Minio & console behind Traefik reverse proxy - docker

I'm trying to get an instance of MinIO working on my Docker Compose stack with a Traefik reverse proxy. The docker compose for MinIO and Traefik look like this:
traefik:
container_name: traefik
image: traefik:2.2.1
restart: unless-stopped
command:
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
- --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,1> - --entryPoints.traefik.address=:8080
- --api=true
- --log=true
- --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100
- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME_CLOUD_SERVER`)
- --providers.docker.exposedByDefault=false
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules
- --providers.file.watch=true
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
volumes:
- $DOCKERDIR/traefik2/rules:/rules
- /var/run/docker.sock:/var/run/docker.sock:ro
- $DOCKERDIR/traefik2/acme/acme.json:/acme.json
- $DOCKERDIR/traefik2/traefik.log:/traefik.log
- $DOCKERDIR/shared:/shared
environment:
- CF_API_EMAIL=$CLOUDFLARE_EMAIL
- CF_API_KEY=$CLOUDFLARE_API_KEY
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-rtr.service=api#internal"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
- "traefik.http.routers.traefik-rtr.tls=true"
- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth#file"
minio:
container_name: minio
image: minio/minio
restart: always
command: server /data --console-address ":9001"
security_opt:
- no-new-privileges:true
networks:
- t2_proxy
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- MINIO_BROWSER_REDIRECT_URL=${MINIO_CONSOLE}
- MINIO_DOMAIN=${MINIO_DOMAIN}
- MINIO_ROOT_USER=${MINIO_ROOT_USER}
- MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD}
- MINIO_SERVER_URL=${MINIO_SERVER}
volumes:
- /mnt/storage/minio:/data
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.minio-console-rtr.entrypoints=https"
- "traefik.http.routers.minio-console-rtr.rule=Host(`minio.$DOMAINNAME_CLOUD_SERVER`)"
- "traefik.http.routers.minio-console-rtr.tls=true"
## Middlewares
- "traefik.http.routers.minio-console-rtr.middlewares=chain-oauth#file" # Google OAuth 2.0
## HTTP Services
- "traefik.http.routers.minio-console-rtr.service=minio-console-svc"
- "traefik.http.services.minio-console-svc.loadbalancer.server.port=9001"
## HTTP Routers
- "traefik.http.routers.minio-rtr.entrypoints=https"
- "traefik.http.routers.minio-rtr.rule=Host(`s3.$DOMAINNAME_CLOUD_SERVER`)"
- "traefik.http.routers.minio-rtr.tls=true"
## Middlewares
- "traefik.http.routers.minio-rtr.middlewares=chain-no-auth#file"
## HTTP Services
- "traefik.http.routers.minio-rtr.service=minio-svc"
- "traefik.http.services.minio-svc.loadbalancer.server.port=9000"
I can access the console just fine, but I am greeted with "An error has occurred
The backend cannot be reached.". There's a red banner at the top saying "Get "": unsupported protocol scheme """. If I check the console, the response I get is a 500 on https://minio.domainname/api/v1/login, with an error message saying "unable to contact configured identity provider".
Absolutely no idea where this might be coming from as I had it working with about the same stack a few months ago.

This error occurring form minio latest version, as you didn't mention the tag in your minio container image, it pulls the latest tag,
To solve just specify the previous version tag in your minio container with
image:minio/minio:RELEASE.2022-07-15T03-44-22Z
You can look on the below official repo for more specific version tag's
https://quay.io/repository/ricardbejarano/minio?tab=tags
As well please always go with the specific release tag and never pull the :latest in your dockerfile or docker-compose as it leads to unexpected results, since you didn't tested the latest version in your environment

Related

traefik rule not redirecting requests made to "localhost/api" to backend container

