Force https on traefik with docker-compose - docker

I'm using traefik as my reverse proxy on my server. It's used to host multiple web applications like wordpress and larvel.
For these 2 application i found a "fix" for the mixed(the application servers http assets) content warning, as example, the wordpress fix:
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS']='on';
$http_s = ( !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? 'https' : 'http';
But I don't really like this solution and not every web-app support the option to declare "https only" or "force https"
Is there an option in traefik to force or rewrite the urls, i didnt have these problems with Apache or nginx. I already have an http->https redirection
These are my configs:
Docker-compose traefik:
reverse-proxy:
container_name: traefik
image: traefik:v2.6
restart: unless-stopped
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.http.tls=true
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
- --providers.file.directory=/app/certificates
- --providers.file.watch=true
ports:
# The HTTP port
- "80:80"
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
Docker-compose web app:
nginx:
image: nginx:latest
container_name: ${APP_NAME}-nginx
env_file:
- .env
volumes:
- "./config/nginx/:/etc/nginx/templates/"
- ./src:/var/www/html:rw,cached
environment:
- "NGINX_ENVSUBST_TEMPLATE_SUFFIX=.conf"
networks:
- default
- traefik
labels:
- "traefik.enable=true"
- "traefik.http.routers.${APP_NAME}.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
- "traefik.http.services.${APP_NAME}.loadbalancer.server.port=80"
- "traefik.docker.network=traefik_proxy"
restart: unless-stopped

Related

I want docker to listen to "http://localhost/user" and forward to "http://portal.local/user" using traefik

I've got my docker environment setup using traefik and I've got two services running at the moment.
I'm using Google OAuth for authentication which redirects to my web application with auth-code. The redirect URL isn't allowed anything but localhost or localhost:<any-port> or any CDN. I've setup my docker for http://portal.local.
I now want http://localhost/user/googleLogin?code=xxxxxxxxxx to be translated to http://portal.local/user/googleLogin?code=xxxxxxxx for further processing of authentication.
Right now, I'm having to manually change localhost to portal.local in browser URL after it gives site not found error, which then takes me to further processing.
Below is my docker-compose.yml file.
version: "3.9"
services:
portal-traefik:
container_name: portal-traefik
command:
- --api.insecure=true
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --entrypoints.web.address=:80
# - --entrypoints.websecure.address=:443
# - --certificatesresolvers.myresolver.acme.httpchallenge=true
# - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
# - --certificatesresolvers.myresolver.acme.email=ssl#idealsalessolutions.com
# - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
image: traefik:latest
networks:
api_driven:
ports:
- "80:80"
- "8080:8080"
# - "443:443"
restart: unless-stopped
volumes:
- portal_acme:/acme
- /var/run/docker.sock:/var/run/docker.sock:ro
api-i4f:
container_name: api-i4f
depends_on:
- php-i4f
- portal-traefik
image: nginx:stable-alpine
labels:
- traefik.enable=true
- traefik.http.routers.api.rule=Host(`api.local`)
networks:
api_driven:
restart: unless-stopped
volumes:
- ../docker.sites/api.local:/usr/share/nginx/api.local
- ./conf/nginx/conf.d:/etc/nginx/conf.d:ro
command: [nginx, '-g', 'daemon off;']
hostname: api.local
portal-i4f:
container_name: portal-i4f
depends_on:
- php-i4f
- portal-traefik
image: nginx:stable-alpine
labels:
- traefik.enable=true
- traefik.http.routers.portal.rule=Host(`portal.local`)
networks:
api_driven:
restart: unless-stopped
volumes:
- ../docker.sites/portal.local:/usr/share/nginx/portal.local
- ./conf/nginx/conf.d:/etc/nginx/conf.d:ro
command: [nginx, '-g', 'daemon off;']
hostname: portal.local
php-i4f:
container_name: php-i4f
depends_on:
- portal-traefik
image: isshub/core:php7.4.30-fpm-alpine3.16-intl-mysql
networks:
api_driven:
restart: unless-stopped
volumes:
- ../docker.sites/api.local:/usr/share/nginx/api.local
- ../docker.sites/portal.local:/usr/share/nginx/portal.local
networks:
api_driven:
name: "api_driven"
volumes:
portal_acme:
I've tried to use multiple router rules to listen to both localhost and portal.local using regex/replacement middlewares as well but that stops the service at all and gives 404 error.

