Develop Reference

Traefik configuration for https external services and http for internal services

I have a working docker-compose.yaml configuration that allow me to easily expose my services on my public domain (mydomain.com). But now, I want to also expose some of my services on a local domain (myservice.lan) so need of https.
Here is my docker-compose.yaml:
version: '3.4'
services:
traefik:
image: traefik:2.5
container_name: traefik
restart: unless-stopped
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- ${CONFIG}/traefik/acme.json:/acme.json
- ${CONFIG}/traefik/rules.toml:/etc/traefik/rules.toml
command:
- --api.insecure=true
- --api.debug=true
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --providers.docker.watch=true
- --entrypoints.insecure.address=:80
- --entrypoints.secure.address=:443
- --certificatesresolvers.letsencrypt.acme.httpchallenge=true
- --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=insecure
- --certificatesresolvers.letsencrypt.acme.email=my_mail
- --certificatesresolvers.letsencrypt.acme.storage=acme.json
- --certificatesresolvers.letsencrypt.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
- --certificatesresolvers.letsencrypt.acme.keyType=EC256
- --providers.file=true
- --providers.file.filename=/etc/traefik/rules.toml
- --providers.file.watch=true
labels:
- traefik.http.middlewares.wss.headers.customrequestheaders.X-Forwarded-Proto=https
grafana:
image: grafana/grafana:latest
container_name: grafana
user: ${PUID}:${PGID}
restart: unless-stopped
volumes:
- ${DATA}/grafana:/var/lib/grafana
environment:
- GF_USERS_ALLOW_SIGN_UP=false
- GF_SERVER_DOMAIN=grafana.${DOMAIN}
- GF_SERVER_ROOT_URL=https://grafana.${DOMAIN}/
- GF_SERVER_SERVE_FROM_SUB_PATH=true
labels:
- traefik.enable=true
- traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN}`)
- traefik.http.routers.grafana.entrypoints=insecure
- traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
- traefik.http.routers.grafana-http.middlewares=https-redirect#docker
- traefik.http.routers.grafana-https.entrypoints=secure
- traefik.http.routers.grafana-https.rule=Host(`grafana.${DOMAIN}`)
- traefik.http.routers.grafana-https.tls=true
- traefik.http.routers.grafana-https.tls.certresolver=letsencrypt
esphome: #6052
image: esphome/esphome
container_name: esphome
restart: unless-stopped
privileged: true
volumes:
- ${CONFIG}/esphome:/config
- /etc/localtime:/etc/localtime:ro
labels:
- traefik.enable=true
- traefik.http.routers.esphome.rule=Host(`esphome.${DOMAIN_LOCAL}`)
- traefik.http.routers.esphome.entrypoints=insecure
- traefik.http.services.esphome.loadbalancer.server.port=6052
Grafana service is well exposed on my ${DOMAIN}(grafana.mydomain.com) but esphome (esphome.lan) doesn't work.
Does my configuration is bad ?

Docker container without last image version

I'm facing a problem on my production server with a container that contains the latest version of the image but when I'm executing it, the content is not the last one.
To update docker images, I execute a little script with theses commands
docker-compose pull
docker-compose up -d --remove-orphans
docker-compose prune -fa
Of course, the image used in the docker service is with the latest tag
image: registry.gitlab.com/xxxxx/api:latest
Here is two screenshots with the container and the image content to see the differences
Here is my docker-compose.yml
version: '3.3'
services:
traefik:
image: "traefik:v2.4"
container_name: "traefik"
command:
- "--api"
- "--providers.docker"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.address=:80"
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
- "--certificatesresolvers.myresolver.acme.email=com#xxxxx.com"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
- "--pilot.token=xxxxx"
ports:
- 80:80
- 443:443
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
labels:
# dashboard
- "traefik.http.routers.monitor.service=api#internal"
- "traefik.http.routers.monitor.rule=Host(`monitor.xxxxx.com`)"
- "traefik.http.routers.monitor.entrypoints=websecure"
- "traefik.http.routers.monitor.tls.certresolver=myresolver"
# global redirect to https
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
# middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
api:
image: registry.gitlab.com/xxxxx/api:latest
ports:
- 4200:8080
volumes:
- api-data:/app
depends_on:
- db
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`api.xxxxx.com`)"
- "traefik.http.routers.api.entrypoints=websecure"
- "traefik.http.routers.api.tls.certresolver=myresolver"
front:
image: registry.gitlab.com/xxxxx/front:latest
ports:
- 3000:3000
labels:
- "traefik.enable=true"
- "traefik.http.routers.front.rule=Host(`dev.xxxxx.com`)"
- "traefik.http.routers.front.entrypoints=websecure"
- "traefik.http.routers.front.tls.certresolver=myresolver"
panel:
image: registry.gitlab.com/xxxxx/panel:latest
ports:
- 3001:3000
depends_on:
- api
labels:
- "traefik.enable=true"
- "traefik.http.routers.panel.rule=Host(`admin.xxxxx.com`)"
- "traefik.http.routers.panel.entrypoints=websecure"
- "traefik.http.routers.panel.tls.certresolver=myresolver"
coming-soon:
image: registry.gitlab.com/xxxxx/coming-soon:latest
ports:
- 3002:3000
labels:
- "traefik.enable=true"
- "traefik.http.routers.coming-soon.rule=Host(`xxxxx.com`) || Host(`www.xxxxx.com`)"
- "traefik.http.routers.coming-soon.entrypoints=websecure"
- "traefik.http.routers.coming-soon.tls.certresolver=myresolver"
db:
image: postgres
ports:
- 5432:5432
volumes:
- db-data:/var/lib/postgresql/data/
env_file:
- .env
restart: always
adminer:
image: dpage/pgadmin4
ports:
- 5000:80
volumes:
- adminer-data:/root/.pgadmin
env_file:
- .env
depends_on:
- db
labels:
- "traefik.enable=true"
- "traefik.http.routers.adminer.rule=Host(`adminer.xxxxx.com`)"
- "traefik.http.routers.adminer.entrypoints=websecure"
- "traefik.http.routers.adminer.tls.certresolver=myresolver"
gitlab-runner:
image: gitlab/gitlab-runner:latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock
deploy:
mode: replicated
replicas: 2
update_config:
parallelism: 4
delay: 30s
volumes:
db-data:
api-data:
adminer-data:

Nextcloud on Raspberry Pi via docker compose

I'm trying to run a Nextcloud instance on my Raspbery Pi 3B+ using a docker-compose file from this source: https://blog.ssdnodes.com/blog/installing-nextcloud-docker/
This works out of the box without any issues on a Ubuntu Server.
I've replaced the following images to be compatible with the arm infrastructure of the Pi:
jwilder/nginx-proxy:alpine with braingamer/nginx-proxy-arm or budry/jwilder-nginx-proxy-arm (I tried both)
jrcs/letsencrypt-nginx-proxy-companion with budry/jrcs-letsencrypt-nginx-proxy-companion-arm
mariadb with linuxserver/mariadb
nextcloud:latest with linuxserver/nextcloud
Unfortunately this doesn't work on the Pi, the Pi returns first a 502 Bad Gateway, then after some time the error ERR_TOO_MANY_REDIRECTS.
What am I doing wrong?
Thanks
My docker-compose.yml:
version: '3'
services:
proxy:
image: braingamer/nginx-proxy-arm
labels:
- "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
container_name: nextcloud-proxy
networks:
- nextcloud_network
ports:
- 80:80
- 443:443
volumes:
- ./proxy/conf.d:/etc/nginx/conf.d:rw
- ./proxy/vhost.d:/etc/nginx/vhost.d:rw
- ./proxy/html:/usr/share/nginx/html:rw
- ./proxy/certs:/etc/nginx/certs:ro
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
restart: unless-stopped
letsencrypt:
image: budry/jrcs-letsencrypt-nginx-proxy-companion-arm
container_name: nextcloud-letsencrypt
depends_on:
- proxy
networks:
- nextcloud_network
volumes:
- ./proxy/certs:/etc/nginx/certs:rw
- ./proxy/vhost.d:/etc/nginx/vhost.d:rw
- ./proxy/html:/usr/share/nginx/html:rw
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped
db:
image: linuxserver/mariadb
container_name: nextcloud-mariadb
networks:
- nextcloud_network
volumes:
- db:/var/lib/mysql
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=1000
- PGID=1000
- MYSQL_ROOT_PASSWORD=***PASSWORD***
- MYSQL_PASSWORD=***PASSWORD***
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
ports:
- 3306:3306
restart: unless-stopped
app:
image: linuxserver/nextcloud
container_name: nextcloud-app
networks:
- nextcloud_network
depends_on:
- letsencrypt
- proxy
- db
volumes:
- nextcloud:/var/www/html
- ./app/config:/var/www/html/config
- ./app/custom_apps:/var/www/html/custom_apps
- ./app/data:/var/www/html/data
- ./app/themes:/var/www/html/themes
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
- VIRTUAL_HOST=nextcloud.domain.tld
- LETSENCRYPT_HOST=nextcloud.domain.tld
- LETSENCRYPT_EMAIL=mail#nextcloud.domain.tld
volumes:
nextcloud:
db:
networks:
nextcloud_network:

The tutorial used a Nginx reverse proxy and Let’s Encrypt, for the latter you need a valid domain. If you look at your compose file for linuxserver/nextcloud under environment, it asks for a domain for VIRTUAL_HOST, LETSENCRYPT_HOST and LETSENCRYPT_EMAIL. It then tries to create a ssl certificate for the specified domain (nextcloud.domain.tld), which is not valid, so it doesn't work.
This was the case for me, so I just removed the proxy and ssl from my compose file and nextcloud works now :)
Here is my current working compose file:
version: '3'
services:
db:
image: tobi312/rpi-mariadb:10.5
container_name: nextcloud-mariadb
networks:
- nextcloud_network
volumes:
- db:/var/lib/mysql
- /etc/localtime:/etc/localtime:ro
environment:
- MYSQL_ROOT_PASSWORD=very_secure_password
- MYSQL_PASSWORD=very_secure_password
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
restart: unless-stopped
app:
image: nextcloud:latest
container_name: nextcloud-app
networks:
- nextcloud_network
depends_on:
- db
volumes:
- nextcloud:/var/www/html
- ./app/config:/var/www/html/config
- ./app/custom_apps:/var/www/html/custom_apps
- ./app/data:/var/www/html/data
- ./app/themes:/var/www/html/themes
- /etc/localtime:/etc/localtime:ro
restart: unless-stopped
ports:
- 80:80
volumes:
nextcloud:
db:
networks:
nextcloud_network:
driver: bridge
Hope it helps.

configure traefik as reverse proxy with docker

I am trying to configure traefik to connect between my 3 docker containers.
I tried with this configuration but I got net::ERR_NAME_NOT_RESOLVED on my browser console.
searchservice:
hostname: searchservice
image: searchservice:0.0.3-SNAPSHOT
container_name: searchservice
networks:
- es-network
#ipv4_address: 172.21.0.12
ports:
- 8070:8080
restart: always
depends_on:
- elasticsearch
- reverseproxy
labels:
- "traefik.frontend.rule=PathPrefix:/searchservice,Host:localhost"
- "traefik.port: 8070"
- "traefik.enable=true"
subscriber-service:
hostname: subscriber-service
image: subscriberservice:0.0.4-SNAPSHOT
container_name: subscriber-service
networks:
- es-network
#ipv4_address: 172.21.0.13
ports:
- 8090:8090
restart: always
depends_on:
- mongo1
- mongo2
- reverseproxy
labels:
- "traefik.frontend.rule=PathPrefix:/api,Host:localhost"
- "traefik.port: 8090"
- "traefik.enable=true"
searchappfront:
hostname: searchappfront
image: frontservice:latest
container_name: searchappfront
networks:
- es-network
ports:
- 80:80
restart: always
depends_on:
- subscriber-service
- searchservice
- reverseproxy
labels:
- "traefik.frontend.rule=PathPrefix:/"
- "traefik.enable=true"
- "traefik.port=80"
# - "traefik.frontend.rule=Host:localhost"
reverseproxy:
image: traefik:v2.1
command:
- '--providers.docker=true'
- '--entryPoints.web.address=:80'
- '--providers.providersThrottleDuration=2s'
- '--providers.docker.watch=true'
- '--providers.docker.defaultRule=Host("local.me")'
- '--accessLog.bufferingSize=0'
volumes:
- '/var/run/docker.sock:/var/run/docker.sock:ro'
#ports:
# - '80:80'
# - '8080:8080'
The searchappfront is an angular application where the http endPoints have this pattern
http://subscriber-service:8090/
http://searchservice:8070/
if I use localhost instead of hostnames, requests work fine but I need to deploy these containers in a cloud instance.

You are using traefik 2, but your annotation is for traefik 1. This is not going to work.

how to proxy to backend in docker compose with traefik

I'm setting up a frontend and backend with traefik and docker compose like so:
version: "3.7"
services:
frontend:
image: frontend:tag
networks:
- traefik-network
labels:
- traefik.enable=true
- traefik.port=80
- traefik.docker.network=traefik-network
- traefik.http.routers.frontend.entrypoints=web
- traefik.http.routers.frontend.rule=PathPrefix(`/`)
backend:
image: backend:tag
networks:
- traefik-network
labels:
- traefik.enable=true
- traefik.port=3000
- traefik.docker.network=traefik-network
reverse-proxy:
image: traefik:v2.0
networks:
- traefik-network
labels:
- traefik.docker.network=traefik-network
- traefik.enable=true
command:
- --log.level=DEBUG
- --api.insecure=true
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --entryPoints.web.address=:80
- --entryPoints.name.forwardedHeaders.insecure=true
ports:
- "80:80"
- "3000:3000"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
traefik-network:
name: traefik-network
previously i used nginx to create proxy from FE to BE like so
upstream go_backend {
server backend:8085 max_fails=3 fail_timeout=50;
}
location /api/ {
proxy_pass http://go_backend/;
}
How am I able to proxy requests from the FE to the BE like this with traefik v2?
No toml file.
What results did you expect:
When i go to localhost, the requests from the server gets forwarded to backend:3000.
What happens now:
When i go to localhost, the requests is not reached to the backend.

For anyone in the same position:
- traefik.docker.network=traefik-network
- traefik.http.routers.backend.entrypoints=backend
Remember to set entrypoints to your service:
- traefik.http.routers.<s-name>.entrypoints=<s-name>