traefik rule not redirecting requests made to "localhost/api" to backend container
Whenever I change the backend
- "traefik.http.routers.api.rule=Host(`localhost`) && PathPrefix(`/api`)"
to Host('localhost') I can access the application at localhost but after adding this rule, whenever I go to localhost/api , it leads me to frontend and opens html page
version: '3'
volumes:
myvol2:
external: false
services:
traefik:
image: "traefik:v2.6"
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.api.address=:5000"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443" # new
ports:
- "80:80"
- "5000:5000"
- "443:443" # new
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
api:
image: "myimagename"
ports:
- '5000'
scale: 1
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`localhost`) && PathPrefix(`/api`)"
- "traefik.http.routers.api.entrypoints=web"
- "traefik.http.services.api.loadbalancer.server.port=5000"
volumes:
- /app/node_modules
- ./server:/app
- myvol2:/resources/static/assets/uploads # Volume
environment:
- PORT=5000
web:
image: "myfrontendimage"
stdin_open: true
scale: 1
ports:
- '3000'
environment:
- CHOKIDAR_USEPOLLING=true
- CI=true
labels:
- "traefik.enable=true"
- "traefik.http.routers.web.rule=Host(`localhost`)"
- "traefik.http.routers.web.entrypoints=web"
- "traefik.http.services.web.loadbalancer.server.port=3000"
volumes:
- /app/node_modules
- ./client:/app
Tried redirecting the Tried almost all combinations of route, even tried adding regexp for matching localhost/api.
With my current nginx setup,
I have :
location /api{
rewrite /api/(.*) /$1 break;
proxy_pass http://api;
}
in my default.conf,
Trying to migrate to traefik but the requests to localhost/api are not reaching
Your configuration seems to be fine. In your question you have a bunch of placeholder values, so it's not actually possible to test your docker-compose.yaml, but we can produce a runnable version like this:
services:
traefik:
image: "traefik:v2.9"
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# The port mappings here are to avoid conflicts with other services
# on my system
ports:
- "7080:80"
- "7443:443"
- "7090:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
api:
# Note that we don't need a `ports` configuration here because we're
# not publish any ports to the host (all access will be via the
# frontend proxy).
image: "docker.io/traefik/whoami:latest"
command:
- --name=API
- --port=5000
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`localhost`) && PathPrefix(`/api`)"
- "traefik.http.routers.api.entrypoints=web"
- "traefik.http.services.api.loadbalancer.server.port=5000"
web:
image: "docker.io/traefik/whoami:latest"
command:
- --name=WEB
- --port=3000
labels:
- "traefik.enable=true"
- "traefik.http.routers.web.rule=Host(`localhost`)"
- "traefik.http.routers.web.entrypoints=web"
- "traefik.http.services.web.loadbalancer.server.port=3000"
The significant changes here are:
I'm using Traefik v2.9 (because why use an older release?)
I've replaced all your images with docker.io/traefik/whoami, which gives us a simple endpoint for testing.
With the above configuration, a request to http://localhost hits the "web" container:
$ curl localhost:7080
Name: WEB
[...]
Whereas a request to http://localhost/api hits the "api" container:
$ curl localhost:7080/api
{...., "name": "API"}
(We're getting a JSON response in the second case because we're hitting the /api path on the whoami container.)
Finally, got the traefik /api to redirect to the other backend container with the following set up
The primary issue was that even though it redirects to the container, it did not strip the /api prefix, so the API route was getting messed up
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=PathPrefix(`/api/`)"
- "traefik.http.routers.api.service=api"
- "traefik.http.services.api.loadbalancer.server.port=5000"
- "traefik.http.middlewares.api.stripprefix.prefixes=/api"
- "traefik.http.middlewares.api.stripprefix.forceSlash=false"
- "traefik.http.routers.api.middlewares=api"

Docker-compose . Yml file for traefik running, but can't access dashboard

second post. Was having trouble getting my traefik docker-compose yamel file to run,got that sorted,now it runs, but the traefik dashboard isn't accessible.
The code for my compose file is
version: "3.8"
########################### NETWORKS
networks:
t2_proxy:
external:
name: t2_proxy
default:
driver: bridge
########################### SERVICES
services:
# All services / apps go below this line
# Traefik 2 - Reverse Proxy
traefik:
container_name: traefik
image: traefik:2.6.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
restart: unless-stopped
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
- --entryPoints.traefik.address=:8080
- --api=true
- --api.insecure=true
# - --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
- --providers.docker.exposedByDefault=false
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
- --providers.file.watch=true # Only works on top level files in the rules folder -
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing -
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
# networks:
# t2_proxy:
# ipv4_address: 192.168.90.829 # You can specify a static IP
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
volumes:
- $DOCKERDIR/traefik2/rules:/rules
- /var/run/docker.sock:/var/run/docker.sock:ro
- $DOCKERDIR/traefik2/acme/acme.json:/acme.json
- $DOCKERDIR/traefik2/traefik.log:/traefik.log
- $DOCKERDIR/shared:/shared
environment:
- CF_API_EMAIL=$CLOUDFLARE_EMAIL
- CF_API_KEY=$CLOUDFLARE_API_KEY
labels:
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
- "traefik.http.routers.traefik-rtr.tls=true"
# - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
# - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
# - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
## Services - API
- "traefik.http.routers.traefik-rtr.service=api#internal"
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth#file"
`Looked at the log file, and I've observed it saying:
level=debug msg="No default certificate, generating one" tlsStoreName=default
But I'm pretty sure I have a certificate for cloudflare, which is in a environments folder i set up
Also I noticed this:
level=debug msg="http: TLS handshake error from with my server pc's static IP address and port 36198:EOF
When I attempt to access the dashboard via my servers web browser I see this:
And when I get everything running and switch over to my desktop this pops up:

bitwarden_rs not working behind traefik v2.2 (Bad Gateway)

