Develop Reference

Bad gateway on Portainer on Docker swarm

noob here: I am trying to run portainer in a docker swarm.
I've been searching for a solution but I had no luck so far...
The traefik gui loads fine and I can see the portainer service running.Any ideas?
Please see config and compose files:
traefik.toml
[global]
checkNewVersion = true
# Dashboard
[api]
dashboard = true
# Traefik logs
[log]
level = "DEBUG"
filePath = "/traefik.log"
[entryPoints.http]
address = ":80"
[entryPoints.http.http.redirections.entryPoint]
to = "https"
scheme = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.http.tls]
certResolver = "main"
# Let's Encrypt
[certificatesResolvers.main.acme]
email = "name#gmail.com"
storage = "acme.json"
[certificatesResolvers.main.acme.dnsChallenge]
provider = "route53"
# Docker Traefik provider
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
swarmMode = true
watch = true
exposedByDefault = false
[tls.options]
[tls.options.default]
minVersion = "VersionTLS13"
sniStrict = true
[tls.options.tls12]
minVersion = "VersionTLS12"
sinStrict = true
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
]
docker-compose.yml
version: '3.2'
services:
agent:
image: portainer/agent:latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
networks:
- traefik_public
deploy:
mode: global
placement:
constraints: [node.platform.os == linux]
portainer:
image: portainer/portainer-ee:latest
#command: -H tcp://tasks.agent:9001 --tlsskipverify
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /home/user/webapp/portainer/portainer_data:/data
networks:
- traefik_public
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.tls.certresolver=main"
- "traefik.http.routers.portainer.rule=Host(`portainer.mydomain.com`)"
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
- "traefik.http.routers.portainer.entrypoints=https"
- "traefik.http.services.portainer.loadbalancer.server.scheme=https"
- "traefik.http.routers.portainer.tls=true"
mode: replicated
placement:
constraints: [node.role == manager]
networks:
traefik_public:
external: true
and this is the output of the traefik debug log :
error msg="Could not define the service name for the router: too many services" providerName=docker routerName=traefik-secure
debug msg="Filtering disabled container" container=portainer-agent-bn1xdlt8xbnzapa0fdjxadjiq providerName=docker
debug msg="Configuration received: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"https\"],\"service\":\"api#internal\",\"rule\":\"Host(`traefik.example.com`)\",\"tls\":{\"certResolver\":\"main\"}},\"portainer\":{\"entryPoints\":[\"https\"],\"service\":\"portainer\",\"rule\":\"Host(`portainer.example.com`)\"}},\"services\":{\"dummy\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.6:9999\"}],\"passHostHeader\":true}},\"portainer\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.12:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.6:8080\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
debug msg="Skipping unchanged configuration." providerName=docker

Traefik V2 docker provider path /ws routing to external websocket server

Stack:
serverX
docker
traefik
x-site.com
redirect :80->:443
https://x-site.com/* -> x-site docker container
wss://x-site.com/ws proxy -> ws://external.websocket.com:8083/ws HOW TO?
y-site.com
...
external.websocket.com - works perfectly with all kinds of mqtt,ws clients, except web
software: emqx
listens: ws:8083 mqtt:1883
protocol: ws, mqtt
proxy protocol support: on
docker-compose.yml
version: '3.7'
services:
router:
container_name: router
image: traefik:v2.6
restart: on-failure:5
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
- target: 8080
published: 8080
mode: host
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./router:/etc/traefik
x-site:
container_name: x-site
image: backend
restart: on-failure:5
env_file:
- /.default.env
- /.server.env
- /root/env/x-site.env
labels:
traefik.enable: true
traefik.http.routers.x-site.rule: Host(`x-site.com`)
traefik.http.routers.x-site.entrypoints: web,websecure
traefik.http.routers.x-site.tls: true
# tried service loadbalancer and etc
# traefik.http.routers.ws_x-site.rule: Host(`x-site.com`) && PathPrefix(`/ws`)
# traefik.http.routers.ws_x-site.entrypoints: websecure
# traefik.http.routers.ws_x-site.service: websocket_x-site
# traefik.http.services.websocket_x-site.loadBalancer.server.url: ws://external.websocket.com:8083/ws
traefik.yaml
api:
insecure: true
dashboard: true
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
transport:
respondingTimeouts:
readTimeout: 10
writeTimeout: 10
idleTimeout: 10
lifeCycle:
requestAcceptGraceTimeout: 5
graceTimeOut: 5
websecure:
address: ":443"
transport:
respondingTimeouts:
readTimeout: 300
writeTimeout: 3600
idleTimeout: 180
lifeCycle:
requestAcceptGraceTimeout: 30
graceTimeOut: 30
providers:
docker:
endpoint: unix:///var/run/docker.sock
exposedByDefault: false
file:
filename: /etc/traefik/cert.yaml
log:
level: ERROR

