I'm trying to get this to work on a home local server, but no meaningful errors show up. I'm not sure if I need to change something on the machine itself or whether my config is incorrect.
I'm using Ubuntu Desktop 20.04, it's basically a fresh install.
When I run docker hello-world or any docker cli command for running containers, I am able to access things just fine, but when I try my docker-compose files, I get
Error code: SEC_ERROR_INADEQUATE_KEY_USAGE
I'm guessing something with my resolver is incorrect? I tried a lot of different things, but am unsure.
Below are the files that I'm working through to get it to work.
version: '3.7'
services:
  dockerproxy:
    container_name: dockerproxy
    image: tecnativa/docker-socket-proxy
    privileged: true
    restart: always
    logging:
      driver: journald
    environment:
      CONTAINERS: 1
    restart: always
    networks:
      - traefik
    ports:
      - 2375
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  traefik:
    image: traefik:v2.5
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - dockerproxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - default
      - traefik
      - serverpublic
      - serverprivate
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./config:/configurations
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./logs/traefik.log:/traefik.log
      - ./acme/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # Services - Dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,user-auth@file"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8070"
networks:
  traefik:
    external: true
  serverpublic:
    external: true
  serverprivate:
    external: true
traefik.yml
# Traefik v2.5 - traefik.yml 2021
api:
  dashboard: true
# Writing Logs to a File, in JSON
log:
  level: DEBUG
  filePath: "log-file.log"
  format: json
# Configuring a buffer of 100 lines
accessLog:
  filePath: "log-access.log"
  bufferingSize: 100
# Configure metrics for prometheus
metrics:
  prometheus: {}
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "tcp://dockerproxy:2375"
    network: "traefik"
    exposedByDefault: false
certificatesResolvers:
  letsencrypt:
    acme:
      email: a@gmail.com
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: http
  http:
    acme:
      email: a@gmail.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
configuration/dynamic.yml
# traefik dynamic config/rules
http:
  middlewares:
    https_redirect:
      redirectScheme:
        scheme: https
        permanent: true
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    user-auth:
      basicAuth:
        users:
          - "royadmin:$$password"
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
Then below is another separate service that I'm trying to test, but going to the local server IP shows the same error code as I mentioned above:
Basic page service, just an HTML page for testing
version: '3.7'
services:
  # homex is Caddy instance listening to port 80 and serving an index.html.
  homex:
    build:
      context: .
      dockerfile: ./dockerfiles/home-dockerfile
    networks:
      - traefik
      - serverpublic
    labels:
      - "traefik.enable:true"
      - "traefik.http.routers.homex.rule=Host(`localhost`)"
      - "traefik.http.routers.homex.entrypoints=https"
      - "traefik.http.routers.homex.tls.certresolver=letsencrypt"
networks:
  traefik:
    external: true
  serverpublic:
    external: true
Here is a traceback from when I run Traefik with the docker-compose.yml:
Starting dockerproxy ... done
Starting traefik ... done
Attaching to dockerproxy, traefik
dockerproxy | [WARNING] 296/204816 (1) : Can't open server state file '/var/lib/haproxy/server-state': No such file or directory
dockerproxy | Proxy dockerbackend started.
dockerproxy | Proxy dockerfrontend started.
dockerproxy | [NOTICE] 296/204816 (1) : New worker #1 (8) forked
traefik | time="2021-10-24T13:48:17-07:00" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.459] dockerfrontend dockerbackend/dockersocket 0/0/0/4/4 200 1046 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/version HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.464] dockerfrontend dockerbackend/dockersocket 0/0/0/1/1 200 12881 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/json?limit=0 HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.466] dockerfrontend dockerbackend/dockersocket 0/0/0/1/1 200 9752 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/a456f49a4f73a3292b45a1461091a35869df5e633de6e841d0dca26512836bfa/json HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.467] dockerfrontend dockerbackend/dockersocket 0/0/0/1/1 200 6718 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/ab644f8795bd0e860496580bab303f86c176b1ee4872f3f34241510bd8c7c2fe/json HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.468] dockerfrontend dockerbackend/dockersocket 0/0/0/0/0 200 7739 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/c552360b115fa00063f6ab998790925b642abe3369f1721f69df1d6a01ad73a7/json HTTP/1.1"
dockerproxy | 172.26.0.5:57914 [24/Oct/2021:20:48:17.468] dockerfrontend dockerbackend/dockersocket 0/0/0/0/0 200 7366 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/aa08018aa3a644b86e33eb2f79898e91bf16bc35b7669bbce6ea673e84681b56/json HTTP/1.1"
Finally, I was looking at this: https://doc.traefik.io/traefik/middlewares/http/redirectscheme/
Would I specify that (redirect from http to https) as a label on any new services I add, or how do I test it?
If I'm missing anything else, please let me know.
Related
I have a small lab set up on a Docker lab server where I have several containers. I wanted to set up a proxy with Traefik, but I'm stuck on one thing.
It looks like routing works fine, but I get err_connection_refused when I try to access the routed services from the browser.
It works fine with the curl command.
I'm using DNSMasq to manage records and Traefik as the proxy.
Below are the docker-compose files for Traefik and the test container that I am using for testing the proxy.
Heimdall Dashboard:
---
version: "2.1"
services:
  heimdall:
    image: lscr.io/linuxserver/heimdall:latest
    container_name: heimdall
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
    volumes:
      - /path/to/appdata/config:/config
    restart: unless-stopped
    labels:
      - "traefik.http.routers.heimdall-www.rule=Host(`heimdall.lab`)"
      - "traefik.http.services.heimdall-www.loadbalancer.server.port=80"
networks:
  default:
    name: traefik_default
Traefik container:
version: '3'
services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.9
    # Enables the web UI and tells Traefik to listen to Docker
    command: --api.insecure=true --providers.docker
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.lab`)"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
DNSmasq entry
address=/.lab/127.0.0.1
I don't understand why curling works fine, e.g.:
curl -H Host:whoami.lab http://192.168.0.150
Hostname: 1ad1e42dd818
IP: 127.0.0.1
IP: 172.21.0.4
RemoteAddr: 172.21.0.2:54128
GET / HTTP/1.1
Host: whoami.lab
User-Agent: curl/7.84.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 192.168.0.100
X-Forwarded-Host: whoami.lab
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ca631c80565a
X-Real-Ip: 192.168.0.100
I installed Traefik v2 in a container and set it up, but when I go to the domain I get "404 page not found" and not the dashboard.
This is my first time doing this so I'm asking the community for help.
Below are my settings files.
docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik:v2.8
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./ssl:/ssl
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.DOMAIN.com`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
traefik.yml
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
http:
  routers:
    http-catchall:
      rule: hostregexp(`{host:.+}`)
      entrypoints:
        - http
      middlewares:
        - redirect-to-https
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: false
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  letsEncrypt:
    acme:
      email: mail@example.com
      storage: /ssl/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: http
api:
  dashboard: true
I've been trying to solve my problem for days.
I've created a couple of Docker containers and all of them work with the settings without a problem (Shopware, Sulu, Matomo, Mautic) but only the JTL shop gives me problems.
The frontend works, but the backend login is blocked without an error message.
If you had a message you wouldn't have to poke around.
I'll put my docker-compose files for Traefik and JTL-Shop here.
Traefik
version: "3.3"
services:
  traefik:
    image: "traefik:v2.3"
    container_name: Traefik
    command:
      - "--api=true"
      - "--api.dashboard=true"
      - "--log.level=INFO"
      - "--accesslog=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=info@Example.de"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      traefik.enable: true
      # Routers
      traefik.http.routers.traefik.rule: Host(`traefik.example.de`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.tls.certresolver: myresolver
      traefik.http.routers.traefik.middlewares: traefik-auth
      # global redirect to https
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https
      # Middleware
      traefik.http.middlewares.traefik-auth.basicauth.removeheader: true
      traefik.http.middlewares.traefik-auth.basicauth.users: USER:PASSWORT
      # middleware redirect
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - "traefik_proxy"
      - "default"
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge
==
JTL shop
version: '3'
volumes:
  www-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/html
  mysql-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/mysql
  elastic-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/elastic
  redis-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/redis
services:
  # sshd:
  #   image: hermsi/alpine-sshd
  #   container_name: ${COMPOSE_PROJECT_NAME}-SSH
  #   environment:
  #     ROOT_PASSWORD: ${ROOT_PASSWORD}
  #   ports:
  #     - "${SSH_PORT}:22"
  #   volumes:
  #     - www-data:/var/www/html
  apache:
    image: webdevops/php-apache:7.4-alpine
    container_name: ${COMPOSE_PROJECT_NAME}-Apache-PHP
    environment:
      WEB_DOCUMENT_ROOT: /app/${COMPOSE_PROJECT_NAME}-Projekt
      PHP_DISMOD:
      PHP_DISPLAY_ERRORS: 1
      PHP_DATE_TIMEZONE: Europe/Berlin
      PHP_MAX_EXECUTION_TIME: 360
      PHP_MEMORY_LIMIT: 756M
      PHP_UPLOAD_MAX_FILESIZE: 64M
      PHP_POST_MAX_SIZE: 64M
      PHP_ALLOW_URL_FOPEN: 1
    volumes:
      - ./configs/php.ini:/opt/docker/etc/php/php.ini:ro
      - ./configs/root:/var/spool/cron/crontabs/root:ro
      - www-data:/app
    networks:
      - default
      - proxy
    labels:
      - traefik.enable=true
      # Docker network
      - traefik.docker.network=traefik_proxy
      # Routers
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=${HOSTRULE}
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.entrypoints=websecure
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=myresolver
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.service=${COMPOSE_PROJECT_NAME}_SVC
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=${COMPOSE_PROJECT_NAME}_MidWa
      - traefik.http.services.${COMPOSE_PROJECT_NAME}_SVC.loadBalancer.server.port=80
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_MidWa.headers.sslredirect=true
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_MidWa.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_MidWa.headers.customrequestheaders.X-Forwarded-Ssl=on
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_MidWa.headers.customrequestheaders.X-Forwarded-Port=443
  mysql:
    image: mysql:5.7
    container_name: ${COMPOSE_PROJECT_NAME}-MySQL
    # command for MySQL 8.x
    # command: --default-authentication-plugin=mysql_native_password --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    volumes:
      - mysql-data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: ${MYSQL_DATABASE}
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
  redis:
    image: redis:alpine
    container_name: ${COMPOSE_PROJECT_NAME}-Redis
    volumes:
      - redis-data:/data
  # elastic:
  #   image: docker.elastic.co/elasticsearch/elasticsearch:7.9.2
  #   container_name: ${COMPOSE_PROJECT_NAME}-Elastic
  #   volumes:
  #     - elastic-data:/usr/share/elasticsearch/data
  #   ulimits:
  #     memlock:
  #       soft: -1
  #       hard: -1
  #     nofile:
  #       soft: 65535
  #       hard: 65535
  #   environment:
  #     - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
  #     - discovery.type=single-node
  #     - bootstrap.memory_lock=true
  #   expose:
  #     - 9200
  #     - 9300
networks:
  proxy:
    external:
      name: ${PROXY_NETWORK}
==
Yesterday I saw these logs in the container when I logged in.
LOGS
[httpd:access] www.example.fr:80 93.230.203.21 - 172.18.0.2 - - [25/Oct/2020:19:10:36 +0000] "GET /admin/favicon.ico HTTP/1.1" 200 bytesIn:782 bytesOut:626 reqTime:0
172.18.0.2 - - [25/Oct/2020:19:10:36 +0000] "GET /admin/templates/bootstrap/css/custom.css HTTP/1.1" 200 9585 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"
[httpd:access] www.example.fr:80 93.230.203.21 - 172.18.0.2 - - [25/Oct/2020:19:10:36 +0000] "GET /admin/templates/bootstrap/css/custom.css HTTP/1.1" 200 bytesIn:753 bytesOut:9937 reqTime:0
NOTICE: PHP message: PHP Warning: Unknown: POST Content-Length of 88 bytes exceeds the limit of 64 bytes in Unknown on line 0
[Sun Oct 25 19:10:49.591342 2020] [proxy_fcgi:error] [pid 67:tid 140596503538464] [client 172.18.0.2:42418] AH01071: Got error 'PHP message: PHP Warning: Unknown: POST Content-Length of 88 bytes exceeds the limit of 64 bytes in Unknown on line 0', referer: https://www.example.fr/admin/index.php
[php-fpm:access] 127.0.0.1 - 25/Oct/2020:19:10:49 +0000 "POST /admin/index.php" 200 /app/JTL4-CeT-Projekt/admin/index.php 149.417 2048 13.39%
172.18.0.2 - - [25/Oct/2020:19:10:49 +0000] "POST /admin/index.php HTTP/1.1" 200 2162 "https://www.example.fr/admin/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"
[httpd:access] www.example.fr:80 93.230.203.21 - 172.18.0.2 - - [25/Oct/2020:19:10:49 +0000] "POST /admin/index.php HTTP/1.1" 200 bytesIn:1066 bytesOut:2531 reqTime:0
172.18.0.2 - - [25/Oct/2020:19:10:50 +0000] "GET /admin/favicon.ico HTTP/1.1" 200 271 "https://www.example.fr/admin/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"
[httpd:access] www.example.fr:80 93.230.203.21 - 172.18.0.2 - - [25/Oct/2020:19:10:50 +0000] "GET /admin/favicon.ico HTTP/1.1" 200 bytesIn:782 bytesOut:626 reqTime:0
==
Ok, I've tried it from the start.
I think that I also have the error now.
When I call the installation routine, my server or container fulfills the requirements.
But I can't install because:
The CSS and JS instructions come over HTTP and it sees these URLs as unsafe.
If I override the protection, it loads the pages with the CSS instructions etc., but if I enter the database data it doesn't proceed and shows me the same page again as when I logged in.
My question is: how do I get Traefik to address the web server via HTTPS (internally), so that the installation program does not use HTTP as it does now (internally) but switches to HTTPS and, ideally, also forwards the URL to www.
So the same as the htaccess rules:
# Redirect requests to access the site with HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
# REWRITE ADJUSTMENT 2 (redirect to www.meinedomain.de)
# Your shop should not be reachable under both www.meinedomain.de and meinedomain.de, see: http://guide.jtl-software.de/index.php?title=JTL-Shop3-Neuinstallation#4._Einrichtung_einer_Domainweiterleitung
RewriteCond %{HTTP_HOST} ^example.fr
RewriteRule ^(.*)$ http://www.example.fr/$1 [r=301,L]
I've managed to get Traefik working for HTTP containers, but when I switched to websockets I had no luck. Traefik is pretty easy. Let me share its docker-compose file:
version: "3.3"
services:
  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      # - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.ws.address=:81" #I ADDED THIS
      - "--accesslog"
    ports:
      - "80:80"
      - "81:81" #I ADDED THIS
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
To make it easier, I added a comment like #I ADDED THIS so you can see the changes I've made to make WS work.
Now on the actual project docker-compose I've added these labels:
version: '2.1'
services:
  test:
    restart: unless-stopped
    hostname: test
    build:
      context: .
      dockerfile: ./Dockerfile
    expose:
      - 81
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.test.rule=Host(`test.com`)"
      - "traefik.http.routers.test.entrypoints=ws"
      - "traefik.http.services.test.loadBalancer.sticky.cookie=true"
And I'm trying to connect using Nodejs:
var ws = new WebSocket('ws://test.com:81')
Don't know what else to try.
Thank you in advance.
EDIT: Saw in the Traefik log:
time="2020-08-23T16:07:28Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Connection\":[\"Upgrade\"],\"Sec-Websocket-Extensions\":[\"permessage-deflate; client_max_window_bits\"],\"Sec-Websocket-Key\":[\"jaXhUWe2lvrgxF0tOn3nWA==\"],\"Sec-Websocket-Version\":[\"13\"],\"Upgrade\":[\"websocket\"],\"X-Forwarded-Host\":[\"test.com:81\"],\"X-Forwarded-Port\":[\"81\"],\"X-Forwarded-Proto\":[\"ws\"],\"X-Forwarded-Server\":[\"58077bdceffd\"],\"X-Real-Ip\":[\"192.168.99.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"test.com:81\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.99.1:56705\",\"RequestURI\":\"/\",\"TLS\":null}"
192.168.99.1 - - [23/Aug/2020:16:07:07 +0000] "GET / HTTP/1.1" 499 21 "-" "-" 56 "test@docker" "http://172.19.0.2:81" 21082ms
Looks right, but still no communication between client/server.
I think you need to add the service port to your test container:
      - "traefik.http.services.test.loadbalancer.server.port=81"
Edit:
For Traefik to be able to discover your service, it needs to be on the same network, so the best solution seems to be to define an external network for both services or to use the one defined with your websocket service.
I am trying to set up Traefik version 2, but I only get "404 Page not found" or DNS_PROBE_FINISHED_NXDOMAIN errors in my browser.
When I check the API endpoints for routers I can see that my two containers are enabled in Traefik and that the rules are correct.
curl http://localhost:8080/api/http/routers
[{"entryPoints":["web","secure"],"service":"gotify-gotify","rule":"Host(`sub2.example.org`)","tls":{"certResolver":"letsencrypt"},"status":"enabled","using":["secure","web"],"name":"gotify@docker","provider":"docker"},{"entryPoints":["web","secure"],"service":"nextcloud-cloud","rule":"Host(`sub.example.org`)","tls":{"certResolver":"letsencrypt"},"status":"enabled","using":["secure","web"],"name":"nextcloud@docker","provider":"docker"}]
But on "sub2" I get no website at all and on "sub" I get "404 page not found". I have set a DNS entry for "*" so all subdomains go to the same server.
I have set the following labels for the docker containers:
labels:
  traefik.enable: true
  traefik.http.routers.nextcloud.rule: "Host(`sub.example.org`)"
  traefik.http.routers.nextcloud.entrypoints: "web, secure"
  traefik.http.routers.nextcloud.tls.certresolver: "letsencrypt"
And this is my Traefik configuration traefik.toml
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.secure]
    address = ":443"
[providers.docker]
  exposedByDefault = false
  network = "traefik"
[certificatesResolvers.letsencrypt.acme]
  email = "me@example.org"
  storage = "acme.json"
  [certificatesResolvers.letsencrypt.acme.httpChallenge]
    entryPoint = "web"
[api]
  insecure = true
  debug = true
  dashboard = false
Traefik itself is running as a docker container.
version: "3.7"
services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    restart: unless-stopped
    volumes:
      - "./traefik.toml:/etc/traefik/traefik.toml"
      - "./acme:/etc/traefik/acme"
      - "/var/run/docker.sock:/var/run/docker.sock"
    ports:
      - "80:80"
      - "127.0.0.1:8080:8080"
      - "443:443"
    networks:
      - traefik
networks:
  traefik:
    driver: bridge
    name: traefik
I use ufw to manage firewall rules and have opened ports 22, 80 and 443:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
Here is a working example for Traefik 2.2.1. You can also check the full setup gist: https://gist.github.com/fatihyildizhan/8f124039a9bd3801f0caf3c01c3601fb
I prefer to use traefik.yml with version 2.0. It looks simple and many people are familiar with YAML files.
[Traefik v2.0] - docker-compose.yml with httpChallenge
version: '3.7'
services:
  traefik:
    image: traefik:v2.2.1
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.your-domain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=username:hashed-password"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.your-domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
networks:
  proxy:
    external: true
[Traefik v2.0] - traefik.yml with httpChallenge
api:
  dashboard: true
# Writing Logs to a File, in JSON
log:
  level: DEBUG
  filePath: "log-file.log"
  format: json
# Configuring a buffer of 100 lines
accessLog:
  filePath: "log-access.log"
  bufferingSize: 100
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: your-email.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
[Traefik v2.0] - your-container docker-compose.yml
version: '3.7'
services:
  your-container-name:
    image: docker.pkg.github.com/username/repo-name/image-name:latest
    container_name: your-container-name
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.your-container-name.entrypoints=http"
      - "traefik.http.routers.your-container-name.rule=Host(`your-container-name.your-domain.com`)"
      - "traefik.http.middlewares.your-container-name-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.your-container-name.middlewares=your-container-name-https-redirect"
      - "traefik.http.routers.your-container-name-secure.entrypoints=https"
      - "traefik.http.routers.your-container-name-secure.rule=Host(`your-container-name.your-domain.com`)"
      - "traefik.http.routers.your-container-name-secure.tls=true"
      - "traefik.http.routers.your-container-name-secure.tls.certresolver=http"
      - "traefik.http.routers.your-container-name-secure.service=your-container-name"
      - "traefik.http.services.your-container-name.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
Several things could be causing this, some of which are:
You have SSL/TLS proxying enabled at your DNS level (e.g. CloudFlare) which will prevent http challenge completion.
You have a misconfigured storage path for the certificate resolver (probably not in this case, but for other readers); check your Traefik container logs (docker logs traefik) for errors like
level=error msg="The ACME resolver \"[resolver]\" is skipped from the resolvers list because: unable to get ACME account: open /[path_to_storage]/acme.json: no such file or directory
level=error msg="the router [service]@docker uses a non-existent resolver: [resolver]"
If you see these errors, make sure the storage folder exists and/or the volume is mapped correctly from your host to the Traefik docker container (you may need to create it manually, Traefik won't do it for you, at least currently).
There is a technical issue with the service behind the proxy (e.g. Nginx, Apache, etc is misconfigured). Traefik will produce a generic 404 page not found for a series of errors that do not technically correspond to a real 404 error (e.g. 500, 501, maybe others) and this can be confusing.
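The recurring mistakes in these threads (a label written as key:value instead of key=value, a router whose name does not match its rule, a certresolver name that is not defined, an ACME resolver on a Host rule like localhost that no public CA will issue for, a router whose service has no loadbalancer.server.port label as in the websocket answer, and a missing or too-open acme.json as in the last answer) can all be caught before the container starts. The linter below is an added example, not Traefik's code or any poster's; it takes the label list as written under labels: in a compose file plus the entrypoint and resolver names from traefik.yml, and the sample labels are constructed from the homex service in the first question.

```python
import os
import re
import stat
from typing import Dict, List

# Names no public ACME CA will issue for. A router that pairs such a Host rule with an
# ACME resolver never gets a certificate, so Traefik serves its self-signed default
# certificate instead and browsers refuse the connection.
LOCAL_SUFFIXES = (".localhost", ".lab", ".local", ".internal", ".home")
HOST_RULE = re.compile(r"Host\(`([^`]+)`\)")
ROUTER_KEY = re.compile(r"traefik\.http\.routers\.([^.]+)\.(.+)")
SERVICE_PORT_KEY = re.compile(r"traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.port")


def is_local_name(host: str) -> bool:
    host = host.lower()
    return host == "localhost" or host.endswith(LOCAL_SUFFIXES)


def lint_labels(labels: List[str], entrypoints: List[str], resolvers: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means the labels look consistent."""
    issues: List[str] = []
    kv: Dict[str, str] = {}
    for label in labels:
        key, sep, value = label.partition("=")
        if not sep:
            # "traefik.enable:true" is a common slip: Compose stores it as a label
            # *named* "traefik.enable:true" with an empty value, so Traefik never sees it.
            issues.append(f"syntax: {label!r} is not key=value")
            continue
        kv[key.strip().lower()] = value.strip()  # Traefik label keys are case-insensitive

    if kv.get("traefik.enable") != "true":
        issues.append("enable: traefik.enable=true missing; container is hidden when exposedByDefault=false")

    routers: Dict[str, Dict[str, str]] = {}
    services = set()
    for key, value in kv.items():
        if m := ROUTER_KEY.fullmatch(key):
            routers.setdefault(m.group(1), {})[m.group(2)] = value
        elif m := SERVICE_PORT_KEY.fullmatch(key):
            services.add(m.group(1))

    for name, opts in routers.items():
        if "rule" not in opts:  # e.g. a "traefik-rtr" router that only sets middlewares
            issues.append(f"router {name}: has no rule (typo in the router name?)")
            continue
        for ep in filter(None, (e.strip() for e in opts.get("entrypoints", "").split(","))):
            if ep not in entrypoints:
                issues.append(f"router {name}: entrypoint {ep!r} is not defined in traefik.yml")
        resolver = opts.get("tls.certresolver")
        if resolver is not None:
            if resolver not in resolvers:  # resolver names are compared as written
                issues.append(f"router {name}: certresolver {resolver!r} is not defined")
            for host in HOST_RULE.findall(opts["rule"]):
                if is_local_name(host):
                    issues.append(f"router {name}: ACME cannot issue for {host!r}; "
                                  "Traefik will serve its default self-signed certificate")
        service = opts.get("service")
        if service and "@" not in service and service not in services:
            issues.append(f"router {name}: service {service!r} has no loadbalancer.server.port label")
    return issues


def check_acme_storage(path: str) -> List[str]:
    """Traefik skips the resolver when acme.json is missing and rejects modes wider than 0600."""
    if not os.path.isfile(path):
        return [f"storage: {path} does not exist; create it by hand, Traefik will not"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode == 0o600 else [f"storage: {path} has mode {mode:o}, expected 600"]


# Constructed sample: the homex labels and the static-config names from the first question.
HOMEX_LABELS = [
    "traefik.enable:true",
    "traefik.http.routers.homex.rule=Host(`localhost`)",
    "traefik.http.routers.homex.entrypoints=https",
    "traefik.http.routers.homex.tls.certresolver=letsencrypt",
]

if __name__ == "__main__":
    for issue in lint_labels(HOMEX_LABELS, ["http", "https"], ["letsencrypt", "http"]):
        print(issue)
```

Run it against each service's labels before docker-compose up; the same lint applied to the websocket question reports the missing server.port only once the router names its service explicitly, since Traefik otherwise picks the single exposed port itself.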