I want run my express-gateway locally in my pc and have two services for access with my gateway, the problem is that always have the same problem "bad gateway" I test with other public api and work fine, how can do run this locally without this problem? because always show "bad gateway":
my docker-compose.yml
version: "3.4"
services:
express-gateway:
image: gateway:latest
build:
context: ./
dockerfile: Dockerfile
labels:
- "traefik.enable=true"
- "traefik.http.routers.express-gateway.rule=Host(`eg.127.0.0.1.nip.io`)"
- "traefik.http.routers.express-gateway.entrypoints=web"
- "traefik.http.services.express-gateway.loadbalancer.server.port=9090"
volumes:
- ./gateway.config.yml:/usr/src/app/config/gateway.config.yml
ingress-controller:
image: traefik:v2.0
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
ports:
- 80:80
- 8080:8080
volumes:
- /var/run/docker.sock:/var/run/docker.sock
this is the configuration on my express gateway. my gateway.config.yml :
http:
port: 9090
admin:
port: 9876
host: 0.0.0.0
apiEndpoints:
events:
host: "*"
paths: ["/api/events*", "/swagger*"]
methods: ["GET", "PATCH"]
eventsCreate:
host: "*"
paths: "/api/events*"
methods: ["POST", "PUT", "OPTIONS"]
auth:
host: "*"
paths: "/api/auth*"
methods: ["POST", "GET", "OPTIONS"]
serviceEndpoints:
auth:
url: "http://127.0.0.1:59868"
events:
url: "http://127.0.0.1:5000"
policies:
- basic-auth
- cors
- expression
- key-auth
- log
- oauth2
- proxy
- rate-limit
- jwt
- request-transformer
pipelines:
authPipeline:
apiEndpoints:
- auth
policies:
- cors:
- log:
action:
message: "auth ${req.method}"
- proxy:
action:
serviceEndpoint: auth
changeOrigin: true
eventsPipeline:
apiEndpoints:
- events
policies:
- cors:
- log:
action:
message: "events ${req.method}"
- proxy:
action:
serviceEndpoint: events
changeOrigin: true
eventsCreatePipeline:
apiEndpoints:
- eventsCreate
policies:
- cors:
- log:
action:
message: "events ${req.method}"
- jwt:
action:
secretOrPublicKey: "MORTADELAIsMyPassion321"
checkCredentialExistence: false
- proxy:
action:
serviceEndpoint: events
changeOrigin: true
Bad Gateway is usually an error raised by the Proxy policy — in such case you should be able to check the log and see the specifics, and then go from there.
Related
Stack:
serverX
docker
traefik
x-site.com
redirect :80->:443
https://x-site.com/* -> x-site docker container
wss://x-site.com/ws proxy -> ws://external.websocket.com:8083/ws HOW TO?
y-site.com
...