traefik rule not redirecting requests made to "localhost/api" to backend container

traefik rule not redirecting requests made to "localhost/api" to backend container
Whenever I change the backend
- "traefik.http.routers.api.rule=Host(`localhost`) && PathPrefix(`/api`)"
to Host('localhost') I can access the application at localhost but after adding this rule, whenever I go to localhost/api , it leads me to frontend and opens html page
version: '3'
volumes:
myvol2:
external: false
services:
traefik:
image: "traefik:v2.6"
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.api.address=:5000"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443" # new
ports:
- "80:80"
- "5000:5000"
- "443:443" # new
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
api:
image: "myimagename"
ports:
- '5000'
scale: 1
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`localhost`) && PathPrefix(`/api`)"
- "traefik.http.routers.api.entrypoints=web"
- "traefik.http.services.api.loadbalancer.server.port=5000"
volumes:
- /app/node_modules
- ./server:/app
- myvol2:/resources/static/assets/uploads # Volume
environment:
- PORT=5000
web:
image: "myfrontendimage"
stdin_open: true
scale: 1
ports:
- '3000'
environment:
- CHOKIDAR_USEPOLLING=true
- CI=true
labels:
- "traefik.enable=true"
- "traefik.http.routers.web.rule=Host(`localhost`)"
- "traefik.http.routers.web.entrypoints=web"
- "traefik.http.services.web.loadbalancer.server.port=3000"
volumes:
- /app/node_modules
- ./client:/app
Tried redirecting the Tried almost all combinations of route, even tried adding regexp for matching localhost/api.
With my current nginx setup,
I have :
location /api{
rewrite /api/(.*) /$1 break;
proxy_pass http://api;
}
in my default.conf,
Trying to migrate to traefik but the requests to localhost/api are not reaching
Your configuration seems to be fine. In your question you have a bunch of placeholder values, so it's not actually possible to test your docker-compose.yaml, but we can produce a runnable version like this:
services:
traefik:
image: "traefik:v2.9"
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# The port mappings here are to avoid conflicts with other services
# on my system
ports:
- "7080:80"
- "7443:443"
- "7090:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
api:
# Note that we don't need a `ports` configuration here because we're
# not publish any ports to the host (all access will be via the
# frontend proxy).
image: "docker.io/traefik/whoami:latest"
command:
- --name=API
- --port=5000
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`localhost`) && PathPrefix(`/api`)"
- "traefik.http.routers.api.entrypoints=web"
- "traefik.http.services.api.loadbalancer.server.port=5000"
web:
image: "docker.io/traefik/whoami:latest"
command:
- --name=WEB
- --port=3000
labels:
- "traefik.enable=true"
- "traefik.http.routers.web.rule=Host(`localhost`)"
- "traefik.http.routers.web.entrypoints=web"
- "traefik.http.services.web.loadbalancer.server.port=3000"
The significant changes here are:
I'm using Traefik v2.9 (because why use an older release?)
I've replaced all your images with docker.io/traefik/whoami, which gives us a simple endpoint for testing.
With the above configuration, a request to http://localhost hits the "web" container:
$ curl localhost:7080
Name: WEB
[...]
Whereas a request to http://localhost/api hits the "api" container:
$ curl localhost:7080/api
{...., "name": "API"}
(We're getting a JSON response in the second case because we're hitting the /api path on the whoami container.)
Finally, got the traefik /api to redirect to the other backend container with the following set up
The primary issue was that even though it redirects to the container, it did not strip the /api prefix, so the API route was getting messed up
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=PathPrefix(`/api/`)"
- "traefik.http.routers.api.service=api"
- "traefik.http.services.api.loadbalancer.server.port=5000"
- "traefik.http.middlewares.api.stripprefix.prefixes=/api"
- "traefik.http.middlewares.api.stripprefix.forceSlash=false"
- "traefik.http.routers.api.middlewares=api"

