Develop Reference

Issue with routing http flow with Traefik

I have a small lab setup on docker lab server where I have several containers. I wanted to set up a proxy with Traefik, but I stuck on one thing.
Looks like routing works fine but I am having err_connection_refused when I try to access routed services by the browser.
It works fine with the curl command.
Using DNSMasq to manage records - traefik for proxy.
Below docker-compose files for traefik and test container which I am using for testing the proxy.
Heimdall Dashboard:
---
version: "2.1"
services:
heimdall:
image: lscr.io/linuxserver/heimdall:latest
container_name: heimdall
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
volumes:
- /path/to/appdata/config:/config
restart: unless-stopped
labels:
- "traefik.http.routers.heimdall-www.rule=Host(`heimdall.lab`)"
- "traefik.http.services.heimdall-www.loadbalancer.server.port=80"
networks:
default:
name: traefik_default
Traefik container:
version: '3'
services:
reverse-proxy:
# The official v2 Traefik docker image
image: traefik:v2.9
# Enables the web UI and tells Traefik to listen to Docker
command: --api.insecure=true --providers.docker
ports:
# The HTTP port
- "80:80"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami.lab`)"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
DNSmasq entry
address=/.lab/127.0.0.1
I dont understand why curling works fine e.g.:
curl -H Host:whoami.lab http://192.168.0.150
Hostname: 1ad1e42dd818
IP: 127.0.0.1
IP: 172.21.0.4
RemoteAddr: 172.21.0.2:54128
GET / HTTP/1.1
Host: whoami.lab
User-Agent: curl/7.84.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 192.168.0.100
X-Forwarded-Host: whoami.lab
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ca631c80565a
X-Real-Ip: 192.168.0.100

Traefik 2 - Trying to configure my first container to use traefik

Am a n00b to traefik & linux - have been following guides at smarthomebeginner trying to use traefik2 as a reverse proxy in docker on a synology NAS. To start me easy I'm trying to run portainer and access it securely via the traefik container.
I've got traefik2 up and running and I can connect to it's dashboard at traefik.mydomain.co.uk, and when I do my browser says the certificate is valid so looks like all running ok.
I've then added portainer to my docker compose and it appears to be working as when I send my browser to LocalIP:9000 I get the portainer dashboard.
But when I visit portainer.mydomain.co.uk I get a 404 Error page not found.
I think the problem must be something to do with 'entry points' because when I visit my traefik dashboard, at the top of the page that it says there are entry points http(80) https(443) and traefik(8080). There appears to be no mention of a 9000.
I've tried adding some stuff under command: in my portainer section of the compose file but all that seems to do is stop the portainer from working even on the local IP!
Would anyone be able to look at my docker-compose file and point where I'm going wrong with this?
> version: "3.7"
########################### NETWORKS
networks:
t2_proxy:
external:
name: t2_proxy
default:
driver: bridge
########################### SERVICES
services:
# All services / apps go below this line
# Traefik 2 - Reverse Proxy
traefik:
container_name: traefik
image: traefik:2.2.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
restart: unless-stopped
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
- --entryPoints.traefik.address=:8080
- --api=true
# - --api.insecure=true
# - --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
- --providers.docker.exposedByDefault=false
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
networks:
t2_proxy:
ipv4_address: 192.168.90.254 # You can specify a static IP
# networks:
# - t2_proxy
security_opt:
- no-new-privileges:true
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
volumes:
- $DOCKERDIR/traefik2/rules:/rules
- /var/run/docker.sock:/var/run/docker.sock:ro
- $DOCKERDIR/traefik2/acme/acme.json:/acme.json
- $DOCKERDIR/traefik2/traefik.log:/traefik.log
- $DOCKERDIR/shared:/shared
environment:
- CF_API_EMAIL=$CLOUDFLARE_EMAIL
- CF_API_KEY=$CLOUDFLARE_API_KEY
labels:
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
- "traefik.http.routers.traefik-rtr.tls=true"
#- "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
# - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
# - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
## Services - API
- "traefik.http.routers.traefik-rtr.service=api#internal"
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth#file"
- "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit#file,middlewares-basic-auth#file"
# Portainer - WebUI for Containers
portainer:
container_name: portainer
image: portainer/portainer:latest
restart: unless-stopped
command: -H unix:///var/run/docker.sock
networks:
- t2_proxy
ports:
- "$PORTAINER_PORT:9000"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- $DOCKERDIR/portainer/data:/data # Change to local directory if you want to save/transfer config locally
environment:
- TZ=$TZ
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.portainer-rtr.entrypoints=https"
- "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
## Middlewares
# - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth#file" # No Authentication
- "traefik.http.routers.portainer-rtr.middlewares=middlewares-basic-auth#file" # Basic Authentication
# - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth#file" # Google OAuth 2.0
# - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia#file" # Authelia
## HTTP Services
- "traefik.http.routers.portainer-rtr.service=portainer-svc"
- "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