external.websocket.com - works perfectly with all kinds of mqtt,ws clients, except web
software: emqx
listens: ws:8083 mqtt:1883
protocol: ws, mqtt
proxy protocol support: on
docker-compose.yml
version: '3.7'
services:
router:
container_name: router
image: traefik:v2.6
restart: on-failure:5
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
- target: 8080
published: 8080
mode: host
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./router:/etc/traefik
x-site:
container_name: x-site
image: backend
restart: on-failure:5
env_file:
- /.default.env
- /.server.env
- /root/env/x-site.env
labels:
traefik.enable: true
traefik.http.routers.x-site.rule: Host(`x-site.com`)
traefik.http.routers.x-site.entrypoints: web,websecure
traefik.http.routers.x-site.tls: true
# tried service loadbalancer and etc
# traefik.http.routers.ws_x-site.rule: Host(`x-site.com`) && PathPrefix(`/ws`)
# traefik.http.routers.ws_x-site.entrypoints: websecure
# traefik.http.routers.ws_x-site.service: websocket_x-site
# traefik.http.services.websocket_x-site.loadBalancer.server.url: ws://external.websocket.com:8083/ws
traefik.yaml
api:
insecure: true
dashboard: true
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
transport:
respondingTimeouts:
readTimeout: 10
writeTimeout: 10
idleTimeout: 10
lifeCycle:
requestAcceptGraceTimeout: 5
graceTimeOut: 5
websecure:
address: ":443"
transport:
respondingTimeouts:
readTimeout: 300
writeTimeout: 3600
idleTimeout: 180
lifeCycle:
requestAcceptGraceTimeout: 30
graceTimeOut: 30
providers:
docker:
endpoint: unix:///var/run/docker.sock
exposedByDefault: false
file:
filename: /etc/traefik/cert.yaml
log:
level: ERROR
Unable to routing external ip/port
I'm following this guide and unable to route the external IP into the subdomain, resulting to nothing while internal port (installed portainer in docker) seems working. Exposing to the public is my next plan. Following is my yml config
docker-compose.yml
Exposed 80 and 443 port from the router, DNS name server also pointed on my digitalocean then pointed into my traefik-dashboard.local.example.com -> public-IP by using A-record
version: '3'
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
environment:
- DO_AUTH_TOKEN=TOKEN
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /root/container/traefik/data/traefik.yml:/traefik.yml:ro
- /root/container/traefik/data/traefik.yml:/traefik.yml:ro
- /root/container/traefik/data/acme.json:/acme.json
- /root/container/traefik/data/config.yml:/config.yml:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.example.com`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:password"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.example.com`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=digitalocean"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=local.example.com"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.example.com"
- "traefik.http.routers.traefik-secure.service=api#internal"
expose:
- 80
networks:
proxy:
external: true
data/traefik.yml
api:
dashboard: true
debug: true
insecure: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /config.yml
accessLog: {}
log:
level: debug
certificatesResolvers:
digitalocean:
acme:
email: email#example.com
storage: acme.json
dnsChallenge:
provider: digitalocean
delayBeforeCheck: 0
#resolvers:
# - "1.1.1.1:53"
# - "1.0.0.1:53"
pilot:
dashboard: false
metrics:
prometheus:
entryPoint: traefik
accessLog:
filePath: "/var/log/traefik/access.log"
filters:
statusCodes:
- "400-600"
` ``api:
dashboard: true
debug: true
insecure: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /config.yml
accessLog: {}
log:
level: debug
certificatesResolvers:
digitalocean:
acme:
email: email#example.com
storage: acme.json
dnsChallenge:
provider: digitalocean
delayBeforeCheck: 0
#resolvers:
# - "1.1.1.1:53"
# - "1.0.0.1:53"
pilot:
dashboard: false
metrics:
prometheus:
entryPoint: traefik
accessLog:
filePath: "/var/log/traefik/access.log"
filters:
statusCodes:
- "400-600"
The dashboard appeared with healthy server,
data/config.yml
I'm toggling this config on/off and the problem still persists.
http:
routers:
pihole:
entryPoints:
- "https"
rule: "Host(`pihole.local.example.com`)"
middlewares:
- default-headers
- addprefix-pihole
tls: {}
service: pihole
services:
pihole:
loadBalancer:
servers:
- url: "http://192.168.0.20:80"
passHostHeader: true
middlewares:
addprefix-pihole:
addPrefix:
prefix: "/admin"
https-redirect:
redirectScheme:
scheme: https
default-headers:
headers:
frameDeny: true
sslRedirect: true
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https
Already assigned A record in pi-hole, dns, seems doesn't do anything magic, the pihole.local.example.com still appeared blank.
Let me know if there's anything wrong with my config.