Traefik Docker SSL Configuration With Lets Encrypt

Hi everyone I am trying to enable SSL in my docker-compose.yml file for my backend service. All of my Traefik configuration is done in my docker-compose.yml file, so I may be missing a line. Running docker-compose on this configuration works without SSL and the site is displayed properly, but it does not work when using https. I have checked the Traefik documentation for the certResolvers and I am not sure what I am missing thanks.
version: "3"
networks:
NanoWall-Net:
services:
api:
build:
context: .
dockerfile: Dockerfile
labels:
- "traefik.docker.network=NanoWall-Net"
- "traefik.enable=true"
- "traefik.port=5000"
- "traefik.http.routers.http-catchall.rule=Host(`nanowalldocs.com`)"
- "traefik.http.routers.http-catchall.tls=true"
- "traefik.http.routers.http-catchall.tls.certresolver=le"
- "traefik.http.routers.http-catchall.tls.domains[0].sans=nanowalldocs.com"
- "traefik.http.routers.http-catchall.entrypoints=web"
ports:
- "5000:5000"
networks:
- NanoWall-Net
reverse-proxy:
image: traefik:v2.0
# Enables the web UI and tells Traefik to listen to docker
command:
- "--entryPoints.web.address=:80"
- "--entryPoints.websecure.address=:443"
- "--entryPoints.websecure.http.tls.certResolver: le"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--api.insecure=true"
- "--api.debug=true"
- "--api=true"
- "--api.dashboard=true"
- "--providers.docker=true"
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedbydefault=false"
- "--accesslog=true"
- "--accesslog.filepath=/var/log/traefik-access.log"
- "--accesslog.bufferingsize=1000"
- "--log.filePath=/var/log/traefik.log"
- "--certificatesResolvers.le.acme.email=jamar.phillip99#gmail.com"
- "--certificatesResolvers.le.acme.storage=acme.json"
- "--certificatesResolvers.le.acme.httpChallenge=true"
- "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
ports:
# The HTTP port
- "80:80"
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
networks:
- NanoWall-Net
volumes:
- /acme.json/etc/traefik/acme.json
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: always
It may not be the only issue, but you are missing a colon in your traefik volumes section. You have:
- /acme.json/etc/traefik/acme.json
I think it should be (assuming your host location is really /acme.json and not ./acme.json or in some other directory):
- /acme.json:/etc/traefik/acme.json
That said, I have also been having an issue where traefik always wants it in /acme.json, so I just put it there instead of in /etc/traefik/acme.json .

Apache Nifi behind Traefik as a reverse proxy

I'm using Traefik as a reverse proxy for a lot of services and for tls termination. This works properly excepted Nifi. When trying to forward incomming requests to Nifi I get "Bad Gateway" responses.
Does anybody have an idea how to fix that?
Thanks a lot :-)
traefik:
image: "traefik:v2.2"
container_name: "traefik"
restart: always
networks:
- monitoring
- website
- iot
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
#s- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.myresolver.acme.email=test#test.de"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
# prom metrics
- "--metrics.prometheus=true"
---
nifi:
image: apache/nifi:latest
container_name: nifi
restart: on-failure
environment:
- NIFI_WEB_PROXY_CONTEXT_PATH=/
- NIFI_WEB_HTTP_PORT= 8080
expose:
- 8080
networks:
- iot
labels:
- "traefik.enable=true"
- "traefik.http.routers.nifi.rule=Host(`nifi.example.de`)"
- "traefik.http.routers.nifi.entrypoints=web"
- "traefik.http.routers.nifi.middlewares=nifi-auth"
# Basic Auth
- "traefik.http.middlewares.nifi-auth.basicauth.users=admin:$$xyz$$xyz$$xyz"
Any idea?? :-)
Since there are several ports open for the ui etc. it's required to define the routing port by using (e. g.):
- "traefik.http.services.nifi.loadbalancer.server.port=8080"

forward url with traefik v2 using docker

I want to forward url with traefik(version 2) like If I hit URL http://localhost/1 then it is forwarded to http://localhost:8081/1.
I have tried with several configuration but no one works. Please find below configuration I have done but it didn't worked.
version: "3.3"
services:
traefik:
image: "traefik:v2.0.0-rc3"
container_name: "traefik"
command:
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
ports:
- "80:80"
- "8080:8080"
- "8081:8081"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
whoami:
#image: "containous/whoami"
#container_name: "simple-service"
#command:
# - "--port=8081"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`localhost`)"
- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.services.whoami.loadbalancer.server.port=8081"
I think you don't need to forward, since you have defined the loadbalancer port, add PathPrefix to your whoami routers rule should work.
Like this
- "traefik.http.routers.whoami.rule=Host(`localhost`) && PathPrefix(`/1`)"
And if you do need forward requests, you can use middlewares.redirectregex.
- "traefik.http.routers.whoami.middlewares=whoami-redirectregex"
- "traefik.http.middlewares.whoami-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.whoami-redirectregex.redirectregex.replacement=http://localhost:8081/$${1}"
FYI. middleware docs

Resources