Docker compose ECS AWS Application Load balance redirect

Im deploying my docker container via my docker compose file.
When i initially deploy my app it creates a load balancer but as type "network". I cannot do a redirect to https with this type.
I want my load balancer to be created as a type "application" and then setup the redirect from http to https.
My container will still be listening to port 80.
Bonus: i would like to deploy and also attach my SSL cert in my compose file so that its all ready on a fresh deploy.
As you can see ive tried a few things but cant get it to work.
Thanks
version: '3.8'
services:
web:
container_name: auction_web
image: <ECR Image>
# x-aws-pull_credentials: arn:aws:secretsmanager:xxxxxxxxxxxx
depends_on:
- redis
ports:
# - "80:80" - tried this
# - "443:443" - tried this
- target: 80
x-aws-protocol: http
- target: 443
x-aws-protocol: https
# - published: 80
# protocol: "http"
# x-aws-alb-default-actions:
# - type: redirect
# host: '<domain>'
# port: 443
# protocol: HTTPS
# status-code: HTTP_301
# - published: 443
# protocol: "https"
# x-aws-acm-certificate: <cert name>
deploy:
resources:
limits:
cpus: '1'
memory: 4096M

Please try this:
Define ports with "80:80" and "443:443" and nothing else.
Add the following section at the bottom of the docker-compose file:
x-aws-cloudformation:
Resources:
Web443Listener:
Properties:
Certificates:
- CertificateArn: "<certificate ARN>"
Protocol: HTTPS
Port: 443
Web80Listener:
Properties:
DefaultActions:
- Type: redirect
RedirectConfig:
Port: 443
Protocol: HTTPS
StatusCode: HTTP_301

x-aws-cloudformation:
Resources:
App80Listener:
Properties:
Port: 80
Protocol: HTTP
LoadBalancerArn:
Ref: LoadBalancer
DefaultActions:
- Type: redirect
RedirectConfig:
Port: 443
Protocol: HTTPS
StatusCode: HTTP_301
Type: AWS::ElasticLoadBalancingV2::Listener
App443Listener:
Properties:
Port: 443
Protocol: HTTPS
LoadBalancerArn:
Ref: LoadBalancer
DefaultActions:
- ForwardConfig:
TargetGroups:
- TargetGroupArn:
Ref: App8080TargetGroup
Type: forward
Certificates:
- CertificateArn: "<arn for cert>"
Type: AWS::ElasticLoadBalancingV2::Listener
App8080TargetGroup:
Properties:
Name: 'jenkins-tg'
Port: 8080
Protocol: HTTP
Tags:
- Key: com.docker.compose.project
Value: jenkins
TargetType: ip
VpcId: vpc-d21afbbb
HealthCheckPath: '/login'
Type: AWS::ElasticLoadBalancingV2::TargetGroup

