I'm new to SSL certificates with Traefik and have been having real trouble getting a successful deployment.
I have a server and domain that I have deployed my application on using Traefik and HTTP without issue. I would now like the same application, running on port 9000, to be deployed over HTTPS using Let's Encrypt, following the Traefik docs. I can verify that the certificate has been properly created using an SSL checker; however, when I try to visit the site I get Internal Server Error. There are no errors reported in either of the Docker logs and I cannot figure out what to try next.
docker-compose.yml
version: '2'
services:
  traefik:
    image: traefik:v1.7
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    container_name: traefik
  app:
    image: myapp_image
    container_name: app
    restart: always
    networks:
      - web
    ports:
      - "9000:9000"
    labels:
      - "traefik.docker.network=web"
      - "traefik.enable=true"
      - "traefik.basic.frontend.rule=Host:myapp.com"
      - "traefik.basic.port=9000"
      - "traefik.basic.protocol=http"
      - "traefik.admin.frontend.rule=Host:myapp.com"
      - "traefik.admin.protocol=https"
      - "traefik.admin.port=9000"
networks:
  web:
    external: true
traefik.toml
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myapp.com"
watch = true
exposedByDefault = false

[acme]
email = "myemail@email.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
Finally was able to find a workable solution for this. I may have just been using old information, but the best reference to host an application with Traefik on HTTPS using Let's Encrypt was found here.
The working YAML example is below. Using this example will also eliminate the need for a TOML file!
version: "3.3"
services:
  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
I'm running a gitlab-ee Docker container behind a Traefik v1 Docker container. My GitLab is supposed to run on the domain gitlab.dev.example.com:65443; port 65443 is being forwarded to 443 on my server within my router (I have other stuff running on my 443 and 80 ports). My Traefik dashboard is running on traefik.dev.example.com:65443/dashboard/
Now when I want to get a Let's Encrypt certificate with Traefik it tries to get it for the domain gitlab.dev.example.com and fails with "Unable to obtain ACME certificate for domains "gitlab.dev.example.com" [...]"
If I visit https://gitlab.dev.example.com:65443 it opens my GitLab container but with the "Traefik Default Cert". I cannot push or pull from these GitLab repositories because the SSL certificates are self-signed, hence why I want to get a Let's Encrypt one.
I swapped out the actual domain with "example.com", obviously.
my traefik.toml:
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https", "http"]

[web]
address = ":80"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "traefik.dev.example.com" # swapped the url out
watch = true
exposedByDefault = false

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

# Enable retry sending a request if the network error
[retry]

# Let's encrypt configuration
[acme]
email="e@mail.com" # swapped the email out
storage="acme.json"
entryPoint="https"
acmeLogging=true
OnHostRule=true
  [acme.httpChallenge]
  entryPoint = "http"
Now to my docker-compose files. I have a separate docker-compose.yml for each container.
My docker-compose.yml for the Traefik container:
version: "3.2"
services:
  reverse-proxy:
    image: traefik:alpine
    command: --api --docker --logLevel=error
    restart: unless-stopped
    container_name: docker-traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/etc/traefik/traefik.toml
      - ./acme.json:/acme.json
    environment:
      - "TZ=Europe/Berlin"
    networks:
      - traefik_proxy
      - default
    ports:
      - "443:443"
      - "80:80"
    logging:
      driver: "json-file"
      options:
        max-file: "3"
        max-size: "5m"
    labels:
      - traefik.backend=traefik-proxy
      - traefik.frontend.rule=Host:traefik.dev.loropserver.de
      - traefik.docker.network=traefik_proxy
      - traefik.port=8080
      - traefik.enable=true
      - traefik.frontend.auth.basic=lorop:$$apr1$$dHnqprRX$$DjIWIaE97EnMoxwu6o/14.
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  # default:
  #   driver: bridge
My docker-compose.yml for the GitLab container:
version: '3.5'
services:
  gitlab:
    image: 'gitlab/gitlab-ee:latest'
    container_name: gitlab
    restart: unless-stopped
    hostname: 'gitlab.dev.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.dev.example.com';
        # some more configs
    ports:
      - '22:22'
      - '5005:5005'
    volumes:
      - './volumes/gitlab/config:/etc/gitlab'
      - './volumes/gitlab/logs:/var/log/gitlab'
      - './volumes/gitlab/data:/var/opt/gitlab'
      - /etc/localtime:/etc/localtime:ro
      - './certs:/etc/gitlab/trusted-certs'
    networks:
      - traefik_proxy
    labels:
      - 'traefik.enable=true'
      - 'traefik.port=65443'
      - 'traefik.docker.network=traefik_proxy'
      - 'traefik.backend=gitlab'
      - 'traefik.frontend.rule=Host:gitlab.dev.example.com'
      - 'traefik.http.routers.entrypoints=websecure'
networks:
  traefik_proxy:
    external: true
I am new to traefik and am trying to set up my containers to be reverse-proxied by traefik at the moment. It all worked fine while using traefik.frontend.rule=Host:grafana01.mydomain.com for routing requests to grafana01.mydomain.com, but due to infrastructural issues within our network I'd rather use traefik.frontend.rule=Path:/grafana01/ to redirect to mydomain.com/grafana01. Yet for some reason it does not work.
My traefik.toml file as well as my two docker-compose.yml files for traefik and grafana, respectively:
#Traefik Global Configuration
debug = false
checkNewVersion = true
logLevel = "ERROR"

#Define the EntryPoint for HTTP and HTTPS
defaultEntryPoints = ["https","http"]

#Enable Traefik Dashboard on port 8080
[web]
address = ":8080"

#Define the HTTP port 80 and
#HTTPS port 443 EntryPoint
#Enable automatically redirect HTTP to HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

#Enable retry sending a request if the network error
[retry]

#Define Docker Backend Configuration
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
watch = true

#Letsencrypt Registration
#Define the Letsencrypt ACME HTTP challenge
[acme]
email = "some_email"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
version: '3'
services:
  traefik:
    image: traefik:latest
    command: --docker --docker.mydomain.com
    ports:
      - 80:80
      - 443:443
    networks:
      - traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    labels:
      - "traefik.frontend.rule=Host:mydomain.com"
      - "traefik.port=8080"
      - "traefik.backend=traefik"
    container_name: traefik
    restart: always
networks:
  traefik:
    external: true
version: '3'
services:
  grafana01:
    image: grafana/grafana
    labels:
      - traefik.port=3000
      - traefik.backend=grafana01
      - traefik.frontend.rule=Path:/grafana01/
      - traefik.docker.network=traefik
    networks:
      - traefik
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=secret
    volumes:
      - /srv/docker/grafana01/data:/var/lib/grafana
    container_name: grafana01
    restart: always
  grafana02:
    image: grafana/grafana
    labels:
      - traefik:port=3001
      - traefik.backend=grafana02
      - traefik.frontend.rule=Path:/grafana02/
      - traefik.docker.network=traefik
      - traefik.enable=true
    networks:
      - traefik
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=secret
    volumes:
      - /srv/docker/grafana02/data:/var/lib/grafana
    container_name: grafana02
    restart: always
networks:
  traefik:
    external: true
I'd appreciate any help!
Changing traefik.frontend.rule=Path:/grafana01/ to traefik.frontend.rule=PathPrefixStrip:/grafana01 as well as adding GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s/grafana01 did the trick for me.
I was reviewing the log files/database and I noticed that when I attempted to trip the Nextcloud brute force protection manually, it was recording the IP and subnet of the Docker network, not the IP address I was accessing the login page from (specifically 192.168.192.1 and 192.168.192.1/32).
I don't know if I have something on the Traefik or Nextcloud compose files configured incorrectly or if something else is wrong with the Docker network, but obviously I would like it to detect the actual IP address of the user trying to log in, not the internal Docker IP information. I thought I'd start here and see if I can get any feedback before looking elsewhere.
traefik docker-compose.yml: https://pastebin.com/rjFA5ZBi
version: '3.3'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${USERDIR}/traefik/traefik.toml:/traefik.toml
      - ${USERDIR}/traefik/acme.json:/acme.json
      - /var/log/traefik:/var/log
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    expose:
      - 8080
    command:
      - --accessLog.filePath=/var/log/access.log
      - --accessLog.filters.retryAttempts=true
      - --accessLog.filters.minDuration=10ms
      - --accessLog.filters.statusCodes=400-499
    restart: always
networks:
  proxy:
    external: true
Nextcloud docker-compose.yml: https://pastebin.com/CjTYBZm6
db:
  image: mariadb
  container_name: nextcloud-mariadb
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=${TZ}
  networks:
    - proxy
  volumes:
    - ${USERDIR}/mysql:/var/lib/mysql
    - /etc/localtime:/etc/localtime:ro
  environment:
    - MYSQL_ROOT_PASSWORD=Win!
    - MYSQL_PASSWORD=Win!
    - MYSQL_DATABASE=nextcloud
    - MYSQL_USER=nextcloud
  restart: unless-stopped
nextcloud:
  image: linuxserver/nextcloud
  container_name: nextcloud
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=${TZ}
  depends_on:
    - db
  volumes:
    - /mnt/raid/nextcloud:/data
    - ${USERDIR}/nextcloud:/config
    #- ${USERDIR}/nextcloud:/var/www/html
    #- ${USERDIR}/nextcloud/app/config:/var/www/html/config
    #- ${USERDIR}/nextcloud/app/custom_apps:/var/www/html/custom_apps
    #- ${USERDIR}/nextcloud/app/themes:/var/www/html/themes
    - /etc/localtime:/etc/localtime:ro
  labels:
    - traefik.enable=true
    - traefik.backend=nextcloud
    - traefik.frontend.rule=Host:upload.${DOMAIN}
    - traefik.docker.network=proxy
    - traefik.basic.protocol=https
    - traefik.port=443
    - traefik.frontend.redirect.permanent=true
    - traefik.frontend.redirect.regex= https://(.*)/.well-known/(card|cal)dav
    - traefik.frontend.redirect.replacement=https://$$1/remote.php/dav/
    - traefik.frontend.headers.SSLRedirect=true
    - traefik.frontend.headers.STSSeconds=315360000
    - traefik.frontend.headers.browserXSSFilter=true
    - traefik.frontend.headers.contentTypeNosniff=true
    - traefik.frontend.headers.forceSTSHeader=true
    - traefik.frontend.headers.SSLHost=example.com
    - traefik.frontend.headers.STSIncludeSubdomains=true
    - traefik.frontend.headers.STSPreload=true
    - traefik.frontend.headers.frameDeny=true
  networks:
    - proxy
  expose:
    - 443
  restart: unless-stopped
Traefik toml: https://pastebin.com/cDUxQaLb
#logLevel = "DEBUG"
logLevel = "INFO" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC"
################################################################
defaultEntryPoints = ["http", "https"]
InsecureSkipVerify = true

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.forwardedHeaders]
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.forwardedHeaders]
    [entryPoints.https.tls]

[web]
address = ":8080"

################################################################
# Docker configuration backend
################################################################
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "xxxx.xxxxx"
watch = true
exposedbydefault = false

[acme]
email = "xxxx"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
Any help is appreciated!!
Solved -
config.php for Nextcloud requires a trusted_proxies entry:
"trusted_proxies" => ['10.0.0.1'],
When added, the client IP address is finally relayed.
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/reverse_proxy_configuration.html
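Why that one config line changes what Nextcloud logs, as an added example (not Nextcloud's or Traefik's code): the function below resolves the client address from the TCP peer address and X-Forwarded-For the way a proxy-aware application should, honouring the header only when the peer is a configured proxy and only back to the nearest address that was not added by a trusted proxy. The addresses (192.168.192.1 as the Docker gateway the app sees, 203.0.113.5 as the browser, 10.9.9.9 as a value a client injected into the header) and the sample requests are constructed for illustration.

```python
"""Resolve the real client address behind a reverse proxy the way an
application's trusted-proxy setting (Nextcloud's trusted_proxies above) is
meant to: X-Forwarded-For is believed only when the direct peer is a
configured proxy, and only as far back as the last hop a trusted proxy added.

Added example, not Nextcloud's or Traefik's code. The proxy addresses, the
header values and the request tuples below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress


def _is_trusted(addr: str, trusted: list) -> bool:
    """True when addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, forwarded_for: str | None, trusted_proxies: list[str]) -> str:
    """Return the address the application should log and rate-limit on.

    remote_addr     -- the TCP peer the app sees; with Traefik in front this is
                       the Docker network gateway (192.168.192.1 in the question)
    forwarded_for   -- the X-Forwarded-For header as received, or None
    trusted_proxies -- addresses or CIDRs of proxies allowed to set that header
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    # Peer is not a known proxy: the header could have been written by anyone,
    # so the peer address is the only thing we can attribute the request to.
    if not forwarded_for or not _is_trusted(remote_addr, nets):
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    # Walk from the right: each trusted proxy appended the address it saw, so
    # the first untrusted hop is the client; everything left of it was supplied
    # by the client itself and must not be believed.
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop, nets):
                return hop
        except ValueError:
            return remote_addr  # unparsable hop: fall back to the peer address
    return remote_addr  # every hop was one of our own proxies


# Constructed requests: (peer address, X-Forwarded-For header) as the
# application container would see them behind Traefik on 192.168.192.0/24.
SAMPLE_REQUESTS = {
    "plain":   ("192.168.192.1", "203.0.113.5"),
    "spoofed": ("192.168.192.1", "10.9.9.9, 203.0.113.5"),  # client injected 10.9.9.9
    "direct":  ("198.51.100.7", "203.0.113.5"),             # header from an untrusted peer
}


def resolve_all(trusted_proxies: list[str]) -> dict[str, str]:
    """Resolve every sample request under one trusted-proxy configuration."""
    return {name: client_ip(peer, xff, trusted_proxies)
            for name, (peer, xff) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    # With no proxy listed every login attempt is attributed to the Docker
    # gateway, which is exactly the symptom described in the question.
    print(resolve_all([]))
    print(resolve_all(["192.168.192.1"]))
```

The value to put in trusted_proxies is whatever peer address the Nextcloud container actually sees (the question's logs show 192.168.192.1), and a CIDR is safer than a single address when the Docker network can be recreated with a different gateway. Note that the spoofed request resolves to 203.0.113.5, not 10.9.9.9: a brute-force limiter keyed on the leftmost header value would let a client pick its own identity.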
I'm trying to set up a server on my Raspberry Pi to run Nextcloud and Firefly III with Traefik as a reverse proxy. I'm using docker-compose and Portainer is working fine with HTTPS (included in the code for testing), but I cannot get Nextcloud or Firefly to run at all. When I use the official documentation for Firefly I can get it to run, and when I use NextcloudPi on its own I can also get that to run, but I cannot get both of them to work at the same time. FF is giving a 403 Forbidden "You don't have permission to access / on this server." error while Nextcloud is giving a "Bad Gateway" error. I'd be grateful for any help I can get regarding this as I've already read through as many sites as possible and I don't know what else to do.
This is my docker-compose.yml:
version: "3.2"
services:
  # Reverse Proxy and Let's Encrypt
  traefik:
    container_name: traefik
    image: traefik:alpine
    restart: always
    networks:
      - srv
      - firefly_iii_net
      - proxy-tier
    ports:
      - 80:80
      - 443:443
    volumes:
      - /opt/traefik/traefik.toml:/traefik.toml
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/acme.json:/acme.json
  # Portainer
  portainer:
    container_name: portainer
    image: portainer/portainer
    restart: always
    networks:
      - srv
    ports:
      - "9000:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/portainer:/data
    labels:
      - traefik.enable=true
      - "traefik.frontend.rule=Host:port.skdjfgsl.club"
  db:
    image: postgres:alpine
    restart: always
    volumes:
      - db:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
  app:
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - nextcloud:/var/www/html
    environment:
      - POSTGRES_HOST=db
      - POSTGRES_PASSWORD=
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
    depends_on:
      - db
    networks:
      - proxy-tier
    expose:
      - 80
      - 443
    labels:
      - traefik.enable=true
      - "traefik.frontend.rule=Host:nc.skdjfgsl.club"
  firefly_iii_app:
    environment:
      - FF_DB_HOST=firefly_iii_db
      - FF_DB_NAME=firefly
      - FF_DB_USER=firefly
      - FF_DB_PASSWORD=firefly
      - FF_APP_KEY=S0m3R@nd0mStr1ngOf32Ch@rsEx@ctly
      - FF_APP_ENV=local
      - FF_DB_CONNECTION=pgsql
      - TZ=Europe/Amsterdam
      - APP_LOG_LEVEL=debug
      - TRUSTED_PROXIES=**
    image: jc5x/firefly-iii
    links:
      - firefly_iii_db
    networks:
      - firefly_iii_net
    volumes:
      -
        source: firefly_iii_export
        target: /var/www/firefly-iii/storage/export
        type: volume
      -
        source: firefly_iii_upload
        target: /var/www/firefly-iii/storage/upload
        type: volume
    expose:
      - 80
      - 443
    labels:
      - traefik.enable=true
      - "traefik.frontend.rule=Host:ff.skdjfgsl.club"
      - traefik.port=443
  firefly_iii_db:
    environment:
      - POSTGRES_PASSWORD=firefly
      - POSTGRES_USER=firefly
    image: "postgres:10"
    networks:
      - firefly_iii_net
    volumes:
      - "firefly_iii_db:/var/lib/postgresql/data"
networks:
  srv:
  firefly_iii_net:
    driver: bridge
  proxy-tier:
volumes:
  db:
  nextcloud:
  firefly_iii_db: ~
  firefly_iii_export: ~
  firefly_iii_upload: ~
This is my traefik.toml:
defaultEntryPoints = ["http", "https"]
logLevel = "DEBUG"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
exposedByDefault = false
watch = true

[acme]
email = "email@mydomain.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
To go to port 443 (https) you need to adjust the protocol used by traefik to talk to the container with the following label:
- traefik.protocol=https
Bad gateway can mean traefik is trying to connect to the wrong port, wrong IP, or traefik and the container are not deployed to a common network. You can fix the first two by specifying a port and network name:
- traefik.port=80
- traefik.docker.network=project_proxy-tier
Where project is the name of your compose project (use docker network ls to see the external name of your networks).
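The three checks in this answer (the backend port, the network shared with Traefik, and the traefik.enable label that exposedByDefault=false requires) can be run mechanically against a compose file before the stack is started. The script below is an added example, not Traefik's tooling or code from any poster in this thread. It lints a constructed, cut-down merge of services from the questions above (the grafana02 service with `traefik:port` instead of `traefik.port`, the grafana01 service without traefik.enable, the Nextcloud app exposing two ports without a traefik.port label); the project name `project` and the host `nc.example.test` are assumptions. In practice you would pass `yaml.safe_load()` output of the real file in place of COMPOSE.

```python
"""Lint a compose project's Traefik v1 labels for the "Bad Gateway" causes
named in the answer above: missing traefik.enable with exposedByDefault=false,
an unset or mismatched traefik.port, a malformed label key, and no Docker
network shared with Traefik. Added example, not tooling from Traefik or from
any project on this page. COMPOSE is a constructed, cut-down merge of services
from this thread in the shape yaml.safe_load() returns; "project" stands for
the compose project name Docker prefixes to non-external network names."""
from __future__ import annotations

import re

COMPOSE = {
    "services": {
        "traefik": {"image": "traefik:alpine", "networks": ["traefik", "proxy-tier"]},
        "grafana01": {  # grafana question: no traefik.enable label
            "image": "grafana/grafana", "networks": ["traefik"],
            "labels": ["traefik.port=3000", "traefik.frontend.rule=Path:/grafana01/",
                       "traefik.docker.network=traefik"]},
        "grafana02": {  # grafana question: ':' instead of '.' in the port label
            "image": "grafana/grafana", "networks": ["traefik"],
            "labels": ["traefik:port=3001", "traefik.frontend.rule=Path:/grafana02/",
                       "traefik.docker.network=traefik", "traefik.enable=true"]},
        "app": {  # Raspberry Pi question: two ports exposed, traefik.port unset
            "image": "nextcloud:fpm-alpine", "networks": ["proxy-tier"], "expose": [80, 443],
            "labels": ["traefik.enable=true", "traefik.frontend.rule=Host:nc.example.test"]},
        "db": {"image": "postgres:alpine"},  # no traefik labels: not proxied, skipped
    },
    "networks": {"traefik": {"external": True}, "proxy-tier": None},
}


def parse_labels(service: dict) -> tuple[dict[str, str], list[str]]:
    """Split labels into (traefik key -> value, malformed traefik labels)."""
    raw = service.get("labels") or []
    items = [f"{k}={v}" for k, v in raw.items()] if isinstance(raw, dict) else list(raw)
    labels, malformed = {}, []
    for item in items:
        key, sep, value = item.partition("=")
        if not key.startswith("traefik"):
            continue
        if sep and re.fullmatch(r"traefik(\.[A-Za-z0-9_-]+)+", key):
            labels[key] = value
        else:
            malformed.append(item)  # e.g. "traefik:port=3001"
    return labels, malformed


def docker_network_names(compose: dict, declared, project: str) -> set[str]:
    """Map a service's 'networks' entry to the names Docker actually assigns."""
    resolved = set()
    for n in list(declared or ["default"]):
        spec = (compose.get("networks") or {}).get(n) or {}
        ext = spec.get("external")
        if isinstance(ext, dict) and ext.get("name"):
            resolved.add(ext["name"])        # external network with an explicit name
        elif ext:
            resolved.add(n)                  # external: name used as-is
        else:
            resolved.add(f"{project}_{n}")   # compose prefixes the project name
    return resolved


def declared_ports(service: dict) -> set[int]:
    """Container-side ports named in 'expose' or short-syntax 'ports'."""
    found = {int(str(p).split("/")[0]) for p in service.get("expose") or []}
    for p in service.get("ports") or []:
        found.add(int(str(p).split(":")[-1].split("/")[0]))
    return found


def lint(compose: dict, project: str, traefik_service: str = "traefik",
         exposed_by_default: bool = False) -> dict[str, list[str]]:
    """Return {service: [findings]} for every service that carries traefik labels."""
    services = compose["services"]
    traefik_nets = docker_network_names(compose, services[traefik_service].get("networks"), project)
    report: dict[str, list[str]] = {}
    for name, svc in services.items():
        if name == traefik_service:
            continue
        labels, malformed = parse_labels(svc)
        if not labels and not malformed:
            continue  # no traefik labels at all: not meant to be proxied
        findings = [f"malformed label {m!r}: Traefik keys use '.' separators" for m in malformed]
        if not exposed_by_default and labels.get("traefik.enable") != "true":
            findings.append("traefik.enable=true missing while exposedByDefault=false; Traefik ignores this container")
        ports, port = declared_ports(svc), labels.get("traefik.port")
        if port is None and len(ports) > 1:
            findings.append(f"traefik.port not set but the container declares ports {sorted(ports)}; set it explicitly")
        elif port and port.isdigit() and ports and int(port) not in ports:
            findings.append(f"traefik.port={port} is not among the declared ports {sorted(ports)}")
        svc_nets = docker_network_names(compose, svc.get("networks"), project)
        shared = svc_nets & traefik_nets
        if not shared:
            findings.append(f"no network shared with {traefik_service}: service on {sorted(svc_nets)}, traefik on {sorted(traefik_nets)}")
        chosen = labels.get("traefik.docker.network")
        if chosen and chosen not in shared:
            findings.append(f"traefik.docker.network={chosen} is not shared with {traefik_service}; use one of {sorted(shared)}")
        elif not chosen and len(svc_nets) > 1:
            findings.append(f"container is on {len(svc_nets)} networks; set traefik.docker.network to one of {sorted(shared)}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for service, findings in lint(COMPOSE, "project").items():
        print(service, "->", findings or "ok")
```

The network check reproduces the naming rule from the answer: a non-external network declared as `proxy-tier` in project `project` exists in Docker as `project_proxy-tier`, which is also the value traefik.docker.network must carry, while an external network keeps its own name. The port check only fires when the compose file itself declares ports, since an image's EXPOSE directives are not visible here.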
I tried to set up a reverse proxy using Traefik for one of my Docker services. When I run the services, in Traefik's web UI I can see the mapping, but only for HTTP even though I have specified HTTPS in the traefik.toml file. I am also not able to access my services directly. All the services are in the same network, so I am not sure what is causing this.
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
address = ":8080"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/certs/journal.crt"
      keyFile = "/certs/journal.key"

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "journal.com"
watch = true
exposedbydefault = false
docker-compose.yml
version: '3'
services:
  reverse-proxy:
    image: traefik
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/traefik.toml
      - ./traefik/certs/journal.crt:/certs/journal.crt
      - ./traefik/certs/journal.key:/certs/journal.key
    networks:
      - web
  prisma:
    image: prismagraphql/prisma:1.8
    restart: always
    ports:
      - "${PRISMA_HOST_PORT}:4466"
    environment:
      PRISMA_CONFIG: |
        port: 4466
        managementApiSecret: ${PRISMA_API_SECRET}
        databases:
          default:
            connector: postgres
            host: ${PRISMA_DB_HOST}
            port: ${PRISMA_DB_PORT}
            database: ${PRISMA_DB}
            user: ${PRISMA_DB_USER}
            password: ${PRISMA_DB_PASSWORD}
            migrations: ${PRISMA_ENABLE_MIGRATION}
  graphql-server:
    build: ./graphql-server/
    ports:
      - "${GRAPHQL_SERVER_PORT}:8080"
    volumes:
      - ./graphql-server:/usr/src/app
    depends_on:
      - prisma
    command: ["./wait-for-it.sh", "prisma:${PRISMA_HOST_PORT}", "--", "npm", "start"]
    environment:
      - PRISMA_SERVICE_NAME=prisma
      - PRISMA_API_SECRET
      - PRISMA_HOST_PORT
      - GRAPHQL_SERVER_PORT
      - APOLLO_ENGINE_KEY
    labels:
      - "traefik.backend=graphql"
      - "traefik.frontend.rule=Host:api.journal.com"
      - "traefik.enable=true"
      - "traefik.port=${GRAPHQL_SERVER_PORT}"
    networks:
      - web
  react-client:
    build: ./react-client/
    ports:
      - "${REACT_CLIENT_PORT}:3000"
    volumes:
      - ./react-client:/usr/src/app
    depends_on:
      - graphql-server
    environment:
      - GRAPHQL_SERVER_PORT
      - REACT_CLIENT_PORT
networks:
  web:
    external: true
Thanks in advance.
Try to add following docker label to your graphql-server service:
traefik.frontend.entryPoints=http,https
I am facing the same problem. I have 'defaultEntryPoints = ["http", "https"]' defined in Traefik's (v1.7) main config, but when Docker containers come up and register within Traefik the frontend is reachable only via HTTP, not HTTPS, unless I define the entrypoints directly via Docker labels.
regards,
max