Multiple Routers and Services on the same container with traefik 2 - docker

I'm currently trying to get Traefik to use multiple routers and services on a single container, which isn't working, and I don't know if this is intended at all.
Why?
Specifically, I'm using a GitLab omnibus container and wanted to use / access multiple services inside the omnibus container, since GitLab provides more than just "the GitLab website" with it.
What did i try?
I simply tried adding another router to my docker-compose file via labels.
This is what i have:
labels:
  - "traefik.http.routers.gitlab.rule=Host(`gitlab.example.com`)"
  - "traefik.http.services.gitlab.loadbalancer.server.port=80"
This is what i want:
labels:
  - "traefik.http.routers.gitlab.rule=Host(`gitlab.example.com`)"
  - "traefik.http.services.gitlab.loadbalancer.server.port=80"
  - "traefik.http.routers.registry.rule=Host(`registry.gitlab.example.com`)"
  - "traefik.http.services.registry.loadbalancer.server.port=5000"
This doesn't work, since Traefik is probably getting confused about what to route to which service, and I couldn't find a mechanism that tells Traefik exactly which router goes to which service in a case like this.
Is this even possible, or am I just missing a little bit of Traefik magic?

I found the solution to my question.
There's indeed a little bit I missed:
traefik.http.routers.myRouter.service=myService
With this label I can point a router to a specific service and should be able to add multiple services to one container:
labels:
  - "traefik.http.routers.gitlab.rule=Host(`gitlab.example.com`)"
  - "traefik.http.routers.gitlab.service=gitlab"
  - "traefik.http.services.gitlab.loadbalancer.server.port=80"
  - "traefik.http.routers.registry.rule=Host(`registry.gitlab.example.com`)"
  - "traefik.http.routers.registry.service=registry"
  - "traefik.http.services.registry.loadbalancer.server.port=5000"
Here each router is pointed to a specific service explicitly, which normally happens implicitly.
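The implicit binding the answer above relies on can be checked before a compose file is deployed. The following is an added example, not code from the original post and not part of Traefik: it parses the `traefik.http.routers.*` and `traefik.http.services.*` labels of one container and applies, as an assumption about Traefik's documented docker-provider behaviour, the rule that a router without a `.service` label is bound to the container's only service, falls back to a default service built from the container when none is declared, and is rejected as ambiguous when several services are declared. The two label sets from the question and the answer are embedded as constructed inputs; the container name `gitlab` is assumed.

```python
"""Resolve Traefik v2 docker labels into router -> service bindings.

Added example (not Traefik's own code). The resolution rule below is an
assumption modelled on Traefik's documented docker-provider behaviour.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(rule|service)$")
SERVICE_RE = re.compile(r"^traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.port$")

# Constructed inputs: the "what I have + what I want" labels from the question
# and the corrected labels from the answer.
AMBIGUOUS_LABELS = [
    "traefik.http.routers.gitlab.rule=Host(`gitlab.example.com`)",
    "traefik.http.services.gitlab.loadbalancer.server.port=80",
    "traefik.http.routers.registry.rule=Host(`registry.gitlab.example.com`)",
    "traefik.http.services.registry.loadbalancer.server.port=5000",
]
EXPLICIT_LABELS = [
    "traefik.http.routers.gitlab.rule=Host(`gitlab.example.com`)",
    "traefik.http.routers.gitlab.service=gitlab",
    "traefik.http.services.gitlab.loadbalancer.server.port=80",
    "traefik.http.routers.registry.rule=Host(`registry.gitlab.example.com`)",
    "traefik.http.routers.registry.service=registry",
    "traefik.http.services.registry.loadbalancer.server.port=5000",
]


def parse_labels(labels: List[str]) -> Tuple[Dict[str, Dict[str, str]], Dict[str, str]]:
    """Split labels into routers (name -> {rule, service}) and services (name -> port)."""
    routers: Dict[str, Dict[str, str]] = {}
    services: Dict[str, str] = {}
    for label in labels:
        key, _, value = label.partition("=")
        m = ROUTER_RE.match(key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value
            continue
        m = SERVICE_RE.match(key)
        if m:
            services[m.group(1)] = value
    return routers, services


def resolve(labels: List[str], container_name: str = "gitlab") -> Tuple[Dict[str, str], List[str]]:
    """Return (router -> service bindings, list of problems) for one container."""
    routers, services = parse_labels(labels)
    bound: Dict[str, str] = {}
    problems: List[str] = []
    for name, cfg in routers.items():
        explicit = cfg.get("service")
        if explicit is not None:
            # A qualified reference (name@provider) may live in another provider;
            # an unqualified one must be declared on this container (assumption).
            if "@" not in explicit and explicit not in services:
                problems.append(f"router {name!r}: service {explicit!r} is not defined on this container")
                continue
            bound[name] = explicit
        elif len(services) == 1:
            bound[name] = next(iter(services))          # the only service: implicit binding
        elif not services:
            bound[name] = container_name                # default service built from the container
        else:
            problems.append(
                f"router {name!r}: no .service label but {len(services)} services declared; "
                "Traefik cannot pick one"
            )
    return bound, problems


if __name__ == "__main__":
    for title, labels in (("question", AMBIGUOUS_LABELS), ("answer", EXPLICIT_LABELS)):
        bound, problems = resolve(labels)
        print(title, "->", bound, problems)
```

Run it on a compose file's label list before `docker compose up`; a non-empty problem list is exactly the situation in which Traefik would log an error for the router and serve nothing for that hostname.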

Related

Get Visitor IP or a Custom header in Jaeger docker behind docker traefik (v2.x)

We are experimenting with Jaeger as a tracing tool for our Traefik routing environment. We also use an encapsulated docker network.
The goal is to accumulate requests on our APIs per department and also some other monitoring.
We are using Traefik 2.8 as a docker service. All our services also run behind this Traefik instance.
We added basic tracing configuration to our .toml file and started a Jaeger instance, also as a docker service. On our websecure entrypoint we added forwardedHeaders.insecure = true
Jaeger is working fine, but we only get the docker-internal host IP of the service, not the visitor IP of the user accessing a client with the browser or app.
I googled around and I am not sure, but it seems that this is a problem due to our setup and can't be fixed, except by using network="host". But unfortunately that's not an option.
But I want to be sure, so I hope someone here has a tip for us to configure docker/Jaeger correctly, or knows if it is even possible.
A different tracing tool suggestion (for example something like Tideways, but more Python, wasm and C++ compatible) is also appreciated.
Thanks

Traefik and Apache vhosts

I'm pretty new to the docker world, and even more so to Traefik, so maybe I'm asking silly questions.
We have a docker-compose file with a LAMP stack and many vhosts to route them.
Yesterday I found Traefik, and it looks good! But I have so many questions. First, my docker machine has to have more containers than my own pages (for example a thumbor instance), which is why I looked into Traefik, but I also want to have my page1.mydomain.es and page2.mydomain.es and so on.
I can configure Traefik to route to my thumbor container, but the problem is with my Apache sites. How can I route so many domains to the Apache container, so that my Apache understands and gives me the right site?
I know that if I make every site a container I have fixed that, but I don't like it. Just thinking about having 15 sites, every one of them an Apache container instance, drives me nuts.
I answer myself:
labels:
  traefik.http.routers.apache.rule: Host(`vhost1.local`,`vhost2.local`)
This makes 2 routes to the same service; Traefik sends the right Host header and the Apache vhost returns the right site.
But this has some problems for me. With that approach, you can generate some Lets Encrypt certs, but it will give ONE cert with vhost1.local as the main SNI and the rest as a secondary.
To fix that, you need to add as many routes as you want, like this:
labels:
  traefik.http.routers.apache1.rule: Host(`vhost1.local`)
  traefik.http.routers.apache2.rule: Host(`vhost2.local`)
This will give 2 certs, each with the host as main SNI.
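The difference between one router with two hosts and two routers with one host each can be made visible before any ACME request is made. This is an added example, not code from the answer above and not part of Traefik: it extracts the host names from `Host(...)` rule expressions and groups them the way Traefik's ACME resolver is documented to request certificates, one certificate per router with the first host as the main name and the remaining hosts as SANs (stated here as an assumption about that behaviour). The two label sets from the answer are embedded as constructed inputs.

```python
"""Predict which ACME certificates a set of Traefik v2 Host rules will request.

Added example (not Traefik's own code). Assumption: Traefik requests one
certificate per router, main name = first host in the rule, rest = SANs.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Matches every Host(`a`,`b`) call in a rule; several calls may be joined by || or &&.
HOST_RE = re.compile(r"Host\(([^)]*)\)")

# Constructed inputs: the two label sets from the answer (router name -> rule).
ONE_ROUTER = {"apache": "Host(`vhost1.local`,`vhost2.local`)"}
TWO_ROUTERS = {"apache1": "Host(`vhost1.local`)", "apache2": "Host(`vhost2.local`)"}


def host_domains(rule: str) -> List[str]:
    """Return the host names named by a rule, in the order they appear."""
    names: List[str] = []
    for inner in HOST_RE.findall(rule):
        for raw in inner.split(","):
            name = raw.strip().strip("`").strip('"').strip("'")
            if name and name not in names:
                names.append(name)
    return names


def cert_requests(router_rules: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """One (main, sans) pair per router that has at least one Host() in its rule."""
    requests: List[Tuple[str, List[str]]] = []
    for rule in router_rules.values():
        hosts = host_domains(rule)
        if hosts:
            requests.append((hosts[0], hosts[1:]))
    return requests


if __name__ == "__main__":
    print("one router :", cert_requests(ONE_ROUTER))
    print("two routers:", cert_requests(TWO_ROUTERS))
```

Running the script shows the first label set asking for a single certificate `vhost1.local` + SAN `vhost2.local`, and the second asking for two separate certificates, which is also worth knowing when counting requests against Let's Encrypt rate limits.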

Using traefik for docker internal traffic via websockets

I'm using docker in swarm mode for the services in my application and Traefik to handle, well, the traffic. My goal is to make a separate service for each API section my application has (so for example requests on domain.com/api/foo_api go to the foo_api service and requests on domain.com/api/bar_api go to the bar_api service).
Now all this is pretty straightforward with Traefik. However, I'm also using the API services with other internal services not related to the API. They use a websocket connection to the internal docker URL, so currently it's ws://api:api_port/ws. However, if I split up the API part I'd need something like ws://foo_api:foo_api_port/ws, which obviously leaves the service with access only to foo_api, not every other one.
So my question is: can I route this websocket traffic with Traefik similar to how I do it externally, but internally in the docker network?
Traefik is a north-south reverse proxy. Historically, most people in traditional infrastructure would use NGINX or Apache to address inbound traffic; good to see you using a more modern tool. What you are describing is an east-west pattern of communication inside your firewall behind Traefik (assuming you control all ingress through Traefik).
Have you considered using service discovery and registry capabilities with tools like HashiCorp Consul - https://consul.io?
The idea of having service discovery is that your containers / services inside the swarm can be discovered and made available through the registry and referenced in proximity to each other by name, without the pains of manual labor in building and maintaining complicated name-to-IP lookups. Most understand this historically in a more persistent model behind DNS SRV, which requires an external query. Consul can still support that legacy reference integration as well.
This site might help you along: https://attx-project.github.io/Consul-for-Service-Discovery-on-Docker-Swarm.html
They appear to have addressed a similar case to yours. And the work is likely reusable with a few tweaks.

Nextcloud in docker behind traefik on unraid

I'm running Traefik as a reverse proxy on my unraid (6.6.6).
Apps like sonarr/radarr, nzbget, organizr all work fine. But that's mostly due to the fact that these are super easy to set up. You only need 4 Traefik-specific labels and that's it.
traefik.enable=true
traefik.backend=radarr
traefik.frontend.rule=PathPrefix: /radarr
traefik.port=7878
traefik.frontend.auth.basic.users=username:password
So far so good, everything is using SSL and working great.
But as soon as I have to configure some extra stuff for the containers to work behind a reverse proxy, I get lost. I've read dozens of guides regarding Nextcloud, but I can't get it to work.
Currently I'm using the linuxserver/nextcloud docker, and from my internal network it's working great. I got everything set up, added users and SMB shares, and everybody can connect fine. But I can't get it to work behind Traefik using a subdirectory. It's probably just some Traefik labels I need to add to the Nextcloud container, but I'm simply too much of a newb to know which ones I need.
My first issue was that Nextcloud forces HTTPS, which Traefik doesn't like unless you configure some stuff. So for now I'm just using the traefik.frontend.auth.forward.tls.insecureSkipVerify=true label to work around this. I know it's potentially a security issue, but if I'm not mistaken it only opens up the possibility of a man-in-the-middle attack. Which shouldn't be too much of an issue since both Traefik and Nextcloud are running on the same machine (and besides, everything else is going over HTTP).
So now that I got that working, I get an Error 500 message when I try to open mydomain.tld/nextcloud.
The traefik log says "Error calling . Cause: Get : unsupported protocol scheme \"\""
I tried adding some labels I found in a guide (https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/#NextCloud_Your_Own_Cloud_Storage)
"traefik.frontend.headers.SSLRedirect=true"
"traefik.frontend.headers.STSSeconds=315360000"
"traefik.frontend.headers.browserXSSFilter=true"
"traefik.frontend.headers.contentTypeNosniff=true"
"traefik.frontend.headers.forceSTSHeader=true"
"traefik.frontend.headers.SSLHost=mydomain.tld"
"traefik.frontend.headers.STSPreload=true"
"traefik.frontend.headers.frameDeny=true"
I just thought I'd try it; maybe I'd get lucky.
Sadly I didn't. Still Error 500.
Enable debug logging in your Traefik config using:
loglevel = "DEBUG"
More info here: https://docs.traefik.io/configuration/logs/
After doing this I realized that my docker label was not correctly applying the InsecureSkipVerify = true line in my config. The error I was able to see in the logs was:
500 Internal Server Error' caused by: x509: cannot validate certificate for 172.17.0.x because it doesn't contain any IP SANs"
To work around this I had to add InsecureSkipVerify = true directly to the traefik.toml file for this to work correctly.

Add Certificate in traefik for Service discovered from rancher

I have successfully configured Traefik 1.5.4 to work and talk with Rancher.
I'd like to add a few more services to Rancher by configuring the service labels.
One service has a different domain (not mine) than the others, with an SSL cert I get from the owner of that domain.
So how do I configure that with Rancher labels?
I know how to do this in the traefik.toml, but I'm curious if there's a way to configure that without touching the toml file every time.
Also, I think it quite elegant if the services are the owners of their configuration.
Any ideas?
Got it,
The label "traefik.frontend.rule" can take multiple destinations, e.g.
"Host: a.url.cloud,b.url.cloud"