I have installed gitea on docker (docker-compose) with traefik (v2.3) as reverse proxy. I'm trying to set up ssh but it's failing, both to SSH into and (mainly) to perform git clone and push.
I get
<user>@<domain>: Permission denied (publickey).
I have tried specifying ports in the docker-compose file for the traefik container
ports:
  - "22:22"
and in the docker-compose for gitea I have the following labels:
# SSH
- "traefik.http.routers.gitea_ssh.rule=HOST(`gitea.localhost`)"
- "traefik.http.routers.gitea_ssh.entrypoints=ssh"
- "traefik.http.routers.gitea_ssh.service=gitea_ssh"
# Services
- "traefik.http.services.gitea_ssh.loadbalancer.server.port=22"
I have similar setup for http and https, http is redirected to https.
The entrypoint is defined in traefik.yml as ":22".
This however doesn't work. I figured signal flow would go like this:
ssh request -> server port 1234 -> docker port 22 -> traefik redirects -> gitea container port 22
I have uploaded public key to
The response I get with this setup for ssh connection request is:
<login on computer>:/ <user>$ ssh -v <address to gitea>
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /<Path to config>/config
debug1: /<Path to config>/config line 12: Applying options for <address to gitea>
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to <address to gitea> port 1234.
debug1: Connection established.
debug1: identity file /<Path to private key>/private-key type 0
debug1: identity file /<Path to private key>/private-key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: kex_exchange_identification: banner line 0: HTTP/1.1 400 Bad Request
debug1: kex_exchange_identification: banner line 1: Content-Type: text/plain; charset=utf-8
debug1: kex_exchange_identification: banner line 2: Connection: close
debug1: kex_exchange_identification: banner line 3:
kex_exchange_identification: Connection closed by remote host
And when I try to access git clone:
<login on computer>:/ <user>$ git clone git@<address to gitea>:<path to repo>.git
Cloning into 'some-repo'...
kex_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Example for gitea ssh available on port 222 because port 22 is used for host ssh.
Create an entrypoint for traefik called ssh for port 222.
Add the port config 222:222/tcp to the traefik container (udp, sctp not needed).
For gitea you don't need to expose ports.
Configure gitea, add environment variables:
# details: https://docs.gitea.io/en-us/config-cheat-sheet/#admin-admin
# start gitea only ssh server, default use system which didn't work for me in any way
GITEA__server__START_SSH_SERVER: "true"
# this port is used in git clone, if not 22 this will add ssh:// to clone url which... i needed to remove every time
GITEA__server__SSH_PORT: 22
# gitea ssh listen port
GITEA__server__SSH_LISTEN_PORT: 222
configure traefik for gitea with labels:
# host resolving doesn't work for ssh, so you can only use "*"
- "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
- "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
- "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=222"
Add your ssh key to your account, check if it's a valid type, minimum bits and so on: https://docs.gitea.io/en-us/config-cheat-sheet/#ssh-minimum-key-sizes-sshminimum_key_sizes
create a simple repository named Example
update on client side ~/.ssh/config:
Host MyGiteaInstance
    HostName git.example.de
    IdentityFile ~/.ssh/gitea
    User username
    Port 222
clone git@git.example.de:user/Example.git, for me it failed if there is port information in the url or if there is the protocol prefix like ssh://
Debugging tips:
check traefik logs if there is an error like entrypoint not found
do a clone with verbose ssh: GIT_SSH_COMMAND="ssh -v" git clone git@git.example.de:user/Example.git
if the host is unreachable -> wrong ssh port on your side or entrypoint not set in traefik
host authenticity request = traefik is fine and client port config is maybe fine (multiple ssh servers)
permission denied -> ssh server in gitea started, correct port set, check gitea logs or ssh key not added to user
Complete, not minimal, example, in case I missed something above:
networks:
  proxy:
    external: false
    internal: true
  web:
    external: false
  gitea:
    external: false
    internal: true

volumes:
  gitea:
  gitea_db:

services:
  traefik:
    image: traefik:v2.5
    command: --api.insecure=true --providers.docker
    ports:
      # entrypoint http
      - "80:80"
      # entrypoint https
      - "443:443"
      # entrypoint ssh
      - "222:222/tcp"
      # todo maybe behind vpn?
      # - "8080:8080"
    # todo create docker.sock proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik:/etc/traefik:ro
      - ./acme.json:/certs/acme.json
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - proxy
      - web

  watchtower:
    image: containrrr/watchtower:latest
    environment:
      WATCHTOWER_CLEANUP: "true"
      WATCHTOWER_REVIVE_STOPPED: "true"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    # disable for container?
    # LABEL com.centurylinklabs.watchtower.enable="false"

  gitea_db:
    image: postgres:14
    restart: unless-stopped
    environment:
      POSTGRES_USER: gitea
      POSTGRES_PASSWORD: ${GITEA_DB_PASSWD}
      POSTGRES_DB: gitea
    networks:
      - gitea
    volumes:
      - gitea_db:/var/lib/postgresql/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

  gitea:
    image: gitea/gitea:1.15
    depends_on:
      - gitea_db
    # https://docs.gitea.io/en-us/config-cheat-sheet/
    environment:
      USER_UID: 1000
      USER_GID: 1000
      # configuration:
      # some values are created from the documentation but untested, therefore uncommented
      # https://docs.gitea.io/en-us/config-cheat-sheet/#repository---local-repositorylocal
      ## default
      GITEA__default__RUN_MODE: prod
      GITEA__default__APP_NAME: "Gitea: Git with a cup of tea"
      ## database
      GITEA__database__DB_TYPE: postgres
      GITEA__database__HOST: gitea_db:5432
      GITEA__database__NAME: gitea
      GITEA__database__USER: gitea
      GITEA__database__PASSWD: ${GITEA_DB_PASSWD}
      ## server
      GITEA__server__DOMAIN: ${GITEA_DOMAIN}
      # ensuring an unnecessary port isn't added
      GITEA__server__ROOT_URL: "https://%(DOMAIN)s"
      GITEA__server__HTTP_PORT: 80
      # if true SSH_LISTEN_PORT needs to be != 22
      GITEA__server__START_SSH_SERVER: "true"
      # SSH port in clone URL (needs to be 22 to remove ssh:// from clone url)
      GITEA__server__SSH_PORT: 22
      # disable forced ssh:// prefix of clone url
      GITEA__repository__USE_COMPAT_SSH_URI: "false"
      # SSH port for built-in SSH server (e.g. docker run ... -p SSH_PORT:LISTEN_PORT)
      GITEA__server__SSH_LISTEN_PORT: 222
      # mailer
      GITEA__mailer__ENABLED: "true"
      GITEA__mailer__HOST: "${GITEA_MAIL_HOST}"
      GITEA__mailer__FROM: "${GITEA_MAIL}"
      GITEA__mailer__USER: "${GITEA_MAIL}"
      # require email confirmation to register, enable email notifications
      # no effect: GITEA__server__REGISTER_EMAIL_CONFIRM: "true"
      # allows mails as notifications on updates
      # no effect: GITEA__server__ENABLE_NOTIFY_MAIL: "true"
      #
      # open-id sign
      GITEA__openid__ENABLE_OPENID_SIGNIN: "true"
      # disable self-registration
      GITEA__service__DISABLE_REGISTRATION: "true"
      # require sign in to view pages
      GITEA__service__REQUIRE_SIGNIN_VIEW: "true"
      # password hash argon2
      GITEA__security__PASSWORD_HASH_ALGO: "argon2"
      #
      # change default branch from master to x
      GITEA__repository__DEFAULT_BRANCH: "main"
      #
      # set manually during install, keys don't work for unknown reason:
      # Email Settings:
      #   SMTP Password:
      #   GITEA__mailer__PASSWD: "${GITEA_MAIL_PASSWORD}"
      #   [x] Require Email Confirmation to Register
      #   [x] Enable Email Notifications (to watch repos / issues and so on)
      #
      # set manually, no config option found:
      # Server and Third-Party Service Settings:
      #   [x] Enable Local Mode (disable all third party content)
      #
      # Admin Account:
      #   admin: ${GITEA_ADMIN_NAME}
      #   pw: "${GITEA_MAIL_PASSWORD}"
      #   mail: ${GITEA_MAIL}
      #
      # check configuration here:
      # https://${GITEA_DOMAIN}/admin/config
      #
      # remember correct port isn't part of ssh clone url, but works with ~/.ssh/config
    restart: unless-stopped
    networks:
      - gitea
      - proxy
    volumes:
      - gitea:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.gitea.loadbalancer.server.port=80"
      - "traefik.http.routers.gitea_insecure.rule=Host(`${GITEA_DOMAIN}`)"
      - "traefik.http.routers.gitea_insecure.entrypoints=http"
      - "traefik.http.routers.gitea_insecure.middlewares=https-redirect@file"
      - "traefik.http.routers.gitea.rule=Host(`${GITEA_DOMAIN}`)"
      - "traefik.http.routers.gitea.entrypoints=https"
      - "traefik.http.routers.gitea.tls.certresolver=tlsChallenge"
      # https://community.traefik.io/t/routing-ssh-traffic-with-traefik-v2/717
      # ssh can't be set on a specific domain
      - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
      - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
      - "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=222"
.env file:
GITEA_DOMAIN=git.example.de
GITEA_DB_PASSWD=securePassword
GITEA_ADMIN_NAME=admin name
GITEA_MAIL_PASSWORD=securePassword
GITEA_MAIL_HOST=smtp.mymail.de:465
GITEA_MAIL=yourEmail
./traefik/dynamic.yml
http:
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
./traefik/traefik.yml
global:
  sendAnonymousUsage: false

log:
  level: INFO

entryPoints:
  http:
    address: :80
  https:
    address: :443
  ssh:
    address: :222

defaultEntryPoints:
  - https

api:
  insecure: true
  dashboard: true

providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    watch: true
    exposedByDefault: false
    network: shared_proxy
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

certificatesResolvers:
  tlsChallenge:
    acme:
      email: MyEmailAdress
      storage: /certs/acme.json
      tlsChallenge: {}
      # https://doc.traefik.io/traefik/https/acme/#caserver
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # For test certificates
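A small probe that automates the debugging tips in this answer, added here as an example and not code from the question or the answer: it connects to host:port, sends a client identification line the way ssh does, and classifies the reply (an SSH banner, the HTTP 400 seen in the question's ssh -v output, or a silent close). It uses only the standard library; fake_server() is a constructed stand-in for a Traefik entrypoint so the block runs offline.

```python
"""Probe host:port and report what answers, automating the debugging tips above.
Added example, not code from the question or answers; standard library only.
fake_server() is a constructed stand-in for a Traefik entrypoint (offline use)."""
import socket
import threading

CLIENT_IDENT = b"SSH-2.0-banner-probe\r\n"  # what an SSH client sends first


def classify_banner(first_line: bytes) -> str:
    """Classify the first line a listener sends back.
    A real SSH server answers "SSH-<ver>-<software>" (RFC 4253 section 4.2).
    An "HTTP/..." status line means an HTTP router, not a TCP router, owns the
    port: it parsed our identification line as a bad request, which is exactly
    the "HTTP/1.1 400 Bad Request" banner in the question's ssh -v output."""
    line = first_line.strip()
    if not line:
        return "closed-without-banner"
    if line.startswith(b"SSH-"):
        return "ssh"
    if line.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def _read_line(sock: socket.socket, limit: int = 255) -> bytes:
    """Read up to one line (identification lines are at most 255 bytes)."""
    buf = b""
    while len(buf) < limit and not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_port(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect, send a client identification line, classify the reply."""
    report = {"host": host, "port": port, "banner": b"", "kind": "unreachable"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(CLIENT_IDENT)
            report["banner"] = _read_line(s)
            report["kind"] = classify_banner(report["banner"])
    except OSError:
        pass  # refused, timed out or reset: all reported as "unreachable"
    return report


HINTS = {  # the same decision table as the answer's debugging tips
    "unreachable": "wrong port on the client side, or the ssh entrypoint is "
                   "not defined/published in Traefik",
    "http": "an HTTP router answers; use a TCP router with HostSNI(`*`) on "
            "the ssh entrypoint instead",
    "closed-without-banner": "accepted then closed; the TCP router has no "
                             "matching service or Gitea's SSH server is not up",
    "ssh": "routing is fine; a later 'Permission denied (publickey)' is a key "
           "or account problem in Gitea",
    "unknown": "unrecognised banner; check which service the port routes to",
}


def diagnose(report: dict) -> str:
    """Render a probe report as one line of advice."""
    return f"{report['host']}:{report['port']} -> {report['kind']}: {HINTS[report['kind']]}"


def fake_server(reply: bytes) -> int:
    """Constructed local listener answering one connection with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(256)  # consume the client's identification line
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real deployment, call probe_port("git.example.de", 222) and print diagnose() of the result; the fake_server() helper is only there to exercise each branch locally.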
I don't have first-hand experience with proxying ssh via traefik but I've looked at this article before:
https://www.georglutz.de/blog/2020/06/20/homeassistant-with-traefik-and-ssh/
and it makes sense to recommend it, since it's the same setup.
And I would point out that you're wrongly using the http router; you need the tcp one.
I use Gitea and I would advise just exposing SSH, on a different port; Traefik will only give you overhead.
I'm a complete docker noob. Just installed docker and docker-compose as well as portainer following a tutorial.
Now I would like to set up traefik reverse proxy on portainer.
This is the traefik.yml file in /etc/traefik
global:
checkNewVersion: true
sendAnonymousUsage: false # true by default
# (Optional) Log information
# ---
# log:
# level: ERROR # DEBUG, INFO, WARNING, ERROR, CRITICAL
# format: common # common, json, logfmt
# filePath: /var/log/traefik/traefik.log
# (Optional) Accesslog
# ---
# accesslog:
# format: common # common, json, logfmt
# filePath: /var/log/traefik/access.log
# (Optional) Enable API and Dashboard
# ---
api:
dashboard: true # true by default
insecure: true # Don't do this in production!
# Entry Points configuration
# ---
entryPoints:
web:
address: :80
# (Optional) Redirect to HTTPS
# ---
# http:
# redirections:
# entryPoint:
# to: websecure
# scheme: https
websecure:
address: :443
# Certificates configuration
# ---
# TODO: Custmoize your Cert Resolvers and Domain settings
#
This is the docker-compose file:
version: '3'

volumes:
  traefik-ssl-certs:
    driver: local

services:
  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      # (Optional) Expose Dashboard
      - "8080:8080" # Don't do this in production!
    volumes:
      - /etc/traefik:/etc/traefik
      - traefik-ssl-certs:/ssl-certs
      - /var/run/docker.sock:/var/run/docker.sock:ro
But when I try to start the container I get this error:
2021/12/08 18:08:07 command traefik error: yaml: line 19: did not find expected key
I can get the container to run when I remove the whole "volumes" section under "services" from the docker-compose file, but I need it for my traefik set up. I have no clue what I did wrong as I am following a video tutorial for this 1:1
I think you should check your traefik.yml indentation. There are some keys at different levels and YAML is pretty sensitive to this. I'm talking especially about:
global
checkNewVersion
sendAnonymousUsage
api
Check the number of spaces before them.
I cannot recreate your exact error message, but I got an error when using your exact traefik.yml config file (as posted in the question) as the syntax is invalid (as pointed out in another answer).
I reduced the compose file to the minimum:
version: '3'
services:
  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    volumes:
      - 'c:\temp\traefik\etc\traefik.yml:/etc/traefik/traefik.yml'
And mounted just the traefik.yml file into the container as you can see. The file is shown below with commented out lines removed:
global:
checkNewVersion: true
sendAnonymousUsage: false # true by default
api:
dashboard: true # true by default
insecure: true # Don't do this in production!
entryPoints:
web:
address: :80
websecure:
address: :443
Running a docker-compose up on this gives the following error:
c:\Temp\traefik>docker-compose up
[+] Running 1/0
- Container traefik Created 0.0s
Attaching to traefik
traefik | 2021/12/09 08:44:36 command traefik error: no valid configuration found in file: /etc/traefik/traefik.yml
traefik exited with code 1
When I fix the indentation in the traefik.yml file (and turn on DEBUG logging) I have this:
global:
  checkNewVersion: true
  sendAnonymousUsage: false # true by default

api:
  dashboard: true # true by default
  insecure: true # Don't do this in production!

entryPoints:
  web:
    address: :80
  websecure:
    address: :443

log:
  level: DEBUG
and running docker-compose up again I now get this:
c:\Temp\traefik>docker-compose up
[+] Running 2/2
- Network traefik_default Created 0.2s
- Container traefik Created 29.5s
Attaching to traefik
traefik | time="2021-12-09T08:49:30Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
traefik | time="2021-12-09T08:49:30Z" level=info msg="Traefik version 2.5.4 built on 2021-11-08T17:41:41Z"
traefik | time="2021-12-09T08:49:30Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\"},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"pilot\":{\"dashboard\":true}}"
traefik | time="2021-12-09T08:49:30Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
traefik | time="2021-12-09T08:49:30Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
...
...
So it can be seen that traefik starts up. This is not necessarily the same issue you have, but it shows how to approach troubleshooting it. Once you know your traefik configuration is good, you can add DEBUG logging and then try adding the other volumes and configuration to see if they are OK too.
I'm using a K3S Cluster in a docker(-compose) container in my CI/CD pipeline, to test my application code. However I have a problem with the certificate of the cluster. I need to communicate with the cluster using the external address. My docker-compose script looks as follows:
version: '3'
services:
  server:
    image: rancher/k3s:v0.8.1
    command: server --disable-agent
    environment:
      - K3S_CLUSTER_SECRET=somethingtotallyrandom
      - K3S_KUBECONFIG_OUTPUT=/output/kubeconfig.yaml
      - K3S_KUBECONFIG_MODE=666
    volumes:
      - k3s-server:/var/lib/rancher/k3s
      # get the kubeconfig file
      - .:/output
    ports:
      # - 6443:6443
      - 6080:6080
      - 192.168.2.110:6443:6443
  node:
    image: rancher/k3s:v0.8.1
    tmpfs:
      - /run
      - /var/run
    privileged: true
    environment:
      - K3S_URL=https://server:6443
      - K3S_CLUSTER_SECRET=somethingtotallyrandom
    ports:
      - 31000-32000:31000-32000

volumes:
  k3s-server: {}
accessing the cluster from python gives me
MaxRetryError: HTTPSConnectionPool(host='192.168.2.110', port=6443): Max retries exceeded with url: /apis/batch/v1/namespaces/mlflow/jobs?pretty=True (Caused by SSLError(SSLCertVerificationError("hostname '192.168.2.110' doesn't match either of 'localhost', '172.19.0.2', '10.43.0.1', '172.23.0.2', '172.18.0.2', '172.23.0.3', '127.0.0.1', '0.0.0.0', '172.18.0.3', '172.20.0.2'")))
Here are my two (three) questions:
1. How can I add additional IP addresses to the cert generation? I was hoping the --bind-address in the server command triggers that.
2. How can I fall back on http? Providing an --http-listen-port didn't achieve the expected result.
3. Any other suggestion how I can enable communication with the cluster?
Changing the python code is not really an option as I would like to keep the code unaltered for testing. (Fallback on http works via kubeconfig.)
The solution is to use the parameter tls-san
server --disable-agent --tls-san 192.168.2.110
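The certificate check behind that error, as an added example (not code from the question or the answer): a SAN matcher working on dicts in the shape Python's ssl getpeercert() returns, run against a SAN list constructed from the error message, and then against the same certificate after --tls-san has added the external IP. The with_tls_san() helper is an assumption about what the flag does to the SAN list, not k3s code.

```python
"""Check a target host against a certificate's Subject Alternative Names.
Added example, not code from the question or answer. K3S_DEFAULT_CERT is a
constructed dict in ssl.SSLSocket.getpeercert() shape; its SAN list is the
one the SSLCertVerificationError in the question reports."""
import ipaddress

# Constructed from the error message: the k3s server cert carried these
# SANs and nothing for the external address 192.168.2.110.
K3S_DEFAULT_CERT = {
    "subject": ((("commonName", "k3s"),),),
    "subjectAltName": (
        ("DNS", "localhost"),
        ("IP Address", "172.19.0.2"),
        ("IP Address", "10.43.0.1"),
        ("IP Address", "127.0.0.1"),
        ("IP Address", "0.0.0.0"),
    ),
}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style name match: case-insensitive, a single '*' allowed only
    as the whole leftmost label, never matching across a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(cert: dict, target: str) -> bool:
    """True if target (DNS name or IP literal) is covered by the cert's SANs.
    Mirrors how OpenSSL/Python verify: an IP literal is compared only against
    'IP Address' entries (as parsed addresses), a name only against 'DNS'
    entries. A DNS SAN whose text happens to read "192.168.2.110" does not
    cover that IP, so the fix must add an IP SAN, which is what --tls-san does."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP entry: ignore, do not match
        elif ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False


def with_tls_san(cert: dict, *extra: str) -> dict:
    """Assumed model of --tls-san: return a copy of cert with each extra
    value added as an 'IP Address' SAN if it parses as an IP, else as 'DNS'."""
    sans = list(cert.get("subjectAltName", ()))
    for value in extra:
        try:
            ipaddress.ip_address(value)
            sans.append(("IP Address", value))
        except ValueError:
            sans.append(("DNS", value))
    return {**cert, "subjectAltName": tuple(sans)}
```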
In CentOS 7, I'm trying to start 2 containers with docker-compose when I get this error:
error: container_linux.go:235: starting container process caused keycloak/keycloak-gatekeeper
# ls
docker-compose.yml Dockerfile gatekeeper-be.conf gatekeeper-fe.conf nginx-conf.d README.MD
=================
# cat docker-compose
version: '3.2'
networks:
  network-bo-network:
    driver: "bridge"
    ipam:
      config:
        - subnet: "173.200.1.0/24"
gatekeeper-fe:
  image: keycloak/keycloak-gatekeeper:latest
  command: /keycloak-proxy --config /opt/keycloak-gatekeeper/gatekeeper.conf
  volumes:
    - ./gatekeeper-fe.conf:/opt/keycloak-gatekeeper/gatekeeper.conf
  networks:
    network-bo-network:
      ipv4_address: "173.200.1.3"
network-bo-nginx:
  image: nginx:1.17
  ports:
    - "83:80"
  volumes:
    - ./nginx-conf.d:/etc/nginx/conf.d
  networks:
    network-bo-network:
      ipv4_address: "173.200.1.5"
===========================================
cat gatekeeper-fe.conf
ClientID is the client id
client-id: client-bo-app
## ClientSecret is the secret for AS
client-secret: xxxxxxxxxxxxxxxxxxx
## DiscoveryURL is the url for the keycloak server
discovery-url: https://xxxxxxxxxxxxxxxxxxxx
## SkipOpenIDProviderTLSVerify skips the tls verification for openid provider communication
skip-openid-provider-tls-verify: true
## EnableDefaultDeny indicates we should deny by default all requests
enable-default-deny: true
## EnableRefreshTokens indicate's you wish to ignore using refresh tokens and re-auth on expiration of access token
enable-refresh-tokens: true
## EncryptionKey is the encryption key used to encrypt the refresh token
encryption-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
## Listen is the binding interface
listen: :8081
## Upstream is the upstream endpoint i.e whom were proxying to
upstream-url: http://173.200.1.1:8082
## EnableLogging indicates if we should log all the requests
enable-logging: true
## EnableJSONLogging is the logging format
enable-json-logging: true
## PreserveHost preserves the host header of the proxied request in the upstream request
preserve-host: true
## NoRedirects informs we should hand back a 401 not a redirect
no-redirects: true
## AddClaims is a series of claims that should be added to the auth headers
add-claims:
  - email
  - given_name
  - family_name
  - name
## Resources configuration
resources:
  - uri: /api/v1/metadata
    methods:
      - GET
    white-listed: true
==================================================
# docker-compose up
WARNING: Found orphan containers (network-bo-dev_network-bo-postgres_1) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
network-bo-dev_network-bo-nginx_1 is up-to-date
Creating network-bo-dev_gatekeeper-fe_1 ... error
ERROR: for network-bo-dev_gatekeeper-fe_1 Cannot start service gatekeeper-fe: oci runtime error: container_linux.go:235: starting container process caused "container init exited prematurely"
ERROR: for gatekeeper-fe Cannot start service gatekeeper-fe: oci runtime error: container_linux.go:235: starting container process caused "container init exited prematurely"
ERROR: Encountered errors while bringing up the project.
You should provide https://stackoverflow.com/help/minimal-reproducible-example - provided docker-compose doesn't have correct syntax.
A few obvious errors:
- the gatekeeper binary in the image is at /opt/keycloak-gatekeeper, not /keycloak-proxy, but see the next point
- the used image has entrypoint=/opt/keycloak-gatekeeper, so the command just needs the part after the binary, e.g.: --config /opt/keycloak-gatekeeper/gatekeeper.conf
- the first line in gatekeeper-fe.conf should be a comment
I have a simple server written in Python that listens on port 8000 inside a private network (HTTP communication). There is now a requirement to switch to HTTPS communications and every client that sends a request to the server should get authenticated with his own cert/key pair.
I have decided to use Traefik v2 for this job. Please see the block diagram.
Traefik runs as a Docker image on a host that has IP 192.168.56.101. First I wanted to simply forward a HTTP request from a client to Traefik and then to the Python server running outside Docker on port 8000. I would add the TLS functionality when the forwarding is running properly.
However, I can not figure out how to configure Traefik to reverse proxy from e.g. 192.168.56.101/notify?wrn=1 to the Python server at 127.0.0.1:8000/notify?wrn=1.
When I try to send the above mentioned request to the server (curl "192.168.56.101/notify?wrn=1") I get "Bad Gateway" as an answer. What am I missing here? This is the first time that I am in contact with Docker and reverse proxy/Traefik. I believe it has something to do with ports but I can not figure it out.
Here is my Traefik configuration:
docker-compose.yml
version: "3.3"
services:
  traefik:
    image: "traefik:v2.1"
    container_name: "traefik"
    hostname: "traefik"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik.yml:/traefik.yml:ro"
traefik.yml
## STATIC CONFIGURATION
log:
  level: INFO

api:
  insecure: true
  dashboard: true

entryPoints:
  web:
    address: ":80"

providers:
  docker:
    watch: true
    endpoint: "unix:///var/run/docker.sock"
  file:
    filename: "traefik.yml"

## DYNAMIC CONFIGURATION
http:
  routers:
    to-local-ip:
      rule: "Host(`192.168.56.101`)"
      service: to-local-ip
      entryPoints:
        - web
  services:
    to-local-ip:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8000"
First, 127.0.0.1 will resolve to the traefik container and not to the docker host. You need to provide a private IP of the node and it needs to be accessible from the traefik container.
There is a workaround to proxy to localhost:
change 127.0.0.1 to the IP of the docker0 interface; it should be 172.17.0.1
and then make your python server listen on all interfaces (0.0.0.0)
if you use the simple python http server nothing changes... by default it listens on all interfaces
I'm trying to deploy a private repository on my docker swarm.
I'm following the official docker repository guide to deploy it as a service. I want to be able to use it with https, from outside with a simple url as https://myregistry.mysite.com.
To do so I use following traefik labels in my stack yml file :
traefik.backend: "privateregistry"
traefik.docker.network: "webgateway" # docker overlay external
traefik.enable: "true"
traefik.frontend.entryPoint: "https"
traefik.frontend.redirect.entryPoint: "https"
traefik.frontend.rule: "Host:myregistry.mysite.com"
traefik.port: "5000"
I'm seeing my two frontend/backend entries in the traefik UI but when I access https://myregistry.mysite.com/v2/ (for example) I get a 500 fatal error. The service log output is
http: TLS handshake error from 10.0.0.68:47796: tls: first record does not look like a TLS handshake
I think I misunderstood something, certs side probably.
Any idea how to do that without error?
Thanks
I suppose you are missing the certificate of the (registry-) server on your client machine. I assume you have two certificate files (used on the server):
myregistry.mysite.com.crt
myregistry.mysite.com.key
Copy myregistry.mysite.com.crt on your client machine to /etc/docker/certs.d/myregistry.mysite.com/ca.crt on Linux or
~/.docker/certs.d/myregistry.mysite.com/ca.crt on Mac. Now you should be able to login from the client:
docker login myregistry.mysite.com
Appendix - Server Setup
Your server setup might look like this:
~/certs/myregistry.mysite.com.crt
~/certs/myregistry.mysite.com.key
~/docker-compose.yml
~/traefik.toml
docker-compose.yml
version: '3'
services:
  frontproxy:
    image: traefik
    command: --api --docker --docker.swarmmode
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./certs:/etc/ssl:ro
      - ./traefik.toml:/etc/traefik/traefik.toml:ro
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
  docker-registry:
    image: registry:2
    deploy:
      labels:
        - traefik.port=5000 # default port exposed by the registry
        - traefik.frontend.rule=Host:myregistry.mysite.com
traefik.toml
defaultEntryPoints = ["http", "https"]

# Redirect HTTP to HTTPS and use certificate, see https://docs.traefik.io/configuration/entrypoints/
[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
        certFile = "/etc/ssl/myregistry.mysite.com.crt"
        keyFile = "/etc/ssl/myregistry.mysite.com.key"

# Docker Swarm Mode Provider, see https://docs.traefik.io/configuration/backends/docker/#docker-swarm-mode
[docker]
  endpoint = "tcp://127.0.0.1:2375"
  domain = "docker.localhost"
  watch = true
  swarmMode = true
To deploy your registry run:
docker stack deploy myregistry -c ~/docker-compose.yml