docker-compose and express-gateway show bag gateway locally

I want run my express-gateway locally in my pc and have two services for access with my gateway, the problem is that always have the same problem "bad gateway" I test with other public api and work fine, how can do run this locally without this problem? because always show "bad gateway":
my docker-compose.yml
version: "3.4"
services:
express-gateway:
image: gateway:latest
build:
context: ./
dockerfile: Dockerfile
labels:
- "traefik.enable=true"
- "traefik.http.routers.express-gateway.rule=Host(`eg.127.0.0.1.nip.io`)"
- "traefik.http.routers.express-gateway.entrypoints=web"
- "traefik.http.services.express-gateway.loadbalancer.server.port=9090"
volumes:
- ./gateway.config.yml:/usr/src/app/config/gateway.config.yml
ingress-controller:
image: traefik:v2.0
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
ports:
- 80:80
- 8080:8080
volumes:
- /var/run/docker.sock:/var/run/docker.sock
this is the configuration on my express gateway. my gateway.config.yml :
http:
port: 9090
admin:
port: 9876
host: 0.0.0.0
apiEndpoints:
events:
host: "*"
paths: ["/api/events*", "/swagger*"]
methods: ["GET", "PATCH"]
eventsCreate:
host: "*"
paths: "/api/events*"
methods: ["POST", "PUT", "OPTIONS"]
auth:
host: "*"
paths: "/api/auth*"
methods: ["POST", "GET", "OPTIONS"]
serviceEndpoints:
auth:
url: "http://127.0.0.1:59868"
events:
url: "http://127.0.0.1:5000"
policies:
- basic-auth
- cors
- expression
- key-auth
- log
- oauth2
- proxy
- rate-limit
- jwt
- request-transformer
pipelines:
authPipeline:
apiEndpoints:
- auth
policies:
- cors:
- log:
action:
message: "auth ${req.method}"
- proxy:
action:
serviceEndpoint: auth
changeOrigin: true
eventsPipeline:
apiEndpoints:
- events
policies:
- cors:
- log:
action:
message: "events ${req.method}"
- proxy:
action:
serviceEndpoint: events
changeOrigin: true
eventsCreatePipeline:
apiEndpoints:
- eventsCreate
policies:
- cors:
- log:
action:
message: "events ${req.method}"
- jwt:
action:
secretOrPublicKey: "MORTADELAIsMyPassion321"
checkCredentialExistence: false
- proxy:
action:
serviceEndpoint: events
changeOrigin: true

Bad Gateway is usually an error raised by the Proxy policy — in such case you should be able to check the log and see the specifics, and then go from there.

Use traefik middleware globally

i am trying to declare https redirect inside the traefik.yml file. For now i tried to add those rules inside the traefik service in docker-compose.yml. That worked like a charm. Although i'd prefer to configure this global and middleware redirect inside the traefik.yml file and then just reference it in the traefik service on docker-compose.yml.
What i had before
version: '3'
networks:
web:
external: true
services:
traefik:
image: traefik:v2.1
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./.traefik/traefik.yml:/traefik.yml
- ./.traefik/acme.json:/acme.json
networks:
- web
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(`$HOSTNAME`)"
- "traefik.http.routers.traefik.service=api#internal"
- "traefik.http.routers.traefik.tls.certresolver=le"
- "traefik.http.routers.traefik.entrypoints=https"
# Global redirect to https
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
# Middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
That worked easily and redirected all other domains from http to https.
What i want now
I want to declare those redirects inside the traefik.yml.
So far i have done this.
api: {}
entryPoints:
http:
address: ":80"
https:
address: ":443"
log:
level: DEBUG
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
network: web
http:
# Global redirect to https
routers:
http-catchall:
rule: hostregexp(`{host:.+}`)"
entrypoints:
http
middlewares:
- redirect-to-https
# Middleware redirect
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
certificatesResolvers:
le:
acme:
email: john#doe.com
storage: acme.json
# Activate for Development: Certificate will not be valid. It's only for testing if it can be obtained.
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
httpChallenge:
entryPoint: http
As you can see i declared the http settings.
My question is now how can i reference those settings into my traefik service?
I tried it with
- "traefik.http.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https"
- "traefik.http.middlewares.traefik=redirect-to-https#file"
None of them work. Some show the middleware in the dashboard but it is not linked to any settings.
Did anyone find a solution to this? I can't get out anything from the docs about this. I think it must be linked somehow to the #file.
Thank you

#file means that the middleware was defined in the file provider.
You can add a file provider like this in traefik.yml.
providers:
file:
directory: "/path/to/dynamic/conf"
Create a file in that directory with the middleware.
http:
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
You can now reference redirect-to-https#file in your labels.
- "traefik.http.middlewares.traefik=redirect-to-https#file"
NOTE: Some of your configuration in traefik.yml might need to be moved to your new yml file. I am new to Traefik and have not full knownlegde of why yet.
See the following sections in documentation:
https://docs.traefik.io/middlewares/overview/#provider-namespace
https://docs.traefik.io/providers/file/

In fact, you don't need to set this middleware to traefik in labels block. If you have such configuration in your traefik.yml:
http:
routers:
http-catchall:
rule: hostregexp(`{host:.+}`)
entrypoints:
- http
middlewares:
- redirect-to-https
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
permanent: false
It means - all traffic which came to entrypoint http should use middleware redirect-to-https and be redirected to another entrypoint: https. This configuration is globally.
So, you just have to set your container to https entrypoint (as you did, in your example)
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.ua`)"
- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api#internal"