Attached below is my log
https://pastebin.com/raw/R1w9jR7U
I have tried to set up a docker-mail server on my server after that I tried to integrate with Mozilla Thunderbird and it worked
Than i try to use roundcube as mail client but it give response error with log like this:
Jul 13 05:24:28 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.18.0.1, lip=172.18.0.2, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<YSq2c/rGtLusEgAB>
There is my docker-compose.yml of roundcube
version: '2'
services:
roundcubemail:
image: roundcube/roundcubemail:latest
container_name: roundcubemail
volumes:
- ./www:/var/www/html
networks:
- database-network
- proxy
environment:
- ROUNDCUBEMAIL_DB_TYPE=mysql
- ROUNDCUBEMAIL_DB_HOST=${DB_HOST}
- ROUNDCUBEMAIL_DB_PORT=${DB_PORT}
- ROUNDCUBEMAIL_DB_NAME=${DB_DATABASE}
- ROUNDCUBEMAIL_DB_USER=${DB_USERNAME}
- ROUNDCUBEMAIL_DB_PASSWORD=${DB_PASSWORD}
- ROUNDCUBEMAIL_SKIN=elastic
- ROUNDCUBEMAIL_DEFAULT_HOST=ssl://${APP_HOST}
- ROUNDCUBEMAIL_DEFAULT_PORT=993
- ROUNDCUBEMAIL_SMTP_SERVER=ssl://${APP_HOST}
- ROUNDCUBEMAIL_SMTP_PORT=465
labels:
- "traefik.enable=true"
- "traefik.http.routers.roundcubemail.entrypoints=http"
- "traefik.http.routers.roundcubemail.rule=Host(`${APP_HOST}`)"
- "traefik.http.middlewares.roundcubemail-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.roundcubemail.middlewares=roundcubemail-https-redirect"
- "traefik.http.routers.roundcubemail-secure.entrypoints=https"
- "traefik.http.routers.roundcubemail-secure.rule=Host(`${APP_HOST}`)"
- "traefik.http.routers.roundcubemail-secure.tls=true"
- "traefik.http.routers.roundcubemail-secure.tls.certresolver=http"
- "traefik.http.routers.roundcubemail-secure.service=roundcubemail"
- "traefik.http.services.roundcubemail.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
networks:
database-network:
external: true
proxy:
external: true
Configure your roundcube to accept self signed certificates because by default it does not. You will have to make the ca.crt available to the roundcube server (enable cafile parameter)or disable peer verification (and leave cafile parameter commented), edit the config['imap_conn_options'] variable:
$config['imap_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
// 'verify_depth' => 3,
// 'cafile' => '/etc/openssl/certs/ca.crt',
),
);
solution confirmed here: https://www.roundcubeforum.net/index.php?topic=25321.0
I am running the WSO2is version 5.8.0 in Docker-Swarm, i script a compose for this mapping the files:
deployment.toml, wsocarbon.jks and directory in servers.
After change the keystore i receive the error on login admin:
System error while Authenticating/Authorizing User : Error when handling event : PRE_AUTHENTICATION
removing the mapping, the SSL Cert is not valid, but i login.
PS: i use traefik to redirect to container.
The stack deploy file:
#IS#
is-hml:
image: wso2/wso2is:5.8.0
ports:
- 4763:4763
- 4443:9443
volumes:
#- /docker/release-hml/wso2/full-identity-server-volume:/home/wso2carbon/wso2is-5.8.0
- /docker/release-hml/wso2/identity-server:/home/wso2carbon/wso2-config-volume
extra_hosts:
- "wso2-hml.valecard.com.br:127.0.0.1"
networks:
traefik_traefik:
aliases:
- is-hml
configs:
#- source: deployment.toml
# target: /home/wso2carbon/wso2is-5.8.0/repository/conf/deployment.toml
#
- source: wso2carbon.jks
target: /home/wso2carbon/wso2is-5.8.0/repository/resources/security/wso2carbon.jks
#- source: catalina-server.xml
# target: /home/wso2carbon/wso2is-5.8.0/repository/conf/tomcat/catalina-server.xml
- source: carbon.xml
target: /home/wso2carbon/wso2is-5.8.0/repository/conf/carbon.xml
#environment:
# - "CATALINA_OPTS=-Xmx2g -Xms2g -XX:MaxPermSize=1024m"
# - "JVM_OPTS=-Xmx2g -Xms2g -XX:MaxPermSize=1024m"
# - "JAVA_OPTS=-Xmx2g -Xms2g"
deploy:
#endpoint_mode: dnsrr
resources:
limits:
cpus: '2'
memory: '4096M'
replicas: 1
labels:
- "traefik.docker.network=traefik_traefik"
- "traefik.backend=is-hml"
- "traefik.port=4443"
- "traefik.frontend.entryPoints=http,https"
- "traefik.frontend.rule=Host:wso2-hml.valecard.com.br"
configs:
deployment.toml:
file: ./wso2-config/deployment.toml
catalina-server.xml:
file: ./wso2-config/catalina-server.xml
wso2carbon.jks:
file: ../../certs/wso2carbon-valecard.jks
carbon.xml:
file: ./wso2-config/carbon.xml
networks:
traefik_traefik:
external: true
The password is some from the deployment.toml
Thz.
