Develop Reference

Bad gateway on traefik docker

I build traefik with cloudflare CDN. I used docker container run command to execute my docker container execute by Drone CI. I have an issue when I successfully built docker container which leads to bad gateway on subdomain.
docker-compose.yml
version: '3'
services:
traefik:
image: traefik:latest
container_name: traefik
restart: always
domainname: ${DOMAINNAME}
networks:
- traefik_proxy
ports:
- "80:80"
- "443:443"
- "8080:8080"
environment:
- CF_API_EMAIL=${CLOUDFLARE_EMAIL}
- CF_API_KEY=${CLOUDFLARE_API_KEY}
labels:
- "traefik.enable=true"
- "traefik.backend=traefik"
- "traefik.frontend.rule=Host:monitor.${DOMAINNAME}"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=example.com"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.auth.basic.users:${HTTP_USERNAME}:${HTTP_PASSWORD}"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/traefik:/etc/traefik
- /etc/docker/shared:/shared
networks:
traefik_proxy:
external:
name: traefik_proxy
Traefik.toml
nsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]
# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Let's encrypt configuration
[acme]
email = "example#gmail.com" #any email id will work
storage="acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 300
[[acme.domains]]
main = "example.com"
[[acme.domains]]
main = "*.example.com"
# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.com"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
Command I used to run the docker container execute by Drone:
docker container run -d --name example-development --restart=unless-
stopped --label "traefik.backend=example-development" --label
"traefik.frontend.rule=Host:subdomain.example.com" --label
"traefik.enable=false" --label "traefik.port=6611" --expose 6611
cloud.canister.io:5000/username/repo
My docker container is listening to http://127.0.0.1:6611
Above codes examples lead to Error 504 Gateway Timeout.

Traefik needs to have a common network with the containers it is connecting to. In this case, you need to run containers with --net=traefik_proxy.
If you're container is on multiple networks, you'll also need the label traefik.docker.network=traefik_proxy to tell traefik which of those networks to use.

Where are Traefik logs?

Do you happen to know where the Traefik logs are located? I read the documentation on Traefik and it says it will output to stdout but when I start the docker container with docker-compose up -d it doesn't show anything in stdout after I try the domain name and pull up multiple linked docker containers.
I also tried to specify these:
[traefikLog]
filePath = "./traefik.log" #<--Tried this but It doesn't work, file empty and permissions set to 777
[accessLog]
filePath = "./access.log" #<--Tried this but doesn't work, file empty and permissions set to 777
I'm confused, am I missing something? or is Traefik supposed to be this quiet?
When I run it this is all I see, nothing afterwards.
# docker-compose up
Creating traefik ... done
Attaching to traefik
Attached is my config. Thanks.
traefik/traefik.toml:
logLevel = "DEBUG"
defaultEntryPoints = ["http","https"]
[api]
address = ":8080"
[traefikLog]
filePath = "./traefik.log" #<--Tried this but It doesn't work
[accessLog]
filePath = "./access.log" #<--Tried this but doesn't work
[entryPoints]
[entryPoints.http]
#redirect ALL http traffic to https 443
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
#Let's encrypt setup
[acme]
email = "email#email.com"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
#When new host is created, request certificate.
onHostRule = true
onDemand = false
[acme.httpChallenge]
entryPoint = "http"
#Watch Docker, when new containers are created with label create mapping.
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "exampledomain.net"
watch = true
exposedbydefault = false
docker-compose.yml:
version: '3'
services:
traefik:
hostname: traefik
domainname: exampledomain.net
image: traefik:alpine
command: --api --docker
container_name: traefik
networks:
- nginx-proxy
ports:
- "80:80"
- "443:443"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "./traefik/traefik.toml:/traefik.toml"
- "./traefik/acme.json:/acme.json"
labels:
- "traefik.enable=true"
- "traefik.port=8080"
- "traefik.frontend.rule=Host:monitor.exampledomain.net"
- "traefik.docker.network=nginx-proxy"
networks:
nginx-proxy:
external:
name: nginx-proxy

