Traefik Docker SSL Configuration With Lets Encrypt - docker

Hi everyone I am trying to enable SSL in my docker-compose.yml file for my backend service. All of my Traefik configuration is done in my docker-compose.yml file, so I may be missing a line. Running docker-compose on this configuration works without SSL and the site is displayed properly, but it does not work when using https. I have checked the Traefik documentation for the certResolvers and I am not sure what I am missing thanks.
version: "3"
networks:
NanoWall-Net:
services:
api:
build:
context: .
dockerfile: Dockerfile
labels:
- "traefik.docker.network=NanoWall-Net"
- "traefik.enable=true"
- "traefik.port=5000"
- "traefik.http.routers.http-catchall.rule=Host(`nanowalldocs.com`)"
- "traefik.http.routers.http-catchall.tls=true"
- "traefik.http.routers.http-catchall.tls.certresolver=le"
- "traefik.http.routers.http-catchall.tls.domains[0].sans=nanowalldocs.com"
- "traefik.http.routers.http-catchall.entrypoints=web"
ports:
- "5000:5000"
networks:
- NanoWall-Net
reverse-proxy:
image: traefik:v2.0
# Enables the web UI and tells Traefik to listen to docker
command:
- "--entryPoints.web.address=:80"
- "--entryPoints.websecure.address=:443"
- "--entryPoints.websecure.http.tls.certResolver: le"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--api.insecure=true"
- "--api.debug=true"
- "--api=true"
- "--api.dashboard=true"
- "--providers.docker=true"
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedbydefault=false"
- "--accesslog=true"
- "--accesslog.filepath=/var/log/traefik-access.log"
- "--accesslog.bufferingsize=1000"
- "--log.filePath=/var/log/traefik.log"
- "--certificatesResolvers.le.acme.email=jamar.phillip99#gmail.com"
- "--certificatesResolvers.le.acme.storage=acme.json"
- "--certificatesResolvers.le.acme.httpChallenge=true"
- "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
ports:
# The HTTP port
- "80:80"
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
networks:
- NanoWall-Net
volumes:
- /acme.json/etc/traefik/acme.json
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: always

It may not be the only issue, but you are missing a colon in your traefik volumes section. You have:
- /acme.json/etc/traefik/acme.json
I think it should be (assuming your host location is really /acme.json and not ./acme.json or in some other directory):
- /acme.json:/etc/traefik/acme.json
That said, I have also been having an issue where traefik always wants it in /acme.json, so I just put it there instead of in /etc/traefik/acme.json .

Related

traefik rule not redirecting requests made to "localhost/api" to backend container