i am trying to declare https redirect inside the traefik.yml file. For now i tried to add those rules inside the traefik service in docker-compose.yml. That worked like a charm. Although i'd prefer to configure this global and middleware redirect inside the traefik.yml file and then just reference it in the traefik service on docker-compose.yml.
What i had before
version: '3'
networks:
web:
external: true
services:
traefik:
image: traefik:v2.1
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./.traefik/traefik.yml:/traefik.yml
- ./.traefik/acme.json:/acme.json
networks:
- web
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(`$HOSTNAME`)"
- "traefik.http.routers.traefik.service=api#internal"
- "traefik.http.routers.traefik.tls.certresolver=le"
- "traefik.http.routers.traefik.entrypoints=https"
# Global redirect to https
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
# Middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
That worked easily and redirected all other domains from http to https.
What i want now
I want to declare those redirects inside the traefik.yml.
So far i have done this.
api: {}
entryPoints:
http:
address: ":80"
https:
address: ":443"
log:
level: DEBUG
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
network: web
http:
# Global redirect to https
routers:
http-catchall:
rule: hostregexp(`{host:.+}`)"
entrypoints:
http
middlewares:
- redirect-to-https
# Middleware redirect
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
certificatesResolvers:
le:
acme:
email: john#doe.com
storage: acme.json
# Activate for Development: Certificate will not be valid. It's only for testing if it can be obtained.
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
httpChallenge:
entryPoint: http
As you can see i declared the http settings.
My question is now how can i reference those settings into my traefik service?
I tried it with
- "traefik.http.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https"
- "traefik.http.middlewares.traefik=redirect-to-https#file"
None of them work. Some show the middleware in the dashboard but it is not linked to any settings.
Did anyone find a solution to this? I can't get out anything from the docs about this. I think it must be linked somehow to the #file.
Thank you
#file means that the middleware was defined in the file provider.
You can add a file provider like this in traefik.yml.
providers:
file:
directory: "/path/to/dynamic/conf"
Create a file in that directory with the middleware.
http:
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
You can now reference redirect-to-https#file in your labels.
- "traefik.http.middlewares.traefik=redirect-to-https#file"
NOTE: Some of your configuration in traefik.yml might need to be moved to your new yml file. I am new to Traefik and have not full knownlegde of why yet.
See the following sections in documentation:
https://docs.traefik.io/middlewares/overview/#provider-namespace
https://docs.traefik.io/providers/file/
In fact, you don't need to set this middleware to traefik in labels block. If you have such configuration in your traefik.yml:
http:
routers:
http-catchall:
rule: hostregexp(`{host:.+}`)
entrypoints:
- http
middlewares:
- redirect-to-https
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
permanent: false
It means - all traffic which came to entrypoint http should use middleware redirect-to-https and be redirected to another entrypoint: https. This configuration is globally.
So, you just have to set your container to https entrypoint (as you did, in your example)
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.ua`)"
- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api#internal"