So I'm trying to add bitwarden_rs to my docker network but seems to fail hard.
I also have a nextcloud docker container running behind traefik (nextcloud.mydomain.com) which is working fine. But adding bitwarden with his own subdomain (bitwarden.mydomain.com) to traefik doesn't want to start working. I'm always getting a Bad Gateway error.
Traefik docker-compose
version: "3"
services:
traefik:
image: traefik:latest
container_name: traefik
restart: always
command:
- --log.level=DEBUG
- --api.insecure
- --api.dashboard
- --providers.file.directory=/FileProvider/
- --providers.file.watch=true
- --providers.docker
- --providers.docker.exposedbydefault=false
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --certificatesresolvers.letsencryptresolver.acme.email=my#email.com
- --certificatesresolvers.letsencryptresolver.acme.storage=./letsencrypt/acme.json
- --certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web
- --certificatesresolvers.letsencryptresolver.acme.httpchallenge=true
ports:
- 80:80
- 443:443
- 8080:8080
volumes:
- ...
networks:
- local-lan
labels:
- --traefik.http.middlewares.https.redirectscheme.scheme=https
- --traefik.http.routers.https_redirect.middlewares=https
- --traefik.http.routers.https_redirect.rule=(Host(`bitwarden.mydomain.com`) || Host(`nextcloud.mydomain.com`))
- --traefik.http.routers.https_redirect.entrypoints=web
- --traefik.docker.network=local-lan
networks:
local-lan:
external: true
traefik dynamic config
middlewares:
ncHeader:
headers:
customResponseHeaders:
stsPreload: true
stsSeconds: 15552000
redirect:
redirectScheme:
scheme: https
bitwarden_rs docker-compose
version: '3'
services:
bitwarden:
image: bitwardenrs/server:latest
container_name: bitwarden
restart: always
volumes:
- /home/reggi/bitwarden/data:/data
environment:
- WEBSOCKET_ENABLED=true
- WEB_VAULT_ENABLED=true
- SIGNUPS_ALLOWED=true
- ADMIN_TOKEN=xxxxxxxxxxx
ports:
- 3012:3012
- 4500:80
networks:
- local-lan
labels:
- traefik.enable=true
- traefik.docker.network=local-lan
- traefik.http.services.bitwarden-ui.loadbalancer.server.port=4500
- traefik.http.services.bitwarden-ui.loadbalancer.server.scheme=http
- traefik.http.routers.bitwarden-ui-https.rule=Host(`bitwarden.mydomain.com`)
- traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
- traefik.http.routers.bitwarden-ui-https.tls=true
- traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencryptresolver
- traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui#docker
- traefik.http.routers.bitwarden-ui-http.rule=Host(`bitwarden.mydomain.com`)
- traefik.http.routers.bitwarden-ui-http.entrypoints=web
- traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui#docker
- traefik.http.routers.bitwarden-websocket-https.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
- traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
- traefik.http.routers.bitwarden-websocket-https.tls=true
- traefik.http.routers.bitwarden-websocket-https.tls.certresolver=letsencryptresolver
- traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
- traefik.http.routers.bitwarden-websocket-http.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
- traefik.http.routers.bitwarden-websocket-http.entrypoints=web
- traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
- traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
networks:
local-lan:
external: true
Both containers are running fine with this configuration but for some reason, I get a Bad Gateway when I navigate to http(s)://bitwarden.mydomain.com.
When I navigate to my server IP:4500 bitwarden opens up meaning the docker container is running fine.
In my traefik log I can find this error:
time="2021-03-10T21:06:35Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp 17.32.0.8:4500: connect: connection refused"
And when I do a simple curl to the bitwarden container from traefik container I get the same error:
curl --verbose http://17.32.0.8:4500
For example, curl to my nextcloud container does work:
I tried a lot of stuff already but can't seem to figure it out. For nextcloud I could add a trusted proxy domain but that doesn't seem to be possible for bitwarden_rs if I'm not mistaken.
Adding network label didn't help GitHub answer
Using these config labels didn't help as well GitHub answer
Does someone know what I'm missing or doing wrong?
After some more investigation, I found my error.
I don't need to map port 80 outside your docker network, I just needed to expose it. So this works now:
version: '3'
services:
bitwarden:
image: bitwardenrs/server:latest
container_name: bitwarden
restart: always
volumes:
- /home/reggi/bitwarden/data:/data
environment:
- WEBSOCKET_ENABLED=true
- WEB_VAULT_ENABLED=true
- SIGNUPS_ALLOWED=true
- ADMIN_TOKEN=xxxxxxxxxxx
expose:
- 3012
- 80
networks:
- local-lan
labels:
- traefik.enable=true
- traefik.docker.network=local-lan
- traefik.http.services.bitwarden-ui.loadbalancer.server.port=4500
- traefik.http.services.bitwarden-ui.loadbalancer.server.scheme=http
- traefik.http.routers.bitwarden-ui-https.rule=Host(`bitwarden.mydomain.com`)
- traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
- traefik.http.routers.bitwarden-ui-https.tls=true
- traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencryptresolver
- traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui#docker
- traefik.http.routers.bitwarden-ui-http.rule=Host(`bitwarden.mydomain.com`)
- traefik.http.routers.bitwarden-ui-http.entrypoints=web
- traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui#docker
- traefik.http.routers.bitwarden-websocket-https.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
- traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
- traefik.http.routers.bitwarden-websocket-https.tls=true
- traefik.http.routers.bitwarden-websocket-https.tls.certresolver=letsencryptresolver
- traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
- traefik.http.routers.bitwarden-websocket-http.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
- traefik.http.routers.bitwarden-websocket-http.entrypoints=web
- traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
- traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
networks:
local-lan:
external: true

