I cannot publish a service in port 8080 using Traefik - docker

I cannot publish my service in port 8080 even I redirect dasboard to another port, Traefik automatically redirect URL http://localhost:8080 to http://localhost:8080/dasboard. I need to publish in port 8080 because infrastructure out of my control.
Everything works fine if I use another port to publish my service.
My docker-compose file looks like:
version: "3.3"
services:
traefik:
image: "traefik:v2.8.1"
command:
- "--api.insecure=false"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.traefik.address=:9090"
- "--entrypoints.web.address=:80"
ports:
- "4000:9090"
- "8080:80" # if I put another port it works fine
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
salamandra:
image: "salamandra"
container_name: "salamandra"
ports:
- "5000:8080"
labels:
- "traefik.enable=true"
- "traefik.http.routers.salamandra.rule=Host(localhost)"
- "traefik.http.routers.salamandra.entrypoints=web

If you need that traefik service work on 8080
"--entryPoints.web.address=:8080"
and
"--entryPoints.traefik.address=:9090"
the dashboard listen on port 9090
https://doc.traefik.io/traefik/routing/entrypoints/
Regards

Related

How to access a Docker container without specifying its HTTP port?

I set up a Docker network with a db container, a nextcloud container, and a nginx container. I can access the nextcloud website with 'ip-adress':8080, but I want to access it without specifying port 8080. How can I do that?
This is my docker-compose.yml:
version: '2'
volumes:
nextcloud:
db:
services:
db:
image: mariadb
restart: always
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=
- MYSQL_PASSWORD=
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
app:
image: nextcloud:fpm
restart: always
links:
- db
volumes:
- nextcloud:/var/www/html
environment:
- MYSQL_PASSWORD=
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_HOST=db
web:
image: nginx
restart: always
ports:
- 8080:80
links:
- app
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
volumes_from:
- app
What you want is to avoid having to specify the port when you request a URI. One way to do that is to use the default port for the protocol you are using (80 for HTTP, 443 for https, 21 for FTP, etc). Then rely on your client to automatically fallback to the default port.
In a Docker Compose configuration file, the syntax for exposing a port is defined as such: <host_port>:<container_port> (see the documentation). That means 8080:80 exposes port 80 from the container on your docker host on port 8080.
In your case, the service is exposing an HTTP server, which means you have to change it to the default port 80 in order to omit it. Update web.services.ports[0] from 8080:80 to 80:80, and you will be able to access nextcloud from 'ip-adress'.

Traefik routing one application to port 80, others require explicit port

I have an environment running docker containers.
This environment hosts Traefik, Nextcloud, MotionEye and Heimdall.
I also have another environment running CoreDNS in a docker container.
For some reason, I can get MotionEye to be accessible from motioneye.docker.swarm (changed the domain in here for privacy).
However, for nextcloud and Heimdall, I have to explicitly access the ports and I'm struggling to tell why.
e.g. Heimdall is gateway.docker.swarm:8091 when should be gateway.docker.swarm
When a user requests a webpage onto the local dns server X.X.X.117 it gets routed through to the traefik instance on X.X.X.106.
My traefik compose file is as follows:
version: '3'
services:
reverse-proxy:
# The official v2 Traefik docker image
image: traefik:v2.3
restart: always
# Enables the web UI and tells Traefik to listen to docker
command: --api.insecure=true --providers.docker
ports:
# The HTTP port
- "80:80"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
labels:
- "traefik.port=8080"
- "traefik.backend=traefik"
- "traefik.frontend.rule=Host:traefik.docker.swarm"
- "traefik.docker.network=traefik_default"
My Heimdall compose is as follows:
version: "3"
services:
heimdall:
image: ghcr.io/linuxserver/heimdall
container_name: heimdall
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
volumes:
- /home/pi/heimdall/config:/config
ports:
- 8091:80
restart: unless-stopped
networks:
- heimdall
labels:
- "traefik.enable=true"
- "traefik.port=8091"
- "traefik.http.routers.heimdall.entrypoints=http"
- "traefik.http.routers.heimdall.rule=Host(`gateway.docker.swarm`)"
networks:
heimdall:
external:
name: heimdall
Can anyone see what I'm doing wrong here?
When you access through gateway.docker.swarm:8091 it works because you are accessing the heimdall container directly. This is possible because you defined
ports:
- 8091:80
in your docker-compose.
In order to access through traefik they must be on the same network. Also, remove the port mapping if you like this container to be only accessible through traefik. And finally correct the traefik port accordingly.
version: "3"
services:
heimdall:
image: ghcr.io/linuxserver/heimdall
container_name: heimdall
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
volumes:
- /home/pi/heimdall/config:/config
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.http.routers.heimdall.entrypoints=http"
- "traefik.http.routers.heimdall.rule=Host(`gateway.docker.swarm`)"