traefik rule not redirecting requests made to "localhost/api" to backend container
Whenever I change the backend
- "traefik.http.routers.api.rule=Host(`localhost`) && PathPrefix(`/api`)"
to Host('localhost') I can access the application at localhost but after adding this rule, whenever I go to localhost/api , it leads me to frontend and opens html page
version: '3'
volumes:
myvol2:
external: false
services:
traefik:
image: "traefik:v2.6"
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.api.address=:5000"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443" # new
ports:
- "80:80"
- "5000:5000"
- "443:443" # new
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
api:
image: "myimagename"
ports:
- '5000'
scale: 1
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`localhost`) && PathPrefix(`/api`)"
- "traefik.http.routers.api.entrypoints=web"
- "traefik.http.services.api.loadbalancer.server.port=5000"
volumes:
- /app/node_modules
- ./server:/app
- myvol2:/resources/static/assets/uploads # Volume
environment:
- PORT=5000
web:
image: "myfrontendimage"
stdin_open: true
scale: 1
ports:
- '3000'
environment:
- CHOKIDAR_USEPOLLING=true
- CI=true
labels:
- "traefik.enable=true"
- "traefik.http.routers.web.rule=Host(`localhost`)"
- "traefik.http.routers.web.entrypoints=web"
- "traefik.http.services.web.loadbalancer.server.port=3000"
volumes:
- /app/node_modules
- ./client:/app
Tried redirecting the Tried almost all combinations of route, even tried adding regexp for matching localhost/api.
With my current nginx setup,
I have :
location /api{
rewrite /api/(.*) /$1 break;
proxy_pass http://api;
}
in my default.conf,
Trying to migrate to traefik but the requests to localhost/api are not reaching
Your configuration seems to be fine. In your question you have a bunch of placeholder values, so it's not actually possible to test your docker-compose.yaml, but we can produce a runnable version like this:
services:
traefik:
image: "traefik:v2.9"
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# The port mappings here are to avoid conflicts with other services
# on my system
ports:
- "7080:80"
- "7443:443"
- "7090:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
api:
# Note that we don't need a `ports` configuration here because we're
# not publish any ports to the host (all access will be via the
# frontend proxy).
image: "docker.io/traefik/whoami:latest"
command:
- --name=API
- --port=5000
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`localhost`) && PathPrefix(`/api`)"
- "traefik.http.routers.api.entrypoints=web"
- "traefik.http.services.api.loadbalancer.server.port=5000"
web:
image: "docker.io/traefik/whoami:latest"
command:
- --name=WEB
- --port=3000
labels:
- "traefik.enable=true"
- "traefik.http.routers.web.rule=Host(`localhost`)"
- "traefik.http.routers.web.entrypoints=web"
- "traefik.http.services.web.loadbalancer.server.port=3000"
The significant changes here are:
I'm using Traefik v2.9 (because why use an older release?)
I've replaced all your images with docker.io/traefik/whoami, which gives us a simple endpoint for testing.
With the above configuration, a request to http://localhost hits the "web" container:
$ curl localhost:7080
Name: WEB
[...]
Whereas a request to http://localhost/api hits the "api" container:
$ curl localhost:7080/api
{...., "name": "API"}
(We're getting a JSON response in the second case because we're hitting the /api path on the whoami container.)
Finally, got the traefik /api to redirect to the other backend container with the following set up
The primary issue was that even though it redirects to the container, it did not strip the /api prefix, so the API route was getting messed up
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=PathPrefix(`/api/`)"
- "traefik.http.routers.api.service=api"
- "traefik.http.services.api.loadbalancer.server.port=5000"
- "traefik.http.middlewares.api.stripprefix.prefixes=/api"
- "traefik.http.middlewares.api.stripprefix.forceSlash=false"
- "traefik.http.routers.api.middlewares=api"

Force https on traefik with docker-compose

I'm using traefik as my reverse proxy on my server. It's used to host multiple web applications like wordpress and larvel.
For these 2 application i found a "fix" for the mixed(the application servers http assets) content warning, as example, the wordpress fix:
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS']='on';
$http_s = ( !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? 'https' : 'http';
But I don't really like this solution and not every web-app support the option to declare "https only" or "force https"
Is there an option in traefik to force or rewrite the urls, i didnt have these problems with Apache or nginx. I already have an http->https redirection
These are my configs:
Docker-compose traefik:
reverse-proxy:
container_name: traefik
image: traefik:v2.6
restart: unless-stopped
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.http.tls=true
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
- --providers.file.directory=/app/certificates
- --providers.file.watch=true
ports:
# The HTTP port
- "80:80"
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
Docker-compose web app:
nginx:
image: nginx:latest
container_name: ${APP_NAME}-nginx
env_file:
- .env
volumes:
- "./config/nginx/:/etc/nginx/templates/"
- ./src:/var/www/html:rw,cached
environment:
- "NGINX_ENVSUBST_TEMPLATE_SUFFIX=.conf"
networks:
- default
- traefik
labels:
- "traefik.enable=true"
- "traefik.http.routers.${APP_NAME}.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
- "traefik.http.services.${APP_NAME}.loadbalancer.server.port=80"
- "traefik.docker.network=traefik_proxy"
restart: unless-stopped

bitwarden_rs not working behind traefik v2.2 (Bad Gateway)

