Cannot connect over HTTPS with docker, traefik, SSL - docker

I have some issues with Traefik when I use TLS to connect to my API: it cannot connect. I configured it following the Traefik document https://traefik.io/blog/traefik-2-tls-101-23b4fbee81f1/. Can someone help me?
version: "3.8"
services:
  myproject:
    image: registry.gitlab.com/test/myproject:latest
    env_file:
      - ./myproject/.env
    restart: unless-stopped
    volumes:
      - ./myproject/jwt.pem:/config/jwt.pem
      - ./myproject/jwt.pub:/config/jwt.pub
    logging:
      driver: json-file
      options:
        max-size: 200k
        max-file: "10"
    labels:
      - traefik.enable=true
      - traefik.http.routers.myproject.rule=Host(`mydomain.com`) && PathPrefix(`/api`)
      - traefik.http.routers.myproject.tls=true
      - traefik.http.routers.myproject.entrypoints=web,websecure
      - traefik.http.services.myproject.loadbalancer.server.port=8000
      - traefik.http.middlewares.my_headers.headers.accesscontrolallowmethods=GET,OPTIONS,PUT,POST,DELETE
      - traefik.http.middlewares.my_headers.headers.accesscontrolalloworigin=*
      - traefik.http.middlewares.my_headers.headers.accessControlAllowHeaders=*
      - traefik.http.middlewares.my_headers.headers.accesscontrolmaxage=100
      - traefik.http.middlewares.my_headers.headers.addvaryheader=true
      - traefik.http.middlewares.api_v1_strippath.stripprefix.prefixes=/api
      - traefik.http.routers.myproject.middlewares=my_headers,api_v1_strippath
  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      - "--api.insecure=true"
      - "--providers.file.directory=/configuration/"
      - "--providers.file.watch=true"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./home/ec2-user/myproject/traefik/configuration/:/configuration/"
and certificates.toml:
[[tls.certificates]]
  certFile = "/configuration/mykey.cert"
  keyFile = "/configuration/mykey.key"
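One check worth running on labels like the ones above before debugging certificates: in Traefik v2 a router that carries a `tls` section only serves HTTPS, so attaching it to the plain-HTTP `web` entrypoint turns every request on port 80 into a 404 while the configuration still loads. The linter below is an added example and not code from the question or from Traefik; `POSTED_LABELS` are the router labels from the question, `FIXED_LABELS` is this example's suggested split into a redirect-only HTTP router and a TLS router, and the entrypoint names (`web` on :80 without TLS, `websecure` on :443 with TLS) are assumptions read off the compose file.

```python
"""Lint Traefik v2 docker-provider labels for TLS/entrypoint mismatches.

Added example, not code from the question above. POSTED_LABELS are the router
labels from the question; FIXED_LABELS are this example's suggested layout. The
entrypoint names and which of them carry TLS are assumptions read off the
compose file: "web" on :80 (plain HTTP) and "websecure" on :443 (TLS).
"""
import re

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")

POSTED_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.myproject.rule=Host(`mydomain.com`) && PathPrefix(`/api`)",
    "traefik.http.routers.myproject.tls=true",
    "traefik.http.routers.myproject.entrypoints=web,websecure",
    "traefik.http.services.myproject.loadbalancer.server.port=8000",
]

# Suggested split (assumption of this example): a plain-HTTP router that only
# redirects, and a separate TLS router bound to the TLS entrypoint.
FIXED_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.myproject-http.rule=Host(`mydomain.com`) && PathPrefix(`/api`)",
    "traefik.http.routers.myproject-http.entrypoints=web",
    "traefik.http.routers.myproject-http.middlewares=to-https",
    "traefik.http.middlewares.to-https.redirectscheme.scheme=https",
    "traefik.http.middlewares.to-https.redirectscheme.permanent=true",
    "traefik.http.routers.myproject.rule=Host(`mydomain.com`) && PathPrefix(`/api`)",
    "traefik.http.routers.myproject.entrypoints=websecure",
    "traefik.http.routers.myproject.tls=true",
    "traefik.http.services.myproject.loadbalancer.server.port=8000",
]


def parse_routers(labels):
    """Group traefik.http.routers.<name>.<option>=<value> labels by router name."""
    routers = {}
    for label in labels:
        key, _, value = label.partition("=")
        m = ROUTER_RE.match(key.strip())
        if m:
            routers.setdefault(m.group(1), {})[m.group(2).lower()] = value.strip()
    return routers


def lint_tls_routers(labels, declared_entrypoints, tls_entrypoints):
    """Report routers whose TLS setting contradicts the entrypoints they listen on.

    A router with a tls section handles HTTPS only, so binding it to a
    plain-HTTP entrypoint turns every request on that port into a 404 while
    the config still looks valid.
    """
    findings = []
    for name, opts in parse_routers(labels).items():
        listed = [e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()]
        # No entrypoints label means the router attaches to every entrypoint.
        entrypoints = listed or sorted(declared_entrypoints)
        has_tls = opts.get("tls", "").lower() == "true" or any(k.startswith("tls.") for k in opts)
        for ep in entrypoints:
            if ep not in declared_entrypoints:
                findings.append(f"router {name!r}: entrypoint {ep!r} is not declared in the static config")
            elif has_tls and ep not in tls_entrypoints:
                findings.append(f"router {name!r}: tls enabled but bound to plain-HTTP entrypoint {ep!r}")
    return findings


def lint_static(command):
    """Flag static-config flags that widen exposure."""
    findings = []
    if "--api.insecure=true" in command:
        findings.append("--api.insecure=true serves the dashboard and API unauthenticated on :8080")
    return findings


if __name__ == "__main__":
    declared, tls_only = {"web", "websecure"}, {"websecure"}
    for title, labels in (("posted", POSTED_LABELS), ("fixed", FIXED_LABELS)):
        print(title, lint_tls_routers(labels, declared, tls_only))
    print(lint_static(["--api.insecure=true", "--providers.docker=true"]))
```

With the posted labels the linter reports the `myproject` router as TLS-only but bound to `web`; with the split layout it reports nothing. The `--api.insecure=true` finding applies to the compose file above as well, because port 8080 is published to the host and the dashboard has no authentication in that mode.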

Related

Traefik configuration for https external services and http for internal services

I have a working docker-compose.yaml configuration that allows me to easily expose my services on my public domain (mydomain.com). But now I also want to expose some of my services on a local domain (myservice.lan), so no need for https.
Here is my docker-compose.yaml:
version: '3.4'
services:
  traefik:
    image: traefik:2.5
    container_name: traefik
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ${CONFIG}/traefik/acme.json:/acme.json
      - ${CONFIG}/traefik/rules.toml:/etc/traefik/rules.toml
    command:
      - --api.insecure=true
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.watch=true
      - --entrypoints.insecure.address=:80
      - --entrypoints.secure.address=:443
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=insecure
      - --certificatesresolvers.letsencrypt.acme.email=my_mail
      - --certificatesresolvers.letsencrypt.acme.storage=acme.json
      - --certificatesresolvers.letsencrypt.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.letsencrypt.acme.keyType=EC256
      - --providers.file=true
      - --providers.file.filename=/etc/traefik/rules.toml
      - --providers.file.watch=true
    labels:
      - traefik.http.middlewares.wss.headers.customrequestheaders.X-Forwarded-Proto=https
  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    user: ${PUID}:${PGID}
    restart: unless-stopped
    volumes:
      - ${DATA}/grafana:/var/lib/grafana
    environment:
      - GF_USERS_ALLOW_SIGN_UP=false
      - GF_SERVER_DOMAIN=grafana.${DOMAIN}
      - GF_SERVER_ROOT_URL=https://grafana.${DOMAIN}/
      - GF_SERVER_SERVE_FROM_SUB_PATH=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN}`)
      - traefik.http.routers.grafana.entrypoints=insecure
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
      - traefik.http.routers.grafana-http.middlewares=https-redirect@docker
      - traefik.http.routers.grafana-https.entrypoints=secure
      - traefik.http.routers.grafana-https.rule=Host(`grafana.${DOMAIN}`)
      - traefik.http.routers.grafana-https.tls=true
      - traefik.http.routers.grafana-https.tls.certresolver=letsencrypt
  esphome: #6052
    image: esphome/esphome
    container_name: esphome
    restart: unless-stopped
    privileged: true
    volumes:
      - ${CONFIG}/esphome:/config
      - /etc/localtime:/etc/localtime:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.esphome.rule=Host(`esphome.${DOMAIN_LOCAL}`)
      - traefik.http.routers.esphome.entrypoints=insecure
      - traefik.http.services.esphome.loadbalancer.server.port=6052
The Grafana service is exposed correctly on my ${DOMAIN} (grafana.mydomain.com), but esphome (esphome.lan) doesn't work.
Is my configuration bad?
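A cheap way to catch the cross-reference mistakes that hide in label sets like the grafana one above is to resolve every router and middleware name the way Traefik's docker provider would. The script below is an added example, not code from the post or from Traefik; `GRAFANA_LABELS` are the grafana labels as posted, the `@docker` provider suffix is stripped before lookup (which assumes all referenced middlewares live in the docker provider), and the entrypoint name `insecure` is taken from the compose file.

```python
"""Resolve router/middleware references in Traefik v2 docker labels.

Added example, not code from the post above. GRAFANA_LABELS are the labels from
the post. The check reports routers that lack a rule and middleware references
that do not resolve, then lists which plain-HTTP routers actually carry the
https redirect. The entrypoint name "insecure" is taken from the compose file.
"""
import re

LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+)$")

GRAFANA_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN}`)",
    "traefik.http.routers.grafana.entrypoints=insecure",
    "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https",
    "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true",
    "traefik.http.routers.grafana-http.middlewares=https-redirect@docker",
    "traefik.http.routers.grafana-https.entrypoints=secure",
    "traefik.http.routers.grafana-https.rule=Host(`grafana.${DOMAIN}`)",
    "traefik.http.routers.grafana-https.tls=true",
    "traefik.http.routers.grafana-https.tls.certresolver=letsencrypt",
]


def parse(labels):
    """Split labels into {"routers": {name: opts}, "middlewares": {name: opts}}."""
    objs = {"routers": {}, "middlewares": {}}
    for label in labels:
        key, _, value = label.partition("=")
        m = LABEL_RE.match(key.strip())
        if m:
            kind, name, option = m.groups()
            objs[kind].setdefault(name, {})[option.lower()] = value.strip()
    return objs


def _refs(opts):
    """Middleware references of one router, in label order."""
    return [r.strip() for r in opts.get("middlewares", "").split(",") if r.strip()]


def check_references(labels):
    """Routers without a rule are rejected by Traefik, and so are routers that
    reference a middleware that does not exist; either way they never serve."""
    objs = parse(labels)
    findings = []
    for name, opts in objs["routers"].items():
        if "rule" not in opts:
            findings.append(f"router {name!r} has no rule and will be rejected")
        for ref in _refs(opts):
            # "name@docker" -> "name"; assumes every reference targets the docker provider
            if ref.split("@", 1)[0] not in objs["middlewares"]:
                findings.append(f"router {name!r} references undefined middleware {ref!r}")
    return findings


def plain_routers_without(labels, plain_entrypoints, middleware):
    """Routers on plain-HTTP entrypoints that do not attach the given middleware.
    Routers with no explicit entrypoints label are skipped here."""
    missing = []
    for name, opts in parse(labels)["routers"].items():
        eps = {e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()}
        attached = {r.split("@", 1)[0] for r in _refs(opts)}
        if eps & set(plain_entrypoints) and middleware not in attached:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(check_references(GRAFANA_LABELS))
    print(plain_routers_without(GRAFANA_LABELS, {"insecure"}, "https-redirect"))
```

On the posted labels the first check reports that `grafana-http` has no rule, and the second shows that the router actually listening on `insecure` (`grafana`) carries no redirect at all: the redirect is attached to a router name that never becomes a router. The script says nothing about the esphome host, whose labels resolve cleanly.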

New version of traefik website is not working properly

I had a Next.js website running on Next.js, Traefik 1.7 and Docker. The website was working all right, but because of an SSL certificate I had to change the Traefik version to 2.4 so I could load my purchased SSL certificate. Since then the website works as before, but images won't load. Can anyone help?
OLD docker-compose
version: '3'
services:
  loadbalancer:
    restart: unless-stopped
    image: traefik:1.7
    command: --docker
    ports:
      - "80:80"
      - "443:443"
      - "3000:3000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
      - ./acme.json:/acme.json:rw
      - ./traefik.toml:/traefik.toml:rw
      - ./certs:/certs:rw
    command:
      - --debug=false
      - --logLevel=ERROR
      - --defaultentrypoints=https,http
      - "--entryPoints=Name:http Address::80"
      - "--entryPoints=Name:https Address::443 TLS"
      - --docker.endpoint=unix:///var/run/docker.sock
      - --docker.watch=true
      - --docker.exposedbydefault=false
      - --acme.email=admin@ssupat.sk
      - --acme.storage=acme.json
      - --acme.entryPoint=https
      - --acme.onHostRule=true
      - --acme.httpchallenge.entrypoint=https
    security_opt:
      - no-new-privileges:true
    networks:
      - ssupat
  cms-postgresql:
    restart: unless-stopped
    image: 'bitnami/postgresql:latest'
    environment:
      - POSTGRESQL_USERNAME=ssupat_user
      - POSTGRESQL_PASSWORD=password
      - POSTGRESQL_DATABASE=ssupat_cms
    ports:
      - '5432'
    networks:
      - ssupat
    volumes:
      - ./db/:/bitnami/postgresql
  ssupat-cms-strapi:
    restart: unless-stopped
    build:
      context: ssupat-cms-strapi/
      dockerfile: Dockerfile
    environment:
      DATABASE_CLIENT: postgres
      DATABASE_NAME: ssupat_cms
      DATABASE_HOST: cms-postgresql
      DATABASE_PORT: 5432
      DATABASE_USERNAME: ssupat_user
      DATABASE_PASSWORD: password
    networks:
      - ssupat
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./app:/srv/app
      - ./public:/public/uploads
    depends_on:
      - "cms-postgresql"
    labels:
      traefik.frontend.rule: 'Host:cms.ssupat.sk'
      traefik.frontend.redirect.regex: ^http?://cms.ssupat.sk/(.*)
      traefik.frontend.redirect.replacement: https://cms.ssupat.sk/$${1}
      traefik.frontend.redirect.permanent: true
      traefik.http.routers.some-name.entryPoints: 'Port:80'
      traefik.http.routers.ssupat-cms-strapi.rule: 'Host:cms.ssupat.sk'
      traefik.http.routers.my-app.tls: true
      traefik.http.routers.my-app.tls.certresolver: 'le-ssl'
      traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent: true
      traefik.enable: true
      traefik.port: 80
      traefik.protocol: http
    security_opt:
      - no-new-privileges:true
  ssupat-web-nextjs:
    restart: unless-stopped
    build:
      context: ssupat-web-nextjs/
      dockerfile: Dockerfile
    networks:
      - ssupat
    depends_on:
      - "ssupat-cms-strapi"
      - "cms-postgresql"
    labels:
      traefik.frontend.rule: 'Host:ssupat.sk,www.ssupat.sk'
      traefik.frontend.redirect.regex: ^http?://ssupat.sk/(.*)
      traefik.frontend.redirect.replacement: https://ssupat.sk/$${1}
      traefik.frontend.redirect.regex: ^http?://www.ssupat.sk/(.*)
      traefik.frontend.redirect.replacement: https://ssupat.sk/$${1}
      traefik.frontend.redirect.permanent: true
      traefik.http.routers.my-app.tls: true
      traefik.http.routers.my-app.tls.certresolver: 'le-ssl'
      traefik.enable: true
      traefik.port: 3000
      traefik.protocol: http
    security_opt:
      - no-new-privileges:true
networks:
  ssupat:
    driver: bridge
NEW docker-compose
version: '3.3'
networks:
  ssupat:
    driver: bridge
#networks:
#  ssupat:
#    external: true
services:
  traefik:
    #image: traefik:2.4
    image: traefik:latest
    container_name: traefik
    volumes:
      - ./certs/traefik-certs/:/etc/traefik/:ro
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - ssupat
    ports:
      - 80:80
      - 443:443
      - 8080:8080
      #- 3000:3000
    command:
      - '--api.insecure=true'
      - '--api.dashboard=true'
      - '--api.debug=true'
      - '--providers.docker=true'
      - '--providers.docker.exposedByDefault=false'
      - '--providers.file=true'
      - '--providers.file.directory=/etc/traefik/'
      - '--entrypoints.http=true'
      - '--providers.docker.network=proxy'
      - '--entrypoints.web.address=:80'
      - '--entrypoints.websecure.address=:443'
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      #- '--entrypoints.http.http.redirections.entrypoint.permanent=true'
      - '--entrypoints.https=true'
      - '--log=true'
      - '--log.level=DEBUG'
  cms-postgresql:
    restart: unless-stopped
    image: 'bitnami/postgresql:latest'
    environment:
      - POSTGRESQL_USERNAME=ssupat_user
      - POSTGRESQL_PASSWORD=password
      - POSTGRESQL_DATABASE=ssupat_cms
      #- POSTGRESQL_ENABLE_TLS=yes
      #- POSTGRESQL_TLS_CERT_FILE=/opt/bitnami/postgresql/certs/certs.crt
      #- POSTGRESQL_TLS_KEY_FILE=/opt/bitnami/postgresql/certs/private.key
      #- POSTGRESQL_TLS_CA_FILE=/opt/bitnami/postgresql/certs/ssupat.sk.ca
    ports:
      - '5432'
    networks:
      - ssupat
    volumes:
      - ./db/:/bitnami/postgresql
      #- ./certs/traefik-certs/certs:/opt/bitnami/postgresql/certs
      #- ./pg_hba.conf:/opt/bitnami/postgresql/conf/pg_hba.conf
  ssupat-cms-strapi:
    restart: unless-stopped
    build:
      context: ssupat-cms-strapi/
      dockerfile: Dockerfile
    environment:
      DATABASE_CLIENT: postgres
      DATABASE_NAME: ssupat_cms
      DATABASE_HOST: cms-postgresql
      DATABASE_PORT: 5432
      DATABASE_USERNAME: ssupat_user
      DATABASE_PASSWORD: password
    networks:
      - ssupat
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./app/:/srv/app
      - ./public/:/public/uploads
    depends_on:
      - "cms-postgresql"
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.ssupat-cms-strapi.rule=Host(`cms.ssupat.sk`)'
      - 'traefik.http.routers.ssupat-cms-strapi.entrypoints=websecure'
      - 'traefik.http.routers.ssupat-cms-strapi.tls=true'
      - 'traefik.http.routers.ssupat-cms-strapi.tls.options=default'
      #- 'traefik.http.routers.ssupat-cms-strapi.middlewares=authelia@docker'
      - 'traefik.http.services.ssupat-cms-strapi.loadbalancer.server.port=80'
      #- 'traefik.port=80'
      - 'traefik.docker.network=ssupat'
      - 'traefik.http.middlewares.ssupat-cms-strapi.redirectregex.regex=^http://www.cms.ssupat.sk/(.*)'
      - 'traefik.http.middlewares.ssupat-cms-strapi.redirectregex.replacement=https://cms.ssupat.sk/$${1}'
      - 'traefik.http.middlewares.ssupat-cms-strapi.redirectregex.permanent=true'
  ssupat-web-nextjs:
    restart: unless-stopped
    build:
      context: ssupat-web-nextjs/
      dockerfile: Dockerfile
    networks:
      - ssupat
    security_opt:
      - no-new-privileges:true
    depends_on:
      - "ssupat-cms-strapi"
      - "cms-postgresql"
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.ssupat-web-nextjs.rule=Host(`ssupat.sk`) || Host(`www.ssupat.sk`)'
      #- 'traefik.http.routers.ssupat-web-nextjs.rule=Host(`ssupat.sk`, `www.ssupat.sk`)'
      - 'traefik.http.routers.ssupat-web-nextjs.entrypoints=web'
      #- 'traefik.http.middlewares.force_https.redirectscheme.scheme=https'
      - 'traefik.http.routers.ssupat-web-nextjs-secure.rule=Host(`ssupat.sk`) || Host(`www.ssupat.sk`)'
      - 'traefik.http.routers.ssupat-web-nextjs-secure.entrypoints=websecure'
      - 'traefik.http.routers.ssupat-web-nextjs-secure.tls=true'
      - 'traefik.http.routers.ssupat-web-nextjs-secure.tls.options=default'
      - 'traefik.http.services.ssupat-web-nextjs-secure.loadbalancer.server.port=3000'
      #- 'traefik.port=3000'
      - 'traefik.docker.network=ssupat'
      #- 'traefik.http.routers.ssupat-web-nextjs-secure.middlewares=ssupat-web-nextjs-redirect'
      - 'traefik.http.middlewares.ssupat-web-nextjs-secure.redirectregex.regex=^http://ssupat.sk/(.*)'
      - 'traefik.http.middlewares.ssupat-web-nextjs-secure.redirectregex.replacement="https://ssupat.sk/$${1}"'
      - 'traefik.http.middlewares.ssupat-web-nextjs-secure.redirectregex.permanent=true'

traefik v2 dashboard basic auth not working behind AWS elb

I have my Traefik v2 set up, and when I try to access the dashboard, which is behind an AWS ELB, basic auth does not work. But the same config works when I hit Traefik directly.
Here is what my config looks like:
version: '3.5'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: always
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
    networks:
      - traefik_network
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_network"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.http.routers.traefik.rule=Host(`traefik.local.host`)"
      - "traefik.http.routers.traefik.middlewares=traefik"
      - "traefik.http.middlewares.traefik.basicauth.users=test:$$apr1$$1pmerTx$$qsMzjTuYTHyEn12LKmteghC."
      - "traefik.http.middlewares.traefik.basicauth.removeheader=true"
networks:
  traefik_network:
    name: traefik_network
What do I need to do to have basic auth work for the Traefik v2 dashboard when I am behind an AWS ELB?
The issue was me; everything looks good, but I needed to use port 80, not 8080!
version: '3.5'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: always
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
    networks:
      - traefik_network
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_network"
      - "traefik.http.services.traefik.loadbalancer.server.port=80"
      - "traefik.http.routers.traefik.rule=Host(`traefik.local.host`)"
      - "traefik.http.routers.traefik.middlewares=traefik"
      - "traefik.http.middlewares.traefik.basicauth.users=test:$$apr1$$1pmerTx$$qsMzjTuYTHyEn12LKmteghC."
      - "traefik.http.middlewares.traefik.basicauth.removeheader=true"
networks:
  traefik_network:
    name: traefik_network
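The `$$apr1$$...` value in the label above is an htpasswd MD5 (apr1) hash with every `$` doubled, because docker-compose interpolates `$VAR` inside label values and would otherwise eat the hash. The script below is an added example, not code from the post or from Traefik: it produces and verifies such hashes with only the standard library, and emits the label with the escaping compose needs. The hash in the post is not reproduced because its password is unknown; the known-answer pair used instead (user `test`, password `test`) is the sample from Traefik's basicauth documentation, and the user and password in `main` are constructed for this example.

```python
"""htpasswd-style MD5 (apr1) hashes for Traefik's basicauth middleware.

Added example, not code from the post above. apr1_crypt follows Apache's
apr_md5_encode; basicauth_label doubles every '$' because docker-compose
interpolates $VAR in label values, which is why the posted label writes $$apr1$$.
KNOWN_HASH is the "test"/"test" sample from Traefik's basicauth documentation;
the user, password and salt used in main() are constructed for this example.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
KNOWN_PASSWORD = "test"
KNOWN_HASH = "$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"


def _to64(value, length):
    """crypt(3)-style base64: least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(length))


def apr1_crypt(password, salt):
    """Return $apr1$<salt>$<hash>; the salt is truncated to 8 chars like htpasswd does."""
    pw, salt = password.encode(), salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    plen = len(pw)
    while plen > 0:                      # as many bytes of MD5(pw,salt,pw) as pw is long
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:                             # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return f"$apr1${salt}${out}{_to64(final[11], 2)}"


def apr1_verify(password, hashed):
    """Constant-time comparison against a stored $apr1$ hash."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_crypt(password, parts[2]), hashed)


def new_salt():
    """8 random salt characters from the crypt alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def basicauth_label(user, hashed, middleware="traefik"):
    """Compose label with '$' doubled so docker-compose leaves the hash intact."""
    escaped = hashed.replace("$", "$$")
    return f"traefik.http.middlewares.{middleware}.basicauth.users={user}:{escaped}"


def known_answer_ok():
    """True if this implementation reproduces the documented test/test hash."""
    return apr1_crypt(KNOWN_PASSWORD, "H6uskkkW") == KNOWN_HASH


if __name__ == "__main__":
    print("known answer:", known_answer_ok())
    h = apr1_crypt("s3cret-example", new_salt())   # constructed sample credentials
    print(basicauth_label("ops", h))
    print(apr1_verify("s3cret-example", h), apr1_verify("wrong", h))
```

apr1 is only 1000 rounds of MD5, so it is the weakest of the formats Traefik's basicauth accepts; it is shown here because it is what the posted label uses. Traefik also accepts bcrypt hashes, and the same `$`-doubling rule applies to those in compose files.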

Docker compose with Traefik results in 404

We are trying to configure an API and a frontend with docker-compose using Traefik, and we need both applications to be exposed by domain.
With this configuration we get a 404, but commenting out the "frontend" lines makes the API work.
In the Traefik dashboard we can see both applications in the "HTTP Services" tab as load balancers, but we have no routers in the "Routers" tab.
What are we missing?
We also tried using "network" with no luck (we receive "gateway time out").
version: "3.3"
services:
  traefik:
    image: "traefik:latest"
    restart: always
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.email=myemail" # Let's Encrypt email
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  db:
    image: mysql:latest
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    container_name: "db"
    environment:
      MYSQL_ROOT_PASSWORD: mypassword
      MYSQL_DATABASE: mydb
      MYSQL_USER: myuser
      MYSQL_PASSWORD: mypassword
    ports:
      - "32769:3306"
  api:
    image: "myregistry/myimage:latest"
    restart: always
    container_name: "api"
    labels:
      - "traefik.enable=true"
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.web.middlewares=redirect-to-https
      - traefik.http.routers.web.rule=Host(`mydomainapi`)
      - traefik.http.routers.web.entrypoints=web
      - "traefik.http.routers.websecure.rule=Host(`mydomainapi`)"
      - "traefik.http.routers.websecure.entrypoints=websecure"
      - "traefik.http.routers.websecure.tls.certresolver=letsencrypt"
    depends_on:
      - db
  frontend:
    image: "myregistry/myimagefrontend:latest"
    restart: always
    container_name: "frontend"
    labels:
      - "traefik.enable=true"
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.web.middlewares=redirect-to-https
      - traefik.http.routers.web.rule=Host(`mydomainfrontend`)
      - traefik.http.routers.web.entrypoints=web
      - "traefik.http.routers.websecure.rule=Host(`mydomainfrontend`)"
      - "traefik.http.routers.websecure.entrypoints=websecure"
      - "traefik.http.routers.websecure.tls.certresolver=letsencrypt"
    depends_on:
      - api
volumes:
  db_data:
    driver: local
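The symptom above (services visible, no routers) is what Traefik's docker provider produces when two containers define the same router name with different settings: all containers' labels are merged into one dynamic configuration, the conflicting router is logged as "defined multiple times with different configurations" and dropped, and the services it pointed at survive on their own. The check below is an added example, not code from the question or from Traefik; `SERVICES_POSTED` holds the two label sets from the question, and `SERVICES_RENAMED` is this example's suggested fix with per-container router names.

```python
"""Find Traefik v2 router names defined by several containers with different settings.

Added example, not code from the question. The docker provider merges every
container's labels into one dynamic configuration, so when "api" and
"frontend" both define traefik.http.routers.web.* with different hosts, Traefik
drops that router and the dashboard shows the services but no routers.
SERVICES_POSTED are the labels from the question; SERVICES_RENAMED are this
example's suggested fix (router names prefixed with the container name).
"""
import re
from collections import defaultdict

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")


def posted(host):
    """The label set from the question, parameterised only by the host."""
    return [
        "traefik.enable=true",
        "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https",
        "traefik.http.routers.web.middlewares=redirect-to-https",
        f"traefik.http.routers.web.rule=Host(`{host}`)",
        "traefik.http.routers.web.entrypoints=web",
        f"traefik.http.routers.websecure.rule=Host(`{host}`)",
        "traefik.http.routers.websecure.entrypoints=websecure",
        "traefik.http.routers.websecure.tls.certresolver=letsencrypt",
    ]


def renamed(service, host):
    """Unique router names per container; an identical middleware may repeat."""
    return [
        "traefik.enable=true",
        "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https",
        f"traefik.http.routers.{service}-web.middlewares=redirect-to-https",
        f"traefik.http.routers.{service}-web.rule=Host(`{host}`)",
        f"traefik.http.routers.{service}-web.entrypoints=web",
        f"traefik.http.routers.{service}-websecure.rule=Host(`{host}`)",
        f"traefik.http.routers.{service}-websecure.entrypoints=websecure",
        f"traefik.http.routers.{service}-websecure.tls.certresolver=letsencrypt",
    ]


SERVICES_POSTED = {"api": posted("mydomainapi"), "frontend": posted("mydomainfrontend")}
SERVICES_RENAMED = {"api": renamed("api", "mydomainapi"),
                    "frontend": renamed("frontend", "mydomainfrontend")}


def routers_by_name(services):
    """{router_name: {service_name: {option: value}}} across all containers."""
    out = defaultdict(dict)
    for service, labels in services.items():
        for label in labels:
            key, _, value = label.partition("=")
            m = ROUTER_RE.match(key.strip())
            if m:
                out[m.group(1)].setdefault(service, {})[m.group(2).lower()] = value.strip()
    return out


def find_collisions(services):
    """{router_name: [services]} for names defined by more than one container
    with differing options. Identical duplicates merge cleanly and are not reported."""
    collisions = {}
    for name, per_service in routers_by_name(services).items():
        configs = list(per_service.values())
        if len(configs) > 1 and any(c != configs[0] for c in configs[1:]):
            collisions[name] = sorted(per_service)
    return collisions


if __name__ == "__main__":
    print("posted :", find_collisions(SERVICES_POSTED))
    print("renamed:", find_collisions(SERVICES_RENAMED))
```

Run against the posted labels it reports both `web` and `websecure` as defined by `api` and `frontend` with different hosts; with per-container names it reports nothing. The identical `redirect-to-https` middleware in both containers is fine either way, since Traefik only rejects duplicates whose definitions differ.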

configure traefik as reverse proxy with docker

I am trying to configure Traefik to connect between my 3 Docker containers.
I tried this configuration, but I got net::ERR_NAME_NOT_RESOLVED in my browser console.
searchservice:
  hostname: searchservice
  image: searchservice:0.0.3-SNAPSHOT
  container_name: searchservice
  networks:
    - es-network
    #ipv4_address: 172.21.0.12
  ports:
    - 8070:8080
  restart: always
  depends_on:
    - elasticsearch
    - reverseproxy
  labels:
    - "traefik.frontend.rule=PathPrefix:/searchservice,Host:localhost"
    - "traefik.port: 8070"
    - "traefik.enable=true"
subscriber-service:
  hostname: subscriber-service
  image: subscriberservice:0.0.4-SNAPSHOT
  container_name: subscriber-service
  networks:
    - es-network
    #ipv4_address: 172.21.0.13
  ports:
    - 8090:8090
  restart: always
  depends_on:
    - mongo1
    - mongo2
    - reverseproxy
  labels:
    - "traefik.frontend.rule=PathPrefix:/api,Host:localhost"
    - "traefik.port: 8090"
    - "traefik.enable=true"
searchappfront:
  hostname: searchappfront
  image: frontservice:latest
  container_name: searchappfront
  networks:
    - es-network
  ports:
    - 80:80
  restart: always
  depends_on:
    - subscriber-service
    - searchservice
    - reverseproxy
  labels:
    - "traefik.frontend.rule=PathPrefix:/"
    - "traefik.enable=true"
    - "traefik.port=80"
    # - "traefik.frontend.rule=Host:localhost"
reverseproxy:
  image: traefik:v2.1
  command:
    - '--providers.docker=true'
    - '--entryPoints.web.address=:80'
    - '--providers.providersThrottleDuration=2s'
    - '--providers.docker.watch=true'
    - '--providers.docker.defaultRule=Host("local.me")'
    - '--accessLog.bufferingSize=0'
  volumes:
    - '/var/run/docker.sock:/var/run/docker.sock:ro'
  #ports:
  #  - '80:80'
  #  - '8080:8080'
The searchappfront is an Angular application whose HTTP endpoints have this pattern:
http://subscriber-service:8090/
http://searchservice:8070/
If I use localhost instead of the hostnames, the requests work fine, but I need to deploy these containers on a cloud instance.
You are using Traefik 2, but your annotation is for Traefik 1. This is not going to work.
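The answer above applies to the `traefik.frontend.rule` / `traefik.port` labels in this post and to the OLD compose file of the Next.js post further up: Traefik 2 ignores 1.x labels entirely, so the containers get only the default rule. The translator below is an added example, not code from either post or from Traefik. It covers just the 1.x label kinds that appear on this page (`traefik.frontend.rule` with `Host:`/`PathPrefix:`/`Path:`, `traefik.port`, `traefik.protocol`, `traefik.enable`), passes labels already in 2.x form through, and returns everything else untranslated, which is how the `"traefik.port: 8070"` label above (a `:` where `=` is needed) shows up. Naming the router and service after the container mirrors what the docker provider does for the default router it creates when you define none; the 1.x `frontend.redirect.*` labels have no mapping here and are left in the untranslated list.

```python
"""Translate Traefik 1.x container labels into 2.x syntax.

Added example, not code from either post. Only the 1.x label kinds that appear
on this page are handled; labels already in 2.x form pass through and anything
else is returned untranslated so mistakes such as "traefik.port: 8070" (':'
instead of '=') stay visible. Router and service are named after the container.
"""
import re

MATCHER_RE = re.compile(r"\b(Host|PathPrefix|Path)\s*:")


def v1_rule_to_v2(rule):
    """'PathPrefix:/api,Host:localhost' -> 'PathPrefix(`/api`) && Host(`localhost`)'.

    Accepts ';' (1.x's own separator between matchers) as well as ',' which the
    labels on this page use; values of one matcher are still comma separated.
    """
    hits = list(MATCHER_RE.finditer(rule))
    clauses = []
    for idx, m in enumerate(hits):
        end = hits[idx + 1].start() if idx + 1 < len(hits) else len(rule)
        values = [v.strip() for v in rule[m.end():end].strip(" ,;").split(",") if v.strip()]
        clauses.append(f"{m.group(1)}(" + ", ".join(f"`{v}`" for v in values) + ")")
    return " && ".join(clauses)


def translate_labels(container, labels):
    """Return (v2_labels, untranslated) for one container's label list."""
    v2, untranslated = [], []
    router = f"traefik.http.routers.{container}"
    service = f"traefik.http.services.{container}.loadbalancer.server"
    for label in labels:
        key, sep, value = label.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            untranslated.append(label)            # e.g. "traefik.port: 8070"
        elif key == "traefik.enable":
            v2.append(f"traefik.enable={value}")
        elif key == "traefik.frontend.rule":
            v2.append(f"{router}.rule={v1_rule_to_v2(value)}")
        elif key == "traefik.port":
            v2.append(f"{service}.port={value}")
        elif key == "traefik.protocol":
            v2.append(f"{service}.scheme={value}")
        elif key.startswith("traefik.http."):
            v2.append(label)                      # already 2.x syntax
        else:
            untranslated.append(label)            # e.g. traefik.frontend.redirect.*
    return v2, untranslated


# Labels of the searchservice container from the post above.
SEARCHSERVICE_V1 = [
    "traefik.frontend.rule=PathPrefix:/searchservice,Host:localhost",
    "traefik.port: 8070",
    "traefik.enable=true",
]

if __name__ == "__main__":
    translated, left = translate_labels("searchservice", SEARCHSERVICE_V1)
    print("\n".join(translated))
    print("untranslated:", left)
```

For the searchservice container this yields a `traefik.http.routers.searchservice.rule` and `traefik.enable=true`, and leaves `traefik.port: 8070` untranslated; a `traefik.port=8070` label would have become `traefik.http.services.searchservice.loadbalancer.server.port=8070`.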
