I am trying the basic example from the Traefik website on a Mac with Docker Desktop. In my Docker configuration, I have also set it to use my company's HTTP and HTTPS proxies. I can access the Traefik dashboard at localhost:8080, but when I try accessing http://whoami.localhost locally, Traefik routes the request to my company proxy instead of routing it to the whoami service, and I receive a DNS resolution failure from my company's website.
Below is the example docker-compose.yml:
version: "3.3"
services:
  traefik:
    image: "traefik:v2.9"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
      - "traefik.http.routers.whoami.entrypoints=web"
Traefik logs when I access whoami.localhost (73eae85da227 is my Traefik container):
traefik | time="2022-11-04T09:50:40Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0\"],\"X-Forwarded-Host\":[\"whoami.localhost\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"73eae85da227\"],\"X-Real-Ip\":[\"172.21.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.localhost\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"172.21.0.1:62128\",\"RequestURI\":\"/\",\"TLS\":null}"
traefik | time="2022-11-04T09:50:40Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0\"],\"X-Forwarded-Host\":[\"whoami.localhost\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"73eae85da227\"],\"X-Real-Ip\":[\"172.21.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.localhost\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"172.21.0.1:62128\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://172.21.0.2:80"
traefik | time="2022-11-04T09:50:40Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0\"],\"X-Forwarded-Host\":[\"whoami.localhost\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"73eae85da227\"],\"X-Real-Ip\":[\"172.21.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.localhost\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"172.21.0.1:62128\",\"RequestURI\":\"/\",\"TLS\":null}"
I checked the traefik container environment, and I can see that http_proxy and https_proxy are set to my company's proxies.
Image of Traefik HTTP Routers
Image of service details
In order to host multiple websites I am trying to reproduce the following schema:
diagram
The redirection works correctly for the following sites, without having to indicate the port: https://git.domain.tld and https://portainer.domain.tld
but does not work for https://test.domain.tld (the page is not redirected correctly; I'm getting ERR_TOO_MANY_REDIRECTS).
Here is my docker-compose:
version: '2'
services:
  proxy:
    image: jwilder/nginx-proxy
    container_name: proxy
    restart: unless-stopped
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - certs:/etc/nginx/certs:rw
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - ./uploadsize.conf:/etc/nginx/conf.d/uploadsize.conf:ro
    ports:
      - "80:80"
      - "443:443"
    networks:
      - "default"
      - "proxy-tier"
  proxy-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt
    restart: unless-stopped
    environment:
      - NGINX_PROXY_CONTAINER=proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    volumes_from:
      - "proxy"
    depends_on:
      - "proxy"
    networks:
      - "default"
      - "proxy-tier"
  portainer:
    image: portainer/portainer
    container_name: portainer
    restart: always
    environment:
      - VIRTUAL_HOST=portainer.domain.tld
      - LETSENCRYPT_HOST=portainer.domain.tld
      - LETSENCRYPT_EMAIL=xxxxx@xxxx.xxx
      - LETSENCRYPT_TEST=false
    volumes:
      - ./portainer/:/data
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "9000:9000"
    networks:
      - "default"
      - "proxy-tier"
  gitea:
    image: gitea/gitea:latest
    container_name: gitea
    restart: unless-stopped
    environment:
      - VIRTUAL_HOST=git.domain.tld
      - LETSENCRYPT_HOST=git.domain.tld
      - LETSENCRYPT_EMAIL=xxxx@xxxx.xxx
      - LETSENCRYPT_TEST=false
      - VIRTUAL_PORT=3000
      - ROOT_URL=https://git.domain.tld
      - DOMAIN=git.domain.tld
      - PROTOCOL=http
      - USER_UID=1000
      - USER_GID=1000
      - POSTGRES_USER=xxxxx
      - POSTGRES_PASSWORD=xxxxxxx
      - POSTGRESS_DB=xxxxx
    volumes:
      - ./gitea:/data
    ports:
      - "9001:3000"
      - "9002:22"
    networks:
      - "default"
      - "proxy-tier"
  nextcloud:
    image: lscr.io/linuxserver/nextcloud
    container_name: drive
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
      # no VIRTUAL_PORT is set here, so nginx-proxy falls back to port 80
      # (see "Default virtual port: 80" in the generated default.conf below)
      - VIRTUAL_HOST=test.domain.tld
      - LETSENCRYPT_HOST=test.domain.tld
      - LETSENCRYPT_EMAIL=xxxxxxxx@xxxxxxxxxx.xxx
      - LETSENCRYPT_TEST=true
      - DEBUG=true
    ports:
      - "9005:443"
      - "9006:80"
    volumes:
      - ./drive/appdata:/config
      - ./drive/data:/data
    networks:
      - "default"
      - "proxy-tier"
    restart: unless-stopped
volumes:
  certs:
  vhost.d:
  html:
  nextcloud:
  db:
networks:
  proxy-tier:
Thank you in advance for your help, I've been stuck on this problem for a few days.
EDIT:
Some lines from the proxy logs when I enter test.domain.tld:
nginx.1 | test.domain.tld 91.182.X.X - - [28/Apr/2022:04:21:27 +0000] "GET / HTTP/2.0" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0" "172.29.0.6:80"
nginx.1 | test.domain.tld 91.182.X.X - - [28/Apr/2022:04:21:27 +0000] "GET / HTTP/2.0" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0" "172.28.0.3:80"
nginx.1 | test.domain.tld 91.182.X.X - - [28/Apr/2022:04:21:28 +0000] "GET / HTTP/2.0" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0" "172.29.0.6:80"
...
And this is from Nextcloud:
Exception: Not installed in /config/www/nextcloud/lib/base.php:277
Stack trace:
#0 /config/www/nextcloud/lib/base.php(649): OC::checkInstalled()
#1 /config/www/nextcloud/lib/base.php(1087): OC::init()
#2 /config/www/nextcloud/cron.php(43): require_once('/config/www/nex...')
}
Exception: Not installed in /config/www/nextcloud/lib/base.php:277
Stack trace:
#0 /config/www/nextcloud/lib/base.php(649): OC::checkInstalled()
#1 /config/www/nextcloud/lib/base.php(1087): OC::init()
#2 /config/www/nextcloud/cron.php(43): require_once('/config/www/nex...')
}
Exception: Not installed in /config/www/nextcloud/lib/base.php:277
Stack trace:
#0 /config/www/nextcloud/lib/base.php(649): OC::checkInstalled()
#1 /config/www/nextcloud/lib/base.php(1087): OC::init()
#2 /config/www/nextcloud/cron.php(43): require_once('/config/www/nex...')
}
...
And this is my nginx config /etc/nginx/conf.d/default.conf:
# test.domain.tld
upstream test.domain.tld {
    # Exposed ports: [{ 443 9005 tcp 0.0.0.0} { 80 9006 tcp 0.0.0.0}]
    # Default virtual port: 80
    # VIRTUAL_PORT: <no value>
    ## Can be connected with "proxy_default" network
    # drive
    server 172.28.0.3:80;
    # Cannot connect to network 'proxy_proxy-tier' of this container
    # Cannot connect to network 'proxy_default' of this container
    ## Can be connected with "proxy_proxy-tier" network
    # drive
    server 172.29.0.6:80;
}
server {
    server_name test.domain.tld;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name test.domain.tld;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/test.domain.tld.crt;
    ssl_certificate_key /etc/nginx/certs/test.domain.tld.key;
    ssl_dhparam /etc/nginx/certs/test.domain.tld.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/test.domain.tld.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://test.domain.tld;
    }
}
The answer is in the question itself: yes, it is possible and you are already doing it.
You say the page test.domain.tld is not redirected correctly; what exactly happens?
Without knowing what exactly happens with the redirection when you enter test.domain.tld, I would suggest some experiments with the nextcloud image, but first I would make sure that in the exact configuration you have there is no typo in the VIRTUAL_HOST environment variable. In the example it looks good, but in the actual compose file you use there might be a typo that causes it to fail.
The other services work, so the nextcloud setup might need something yet to work with nginx-proxy.
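A way to confirm from the proxy's own access log what the quoted lines show, as an added example that is not part of this thread: it parses the nginx-proxy access log layout used above and flags repeated 3xx answers for the same client, vhost and path within a few seconds that carry an upstream address (i.e. were produced by the backend, not by the proxy's own port-80 redirect rule). The log lines are constructed to match that format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the nginx-proxy access log format quoted above
# (same field layout as the question's lines; client address and times are made up).
SAMPLE_LOG = """\
nginx.1 | test.domain.tld 91.182.0.1 - - [28/Apr/2022:04:21:27 +0000] "GET / HTTP/2.0" 301 162 "-" "Mozilla/5.0" "172.29.0.6:80"
nginx.1 | test.domain.tld 91.182.0.1 - - [28/Apr/2022:04:21:27 +0000] "GET / HTTP/2.0" 301 162 "-" "Mozilla/5.0" "172.28.0.3:80"
nginx.1 | test.domain.tld 91.182.0.1 - - [28/Apr/2022:04:21:28 +0000] "GET / HTTP/2.0" 301 162 "-" "Mozilla/5.0" "172.29.0.6:80"
nginx.1 | test.domain.tld 91.182.0.1 - - [28/Apr/2022:04:21:28 +0000] "GET / HTTP/2.0" 301 162 "-" "Mozilla/5.0" "172.28.0.3:80"
nginx.1 | git.domain.tld 91.182.0.1 - - [28/Apr/2022:04:21:30 +0000] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0" "-"
nginx.1 | git.domain.tld 91.182.0.1 - - [28/Apr/2022:04:21:30 +0000] "GET / HTTP/2.0" 200 5120 "-" "Mozilla/5.0" "172.29.0.4:3000"
"""

# vhost client - - [time] "METHOD path PROTO" status bytes "referer" "user-agent" "upstream_addr"
LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?'                      # optional "nginx.1 | " container prefix
    r'(?P<vhost>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<proto>[^"]+)"\s+'
    r'(?P<status>\d{3})\s+\S+\s+"[^"]*"\s+"[^"]*"\s+'
    r'"(?P<upstream>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_redirect_loops(lines, min_redirects=3, window_seconds=5):
    """Flag (client, vhost, path) tuples that received `min_redirects` or more 3xx answers
    from an upstream within `window_seconds`. Redirects whose upstream field is "-" were
    issued by the proxy itself (its port-80 http->https rule) and are expected, so they
    are ignored; only redirects answered by a backend count towards a loop."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] // 100 != 3 or rec["upstream"] in ("", "-"):
            continue
        by_key[(rec["client"], rec["vhost"], rec["path"])].append(rec)
    loops = []
    for (client, vhost, path), recs in by_key.items():
        recs.sort(key=lambda r: r["time"])
        for i in range(len(recs)):
            j = i
            while j < len(recs) and (recs[j]["time"] - recs[i]["time"]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= min_redirects:
                loops.append({"client": client, "vhost": vhost, "path": path,
                              "redirects": j - i,
                              "upstreams": sorted({r["upstream"] for r in recs[i:j]})})
                break
    return loops


if __name__ == "__main__":
    for loop in find_redirect_loops(SAMPLE_LOG.splitlines()):
        print(f"{loop['vhost']}{loop['path']}: {loop['redirects']} upstream redirects for "
              f"{loop['client']} from {', '.join(loop['upstreams'])}")
```

On the sample the git.domain.tld lines are a normal http-to-https hop followed by a 200 and are not flagged; the test.domain.tld lines are four backend 301s within two seconds and are.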
I'm trying to get this to work on a home local server, but no meaningful errors show up. I'm not sure if I need to change something on the machine itself or my config is incorrect.
I'm using Ubuntu Desktop 20.04, it's basically a fresh install.
When I run docker hello-world or any docker CLI command for running containers, I am able to access things just fine, but when I try my docker-compose files, I get:
Error code: SEC_ERROR_INADEQUATE_KEY_USAGE
I'm guessing something with my resolver is incorrect? I tried a lot of different things, but am unsure.
Below are the files that I'm working through to get it to work.
version: '3.7'
services:
  dockerproxy:
    container_name: dockerproxy
    image: tecnativa/docker-socket-proxy
    privileged: true
    restart: always
    logging:
      driver: journald
    environment:
      CONTAINERS: 1
    networks:
      - traefik
    ports:
      # short syntax publishes 2375 on a random host port; "expose:" would keep the
      # socket proxy reachable only from the traefik network
      - 2375
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  traefik:
    image: traefik:v2.5
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - dockerproxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - default
      - traefik
      - serverpublic
      - serverprivate
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./config:/configurations
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./logs/traefik.log:/traefik.log
      - ./acme/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # Services - Dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      # note: this attaches the middlewares to a router named "traefik-rtr",
      # not to the "traefik" router defined on the surrounding lines
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,user-auth@file"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8070"
networks:
  traefik:
    external: true
  serverpublic:
    external: true
  serverprivate:
    external: true
traefik.yml
# Traefik v2.5 - traefik.yml 2021
api:
  dashboard: true
# Writing Logs to a File, in JSON
log:
  level: DEBUG
  filePath: "log-file.log"
  format: json
# Configuring a buffer of 100 lines
accessLog:
  filePath: "log-access.log"
  bufferingSize: 100
# Configure metrics for prometheus
metrics:
  prometheus: {}
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "tcp://dockerproxy:2375"
    network: "traefik"
    exposedByDefault: false
  # note: no file provider is declared, so the dynamic.yml mounted under
  # /configurations is never loaded and the "...@file" middlewares do not exist
certificatesResolvers:
  letsencrypt:
    acme:
      email: a@gmail.com
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: http
  http:
    acme:
      email: a@gmail.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
configuration/dynamic.yml
# traefik dynamic config/rules
http:
  middlewares:
    https_redirect:
      redirectScheme:
        scheme: https
        permanent: true
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    user-auth:
      basicAuth:
        users:
          - "royadmin:$$password"
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
Then below is another separate service that I'm trying to test, but going to the local server IP shows the same error code as I mentioned above:
Basic page service, just an HTML page for testing:
version: '3.7'
services:
  # homex is Caddy instance listening to port 80 and serving an index.html.
  homex:
    build:
      context: .
      dockerfile: ./dockerfiles/home-dockerfile
    networks:
      - traefik
      - serverpublic
    labels:
      # was "traefik.enable:true": list-form labels need "=", otherwise the label
      # key becomes "traefik.enable:true" and, with exposedByDefault false,
      # Traefik ignores the container entirely
      - "traefik.enable=true"
      - "traefik.http.routers.homex.rule=Host(`localhost`)"
      - "traefik.http.routers.homex.entrypoints=https"
      - "traefik.http.routers.homex.tls.certresolver=letsencrypt"
networks:
  traefik:
    external: true
  serverpublic:
    external: true
Here is a traceback when I run Traefik with the docker-compose.yml:
Starting dockerproxy ... done
Starting traefik ... done
Attaching to dockerproxy, traefik
dockerproxy | [WARNING] 296/204816 (1) : Can't open server state file '/var/lib/haproxy/server-state': No such file or directory
dockerproxy | Proxy dockerbackend started.
dockerproxy | Proxy dockerfrontend started.
dockerproxy | [NOTICE] 296/204816 (1) : New worker #1 (8) forked
traefik | time="2021-10-24T13:48:17-07:00" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.459] dockerfrontend dockerbackend/dockersocket 0/0/0/4/4 200 1046 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/version HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.464] dockerfrontend dockerbackend/dockersocket 0/0/0/1/1 200 12881 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/json?limit=0 HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.466] dockerfrontend dockerbackend/dockersocket 0/0/0/1/1 200 9752 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/a456f49a4f73a3292b45a1461091a35869df5e633de6e841d0dca26512836bfa/json HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.467] dockerfrontend dockerbackend/dockersocket 0/0/0/1/1 200 6718 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/ab644f8795bd0e860496580bab303f86c176b1ee4872f3f34241510bd8c7c2fe/json HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.468] dockerfrontend dockerbackend/dockersocket 0/0/0/0/0 200 7739 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/c552360b115fa00063f6ab998790925b642abe3369f1721f69df1d6a01ad73a7/json HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.468] dockerfrontend dockerbackend/dockersocket 0/0/0/0/0 200 7366 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/aa08018aa3a644b86e33eb2f79898e91bf16bc35b7669bbce6ea673e84681b56/json HTTP/1.1"
Finally, I was looking at this: https://doc.traefik.io/traefik/middlewares/http/redirectscheme/
Would I specify that, redirect from http to https, as a label on any new services I add or how do I test it?
If I'm missing anything else, please let me know.
I've been trying to solve my problem for days.
I've created a couple of Docker containers and all of them work with these settings without a problem (Shopware, Sulu, Matomo, Mautic), but only the JTL shop gives me problems.
The frontend works, but the backend login is blocked without an error message.
If you had a message you wouldn't have to poke around.
I'll write my docker-compose for Traefik and JTL-Shop here.
Traefik
version: "3.3"
services:
  traefik:
    image: "traefik:v2.3"
    container_name: Traefik
    command:
      - "--api=true"
      - "--api.dashboard=true"
      - "--log.level=INFO"
      - "--accesslog=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=info@Example.de"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      traefik.enable: "true"
      # Routers
      traefik.http.routers.traefik.rule: Host(`traefik.example.de`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.tls.certresolver: myresolver
      traefik.http.routers.traefik.middlewares: traefik-auth
      # global redirect to https
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https
      # Middleware
      traefik.http.middlewares.traefik-auth.basicauth.removeheader: true
      traefik.http.middlewares.traefik-auth.basicauth.users: USER:PASSWORT
      # middleware redirect
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - "traefik_proxy"
      - "default"
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge
==
JTL shop
version: '3'
volumes:
  www-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/html
  mysql-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/mysql
  elastic-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/elastic
  redis-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/redis
services:
  # sshd:
  #   image: hermsi/alpine-sshd
  #   container_name: ${COMPOSE_PROJECT_NAME}-SSH
  #   environment:
  #     ROOT_PASSWORD: ${ROOT_PASSWORD}
  #   ports:
  #     - "${SSH_PORT}:22"
  #   volumes:
  #     - www-data:/var/www/html
  apache:
    image: webdevops/php-apache:7.4-alpine
    container_name: ${COMPOSE_PROJECT_NAME}-Apache-PHP
    environment:
      WEB_DOCUMENT_ROOT: /app/${COMPOSE_PROJECT_NAME}-Projekt
      PHP_DISMOD:
      PHP_DISPLAY_ERRORS: 1
      PHP_DATE_TIMEZONE: Europe/Berlin
      PHP_MAX_EXECUTION_TIME: 360
      PHP_MEMORY_LIMIT: 756M
      PHP_UPLOAD_MAX_FILESIZE: 64M
      PHP_POST_MAX_SIZE: 64M
      PHP_ALLOW_URL_FOPEN: 1
    volumes:
      - ./configs/php.ini:/opt/docker/etc/php/php.ini:ro
      - ./configs/root:/var/spool/cron/crontabs/root:ro
      - www-data:/app
    networks:
      - default
      - proxy
    labels:
      - traefik.enable=true
      # Docker network
      - traefik.docker.network=traefik_proxy
      # Routers
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=${HOSTRULE}
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.entrypoints=websecure
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=myresolver
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.service=${COMPOSE_PROJECT_NAME}_SVC
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=${COMPOSE_PROJECT_NAME}_MidWa
      - traefik.http.services.${COMPOSE_PROJECT_NAME}_SVC.loadBalancer.server.port=80
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_MidWa.headers.sslredirect=true
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_MidWa.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_MidWa.headers.customrequestheaders.X-Forwarded-Ssl=on
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_MidWa.headers.customrequestheaders.X-Forwarded-Port=443
  mysql:
    image: mysql:5.7
    container_name: ${COMPOSE_PROJECT_NAME}-MySQL
    # command for MySQL 8.x
    # command: --default-authentication-plugin=mysql_native_password --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    volumes:
      - mysql-data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: ${MYSQL_DATABASE}
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
  redis:
    image: redis:alpine
    container_name: ${COMPOSE_PROJECT_NAME}-Redis
    volumes:
      - redis-data:/data
  # elastic:
  #   image: docker.elastic.co/elasticsearch/elasticsearch:7.9.2
  #   container_name: ${COMPOSE_PROJECT_NAME}-Elastic
  #   volumes:
  #     - elastic-data:/usr/share/elasticsearch/data
  #   ulimits:
  #     memlock:
  #       soft: -1
  #       hard: -1
  #     nofile:
  #       soft: 65535
  #       hard: 65535
  #   environment:
  #     - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
  #     - discovery.type=single-node
  #     - bootstrap.memory_lock=true
  #   expose:
  #     - 9200
  #     - 9300
networks:
  proxy:
    external:
      name: ${PROXY_NETWORK}
==
Yesterday I saw these logs in the container when I logged in.
LOGS
[httpd:access] www.example.fr:80 93.230.203.21 - 172.18.0.2 - - [25/Oct/2020:19:10:36 +0000] "GET /admin/favicon.ico HTTP/1.1" 200 bytesIn:782 bytesOut:626 reqTime:0
172.18.0.2 - - [25/Oct/2020:19:10:36 +0000] "GET /admin/templates/bootstrap/css/custom.css HTTP/1.1" 200 9585 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"
[httpd:access] www.example.fr:80 93.230.203.21 - 172.18.0.2 - - [25/Oct/2020:19:10:36 +0000] "GET /admin/templates/bootstrap/css/custom.css HTTP/1.1" 200 bytesIn:753 bytesOut:9937 reqTime:0
NOTICE: PHP message: PHP Warning: Unknown: POST Content-Length of 88 bytes exceeds the limit of 64 bytes in Unknown on line 0
[Sun Oct 25 19:10:49.591342 2020] [proxy_fcgi:error] [pid 67:tid 140596503538464] [client 172.18.0.2:42418] AH01071: Got error 'PHP message: PHP Warning: Unknown: POST Content-Length of 88 bytes exceeds the limit of 64 bytes in Unknown on line 0', referer: https://www.example.fr/admin/index.php
[php-fpm:access] 127.0.0.1 - 25/Oct/2020:19:10:49 +0000 "POST /admin/index.php" 200 /app/JTL4-CeT-Projekt/admin/index.php 149.417 2048 13.39%
172.18.0.2 - - [25/Oct/2020:19:10:49 +0000] "POST /admin/index.php HTTP/1.1" 200 2162 "https://www.example.fr/admin/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"
[httpd:access] www.example.fr:80 93.230.203.21 - 172.18.0.2 - - [25/Oct/2020:19:10:49 +0000] "POST /admin/index.php HTTP/1.1" 200 bytesIn:1066 bytesOut:2531 reqTime:0
172.18.0.2 - - [25/Oct/2020:19:10:50 +0000] "GET /admin/favicon.ico HTTP/1.1" 200 271 "https://www.example.fr/admin/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"
[httpd:access] www.example.fr:80 93.230.203.21 - 172.18.0.2 - - [25/Oct/2020:19:10:50 +0000] "GET /admin/favicon.ico HTTP/1.1" 200 bytesIn:782 bytesOut:626 reqTime:0
==
OK, I've tried it from the start.
I think that I also have the error now.
When I call the installation routine, my server or container fulfills the requirements.
But I can't install because:
The CSS and JS instructions come over HTTP and it sees these URLs as unsafe.
If I override the protection it loads the pages with the CSS instructions etc., but if I enter the database data it doesn't do it and shows me the same page again as when I logged in.
My question is how do I get Traefik to address the web server via HTTPS (internally), so that the installation program does not use HTTP internally as it does now but switches to HTTPS and, in the best case, also forwards the URL to www.
So the same as the htaccess rules:
# Redirect requests to access the site with HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
# REWRITE ADJUSTMENT 2 (redirect to www.meinedomain.de)
# Your shop should not be reachable under both www.meinedomain.de and plain meinedomain.de, see: http://guide.jtl-software.de/index.php?title=JTL-Shop3-Neuinstallation#4._Einrichtung_einer_Domainweiterleitung
RewriteCond %{HTTP_HOST} ^example.fr
RewriteRule ^(.*)$ http://www.example.fr/$1 [r=301,L]
I have a Docker setup with the following:
rails api backend
mysql db
redis db
node/react frontend (webpack)
nginx serving the frontend
(the rails backend is currently being served through the built-in puma server; I think I will move it to the same nginx server running the node app)
My problem is that the frontend will request stuff on the backend, but this does not work.
I have set up a proxy on nginx as follows:
#nginx.conf
server {
    listen 8080;
    # Always serve index.html for any request
    location / {
        # Set path
        root /wwwroot/;
        try_files $uri /index.html;
    }
    location /api/ {
        proxy_pass http://127.0.0.1:3000;
    }
}
But when I initiate an API call I get the following in the nginx log:
nginx-server | 2017/05/13 20:56:08 [error] 5#5: *19 connect() failed (111: Connection refused) while connecting to upstream, client: 172.21.0.1, server: , request: "POST /api/authenticate HTTP/1.1", upstream: "http://127.0.0.1:3000/api/authenticate", host: "localhost:8080", referrer: "http://localhost:8080/"
nginx-server | 172.21.0.1 - - [13/May/2017:20:56:08 +0000] "POST /api/authenticate HTTP/1.1" 502 575 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-"
And I do not see anything hitting the puma server.
I am not sure where I should be looking. Is this a problem with my docker-compose file or is it an nginx issue (or both)?
I have included my docker-compose.yml below:
version: '2'
services:
  nginx:
    build:
      context: .
      dockerfile: docker.nginx
    image: pt-nginx
    container_name: nginx-server
    ports:
      - "8080:8080"
    volumes:
      - wwwroot:/wwwroot
  webpack:
    build:
      context: ./frontend
      dockerfile: docker.webpack
    image: pt-webpack
    container_name: react-frontend
    ports:
      - "35729:35729"
    volumes:
      - ./frontend:/app
      - /app/node_modules
      - wwwroot:/wwwroot
  db:
    build:
      context: ./backend
      dockerfile: docker.mysql
    image: pt-mysql
    container_name: mysql-server
    env_file: ./backend/.env
    ports:
      - "3306:3306"
    volumes:
      - ./sql/data/:/var/lib/mysql
  redis:
    build:
      context: ./backend
      dockerfile: docker.redis
    image: pt-redis
    container_name: redis-server
  app:
    build:
      context: ./backend
      dockerfile: docker.rails
    image: pt-rails
    container_name: rails-server
    command: >
      sh -c '
      rake resque:start_workers;
      bundle exec rails s -p 3000 -b 0.0.0.0;
      '
    env_file: ./backend/.env
    volumes:
      - ./backend:/usr/src/app
      - /Users/mh/Pictures/ROR_PT/phototank:/Users/martinhinge/Pictures/ROR_PT/phototank
    ports:
      - "3000:3000"
    expose:
      - "3000"
    depends_on:
      - db
      - redis
volumes:
  wwwroot:
    driver: local
The problem is that your nginx service is requesting an upstream of localhost (127.0.0.1). But the application is in another container (with another IP). You can reference the rails application by DNS at app since they are both in the default network. The upstream in the nginx configuration would look something like proxy_pass http://app:3000; instead.
Read more about the networking at https://docs.docker.com/compose/networking/, specifically:
Within the web container, your connection string to db would look like postgres://db:5432, and from the host machine, the connection string would look like postgres://{DOCKER_IP}:8001.
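A small consistency check for the mistake the answer describes, as an added example that is not part of this thread: it pulls every proxy_pass target out of an nginx config and compares it with the service names in the compose file, flagging loopback addresses (which inside the nginx container never reach another service) and hosts that compose DNS would not resolve. The inputs are constructed, trimmed copies of the question's nginx.conf and docker-compose.yml; the service-name parser is a deliberately minimal line scanner, not a full YAML parser.

```python
import re

# Constructed inputs modelled on the question's files (trimmed to what the check needs).
NGINX_CONF = """\
server {
    listen 8080;
    location / {
        root /wwwroot/;
        try_files $uri /index.html;
    }
    location /api/ {
        proxy_pass http://127.0.0.1:3000;
    }
}
"""

COMPOSE_YML = """\
version: '2'
services:
  nginx:
    image: pt-nginx
    ports:
      - "8080:8080"
  webpack:
    image: pt-webpack
  db:
    image: pt-mysql
  redis:
    image: pt-redis
  app:
    image: pt-rails
    ports:
      - "3000:3000"
volumes:
  wwwroot:
    driver: local
"""

# Addresses that, inside the nginx container, point at nginx itself rather than at the host.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]", "0.0.0.0"}
PROXY_PASS_RE = re.compile(r"proxy_pass\s+https?://([^/:;\s]+)(?::(\d+))?")


def compose_service_names(compose_text):
    """Service names are the keys indented by exactly two spaces under the top-level
    'services:' key. Standard library only, so the check runs without PyYAML."""
    names, in_services = [], False
    for raw in compose_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            in_services = (line == "services:")
        elif in_services and indent == 2 and line.endswith(":"):
            names.append(line.strip()[:-1])
    return names


def proxy_pass_targets(nginx_text):
    """All (host, port) pairs named by proxy_pass directives; port defaults to 80."""
    return [(h, int(p) if p else 80) for h, p in PROXY_PASS_RE.findall(nginx_text)]


def check_upstreams(nginx_text, compose_text):
    """One finding per proxy_pass target that cannot work from inside the nginx container."""
    services = set(compose_service_names(compose_text))
    findings = []
    for host, port in proxy_pass_targets(nginx_text):
        if host in LOOPBACK_HOSTS:
            findings.append(f"{host}:{port} is the nginx container's own loopback, not the host; "
                            f"use a compose service name instead (one of {sorted(services)})")
        elif host not in services:
            findings.append(f"{host}:{port} is not a service in this compose file; "
                            f"compose DNS only resolves {sorted(services)}")
    return findings


# The fix from the answer above: address the rails container by its service name.
FIXED_NGINX_CONF = NGINX_CONF.replace("http://127.0.0.1:3000", "http://app:3000")

if __name__ == "__main__":
    for finding in check_upstreams(NGINX_CONF, COMPOSE_YML):
        print("finding:", finding)
    print("after fix:", check_upstreams(FIXED_NGINX_CONF, COMPOSE_YML))
```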