To see logs in the stdout event if you run docker-compose up -d:
docker-compose logs -f
https://docs.docker.com/compose/reference/logs/
FYI The path ./traefik.log is inside the Traefik container.
[traefikLog]
filePath = "./traefik.log"
With your files (without the section [traefikLog]), I see the logs.
However, your configuration have some issues:
version: '3'
services:
traefik:
hostname: traefik
domainname: exampledomain.net
image: traefik:v1.7.9-alpine
# command: --api --docker # <-- don't define the same configuration with CLI and TOML https://docs.traefik.io/basics/#static-traefik-configuration
container_name: traefik
networks:
- nginx-proxy
ports:
- "80:80"
- "443:443"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "./traefik/traefik.toml:/traefik.toml"
- "./traefik/acme.json:/acme.json"
labels:
- "traefik.enable=true"
- "traefik.port=8080"
- "traefik.frontend.rule=Host:monitor.exampledomain.net"
- "traefik.docker.network=nginx-proxy"
networks:
nginx-proxy:
external:
name: nginx-proxy
logLevel = "DEBUG"
defaultEntryPoints = ["http","https"]
[api]
# address = ":8080" <- this options doesn't exist. https://docs.traefik.io/v1.7/configuration/api/
# [traefikLog] # <-- remove because not needed
# filePath = "./traefik.log"
# [accessLog] # <-- remove because not needed
# filePath = "./access.log"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Let's encrypt setup
[acme]
email = "email#email.com"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
onHostRule = true
onDemand = false
[acme.httpChallenge]
entryPoint = "http"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "exampledomain.net"
# watch = true # <---- useful only for swarm
exposedbydefault = false

Just add [accessLog] to your traefik.toml file and you are fine.

I am sharing a docker-compose file, which will create a volume for both access logs and service logs:
"networks":
"network":
"external":
"name": "appliance"
"services":
"container":
"container_name": "traefik"
"image": "traefik:1.7.4"
"networks":
- "network"
"ports":
- "80:80"
- "443:443"
- "8099:8099"
"restart": "always"
"volumes":
- "/var/run/docker.sock:/var/run/docker.sock"
- "{pwd}/traefik.toml:/traefik.toml"
- "{pwd}/acme.json:/acme.json"
- "logs:/var/log/traefik"
"version": "3.4"
"volumes":
"logs":
"name": "traefik_logs"
Add the log location in traefik.toml as follows:
[accessLog]
filePath = "/var/log/traefik/access.log"

Traefik - unable to obtain Let's encrypt certificate for domains => acme http challenge times out

I'm trying to secure a site which is served by trafik using let's encrypt. However, it fails when testing the acme challenge.
time="2019-02-07T23:23:35Z" level=error msg="Unable to obtain ACME certificate for domains \"git.redacted.be\" detected thanks to rule \"Host:git.redacted.be\" : unable to generate a certificate for the domains [git.redacted.be]: acme: Error -> One or more domains had a problem:\n[git.redacted.be] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://git.redacted.be/.well-known/acme-challenge/I_44HUy2IqyYZk-6GmfWxtm7Uunx_wid9rgHpXkhZcM: Error getting validation data, url: \n"
The server is publicly available (if I go to http://git.redacted.be, it get's redirected to https and I can configure my git server) from the internet, and gogs (the git server) is also made accessible via traefik and docker.
When I manually navigate to the url mentioned (.well-known/acme-challenge/...), the request times out but logging inside traefik shows: Error getting challenge for token: cannot find challenge for
I already tried some of the workarounds mentioned in https://github.com/containous/traefik/issues/2763 (disable IPv6 and use traefik:alpine)
This is my setup:
Traefik docker-compose.yml
version: '3.2'
services:
traefik:
image: traefik:alpine # The official Traefik docker image
command: --api --docker --logLevel=info # Enables the web UI and tells Tr ik to listen to docker
restart: unless-stopped
ports:
- "81:80" # The HTTP port
- "444:443"
- "18080:8080" # The Web UI (enabled by --api)
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./acme.json:/acme.json
networks:
- traefik
logging:
driver: "json-file"
networks:
traefik:
external:
name: traefik
Traefik.toml
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "redacted.be"
watch = true
exposedByDefault = false
[acme]
email = "ronald#redacted.be"
storage = "acme.json"
entryPoint = "https"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
The docker-compose of my git server:
version: '3.2'
services:
gogs:
restart: unless-stopped
image: gogs/gogs
volumes:
- ./data/db:/data/db
- ./data/git:/data/git
- ./data/gogs:/data/gogs
networks:
- gogs
- traefik
ports:
- "10022:22"
- "3000:3000"
labels:
- "traefik.port=3000"
- "traefik.frontend.rule=Host:git.redacted.be"
- "traefik.docker.network=traefik"
networks:
gogs:
traefik:
external:
name: traefik
Any idea what I'm doing wrong?

