Unable to verify the first certificate - Traefik wildcard certificate - docker

I have traefik "traefik:v2.4.8" as a reverse proxy to a docker container.
Everything works fine except HTTPS requests from a server or from Postman (requests from the frontend browser are fine).
The error is: Unable to verify the first certificate
My workaround is to disable SSL verification in Postman and to set NODE_TLS_REJECT_UNAUTHORIZED=0 in the other Node.js app that makes requests to this app.
I don't know where the issue is, but my company's wildcard certs work fine in another project that uses Nginx as the reverse proxy, so I think I might have misconfigured something in Traefik.
I have little knowledge of TLS and HTTPS, so I'm not sure how to troubleshoot this problem.
Here is my config:
traefik.yml
log:
  level: DEBUG
entryPoints:
  web-secure:
    address: ":443"
  web:
    address: ":80"
providers:
  docker:
    exposedByDefault: false
    network: docker_network
    endpoint: "unix:///var/run/docker.sock"
  file:
    filename: "dyn.yaml"
    watch: true
api:
  dashboard: false
accessLog: {}
dyn.yml
tls:
  certificates:
    - certFile: /etc/certs/certs.crt
      keyFile: /etc/certs/certs.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/certs.crt
        keyFile: /etc/certs/certs.key
  options:
    myTLSOptions:
      minVersion: VersionTLS12
docker-compose.yml
version: "3.0"
services:
  traefik:
    image: "traefik:v2.4.8"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - $PWD/traefik.yaml:/traefik.yaml
      - $PWD/dyn.yaml:/dyn.yaml
      - $PWD/certs/:/etc/certs/
networks:
  default:
    external:
      name: docker_network
api docker-compose.yml
version: "3"
services:
  backend:
    build: .
    user: "node"
    working_dir: /usr/src/app
    command: "npm start"
    expose:
      - 8080
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=docker_network"
      - "traefik.http.routers.backend-https.entrypoints=web-secure"
      - "traefik.http.routers.backend-https.priority=2"
      - "traefik.http.routers.backend-https.middlewares=backend-stripprefix"
      - "traefik.http.services.backend.loadbalancer.server.port=8080"
      - "traefik.http.routers.backend-https.tls=true"
      - "traefik.http.routers.backend-https.tls.domains[0].main=myapp.com"
      - "traefik.http.routers.backend-https.tls.domains[0].sans=*.myapp.com"
      - "traefik.http.routers.backend-https.tls.options=myTLSOptions@file"
      - "traefik.http.routers.backend-https.rule=Host(`myapp.com`) && PathPrefix(`/api`)"
      - "traefik.http.middlewares.backend-stripprefix.stripprefix.prefixes=/api"
      - "traefik.http.middlewares.backend-http-secured.chain.middlewares=backend-http-redirect-to-https, backend-stripprefix"
      - "traefik.http.middlewares.backend-http-redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.backend-http.entrypoints=web"
      - "traefik.http.routers.backend-http.rule=Host(`myapp.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.backend-http.priority=2"
      - "traefik.http.routers.backend-http.middlewares=backend-http-secured"
networks:
  default:
    external:
      name: docker_network
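"Unable to verify the first certificate" is the error Node.js and Postman give when the server presents only the leaf certificate and not the intermediate CA that issued it; browsers usually fetch or have cached that intermediate, which is why the frontend keeps working. Setting NODE_TLS_REJECT_UNAUTHORIZED=0 turns off certificate verification for every connection the process makes, so the fix worth making is to have certs.crt carry the full chain (leaf first, then each intermediate) and let Traefik serve it. The script below is an added example, not part of the question or of Traefik: it reads a PEM bundle with only the standard library, walks the DER of each certificate just far enough to pull out the raw issuer and subject encodings, and reports whether the bundle is a complete, leaf-first chain. The fake_cert_pem fixture at the bottom builds certificate-shaped test objects (no key, no signature) so the check can be exercised offline; it is constructed and is not a real certificate.

```python
"""Check that a PEM bundle (e.g. the certs.crt handed to Traefik) carries a
complete, leaf-first chain. Added example, standard library only: no names
are decoded and no signatures are verified, only the raw issuer/subject
encodings of neighbouring certificates are compared."""
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def issuer_and_subject(der):
    """Raw DER bodies of the issuer and subject Names of one certificate."""
    _, cert, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def pem_to_ders(pem_bytes):
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]


def check_chain(pem_bytes):
    """Return findings; an empty list means the bundle is a complete leaf-first chain."""
    ders = pem_to_ders(pem_bytes)
    if not ders:
        return ["no certificates found in bundle"]
    pairs = [issuer_and_subject(d) for d in ders]
    if len(pairs) == 1:
        issuer, subject = pairs[0]
        if issuer == subject:
            return []                          # self-signed: nothing to chain
        return ["bundle holds only the leaf; append the intermediate CA certificate(s) after it"]
    findings = []
    for i in range(len(pairs) - 1):
        if pairs[i][0] != pairs[i + 1][1]:
            findings.append(f"certificate {i} was not issued by certificate {i + 1}; "
                            "chain order or content is wrong")
    return findings


# Constructed fixture for offline testing: a certificate-shaped DER object with
# the real field layout but no key and no signature. Not a real X.509 cert.
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_pem(issuer_cn, subject_cn):
    def name(cn):  # Name ::= SEQUENCE OF SET OF SEQUENCE { OID commonName, UTF8String }
        return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn))))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")            # version, serial
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
           + name(subject_cn) + _tlv(0x30, b""))                             # empty SPKI
    cert = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: python check_chain.py /etc/certs/certs.crt
    for line in check_chain(open(sys.argv[1], "rb").read()) or ["chain looks complete"]:
        print(line)
```

To see what Traefik actually hands to a client rather than what is on disk, `openssl s_client -connect myapp.com:443 -servername myapp.com -showcerts </dev/null` prints every certificate in the served chain; if only one appears, the file behind certFile needs the intermediate appended, and the same bundle should go into the defaultCertificate entry.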

Related

Redirect DNS with Traefik to container on different port

I have found many similar questions online, but I am certainly lost in this topic, which is new to me, and I hope somebody can guide me through my problem. In my setup, I have a docker container which runs a secure version on port 8443 and a "read-only" version on port 8080. Now I want to use Traefik as a proxy to reroute all requests to the secure version, ignoring the read-only one. While the dashboard indicates routing to the service, I just receive an "Unable to connect" when trying to access the webpage.
As a compose file:
version: "3.7"
services:
  traefik:
    image: traefik:2.5
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "433:433"
    command: --api.insecure=false --providers.docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/cloud/traefik.yml:/etc/traefik/traefik.yml
    networks:
      - traefik-network
  my-service:
    image: my-image
    env_file: variables.env
    container_name: my-image
    restart: always
    ports:
      - "8080:8080"
      - "8443:8443"
    networks:
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-service.entryPoints=websecure"
      - "traefik.http.routers.my-service.rule=Host(`domain.com`)"
      - "traefik.http.services.my-service.loadbalancer.server.port=8443"
networks:
  traefik-network:
    name: traefik-network
And the traefik.yml:
################################################################
# Provider configuration
################################################################
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # default
    exposedByDefault: true # default
    network: traefik-network
################################################################
# Entrypoint
################################################################
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
Maybe somebody has an idea where I went in the wrong direction.
Best

running traefik with a private docker registry as containers on different domains with self signed certs

I'm trying to set up a private Docker registry behind a reverse proxy (Traefik v2).
I have a computer with two local domains in the internal network.
The private Docker registry can work without a password.
I created self-signed certificates.
Without Traefik I can push and pull images to the domain "docker-registry.mydomain.de:443".
If I include Traefik I get certificate errors, bad gateway or a 404 error.
What am I doing wrong? I have attached my code.
cat /srv/docker-compose/docker-compose.yml
version: '3.6'
services:
  docker-registry:
    image: registry:2
    #ports:
    ##- 5000:5000
    # - 443:443
    environment:
      - REGISTRY_HTTP_SECRET="mysecret"
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
      - REGISTRY_STORAGE_DELETE_ENABLED=true
      - REGISTRY_HTTP_ADDR=0.0.0.0:443
      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker-registry.mydomain.de.pem
      - REGISTRY_HTTP_TLS_KEY=/certs/docker-registry.mydomain.de-key.pem
    labels:
      - traefik.enable=true
      - traefik.http.routers.dr-http.entrypoints=http
      - traefik.http.routers.dr-http.rule=Host(`docker-registry.mydomain.de`)
      - traefik.http.routers.dr-http.middlewares=dr-https
      - traefik.http.middlewares.dr-https.redirectscheme.scheme=https
      - traefik.http.routers.dr.entrypoints=https
      - traefik.http.routers.dr.rule=Host(`docker-registry.mydomain.de`)
      - traefik.http.routers.dr.tls=true
      - traefik.http.services.dr.loadbalancer.server.port=443
      - traefik.docker.network=traefik-net
    volumes:
      - ./data:/data
      - ./certs:/certs
    networks:
      - traefik-net
networks:
  traefik-net:
    external: true
cat /srv/traefik/docker-compose.yml
version: '3.6'
services:
  reverse-proxy:
    image: traefik:latest
    networks:
      - traefik-net
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./conf:/etc/traefik
      - ./certs:/etc/ssl:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-http.entrypoints=http
      - traefik.http.routers.traefik-http.rule=Host(`traefik.mydomain.de`)
      - traefik.http.routers.traefik-http.middlewares=traefik-https
      - traefik.http.middlewares.traefik-https.redirectscheme.scheme=https
      - traefik.http.routers.traefik.entrypoints=https
      - traefik.http.routers.traefik.rule=Host(`traefik.mydomain.de`)
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.service=api@internal
networks:
  traefik-net:
    external: true
cat /srv/traefik/conf/traefik.yml
insecureSkipVerify: true
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true
cat /srv/traefik/conf/dynamic.yml
tls:
  certificates:
    - certFile: /tools/certs/_wildcard.pem
      keyFile: /tools/certs/_wildcard-key.pem
    - certFile: /tools/certs/traefik.mydomain.de.crt
      keyFile: /tools/certs/traefik.mydomain.de.key
    - certFile: /tools/certs/docker-registry.mydomain.de.pem
      keyFile: /tools/certs/docker-registry.mydomain.de.pem
All certificates are in the /srv/traefik/certs path.
The certificates are generated with the mkcert and openssl tools.
The problem in the code is that the Docker registry accepts only the intermediate.crt extension (crt, not pem or csr). Change that and you will succeed.

Traefik dashboard only on the http port

I am trying to expose my docker services (like Heimdall, Plex, Tautulli, etc.) on my host machine's IP for internal purposes only, so without a domain name. I want each service to be accessible with its own prefix, like 192.168.0.100/heimdall, 192.168.0.100/tautulli, etc.
I would like to have the dashboard on a separate port, like 8080, but even after I specify an entry point for 8080 named traefik and set traefik as the entry point for the service, it still goes to the port 80 entry point named http.
Is there an issue with my config, or is it an issue on Traefik's side?
docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik
    container_name: traefik
    ports:
      - "80:80"
      - "8080:8080"
    restart: always
    volumes:
      - ./traefik:/etc/traefik
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
traefik.yml
entryPoints:
  http:
    address: ":80"
  traefik:
    address: ":8080"
api: {}
log:
  level: "DEBUG"
providers:
  file:
    directory: /etc/traefik/dynamic
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false
dashboard.yml
http:
  routers:
    api:
      rule: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
      entrypoints:
        - traefik
      service: api@internal
According to the documentation (https://docs.traefik.io/v2.2/operations/api/#insecure), this could help:
api:
  insecure: true
It should implicitly use the special entrypoint traefik on port 8080.
You can also check this for more info about the dashboard: https://docs.traefik.io/operations/dashboard/
EDIT
I have just tried it and it works on port 8080 with this configuration:
docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./dockerfiles/traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
      - "traefik.http.routers.dashboard.entrypoints=traefik"
      - "traefik.http.routers.dashboard.service=api@internal"
traefik.yml (I have used yours without the file provider):
entryPoints:
  http:
    address: ":80"
  traefik:
    address: ":8080"
api: {}
log:
  level: "DEBUG"
providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false

Configuring Nginx with Traefik

I'm new to Linux in general, and even newer to Traefik, and have been trying for some time to set up an nginx container to serve some AngularJS web pages, using Traefik as a reverse proxy. I have a small Ubuntu 20.4 server hosted on DigitalOcean (if that's of any relevance).
I have tried following a few different nginx tutorials, and messing with the settings on my own, with no success. It works if I run a simple command like:
$ docker run --name some-nginx -d -p 8888:80 nginx
But then I can only access it through myip:8888, and I would like to access it with a subdomain, i.e. docs.domain.com.
I managed to set up Traefik using a traefik.yml like this:
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: email@email.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
And then docker-compose this file:
version: '3'
services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`monitor.domain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:secret_password"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`monitor.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
I also successfully set up a portainer:
version: '3'
services:
  portainer:
    image: portainer/portainer:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(`manage.domain.com`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.rule=Host(`manage.domain.com`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=http"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
This way I can access both the portainer and traefik subdomains, with SSL, no problems.
I tried using docker-compose files for nginx similar to the portainer one, using the volumes "./data:/usr/share/nginx/html:ro" and "./nginx.conf:/etc/nginx/nginx.conf:ro", as well as some different nginx.conf options as exemplified in the Beginner's Guide from the official docs.
I would appreciate it if someone could point out which labels I should use in the docker-compose file and how to properly interface Traefik with the nginx config.
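The registry, dashboard and nginx questions above all route the Traefik dashboard through api@internal, in two different ways: the dashboard question publishes port 8080 and attaches no middleware to the dashboard router, while the nginx question puts a basicauth middleware in front of it; the registry question additionally sets insecureSkipVerify, which makes Traefik accept any certificate from its backends. The script below is an added example, not part of the original posts or of Traefik, that audits a setup for exactly those patterns. It takes the static configuration as an already parsed dict (what yaml.safe_load returns for traefik.yml) and the router/middleware configuration as the list of docker labels, so it needs only the standard library, and reports dashboard routers with no auth middleware (following chain middlewares), api.insecure, insecureSkipVerify, and basicauth entries whose password field is not an htpasswd-style hash (Traefik accepts MD5-apr1, SHA1 and bcrypt hashes, not plaintext). The sample inputs at the bottom are constructed, modelled on the posts, and the hash in them is a placeholder.

```python
"""Audit a Traefik v2 static config plus docker labels for dashboard exposure,
insecureSkipVerify and plaintext basicauth users. Added example, stdlib only."""
import sys

AUTH_MIDDLEWARES = ("basicauth", "digestauth", "forwardauth")


def parse_labels(labels):
    """Turn 'traefik.http.routers.x.rule=...' labels into a nested dict."""
    tree = {}
    for label in labels:
        key, _, value = label.partition("=")
        if not key.startswith("traefik."):
            continue
        parts = key.split(".")
        node = tree
        for part in parts[:-1]:
            nxt = node.get(part)
            if not isinstance(nxt, dict):   # e.g. tls=true seen before tls.domains[0].main
                nxt = node[part] = {}
            node = nxt
        if not isinstance(node.get(parts[-1]), dict):   # keep a subtree already built
            node[parts[-1]] = value
    return tree


def _get(node, path, default):
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def _is_protected(mw_name, middlewares, seen=frozenset()):
    """True if the named middleware is an auth middleware, or a chain containing one.
    A provider suffix such as '@file' is stripped before the lookup."""
    name = mw_name.strip().split("@")[0]
    if not name or name in seen:
        return False
    mw = middlewares.get(name, {})
    if not isinstance(mw, dict):
        return False
    if any(k in mw for k in AUTH_MIDDLEWARES):
        return True
    chain = _get(mw, ["chain", "middlewares"], "")
    return any(_is_protected(m, middlewares, seen | {name}) for m in chain.split(","))


def _looks_hashed(password):
    """htpasswd forms Traefik accepts: {SHA}..., $apr1$... (MD5) or $2y$... (bcrypt)."""
    return password.startswith("{SHA}") or password.startswith("$")


def audit(static_cfg, labels):
    findings = []
    if _get(static_cfg, ["api", "insecure"], False) is True:
        findings.append("api.insecure=true serves the dashboard unauthenticated on the 'traefik' entrypoint (:8080)")
    if (_get(static_cfg, ["serversTransport", "insecureSkipVerify"], False) is True
            or static_cfg.get("insecureSkipVerify") is True):
        findings.append("insecureSkipVerify=true disables verification of backend certificates; "
                        "prefer serversTransport.rootCAs with the private CA")
    tree = parse_labels(labels)
    routers = _get(tree, ["traefik", "http", "routers"], {})
    middlewares = _get(tree, ["traefik", "http", "middlewares"], {})
    for name, router in routers.items():
        if not isinstance(router, dict) or router.get("service") != "api@internal":
            continue
        chain = router.get("middlewares", "")
        if not any(_is_protected(m, middlewares) for m in chain.split(",")):
            findings.append(f"router '{name}' exposes api@internal without an auth middleware")
    for name, mw in middlewares.items():
        users = _get(mw, ["basicauth", "users"], "")
        for entry in filter(None, (u.strip() for u in users.split(","))):
            user, _, password = entry.partition(":")
            if not _looks_hashed(password):
                findings.append(f"middleware '{name}': basicauth password for '{user}' is not an htpasswd hash")
    return findings


# Constructed samples modelled on the posts above (not the authors' exact files).
SAMPLE_STATIC = {"api": {"dashboard": True}, "insecureSkipVerify": True}
EXPOSED_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)",
    "traefik.http.routers.dashboard.entrypoints=traefik",
    "traefik.http.routers.dashboard.service=api@internal",
]
PROTECTED_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.traefik-secure.rule=Host(`monitor.domain.com`)",
    "traefik.http.routers.traefik-secure.middlewares=traefik-auth",
    "traefik.http.routers.traefik-secure.service=api@internal",
    # placeholder, not a real credential; a real value comes from `htpasswd -nB admin`
    "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$2y$PLACEHOLDER_BCRYPT_HASH",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_STATIC, EXPOSED_LABELS):
        print("FINDING:", finding)
    print("protected sample:", audit({"api": {"dashboard": True}}, PROTECTED_LABELS) or "no findings")
```

When feeding it labels taken from a compose file, note that compose treats `$` as variable interpolation, so a hash there is written with `$$`; undo that doubling before auditing, since the script does not. A router that only redirects http to https (as the portainer and traefik http routers above do) is not flagged because it never names api@internal as its service.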

Configure Traefik in docker to route subfolders

I would like to configure my Traefik installation in docker to work with subfolders instead of subdomains. I know it should work, as I have read in other posts.
However, I don't understand what I'm doing wrong...
My docker host in my test domain has the FQDN ubuntudocker.domain.qa (and I have also defined an alias traefik.ubuntudocker.domain.qa).
This is my compose file:
The setup with the subdomain works just fine, but if I use the commented-out variant with the path, it doesn't. In my browser I just get "path not found".
version: '3'
services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.ubuntudocker.domain.qa`)"
      #- "traefik.http.routers.traefik.rule=Host(`ubuntudocker.domain.qa`) && Path(`/traefik`)"
      - "traefik.http.routers.traefik.service=api@internal"
networks:
  proxy:
    external: true
and my traefik.yml settings file:
api:
  dashboard: true
log:
  level: INFO
entryPoints:
  http:
    address: ":80"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
Thank you so much!
Try PathPrefix(`/traefik`) instead of Host(`traefik.ubuntudocker.domain.qa`).
In case it helps someone, try using this:
(Host(`ubuntudocker.domain.qa`) && PathPrefix(`/traefik`))