Am a n00b to traefik & linux - I have been following guides at smarthomebeginner trying to use traefik2 as a reverse proxy in docker on a synology NAS. To start me easy I'm trying to run portainer and access it securely via the traefik container.
I've got traefik2 up and running and I can connect to its dashboard at traefik.mydomain.co.uk, and when I do my browser says the certificate is valid, so it looks like it's all running ok.
I've then added portainer to my docker compose and it appears to be working, as when I send my browser to LocalIP:9000 I get the portainer dashboard.
But when I visit portainer.mydomain.co.uk I get a 404 Error page not found.
I think the problem must be something to do with 'entry points', because when I visit my traefik dashboard, at the top of the page it says there are entry points http(80), https(443) and traefik(8080). There appears to be no mention of a 9000.
I've tried adding some stuff under command: in my portainer section of the compose file, but all that seems to do is stop portainer from working even on the local IP!
Would anyone be able to look at my docker-compose file and point out where I'm going wrong with this?
version: "3.7"
########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge
########################### SERVICES
services:
  # All services / apps go below this line
  # Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:2.2.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
      # - --api.insecure=true
      # - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.254 # You can specify a static IP
    # networks:
    #   - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log
      - $DOCKERDIR/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-basic-auth@file"
  # Portainer - WebUI for Containers
  portainer:
    container_name: portainer
    image: portainer/portainer:latest
    restart: unless-stopped
    command: -H unix:///var/run/docker.sock
    networks:
      - t2_proxy
    ports:
      - "$PORTAINER_PORT:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
      ## Middlewares
      # - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" # No Authentication
      - "traefik.http.routers.portainer-rtr.middlewares=middlewares-basic-auth@file" # Basic Authentication
      # - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file" # Google OAuth 2.0
      # - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" # Authelia
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
You are right about entrypoints:
  - --entryPoints.http.address=:80
  - --entryPoints.https.address=:443
You missed your entrypoint for port 9000:
  - --entryPoints.http.address=:80
  - --entryPoints.https.address=:443
  - --entryPoints.portainer.address=:9000
But if you add 9000 it supposes you want to listen on the 9000 port, but that's probably not what you want to do.
You want to go to your domain on 443 and then be redirected to 9000.
If you publish the port 9000 it could resolve your problem.
If you see here:
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
You should add your port 9000 like:
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
      - target: 9000
        published: 9000
        protocol: tcp
        mode: host
Hope you found the answer somehow before my answer.
I am trying to run 2 apps with traefik.
Both work great without SSL. When I use SSL the first one does not work. I'm getting error 404 page not found. Only the first service is giving the error. The second service is working with SSL. Check this at second.
docker.traefik.yml file:
services:
  traefik:
    image: traefik:latest
    ports:
      - 80:80
      - 443:443
    restart: always
    labels:
      - traefik.enable=true
      - traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080
      ## configure http
      - traefik.http.routers.traefik-dashboard-http.entrypoints=http
      - traefik.http.routers.traefik-dashboard-http.rule=Host(`dash.ibhaskar.com`)
      ## configure https
      - traefik.http.routers.traefik-dashboard-https.entrypoints=https
      - traefik.http.routers.traefik-dashboard-https.tls.certresolver=le
      - traefik.http.routers.traefik-dashboard-https.rule=Host(`dash.ibhaskar.com`)
      - traefik.http.routers.traefik-dashboard-https.service=api@internal
      - traefik.http.routers.traefik-dashboard-https.tls=true
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.traefik-dashboard-http.middlewares=https-redirect
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
      # define common network for traefik and apps
      - traefik.docker.network=towapp
    volumes:
      - traefik-public-certificates:/certificates
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - --providers.docker
      - --api.insecure
      - --providers.docker.exposedbydefault=false
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443 # https
      - --certificatesresolvers.le.acme.email=imbhaskaran@gmail.com # https
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json # ssl
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --accesslog
      - --log
      - --api
    networks:
      - towapp
volumes:
  traefik-public-certificates:
networks:
  towapp:
    external: true
The docker compose file for both services, first and second. These apps are working on localhost. I have tested these. The traefik dashboard works with https also.
services:
  first:
    restart: always
    container_name: first
    build:
      context: ./first
      dockerfile: Dockerfile
    labels:
      # Enable Traefik for this specific "backend" service
      - traefik.enable=true
      # Define the port inside of the Docker service to use
      - traefik.http.services.first.loadbalancer.server.port=8081
      # Make Traefik use this domain in HTTP
      - traefik.http.routers.first-http.entrypoints=http
      - traefik.http.routers.first-http.rule=Host(`first.ibhaskar.com`)
      # Use the traefik-public network (declared below)
      - traefik.docker.network=traefik-public
      # Make Traefik use this domain in HTTPS
      - traefik.http.routers.first-https.entrypoints=https
      - traefik.http.routers.first-https.rule=Host(`first.ibhaskar.com`)
      - traefik.http.routers.first-https.tls=true
      # Use the "le" (Let's Encrypt) resolver
      - traefik.http.routers.first-https.tls.certresolver=le
      # https-redirect middleware to redirect HTTP to HTTPS
      - traefik.http.middlewares.first-https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.first-https-redirect.redirectscheme.permanent=true
      # Middleware to redirect HTTP to HTTPS
      - traefik.http.routers.first-http.middlewares=https-redirect
      #- traefik.http.routers.app-https.middlewares=admin-auth
      - traefik.docker.network=towapp
    command: [ "node", "app.js" ]
    networks:
      - towapp
  second:
    restart: always
    container_name: second
    build:
      context: ./second
      dockerfile: Dockerfile
    labels:
      # Enable Traefik for this specific "backend" service
      - traefik.enable=true
      # Define the port inside of the Docker service to use
      - traefik.http.services.second.loadbalancer.server.port=8082
      # Make Traefik use this domain in HTTP
      - traefik.http.routers.second-http.entrypoints=http
      - traefik.http.routers.second-http.rule=Host(`second.ibhaskar.com`)
      # Use the traefik-public network (declared below)
      - traefik.docker.network=traefik-public
      # Make Traefik use this domain in HTTPS
      - traefik.http.routers.second-https.entrypoints=https
      - traefik.http.routers.second-https.rule=Host(`second.ibhaskar.com`)
      - traefik.http.routers.second-https.tls=true
      # Use the "le" (Let's Encrypt) resolver
      - traefik.http.routers.second-https.tls.certresolver=le
      # https-redirect middleware to redirect HTTP to HTTPS
      - traefik.http.middlewares.second-https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.second-https-redirect.redirectscheme.permanent=true
      # Middleware to redirect HTTP to HTTPS
      - traefik.http.routers.second-http.middlewares=https-redirect
      #- traefik.http.routers.app-https.middlewares=admin-auth
      - traefik.docker.network=towapp
    command: [ "node", "server.js" ]
    networks:
      - towapp
networks:
  towapp:
    external: true
I'm trying to get an instance of MinIO working on my Docker Compose stack with a Traefik reverse proxy. The docker compose for MinIO and Traefik look like this:
traefik:
  container_name: traefik
  image: traefik:2.2.1
  restart: unless-stopped
  command:
    - --global.checkNewVersion=true
    - --global.sendAnonymousUsage=true
    - --entryPoints.http.address=:80
    - --entryPoints.https.address=:443
    - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,1
    - --entryPoints.traefik.address=:8080
    - --api=true
    - --log=true
    - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
    - --accessLog=true
    - --accessLog.filePath=/traefik.log
    - --accessLog.bufferingSize=100
    - --accessLog.filters.statusCodes=400-499
    - --providers.docker=true
    - --providers.docker.endpoint=unix:///var/run/docker.sock
    - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME_CLOUD_SERVER`)
    - --providers.docker.exposedByDefault=false
    - --providers.docker.network=t2_proxy
    - --providers.docker.swarmMode=false
    - --providers.file.directory=/rules
    - --providers.file.watch=true
    - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
    - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  ports:
    - target: 80
      published: 80
      protocol: tcp
      mode: host
    - target: 443
      published: 443
      protocol: tcp
      mode: host
    - target: 8080
      published: 8080
      protocol: tcp
      mode: host
  volumes:
    - $DOCKERDIR/traefik2/rules:/rules
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
    - $DOCKERDIR/traefik2/traefik.log:/traefik.log
    - $DOCKERDIR/shared:/shared
  environment:
    - CF_API_EMAIL=$CLOUDFLARE_EMAIL
    - CF_API_KEY=$CLOUDFLARE_API_KEY
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.traefik-rtr.service=api@internal"
    # HTTP-to-HTTPS Redirect
    - "traefik.http.routers.http-catchall.entrypoints=http"
    - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
    - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
    - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    # HTTP Routers
    - "traefik.http.routers.traefik-rtr.entrypoints=https"
    - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
    - "traefik.http.routers.traefik-rtr.tls=true"
    - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
    - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
    ## Middlewares
    - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"
minio:
  container_name: minio
  image: minio/minio
  restart: always
  command: server /data --console-address ":9001"
  security_opt:
    - no-new-privileges:true
  networks:
    - t2_proxy
  environment:
    - PUID=${PUID}
    - PGID=${PGID}
    - TZ=${TZ}
    - MINIO_BROWSER_REDIRECT_URL=${MINIO_CONSOLE}
    - MINIO_DOMAIN=${MINIO_DOMAIN}
    - MINIO_ROOT_USER=${MINIO_ROOT_USER}
    - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD}
    - MINIO_SERVER_URL=${MINIO_SERVER}
  volumes:
    - /mnt/storage/minio:/data
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.minio-console-rtr.entrypoints=https"
    - "traefik.http.routers.minio-console-rtr.rule=Host(`minio.$DOMAINNAME_CLOUD_SERVER`)"
    - "traefik.http.routers.minio-console-rtr.tls=true"
    ## Middlewares
    - "traefik.http.routers.minio-console-rtr.middlewares=chain-oauth@file" # Google OAuth 2.0
    ## HTTP Services
    - "traefik.http.routers.minio-console-rtr.service=minio-console-svc"
    - "traefik.http.services.minio-console-svc.loadbalancer.server.port=9001"
    ## HTTP Routers
    - "traefik.http.routers.minio-rtr.entrypoints=https"
    - "traefik.http.routers.minio-rtr.rule=Host(`s3.$DOMAINNAME_CLOUD_SERVER`)"
    - "traefik.http.routers.minio-rtr.tls=true"
    ## Middlewares
    - "traefik.http.routers.minio-rtr.middlewares=chain-no-auth@file"
    ## HTTP Services
    - "traefik.http.routers.minio-rtr.service=minio-svc"
    - "traefik.http.services.minio-svc.loadbalancer.server.port=9000"
I can access the console just fine, but I am greeted with "An error has occurred. The backend cannot be reached.". There's a red banner at the top saying "Get "": unsupported protocol scheme """. If I check the console, the response I get is a 500 on https://minio.domainname/api/v1/login, with an error message saying "unable to contact configured identity provider".
Absolutely no idea where this might be coming from as I had it working with about the same stack a few months ago.
This error is occurring from the minio latest version; as you didn't mention the tag in your minio container image, it pulls the latest tag.
To solve it, just specify the previous version tag in your minio container with
  image: minio/minio:RELEASE.2022-07-15T03-44-22Z
You can look at the official repo below for more specific version tags:
https://quay.io/repository/ricardbejarano/minio?tab=tags
As well, please always go with a specific release tag and never pull :latest in your Dockerfile or docker-compose, as it leads to unexpected results, since you haven't tested the latest version in your environment.
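The tag check the answer recommends, written out as an added example (this is not code from the question or the answer above, nor MinIO's or Traefik's own tooling): it splits a container image reference into repository, tag and digest, treats a colon that sits before the last slash as a registry port rather than a tag, and reports every reference that would silently float with `latest`. The image references in SAMPLE_IMAGES are constructed for the demonstration.

```python
"""Flag container images that are not pinned to an explicit tag or digest."""
import re

# Image references as they might appear in a compose file (constructed samples).
SAMPLE_IMAGES = [
    "minio/minio",                                # no tag -> implicit latest
    "minio/minio:RELEASE.2022-07-15T03-44-22Z",   # pinned tag
    "portainer/portainer:latest",                 # explicit latest
    "traefik:2.2.1",                              # pinned tag
    "localhost:5000/minio/minio",                 # registry port, still no tag
    "minio/minio@sha256:" + "a" * 64,             # pinned digest
]

# Tag grammar used by Docker: up to 128 chars of [A-Za-z0-9_.-], not starting with . or -
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def split_image_ref(ref: str):
    """Return (repository, tag, digest) for an image reference.

    A ':' only introduces a tag when it comes after the final '/'; otherwise it is
    the port of a registry host such as localhost:5000.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last_slash = ref.rfind("/")
    last_colon = ref.rfind(":")
    if last_colon > last_slash:
        ref, tag = ref[:last_colon], ref[last_colon + 1:]
    return ref, tag, digest


def is_pinned(ref: str) -> bool:
    """True when the reference names a digest or a tag other than 'latest'."""
    _, tag, digest = split_image_ref(ref)
    if digest is not None:
        return bool(_DIGEST_RE.match(digest))
    return tag is not None and tag != "latest" and bool(_TAG_RE.match(tag))


def unpinned_images(refs):
    """Return the references that resolve to whatever 'latest' happens to be today."""
    return [r for r in refs if not is_pinned(r)]


if __name__ == "__main__":
    for ref in unpinned_images(SAMPLE_IMAGES):
        print(f"unpinned: {ref}")
```

Running it over the constructed list reports the untagged minio/minio, the explicit portainer/portainer:latest and the registry-prefixed localhost:5000/minio/minio; a digest pin is accepted even when no tag is present.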
Second post. Was having trouble getting my traefik docker-compose YAML file to run, got that sorted, now it runs, but the traefik dashboard isn't accessible.
The code for my compose file is:
version: "3.8"
########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge
########################### SERVICES
services:
  # All services / apps go below this line
  # Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:2.6.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
      - --api.insecure=true
      # - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    # networks:
    #   t2_proxy:
    #     ipv4_address: 192.168.90.829 # You can specify a static IP
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log
      - $DOCKERDIR/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
Looked at the log file, and I've observed it saying:
level=debug msg="No default certificate, generating one" tlsStoreName=default
But I'm pretty sure I have a certificate for cloudflare, which is in an environments folder I set up.
Also I noticed this:
level=debug msg="http: TLS handshake error from with my server pc's static IP address and port 36198:EOF
When I attempt to access the dashboard via my server's web browser I see this:
And when I get everything running and switch over to my desktop this pops up:
I have a service running on port 8080 that accepts both HTTP and gRPC. I understand that there are some limitations with gRPC in traefik, so here is the ultimate goal.
Accept ipWhitelisted traffic on port 8080.
Accept traffic from :80 /graphql and route it to :8080 /graphql.
Eventually I would like to accept this on route / and route it to /graphql.
Accept ipWhitelisted traffic from :80 /admin/schema and route it to :8080 /admin/schema.
Eventually I would like to accept this on route /admin and route it to /graphql.
If I get this working, I believe I can get the next part done:
Enable https with letsencrypt and accept traffic from :443 to the /graphql and /admin endpoints.
For configuration I am using a docker compose file.
version: "3.2"
services:
  reverse-proxy:
    image: traefik:v2.2
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.dgraph.address=:8080"
    ports:
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  # there is another service here `zero` that is not using traefik so I omitted its config.
  alpha:
    image: dgraph/dgraph:master
    volumes:
      - /dgraph/data:/dgraph
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.adminIps.ipwhitelist.sourcerange=1.1.1.1" # my ip address instead of 1.1.1.1
      - "traefik.http.routers.alpha.rule=Host(`api.mydomain.com`) && Path(`/graphql`)"
      - "traefik.http.routers.alpha.entrypoints=dgraph"
      - "traefik.http.routers.schema.rule=Host(`api.mydomain.com`) && Path(`/admin/schema`)"
      - "traefik.http.routers.schema.middlewares=adminIps@docker"
      - "traefik.http.routers.schema.entrypoints=dgraph"
      - "traefik.http.routers.all.rule=Host(`api.mydomain.com`)"
      - "traefik.http.routers.all.middlewares=adminIps@docker"
      - "traefik.http.routers.all.entrypoints=dgraph"
    restart: always
    command: dgraph alpha --my=alpha:7080 --zero=zero:5080 --whitelist 172.0.0.0:172.254.254.254
I have tried creating another entry point on port 80, then using that in the routers and adding a loadbalancer, but that does not seem to work. Here is that modified config:
version: "3.2"
services:
  reverse-proxy:
    image: traefik:v2.2
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.dgraph.address=:8080"
      - "--entrypoints.web.address=:80"
    ports:
      - "8080:8080"
      - "80:80"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  # there is another service here `zero` that is not using traefik so I omitted its config.
  alpha:
    image: dgraph/dgraph:master
    volumes:
      - /dgraph/data:/dgraph
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.adminIps.ipwhitelist.sourcerange=1.1.1.1" # my ip address instead of 1.1.1.1
      - "traefik.http.routers.alpha.rule=Host(`api.mydomain.com`) && Path(`/graphql`)"
      - "traefik.http.routers.alpha.entrypoints=web"
      - "traefik.http.services.alpha.loadbalancer.server.port=80"
      - "traefik.http.routers.schema.rule=Host(`api.mydomain.com`) && Path(`/admin/schema`)"
      - "traefik.http.routers.schema.middlewares=adminIps@docker"
      - "traefik.http.routers.schema.entrypoints=dgraph"
      - "traefik.http.routers.all.rule=Host(`api.mydomain.com`)"
      - "traefik.http.routers.all.middlewares=adminIps@docker"
      - "traefik.http.routers.all.entrypoints=dgraph"
    restart: always
    command: dgraph alpha --my=alpha:7080 --zero=zero:5080 --whitelist 172.0.0.0:172.254.254.254
The first docker-compose.yml file above works. By works I mean that it correctly applies the routing, rules, and middleware, all on port 8080.
The second docker-compose.yml file above I expect to open port 80 and apply the rules to route http api.mydomain.com/graphql to alpha:8080/graphql. This does not happen though. I do not get any errors when I push it up with docker-compose up -d, but when I use yougetsignal.com and check for open port 80 I get the response that port 80 is closed, and when I try to use port 8080, which was working before with route all (api.mydomain.com:8080), I get the response in the browser "Bad Gateway".
You said your service alpha is listening on 8080, so you should use that in the loadbalancer:
  "traefik.http.services.alpha.loadbalancer.server.port=8080"
You can think of it like this: the entrypoint is the incoming connection and the loadbalancer is where Traefik redirects the requests.
I have followed the instructions for the TLS challenge and read through the gRPC guide for traefik, but I can't figure out how to put them together.
Currently I have the traefik dashboard at my domain working, and I could get an http server working, but I can't get the gRPC service to be reachable. It shows up under HTTP Services in the dashboard, but when I attempt to hit the endpoint with a request it just times out saying it's unreachable.
My docker-compose (I don't have a TOML file):
traefik:
  image: "traefik:v2.0.0"
  container_name: traefik
  command:
    - --entrypoints.web.address=:80
    - --entrypoints.websecure.address=:443
    - --entrypoints.grpc.address=:8090
    - --providers.docker
    - --api
    # Lets Encrypt Resolvers
    - --certificatesresolvers.leresolver.acme.email=${EMAIL}
    - --certificatesresolvers.leresolver.acme.storage=/etc/acme/cert.json
    - --certificatesresolvers.leresolver.acme.tlschallenge=true
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock:ro"
    - "/etc/acme/:/etc/acme/"
  labels:
    # Dashboard
    - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
    - "traefik.http.routers.traefik.service=api@internal"
    - "traefik.http.routers.traefik.tls.certresolver=leresolver"
    - "traefik.http.routers.traefik.entrypoints=websecure"
    # Auth
    - "traefik.http.routers.traefik.middlewares=authtraefik"
    - "traefik.http.middlewares.authtraefik.basicauth.users=admin:xxx"
    # global redirect to https
    - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
    - "traefik.http.routers.http-catchall.entrypoints=web"
    - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
    # middleware redirect
    - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  ports:
    - 80:80
    - 443:443
    - 8080:8080
  networks:
    - internal
    - proxied
grpc_server:
  image: xxx
  container_name: grpc_server
  labels:
    - "traefik.http.routers.grpc_server.rule=Host(`grpc.${DOMAIN}`)"
    - "traefik.http.routers.grpc_server.entrypoints=grpc"
    - "traefik.http.routers.grpc_server.tls=true"
    - "traefik.http.routers.grpc_server.tls.certresolver=leresolver"
  expose:
    - 8090 # grpc server
I don't need the layer from traefik to gRPC to be encrypted, which is why I haven't set up the self-signed cert as per the gRPC example. My gRPC service is running in insecure mode and works when not behind traefik.
Anything obvious that I missed?
On the gRPC endpoint please use scheme h2c; then traefik will work.
gRPC connection, for example in YAML:
spec:
  entryPoints:
    - grpc
  routes:
    - kind: Rule
      match: Host(`xyz.com`)
      services:
        - name: service_name
          port: 50051
          scheme: h2c
  tls:
    options:
      name: mytlsoption
    secretName: secret_name
You are using port 8090 as the entrypoint for gRPC, but in your docker compose file you don't map that port to traefik.
Assuming that you use port 80 to reach traefik, it will result in a 404; if you use port 8080 it will be mapped to traefik, but traefik is not listening on that port; and if you use 8090 the port is not mapped to a docker container, both resulting in a port unreachable error.
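The rule stated in the dgraph answer (the entrypoint is the incoming port, loadbalancer.server.port is where Traefik forwards) and in the gRPC answer just above (an entrypoint's port must be published on the Traefik container) can be checked mechanically. The following added example, which is not code from any of the posts or from Traefik itself, models both rules for the docker provider and also verifies that every router references entrypoints, a service and middlewares that exist, since Traefik disables a router whose references cannot be resolved and the hostname then answers 404, which matters for the Portainer question at the top of this page as well. The container names, hostnames, labels and listening ports in COMMAND, CONTAINERS and LISTENING are constructed for the demonstration, loosely modelled on the three threads.

```python
"""Sanity checks for Traefik v2 docker-provider labels (added example, not Traefik code).

An entrypoint is the port Traefik listens on (so the Traefik container must publish it);
loadbalancer.server.port is the backend container's port, reached over the Docker network;
and a router must reference existing entrypoints, a service and middlewares or it is disabled.
"""
import re

ENTRYPOINT_RE = re.compile(r"^--entrypoints\.([^.]+)\.address=.*?:(\d+)$", re.IGNORECASE)
ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.([^=]+)=(.*)$")
SERVICE_RE = re.compile(r"^traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.port=(\d+)$")
MIDDLEWARE_RE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.")


def parse_entrypoints(command):
    """Entrypoint name -> listening port, from Traefik's CLI arguments (keys are case-insensitive)."""
    eps = {}
    for arg in command:
        if m := ENTRYPOINT_RE.match(arg.strip()):
            eps[m.group(1).lower()] = int(m.group(2))
    return eps


def check(command, published, containers, listening):
    """Return findings as strings; an empty list means the configuration lines up.

    command    - Traefik CLI arguments (static configuration)
    published  - set of ports published on the Traefik container
    containers - container name -> list of its traefik.* labels
    listening  - container name -> set of ports the application really listens on
    """
    findings = []

    def note(msg):
        if msg not in findings:
            findings.append(msg)

    entrypoints = parse_entrypoints(command)
    for name, port in entrypoints.items():
        if port not in published:
            note(f"entrypoint '{name}' listens on :{port} but port {port} is not published on the Traefik container")

    services, middlewares, routers = {}, set(), {}
    for cname, labels in containers.items():
        for label in labels:
            if m := SERVICE_RE.match(label):
                services[m.group(1)] = (cname, int(m.group(2)))
            elif m := MIDDLEWARE_RE.match(label):
                middlewares.add(m.group(1))
            elif m := ROUTER_RE.match(label):
                routers.setdefault((cname, m.group(1)), {})[m.group(2)] = m.group(3)

    for (cname, rname), keys in routers.items():
        for ep in filter(None, keys.get("entrypoints", "").split(",")):
            if ep.lower() not in entrypoints:
                note(f"router '{rname}' uses undefined entrypoint '{ep}'")
        svc = keys.get("service")
        if svc is None:  # docker provider: a lone service defined on the same container is used implicitly
            own = [s for s, (owner, _) in services.items() if owner == cname]
            svc = own[0] if len(own) == 1 else None
        if svc is None:
            note(f"router '{rname}' has no resolvable service; Traefik falls back to the exposed port of {cname}")
        else:
            sname, _, provider = svc.partition("@")
            if provider in ("", "docker"):
                if sname not in services:
                    note(f"router '{rname}' points at undefined service '{svc}'")
                else:
                    owner, port = services[sname]
                    if owner in listening and port not in listening[owner]:
                        note(f"service '{sname}' targets {owner}:{port} but {owner} listens on {sorted(listening[owner])}")
        for mw in filter(None, keys.get("middlewares", "").split(",")):
            mname, _, provider = mw.partition("@")
            if provider == "file":
                note(f"router '{rname}' needs middleware '{mname}' defined in the file provider's rules directory")
            elif mname not in middlewares:
                note(f"router '{rname}' references undefined middleware '{mw}'")
    return findings


# Constructed input modelled on the threads above (hostnames, IPs and ports are made up).
COMMAND = ["--entryPoints.http.address=:80", "--entryPoints.https.address=:443",
           "--entrypoints.dgraph.address=:8080", "--entrypoints.grpc.address=:8090"]
PUBLISHED = {80, 443, 8080}
CONTAINERS = {
    "portainer": [
        "traefik.http.routers.portainer-rtr.entrypoints=https",
        "traefik.http.routers.portainer-rtr.rule=Host(`portainer.example.test`)",
        "traefik.http.routers.portainer-rtr.middlewares=middlewares-basic-auth@file",
        "traefik.http.routers.portainer-rtr.service=portainer-svc",
        "traefik.http.services.portainer-svc.loadbalancer.server.port=9000",
    ],
    "alpha": [
        "traefik.http.middlewares.adminIps.ipwhitelist.sourcerange=192.0.2.10",
        "traefik.http.routers.alpha.rule=Host(`api.example.test`) && Path(`/graphql`)",
        "traefik.http.routers.alpha.entrypoints=dgraph",
        "traefik.http.services.alpha.loadbalancer.server.port=80",
        "traefik.http.routers.schema.rule=Host(`api.example.test`) && Path(`/admin/schema`)",
        "traefik.http.routers.schema.middlewares=adminIps@docker",
        "traefik.http.routers.schema.entrypoints=dgraph",
    ],
    "grpc_server": [
        "traefik.http.routers.grpc_server.rule=Host(`grpc.example.test`)",
        "traefik.http.routers.grpc_server.entrypoints=grpc",
        "traefik.http.services.grpc_server.loadbalancer.server.port=8090",
    ],
}
LISTENING = {"portainer": {9000}, "alpha": {8080}, "grpc_server": {8090}}

if __name__ == "__main__":
    for finding in check(COMMAND, PUBLISHED, CONTAINERS, LISTENING):
        print(finding)
```

On the constructed input it reports three things: the grpc entrypoint on 8090 is not published (the gRPC thread), the alpha service targets port 80 while the container listens on 8080 (the dgraph thread), and the Portainer router depends on a middlewares-basic-auth definition that must exist in the file provider's rules directory (the Portainer thread). The `@file` case can only be confirmed against the rules files themselves, which is why it is reported rather than resolved.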