Traefik Docker SSL Configuration With Lets Encrypt

Hi everyone I am trying to enable SSL in my docker-compose.yml file for my backend service. All of my Traefik configuration is done in my docker-compose.yml file, so I may be missing a line. Running docker-compose on this configuration works without SSL and the site is displayed properly, but it does not work when using https. I have checked the Traefik documentation for the certResolvers and I am not sure what I am missing thanks.
version: "3"
networks:
NanoWall-Net:
services:
api:
build:
context: .
dockerfile: Dockerfile
labels:
- "traefik.docker.network=NanoWall-Net"
- "traefik.enable=true"
- "traefik.port=5000"
- "traefik.http.routers.http-catchall.rule=Host(`nanowalldocs.com`)"
- "traefik.http.routers.http-catchall.tls=true"
- "traefik.http.routers.http-catchall.tls.certresolver=le"
- "traefik.http.routers.http-catchall.tls.domains[0].sans=nanowalldocs.com"
- "traefik.http.routers.http-catchall.entrypoints=web"
ports:
- "5000:5000"
networks:
- NanoWall-Net
reverse-proxy:
image: traefik:v2.0
# Enables the web UI and tells Traefik to listen to docker
command:
- "--entryPoints.web.address=:80"
- "--entryPoints.websecure.address=:443"
- "--entryPoints.websecure.http.tls.certResolver: le"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--api.insecure=true"
- "--api.debug=true"
- "--api=true"
- "--api.dashboard=true"
- "--providers.docker=true"
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedbydefault=false"
- "--accesslog=true"
- "--accesslog.filepath=/var/log/traefik-access.log"
- "--accesslog.bufferingsize=1000"
- "--log.filePath=/var/log/traefik.log"
- "--certificatesResolvers.le.acme.email=jamar.phillip99#gmail.com"
- "--certificatesResolvers.le.acme.storage=acme.json"
- "--certificatesResolvers.le.acme.httpChallenge=true"
- "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
ports:
# The HTTP port
- "80:80"
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
networks:
- NanoWall-Net
volumes:
- /acme.json/etc/traefik/acme.json
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: always
It may not be the only issue, but you are missing a colon in your traefik volumes section. You have:
- /acme.json/etc/traefik/acme.json
I think it should be (assuming your host location is really /acme.json and not ./acme.json or in some other directory):
- /acme.json:/etc/traefik/acme.json
That said, I have also been having an issue where traefik always wants it in /acme.json, so I just put it there instead of in /etc/traefik/acme.json .

Apache Nifi behind Traefik as a reverse proxy

I'm using Traefik as a reverse proxy for a lot of services and for tls termination. This works properly excepted Nifi. When trying to forward incomming requests to Nifi I get "Bad Gateway" responses.
Does anybody have an idea how to fix that?
Thanks a lot :-)
traefik:
image: "traefik:v2.2"
container_name: "traefik"
restart: always
networks:
- monitoring
- website
- iot
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
#s- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.myresolver.acme.email=test#test.de"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
# prom metrics
- "--metrics.prometheus=true"
---
nifi:
image: apache/nifi:latest
container_name: nifi
restart: on-failure
environment:
- NIFI_WEB_PROXY_CONTEXT_PATH=/
- NIFI_WEB_HTTP_PORT= 8080
expose:
- 8080
networks:
- iot
labels:
- "traefik.enable=true"
- "traefik.http.routers.nifi.rule=Host(`nifi.example.de`)"
- "traefik.http.routers.nifi.entrypoints=web"
- "traefik.http.routers.nifi.middlewares=nifi-auth"
# Basic Auth
- "traefik.http.middlewares.nifi-auth.basicauth.users=admin:$$xyz$$xyz$$xyz"
Any idea?? :-)
Since there are several ports open for the ui etc. it's required to define the routing port by using (e. g.):
- "traefik.http.services.nifi.loadbalancer.server.port=8080"

Resources