: searchservice:0.0.3-SNAPSHOT
container_name: searchservice
networks:
- es-network
#ipv4_address: 172.21.0.12
ports:
- 8070:8080
restart: always
depends_on:
- elasticsearch
- reverseproxy
labels:
- "traefik.frontend.rule=PathPrefix:/searchservice,Host:localhost"
- "traefik.port: 8070"
- "traefik.enable=true"
subscriber-service:
hostname: subscriber-service
image: subscriberservice:0.0.4-SNAPSHOT
container_name: subscriber-service
networks:
- es-network
#ipv4_address: 172.21.0.13
ports:
- 8090:8090
restart: always
depends_on:
- mongo1
- mongo2
- reverseproxy
labels:
- "traefik.frontend.rule=PathPrefix:/api,Host:localhost"
- "traefik.port: 8090"
- "traefik.enable=true"
searchappfront:
hostname: searchappfront
image: frontservice:latest
container_name: searchappfront
networks:
- es-network
ports:
- 80:80
restart: always
depends_on:
- subscriber-service
- searchservice
- reverseproxy
labels:
- "traefik.frontend.rule=PathPrefix:/"
- "traefik.enable=true"
- "traefik.port=80"
# - "traefik.frontend.rule=Host:localhost"
reverseproxy:
image: traefik:v2.1
command:
- '--providers.docker=true'
- '--entryPoints.web.address=:80'
- '--providers.providersThrottleDuration=2s'
- '--providers.docker.watch=true'
- '--providers.docker.defaultRule=Host("local.me")'
- '--accessLog.bufferingSize=0'
volumes:
- '/var/run/docker.sock:/var/run/docker.sock:ro'
#ports:
# - '80:80'
# - '8080:8080'
The searchappfront is an angular application where the http endPoints have this pattern
http://subscriber-service:8090/
http://searchservice:8070/
if I use localhost instead of hostnames, requests work fine but I need to deploy these containers in a cloud instance.
You are using traefik 2, but your annotation is for traefik 1. This is not going to work.

Resources