Port forwarding with Traefik on docker v2.2

I have a service running on port 8080 that accepts both http and gRPC. I understand that there are some limitations with gRPC in traefik, so here is the ultimate goal.
Accept ipWhitelisted traffic on port 8080
Accept traffic from :80 /graphql and route to :8080 /graphql
Eventually I would like to accept this on route / and route to /graphql
Accept ipWhitelisted traffic from :80 /admin/schema and route to :8080 /admin/schema
Eventually I would like to accept this on route /admin and route to /graphql
If I get this working, I believe I can get the next part done:
Enable https with letsencrypt and accept traeffic from :443 to the /graphql and /admin endpoints.
For configuration I am using a docker compose file.
version: "3.2"
services:
reverse-proxy:
image: traefik:v2.2
command:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.dgraph.address=:8080"
ports:
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
# there is another service here `zero` that is not using traefik so I ommitted its config.
alpha:
image: dgraph/dgraph:master
volumes:
- /dgraph/data:/dgraph
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.adminIps.ipwhitelist.sourcerange=1.1.1.1" # my ip address instead of 1.1.1.1
- "traefik.http.routers.alpha.rule=Host(`api.mydomain.com`) && Path(`/graphql`)"
- "traefik.http.routers.alpha.entrypoints=dgraph"
- "traefik.http.routers.schema.rule=Host(`api.mydomain.com`) && Path(`/admin/schema`)"
- "traefik.http.routers.schema.middlewares=adminIps#docker"
- "traefik.http.routers.schema.entrypoints=dgraph"
- "traefik.http.routers.all.rule=Host(`api.mydomain.com`)"
- "traefik.http.routers.all.middlewares=adminIps#docker"
- "traefik.http.routers.all.entrypoints=dgraph"
restart: always
command: dgraph alpha --my=alpha:7080 --zero=zero:5080 --whitelist 172.0.0.0:172.254.254.254
I have tried creating another entry point on port 80 and then use that in the routers and added a loadbalancer, but that does not seem to work. Here is that modified config:
version: "3.2"
services:
reverse-proxy:
image: traefik:v2.2
command:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.dgraph.address=:8080"
- "--entrypoints.web.address=:80"
ports:
- "8080:8080"
- "80:80"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
# there is another service here `zero` that is not using traefik so I ommitted its config.
alpha:
image: dgraph/dgraph:master
volumes:
- /dgraph/data:/dgraph
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.adminIps.ipwhitelist.sourcerange=1.1.1.1" # my ip address instead of 1.1.1.1
- "traefik.http.routers.alpha.rule=Host(`api.mydomain.com`) && Path(`/graphql`)"
- "traefik.http.routers.alpha.entrypoints=web"
- "traefik.http.services.alpha.loadbalancer.server.port=80"
- "traefik.http.routers.schema.rule=Host(`api.mydomain.com`) && Path(`/admin/schema`)"
- "traefik.http.routers.schema.middlewares=adminIps#docker"
- "traefik.http.routers.schema.entrypoints=dgraph"
- "traefik.http.routers.all.rule=Host(`api.mydomain.com`)"
- "traefik.http.routers.all.middlewares=adminIps#docker"
- "traefik.http.routers.all.entrypoints=dgraph"
restart: always
command: dgraph alpha --my=alpha:7080 --zero=zero:5080 --whitelist 172.0.0.0:172.254.254.254
The first docker-compose.yml file above works. By works I mean that it correctly applies the routing, rules, and middleware all on port 8080.
The second docker-compose.yml file above I expect to open port 80 and apply the rules to route http api.mydomain.com/graphql to alpha:8080/graphql. This does not happen though. I do not get any errors when I push it up with docker-compose up -d but when I use yougetsignal.com and check for open port 80 I get the response that port 80 is closed, and when I try to use port 8080 that was working before with route all (api.mydomain.com:8080), I get the response in the browser "Bad Gateway"
You said your service alpha is listening on 8080, so you should use that in loadbalancer:
"traefik.http.services.alpha.loadbalancer.server.port=8080"
You can think of it like this: entrypoint is incoming connection and loadbalancer is where Traefik redirects the requests.

Traefik 2.0 and docker simple configuration doesnt work

I'm following some tutorial link_to_tutorial about traefik 2.0 and docker, and I have docker-compose file which starts up two containers: traefik and my-app. The problem is when containers up and running, I am not able to browse to localhost:8082, as suggested by configuration, I always get "unable to connect" in browser.
docker-compose.yml :
version: "3.3"
services:
traefik:
image: "traefik:v2.0.1"
command:
- --entrypoints.web.address=:80
- --providers.docker
- --api.insecure
ports:
- "80:80"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
my-app:
image: containous/whoami:v1.3.0
command:
# It tells whoami to start listening on 8082 instead of 80
- --port=8082
labels:
- "traefik.http.routers.my-app.rule=Host(`whoami.docker.localhost`)"
- "traefik.http.services.my-app.loadbalancer.server.port=8082"
However I am able to get localhost:8080 and traefik UI works well. As I understand all requests to "traefik" container normally should be redirected to "my-app":8082 container but it somehow fails. Help heeded.Thanks.
"traefik.http.routers.my-app.rule=Host(localhost,127.0.0.1)"