You are right about entrypoints:
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
You missed your entrypoint for port 9000
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
- --entryPoints.portainer.address=:9000
But if you add 9000 it supposes you want to listen the 9000 port but it's probably not you want to do.
You want to go to your domain to 443 then be redirected to 9000.
If you publish the port 9000 it could resolve your problem
If you see here:
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
You should add your port 9000 like
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
- target: 9000
published: 9000
protocol: tcp
mode: host
Hope you found the answer somehow before my answer.

Access client ip inside nextcloud docker with haproxy docker

I have a some docker container running and i want to see the real ip address from the client on the nextcloud docker logs. But currently i only can see the ip address from the haproxy container, i already added option forwardfor but still it does not work.
My docker-compose:
version: '3'
services:
db:
image: linuxserver/mariadb
restart: always
environment:
- MYSQL_ROOT_PASSWORD=
- PUID=100
- PGID=100
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_PASSWORD=
volumes:
- /home/raspi/nextcloud-docker/volumen/mariadb/:/config
app:
image: nextcloud:apache
restart: always
volumes:
- /home/raspi/nextcloud-docker/volumen/nextcloud/:/var/www/html
environment:
- VIRTUAL_HOST=
- LETSENCRYPT_HOST=
- LETSENCRYPT_EMAIL=
- MYSQL_HOST=db
- OVERWRITEPROTOCOL=https
env_file:
- db.env
depends_on:
- db
networks:
- proxy-tier
- default
haproxy:
restart: always
image: haproxy:2.1.7
volumes:
- /home/raspi/nextcloud-docker/haproxy/config:/usr/local/etc/haproxy/
- /home/raspi/nextcloud-docker/haproxy/certs/haproxy/:/usr/local/etc/ssl/
ports:
- 8080:8080
networks:
- proxy-tier
depends_on:
- app
networks:
proxy-tier:
My haproxy.cfg:
global
maxconn 50
tune.ssl.default-dh-param 2048
log stdout format raw local0
defaults
log global
mode http
timeout tunnel 1h
timeout http-request 1h
timeout connect 20s
option forwardfor
option http-server-close
frontend https
bind *:8080 ssl crt /usr/local/etc/ssl/website.org
http-request redirect scheme https code 301 if !{ ssl_fc }
default_backend nextcloud
timeout client 1h
backend nextcloud
server app1 app:80
timeout server 1h
The nextcloud logs:
{"reqId":"GoyJSJ8Jl1xAUf9xARf6","level":2,"time":"2020-09-11T23:41:54+00:00","remoteAddr":"172.29.0.3","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: malo (Remote IP: 172.29.0.3)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","version":"19.0.0.12"}
{"reqId":"A4n1pk3sU8Bsh0pkMjfB","level":2,"time":"2020-09-11T23:43:27+00:00","remoteAddr":"172.29.0.3","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: malo3 (Remote IP: 172.29.0.3)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","version":"19.0.0.12"}
As you can see, in only getting the ip address from the haproxy container. I already did add
option forwardfor to haproxy.cfg and did add
'trusted_proxies' => array('172.29.0.3'),
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
and restarted but nothing worked. I need this to make fail2ban work.
What am i missing?

I had to make the proxy-tier network static so my networks look like this:
networks:
proxy-tier:
ipam:
config:
- subnet: 174.20.0.0/24
and the app and haproxy container i had to put this:
networks:
proxy-tier:
ipv4_address: 174.20.0.x
and now add the haproxy container ip address:
environment:
- TRUSTED_PROXIES=174.20.0.x
now it works!

How to make websocket work with traefik and docker?