So I'm trying to add bitwarden_rs to my docker network but seems to fail hard.
I also have a nextcloud docker container running behind traefik (nextcloud.mydomain.com) which is working fine. But adding bitwarden with his own subdomain (bitwarden.mydomain.com) to traefik doesn't want to start working. I'm always getting a Bad Gateway error.
Traefik docker-compose
version: "3"
services:
traefik:
image: traefik:latest
container_name: traefik
restart: always
command:
- --log.level=DEBUG
- --api.insecure
- --api.dashboard
- --providers.file.directory=/FileProvider/
- --providers.file.watch=true
- --providers.docker
- --providers.docker.exposedbydefault=false
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --certificatesresolvers.letsencryptresolver.acme.email=my#email.com
- --certificatesresolvers.letsencryptresolver.acme.storage=./letsencrypt/acme.json
- --certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web
- --certificatesresolvers.letsencryptresolver.acme.httpchallenge=true
ports:
- 80:80
- 443:443
- 8080:8080
volumes:
- ...
networks:
- local-lan
labels:
- --traefik.http.middlewares.https.redirectscheme.scheme=https
- --traefik.http.routers.https_redirect.middlewares=https
- --traefik.http.routers.https_redirect.rule=(Host(`bitwarden.mydomain.com`) || Host(`nextcloud.mydomain.com`))
- --traefik.http.routers.https_redirect.entrypoints=web
- --traefik.docker.network=local-lan
networks:
local-lan:
external: true
traefik dynamic config
middlewares:
ncHeader:
headers:
customResponseHeaders:
stsPreload: true
stsSeconds: 15552000
redirect:
redirectScheme:
scheme: https
bitwarden_rs docker-compose
version: '3'
services:
bitwarden:
image: bitwardenrs/server:latest
container_name: bitwarden
restart: always
volumes:
- /home/reggi/bitwarden/data:/data
environment:
- WEBSOCKET_ENABLED=true
- WEB_VAULT_ENABLED=true
- SIGNUPS_ALLOWED=true
- ADMIN_TOKEN=xxxxxxxxxxx
ports:
- 3012:3012
- 4500:80
networks:
- local-lan
labels:
- traefik.enable=true
- traefik.docker.network=local-lan
- traefik.http.services.bitwarden-ui.loadbalancer.server.port=4500
- traefik.http.services.bitwarden-ui.loadbalancer.server.scheme=http
- traefik.http.routers.bitwarden-ui-https.rule=Host(`bitwarden.mydomain.com`)
- traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
- traefik.http.routers.bitwarden-ui-https.tls=true
- traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencryptresolver
- traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui#docker
- traefik.http.routers.bitwarden-ui-http.rule=Host(`bitwarden.mydomain.com`)
- traefik.http.routers.bitwarden-ui-http.entrypoints=web
- traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui#docker
- traefik.http.routers.bitwarden-websocket-https.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
- traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
- traefik.http.routers.bitwarden-websocket-https.tls=true
- traefik.http.routers.bitwarden-websocket-https.tls.certresolver=letsencryptresolver
- traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
- traefik.http.routers.bitwarden-websocket-http.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
- traefik.http.routers.bitwarden-websocket-http.entrypoints=web
- traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
- traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
networks:
local-lan:
external: true
Both containers are running fine with this configuration but for some reason, I get a Bad Gateway when I navigate to http(s)://bitwarden.mydomain.com.
When I navigate to my server IP:4500 bitwarden opens up meaning the docker container is running fine.
In my traefik log I can find this error:
time="2021-03-10T21:06:35Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp 17.32.0.8:4500: connect: connection refused"
And when I do a simple curl to the bitwarden container from traefik container I get the same error:
curl --verbose http://17.32.0.8:4500
For example, curl to my nextcloud container does work:
I tried a lot of stuff already but can't seem to figure it out. For nextcloud I could add a trusted proxy domain but that doesn't seem to be possible for bitwarden_rs if I'm not mistaken.
Adding network label didn't help GitHub answer
Using these config labels didn't help as well GitHub answer
Does someone know what I'm missing or doing wrong?
After some more investigation, I found my error.
I don't need to map port 80 outside your docker network, I just needed to expose it. So this works now:
version: '3'
services:
bitwarden:
image: bitwardenrs/server:latest
container_name: bitwarden
restart: always
volumes:
- /home/reggi/bitwarden/data:/data
environment:
- WEBSOCKET_ENABLED=true
- WEB_VAULT_ENABLED=true
- SIGNUPS_ALLOWED=true
- ADMIN_TOKEN=xxxxxxxxxxx
expose:
- 3012
- 80
networks:
- local-lan
labels:
- traefik.enable=true
- traefik.docker.network=local-lan
- traefik.http.services.bitwarden-ui.loadbalancer.server.port=4500
- traefik.http.services.bitwarden-ui.loadbalancer.server.scheme=http
- traefik.http.routers.bitwarden-ui-https.rule=Host(`bitwarden.mydomain.com`)
- traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
- traefik.http.routers.bitwarden-ui-https.tls=true
- traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencryptresolver
- traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui#docker
- traefik.http.routers.bitwarden-ui-http.rule=Host(`bitwarden.mydomain.com`)
- traefik.http.routers.bitwarden-ui-http.entrypoints=web
- traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui#docker
- traefik.http.routers.bitwarden-websocket-https.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
- traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
- traefik.http.routers.bitwarden-websocket-https.tls=true
- traefik.http.routers.bitwarden-websocket-https.tls.certresolver=letsencryptresolver
- traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
- traefik.http.routers.bitwarden-websocket-http.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
- traefik.http.routers.bitwarden-websocket-http.entrypoints=web
- traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
- traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
networks:
local-lan:
external: true