Traeffic, Docker and Let's Encrypt

Final stage before my website can finally go live --> SSL.
I'm using a Jekyll site, with Traefic as a reverse proxy, Docker to prevent "it works on my machine" and Let's Encrypt for SSL. Looking at the docs this should be a walk in the park, but (as everything in software development) it is harder then it seems.
My current Traefic configuration:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
permanent = true
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "johanvergeer.com"
watch = true
exposedByDefault = true
usebindportip = true
swarmMode = true
[acme]
email = "johanvergeer#gmail.com"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[[acme.domains]]
main = "johanvergeer.com"
[acme.httpChallenge]
entryPoint = "http"
provider = "digitalocean"
And the docker-compose file
version: "3.6"
services:
site:
ports:
- 4000:4000
image: registry.gitlab.com/johanvergeer/redgyro/site:latest
deploy:
labels:
- traefik.site.port=4000
- traefik.enable=true
- traefik.frontend.rule=Host:johanvergeer.com
- traefik.frontend.entryPoints=http,https
- traefik.docker.network=traefik-net
- traefik.backend.loadbalancer.method=drr
networks:
- traefik-net
reverse-proxy:
image: traefik # The official Traefik docker image
ports:
- "80:80" # The HTTP port
- "8080:8080" # The Web UI (enabled by --api)
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
- $PWD/traefik.toml:/etc/traefik/traefik.toml
- $PWD/acme.json:/etc/traefik/acme.json
deploy:
labels:
- traefik.site.port=80
- traefik.logLevel=DEBUG
- traefik.docker.network=traefik-net
- traefik.backend.loadbalancer.method=drr
placement:
constraints:
- node.role == manager
update_config:
parallelism: 1
delay: 10s
restart_policy:
condition: on-failure
networks:
- traefik-net
networks:
traefik-net:
name: traefik-net
At this moment I don't even receive anything in the Traefic logs, while it is set on DEBUG.
The browser shows an error Your connection is not private and NET::ERR_CERT_AUTHORITY_INVALID.
Does anyone know how to solve this?

httpChallenge does not accept a provider param. You could try removing that.
If that doesn't work and you're running on DigitalOcean try doing a dnsChallenge instead of an httpChallenge. To do so modify your traefik.toml from this:
[acme.httpChallenge]
entryPoint = "http"
provider = "digitalocean"
To this:
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
And pass in the DO_AUTH_TOKEN environment variable as specified here. If you anticipate adding subdomains later DNS challenge with wildcard domains is the way to go.
Also consider removing caServer from your config so you default to production in case you've hit the Let's Encrypto Rate Limit for staging.
You could also try asking for help on the Let's Encrypt Community Support forum if you haven't yet.

Trafik.io as docker container with basic auth

I want the following setup:
run traefik as docker container via docker compose
hide the dashboard behind a traefik frontend and use basic auth
what do I have?
A simple docker-compose.yml:
version: '3'
services:
traefik:
image: traefik
command: --api --docker --docker.domain=domain.com --logLevel=WARN
networks:
- webgateway
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
labels:
- "traefik.frontend.rule=Host:traefik.domain.com"
- "traefik.port=8080"
networks:
webgateway:
driver: bridge
and a traefik.toml like this:
logLevel = "DEBUG"
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.traefik]
[entryPoints.traefik.auth]
[entryPoints.traefik.auth.basic]
users = [
"admin:$SomeSaltedString"
]
[api]
entryPoint = "traefik"
dashboard = true
[ping]
[docker]
exposedbydefault = false
I would expect, that because of the traefik labels in the compose file the dasboard from port 8080 is available via traefik.domain.com and protected via basic auth because of the the entrypoint configuration in the traefik config.
But what does happen is the following:
curl -L http://traefik.domain.com
Bad Gateway%
Any idea whats wrong here? I don't find any logs somewhere

You can just use a label
- "traefik.frontend.auth.basic.users=username:$$apr1$$EgzP3sdp$$/AbxxRulwvuoE.3ReJo.i/"
The username password pair is generated by
echo $(htpasswd -nb <AUTH-USER> <AUTH-PASS>) | sed -e s/\\$/\\$\\$/g.

You have to define an address for your Traefik Web UI. Your traefik.toml should look like this:
logLevel = "DEBUG"
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.traefik]
address = ":8080"
[entryPoints.traefik.auth]
[entryPoints.traefik.auth.basic]
users = [
"admin:$SomeSaltedString"
]
[api]
entryPoint = "traefik"
dashboard = true
[ping]
[docker]
exposedbydefault = false