Docker: nginx-proxy with ssl backend

I am currently in the process of containerizing wordpress apps for development. And that has been going reasonably well so far :)
At the moment I am using one docker-compose.yml file (and some configs) per app. Each app consists of an nginx-webserver, a database and wordpress with fpm. (example docker-compose.yml below). Each app handles it's ssl on it's own and I have confirmed, that it works.
The next step in my masterplan is to use an nginx reverse proxy to have all app containers up at the same time without the need to use different ports on the host.
As I understand jwilder/nginx-proxy is the best tool for the job. So I was thinking - and please correct me if that is not best practice - that I could create a compose.yml file for the nginx-proxy that could run all the time and that would expose ports 80 and 443 to the host while automatically generating the nginx-configs for every container I' spin up afterwards.
version: '3.6'
services:
nginx-proxy:
image: jwilder/nginx-proxy
container_name: nginx_proxy
ports:
- '80:80'
- '443:443'
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
networks:
default:
external:
name: nginx-proxy
I tried that with an nginx-proxy which exposed port 80 to the host and a wordpress app setup in its own docker-compose.yml file using the mariadb:latest and wordpress:latest images. That did indeed work simply by adding the expose: \ -80 and the VIRTUAL_HOST environment variable.
But I don't quite get how to use the reverse proxy in front of my aforementioned wordpress apps. The documentation states this:
SSL Backends
If you would like the reverse proxy to connect to your backend using HTTPS instead of HTTP, set VIRTUAL_PROTO=https on the backend container.
Note: If you use VIRTUAL_PROTO=https and your backend container exposes port 80 and 443, nginx-proxy will use HTTPS on port 80. This is almost certainly not what you want, so you should also include VIRTUAL_PORT=443.
so I tried adding these environment variables to the app's docker-compose.yml file. Specifically on the nginx service inside and added exposed ports 80 and 443.
version: '3.6'
services:
wordpress:
image: wordpress:4.7.2-php7.1-fpm
volumes:
- ../public:/var/www/html
environment:
- WORDPRESS_DB_NAME=${WORDPRESS_DB_NAME:-wordpress}
- WORDPRESS_TABLE_PREFIX=${WORDPRESS_TABLE_PREFIX:-wp_}
- WORDPRESS_DB_HOST=${WORDPRESS_DB_HOST:-mysql}
- WORDPRESS_DB_USER=${WORDPRESS_DB_USER:-root}
- WORDPRESS_DB_PASSWORD=${WORDPRESS_DB_PASSWORD:-password}
depends_on:
- db
restart: always
db:
image: mariadb:${MARIADB_VERSION:-latest}
volumes:
- tss-data:/var/lib/mysql
# - ./db:/docker-entrypoint-initdb.d/
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-password}
- MYSQL_USER=${MYSQL_USER:-root}
- MYSQL_PASSWORD=${MYSQL_PASSWORD:-password}
- MYSQL_DATABASE=${MYSQL_DATABASE:-wordpress}
restart: always
nginx:
image: nginx:${NGINX_VERSION:-latest}
container_name: nginx
volumes:
- ${NGINX_CONF_DIR:-./nginx}:/etc/nginx/conf.d
- ${NGINX_LOG_DIR:-./logs/nginx}:/var/log/nginx
- ${WORDPRESS_DATA_DIR:-./wordpress}:/var/www/html
- ${SSL_CERTS_DIR:-./certs}:/etc/letsencrypt
- ${SSL_CERTS_DATA_DIR:-./certs-data}:/data/letsencrypt
environment:
- VIRTUAL_HOST:local.my-app.com
- VIRTUAL_PROTO:https
- VIRTUAL_PORT:443
expose:
- 80
- 443
depends_on:
- wordpress
restart: always
volumes:
tss-data:
networks:
default:
external:
name: nginx-proxy
Alas, if I try to browse to local.my-app.com on port 80 I get
503 Service Temporarily Unavailable
If I try on port 443 the nginx reverse proxy does not respond at all. I feel like I am missing something fairly obvious but I can't seem to find it and I would really appreciate any thoughts on the matter.
In the end, I opted to not handle the SSL encryption in each individual app. But instead I changed the reverse proxy to
version: '3.6'
services:
nginx-proxy:
image: jwilder/nginx-proxy:alpine
container_name: nginx_proxy
ports:
- '80:80'
- '443:443'
volumes:
- ./certs:/etc/nginx/certs
- /var/run/docker.sock:/tmp/docker.sock:ro
restart: unless-stopped
networks:
default:
external:
name: nginx-proxy
So now I can reach each app on Port 80 until I add a cert for it in which case it becomes reachable on port 443.

Resources