Apache Nifi behind Traefik as a reverse proxy

I'm using Traefik as a reverse proxy for a lot of services and for tls termination. This works properly excepted Nifi. When trying to forward incomming requests to Nifi I get "Bad Gateway" responses.
Does anybody have an idea how to fix that?
Thanks a lot :-)
traefik:
image: "traefik:v2.2"
container_name: "traefik"
restart: always
networks:
- monitoring
- website
- iot
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
#s- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.myresolver.acme.email=test#test.de"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
# prom metrics
- "--metrics.prometheus=true"
---
nifi:
image: apache/nifi:latest
container_name: nifi
restart: on-failure
environment:
- NIFI_WEB_PROXY_CONTEXT_PATH=/
- NIFI_WEB_HTTP_PORT= 8080
expose:
- 8080
networks:
- iot
labels:
- "traefik.enable=true"
- "traefik.http.routers.nifi.rule=Host(`nifi.example.de`)"
- "traefik.http.routers.nifi.entrypoints=web"
- "traefik.http.routers.nifi.middlewares=nifi-auth"
# Basic Auth
- "traefik.http.middlewares.nifi-auth.basicauth.users=admin:$$xyz$$xyz$$xyz"
Any idea?? :-)
Since there are several ports open for the ui etc. it's required to define the routing port by using (e. g.):
- "traefik.http.services.nifi.loadbalancer.server.port=8080"

forward url with traefik v2 using docker

I want to forward url with traefik(version 2) like If I hit URL http://localhost/1 then it is forwarded to http://localhost:8081/1.
I have tried with several configuration but no one works. Please find below configuration I have done but it didn't worked.
version: "3.3"
services:
traefik:
image: "traefik:v2.0.0-rc3"
container_name: "traefik"
command:
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
ports:
- "80:80"
- "8080:8080"
- "8081:8081"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
whoami:
#image: "containous/whoami"
#container_name: "simple-service"
#command:
# - "--port=8081"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`localhost`)"
- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.services.whoami.loadbalancer.server.port=8081"
I think you don't need to forward, since you have defined the loadbalancer port, add PathPrefix to your whoami routers rule should work.
Like this
- "traefik.http.routers.whoami.rule=Host(`localhost`) && PathPrefix(`/1`)"
And if you do need forward requests, you can use middlewares.redirectregex.
- "traefik.http.routers.whoami.middlewares=whoami-redirectregex"
- "traefik.http.middlewares.whoami-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.whoami-redirectregex.redirectregex.replacement=http://localhost:8081/$${1}"
FYI. middleware docs

Resources