I've read through all of the related traefik / websocket issues here and other forums, but I wasn't able to solve the problem for my setup.
I'm trying to run Dataiku DSS behind Traefik as reverse proxy. But I'm still new to Traefik and can't figure out how to make websockets for my service work via Traefik.
I'm using the following config:
traefik.yml:
api:
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
certificatesResolvers:
http:
acme:
email: admin#example.com
storage: acme.json
httpChallenge:
entryPoint: http
traefik/docker-compose.yml:
version: '3'
services:
traefik:
image: traefik:v2.0
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/acme.json:/acme.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=<USER>:<PW>"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=http"
- "traefik.http.routers.traefik-secure.service=api#internal"
networks:
proxy:
external: true
dataiku/docker-compose.yml:
version: '3.7'
services:
dataiku:
build:
context: .
dockerfile: Dockerfile
restart: on-failure
volumes:
- dss_data:/home/dataiku/dss
labels:
- traefik.enable=true
- traefik.http.routers.dataiku.entrypoints=http
- traefik.http.routers.dataiku.rule=Host(`dataiku.example.com`)
#- traefik.http.middlewares.dataiku-https-redirect.redirectscheme.scheme=https
#- traefik.http.routers.dataiku.middlewares=dataiku-https-redirect
#- traefik.http.routers.dataiku-secure.entrypoints=https
#- traefik.http.routers.dataiku-secure.rule=Host(`dataiku.example.com`)
#- traefik.http.routers.dataiku-secure.tls=true
#- traefik.http.routers.dataiku-secure.tls.certresolver=http
#- traefik.http.routers.dataiku-secure.service=dataiku
- traefik.http.services.dataiku.loadbalancer.server.port=10000
- traefik.docker.network=proxy
volumes:
dss_data:
networks:
proxy:
external: true
However, when I run dataiku, I see that the websocket connections fail. In Firefox, I see that right after the WS connection is attempted, I get the following error: XSRF validation failed.
On Chrome, I see the following: Error during WebSocket handshake: Sent non-empty 'Sec-WebSocket-Protocol' header but no response was received
The request headers looks like this:
Host: example.com
User-Agent: ...
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
Origin: http://example.com
Sec-WebSocket-Protocol: dummy, xsrf-7646db48d09813bbe5038c1aa2967e0a9712f81a24b156731f88bde5d3c4d8a5
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: 3sSlW9J6GN6d4+bhFr1IIQ==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
The response headers looks like this:
HTTP/1.1 101 Switching Protocols
Connection: upgrade
Date: Sat, 06 Jun 2020 15:18:08 GMT
Sec-Websocket-Accept: x29WLUMyl5OmRfhZOncdLE65lOU=
Server: nginx
Upgrade: WebSocket
Both errors indicate to me, that the response is missing a correct Sec-WebSocket-Protocol header. But I don't know how to fix that. Initially I thought it might have something to do with TLS, that's why I commented out the secure entrypoint and redirect. But it still exists.
I've previously had no issues with a nginx config like this one:
server {
# Host/port on which to expose Data Science Studio to users
listen 80;
server_name dss.example.com;
location / {
# Base url of the Data Science Studio installation
proxy_pass http://DSS_HOST:DSS_PORT/;
proxy_redirect off;
# Allow long queries
proxy_read_timeout 3600;
proxy_send_timeout 600;
# Allow large uploads
client_max_body_size 0;
# Allow protocol upgrade to websocket
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Does anyone have an idea how to solve this?

Nextcloud in Docker with Caddy proxy

I’m trying to install Nextcloud on my server with Docker using a Caddy reverse proxy. Caddy is working for other services so I will just copy the Caddyfile here.
There are 3 ways I tried accessing it on the Docker host machine:
localhost:8080 - working
IP of host machine - it says it is not a trusted domain
domain - 502 Bad Gateway
Please help I’ve already tried multiple configurations but can not get it working.
Caddyfile:
{domain} {
tls {email}
tls {
dns godaddy
}
# Enable basic compression
gzip
# Service discovery via well-known
redir /.well-known/carddav /remote.php/carddav 301
redir /.well-known/caldav /remote.php/caldav 301
proxy / http://nextcloud:8080 {
# X-Forwarded-For, etc...
transparent
# Nextcloud best practices and security
header_downstream Strict-Transport-Security "max-age=15552000;"
header_downstream Referrer-Policy "strict-origin-when-cross-origin"
header_downstream X-XSS-Protection "1; mode=block"
header_downstream X-Content-Type-Options "nosniff"
header_downstream X-Frame-Options "SAMEORIGIN"
}
}
docker-compose file:
version: '3.7'
services:
db:
container_name: nextcloud-db
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
restart: always
volumes:
- db:/var/lib/mysql
env_file:
- ./nextcloud/config/db.env
environment:
- MYSQL_ROOT_PASSWORD={pw}
networks:
- db
app:
container_name: nextcloud
image: nextcloud
ports:
- 8080:80
volumes:
- nextcloud:/var/www/html
env_file:
- ./nextcloud/config/db.env
environment:
- MYSQL_HOST=db
- NEXTCLOUD_TRUSTED_DOMAINS="localhost {host ip} {domain}"
restart: always
networks:
- proxy
- db
depends_on:
- db
volumes:
db:
nextcloud:
networks:
db:

Figured it out.
In the Caddyfile the nextcloud port should be 80 instead of 8080 as it is in the inner network.