How to set up Traefik v2 with gRPC and docker

I have followed the instructions for the TLS challenge and read through the grpc guide for traefik but I can't figure out how to put them together.
Currently I have the traefik dashboard at my domain working, and I could get a http server working, but I can't get the grpc service to be reachable. It shows up under HTTP Services in the dashboard, but when I attempt to hit the endpoint with a request it just times out saying it's unreachable.
my docker-compose (I don't have a TOML file):
    traefik:
      image: "traefik:v2.0.0"
      container_name: traefik
      command:
        - --entrypoints.web.address=:80
        - --entrypoints.websecure.address=:443
        - --entrypoints.grpc.address=:8090
        - --providers.docker
        - --api
        # Lets Encrypt Resolvers
        - --certificatesresolvers.leresolver.acme.email=${EMAIL}
        - --certificatesresolvers.leresolver.acme.storage=/etc/acme/cert.json
        - --certificatesresolvers.leresolver.acme.tlschallenge=true
      volumes:
        - "/var/run/docker.sock:/var/run/docker.sock:ro"
        - "/etc/acme/:/etc/acme/"
      labels:
        # Dashboard
        - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
        - "traefik.http.routers.traefik.service=api@internal"
        - "traefik.http.routers.traefik.tls.certresolver=leresolver"
        - "traefik.http.routers.traefik.entrypoints=websecure"
        # Auth
        - "traefik.http.routers.traefik.middlewares=authtraefik"
        - "traefik.http.middlewares.authtraefik.basicauth.users=admin:xxx"
        # global redirect to https
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
        # middleware redirect
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      ports:
        - 80:80
        - 443:443
        - 8080:8080
      networks:
        - internal
        - proxied
    grpc_server:
      image: xxx
      container_name: grpc_server
      labels:
        - "traefik.http.routers.grpc_server.rule=Host(`grpc.${DOMAIN}`)"
        - "traefik.http.routers.grpc_server.entrypoints=grpc"
        - "traefik.http.routers.grpc_server.tls=true"
        - "traefik.http.routers.grpc_server.tls.certresolver=leresolver"
      expose:
        - 8090 # grpc server
I don't need the layer from traefik to grpc to be encrypted, which is why I haven't set up the self-signed cert as per the grpc example. My grpc service is running in insecure mode and works when not behind traefik.
Anything obvious that I missed?

On the gRPC endpoint, please use h2c as the scheme; then Traefik will work.
gRPC connection, for example in YAML:
    spec:
      entryPoints:
        - grpc
      routes:
        - kind: Rule
          match: Host(`xyz.com`)
          services:
            - name: service_name
              port: 50051
              scheme: h2c
      tls:
        options:
          name: mytlsoption
        secretName: secret_name

You are using port 8090 as entrypoint for grpc - in your docker compose file you don't map the port to traefik.
Assuming that you use port 80 to reach traefik it will result in a 404, if you use port 8080 it will be mapped to traefik, but traefik is not listening on that port and if you use 8090 the port is not mapped to a docker container, both resulting in a port unreachable error.
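
The mismatch the two answers describe (an entrypoint whose port is never published, a published port nothing listens on, and a plaintext gRPC backend without the h2c scheme) can be checked mechanically. This is an added example, not code from the original posts: the function names, the `plaintext_grpc` parameter and the embedded sample (a constructed subset of the question's compose file, plus one possible corrected variant) are assumptions.

```python
import re

# Matches e.g. --entrypoints.grpc.address=:8090 (matched case-insensitively).
ENTRYPOINT_FLAG = re.compile(r"^--entrypoints\.([^.]+)\.address=.*:(\d+)(?:/\w+)?$", re.I)
ROUTER_ENTRYPOINTS = re.compile(r"^traefik\.http\.routers\.([^.]+)\.entrypoints$", re.I)


def entrypoints_from_command(command):
    """Map entrypoint name -> container port from Traefik's static CLI flags."""
    found = {}
    for arg in command:
        arg = arg.strip('"').lower()
        m = ENTRYPOINT_FLAG.match(arg)
        if m:
            found[m.group(1)] = int(m.group(2))
        elif arg in ("--api.insecure", "--api.insecure=true"):
            # Insecure API mode serves the dashboard on an implicit 'traefik' entrypoint (:8080).
            found.setdefault("traefik", 8080)
    return found


def published_container_ports(ports):
    """Container-side ports from compose short syntax such as "8080:80" (no port ranges)."""
    return {int(str(p).split("/")[0].split(":")[-1]) for p in ports}


def lint(traefik, backends, plaintext_grpc=()):
    """Return findings for one Traefik service and the labels of its backends."""
    findings = []
    eps = entrypoints_from_command(traefik["command"])
    published = published_container_ports(traefik.get("ports", []))

    for name, port in sorted(eps.items()):
        if port not in published:
            findings.append(f"entrypoint '{name}' listens on :{port} but that port is not published")
    for port in sorted(published - set(eps.values())):
        findings.append(f"port {port} is published but no entrypoint listens on it")

    for backend, labels in sorted(backends.items()):
        kv = dict(label.split("=", 1) for label in labels)
        for key, value in kv.items():
            m = ROUTER_ENTRYPOINTS.match(key)
            if not m:
                continue
            # Entrypoint names are compared case-insensitively (a simplification).
            for ep in value.lower().split(","):
                if ep.strip() not in eps:
                    findings.append(f"router '{m.group(1)}' uses undefined entrypoint '{ep.strip()}'")
        if backend in plaintext_grpc:
            has_h2c = any(k.lower().endswith(".loadbalancer.server.scheme") and v == "h2c"
                          for k, v in kv.items())
            if not has_h2c:
                findings.append(f"backend '{backend}' speaks plaintext gRPC but no service label sets scheme=h2c")
    return findings


# Constructed sample: the relevant subset of the question's compose file.
TRAEFIK = {
    "command": [
        "--entrypoints.web.address=:80",
        "--entrypoints.websecure.address=:443",
        "--entrypoints.grpc.address=:8090",
        "--providers.docker",
        "--api",
    ],
    "ports": ["80:80", "443:443", "8080:8080"],
}
BACKENDS = {
    "grpc_server": [
        "traefik.http.routers.grpc_server.rule=Host(`grpc.${DOMAIN}`)",
        "traefik.http.routers.grpc_server.entrypoints=grpc",
        "traefik.http.routers.grpc_server.tls=true",
    ],
}

# Constructed corrected variant: publish 8090, drop the unused 8080, forward as h2c.
FIXED_TRAEFIK = dict(TRAEFIK, ports=["80:80", "443:443", "8090:8090"])
FIXED_BACKENDS = {"grpc_server": BACKENDS["grpc_server"] + [
    "traefik.http.services.grpc_server.loadbalancer.server.port=8090",
    "traefik.http.services.grpc_server.loadbalancer.server.scheme=h2c",
]}

if __name__ == "__main__":
    for finding in lint(TRAEFIK, BACKENDS, plaintext_grpc={"grpc_server"}):
        print("before:", finding)
    print("after:", lint(FIXED_TRAEFIK, FIXED_BACKENDS, plaintext_grpc={"grpc_server"}))
```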

Related

I cannot publish a service in port 8080 using Traefik

I cannot publish my service on port 8080: even if I redirect the dashboard to another port, Traefik automatically redirects the URL http://localhost:8080 to http://localhost:8080/dashboard. I need to publish on port 8080 because the infrastructure is out of my control.
Everything works fine if I use another port to publish my service.
My docker-compose file looks like:
    version: "3.3"
    services:
      traefik:
        image: "traefik:v2.8.1"
        command:
          - "--api.insecure=false"
          - "--providers.docker=true"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.traefik.address=:9090"
          - "--entrypoints.web.address=:80"
        ports:
          - "4000:9090"
          - "8080:80" # if I put another port it works fine
        volumes:
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
      salamandra:
        image: "salamandra"
        container_name: "salamandra"
        ports:
          - "5000:8080"
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.salamandra.rule=Host(`localhost`)"
          - "traefik.http.routers.salamandra.entrypoints=web"

If you need the Traefik service to work on 8080:
    "--entryPoints.web.address=:8080"
and
    "--entryPoints.traefik.address=:9090"
The dashboard listens on port 9090.
https://doc.traefik.io/traefik/routing/entrypoints/
Regards

How to set a DDNS in Traefik host?

I am new to Traefik and I am using it as the reverse proxy for my docker images, and I want to use my local computer as a server that can be accessed externally.
Here is what I did:
I create a DDNS pointing to my external ip in No-Ip:
Host-name: myhost.ddns.net
Target/ip: my-external-ip
Type: A
I want to use Traefik, so I want to expose the http default port (80) and https default port (443), so I made the port-forward in my router:
Doing that, I expect http or https requests to be redirected to my internal host, which is the server of my application.
Create the docker-compose.yml and traefik.yml files:
docker-compose.yml:
    version: '3.7'
    services:
      traefik:
        image: traefik:v2.0.1
        container_name: traefik
        restart: unless-stopped
        security_opt:
          - no-new-privileges:true
        networks:
          - external
        ports:
          - 80:80
          - 443:443
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./traefik.yml:/traefik.yml:ro
          - ./acme.json:/acme.json
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.traefik.entrypoints=http"
          - "traefik.http.routers.traefik.rule=Host(`traefik.myhost.ddns.net`)"
          - "traefik.http.middlewares.traefik-auth.basicauth.users=*user:password*"
          - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
          - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
          - "traefik.http.routers.traefik-secure.entrypoints=https"
          - "traefik.http.routers.traefik-secure.rule=Host(`traefik.myhost.ddns.net`)"
          # - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
          - "traefik.http.routers.traefik-secure.tls=true"
          - "traefik.http.routers.traefik-secure.tls.certresolver=http"
          - "traefik.http.routers.traefik-secure.service=api@internal"
          - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      *another-services-configs...*
    networks:
      external:
        external: true
traefik.yml:
    api:
      dashboard: true
    # Writing Logs to a File, in JSON
    log:
      level: DEBUG
      filePath: "log-file.log"
      format: json
    # Configuring a buffer of 100 lines
    accessLog:
      filePath: "log-access.log"
      bufferingSize: 100
    entryPoints:
      http:
        address: ":80"
      https:
        address: ":443"
    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        exposedByDefault: false
    certificatesResolvers:
      http:
        acme:
          email: my-email@hotmail.com
          storage: acme.json
          httpChallenge:
            entryPoint: http
Finally, when I run docker-compose up -d, the application goes on, but I cannot access the traefik dashboard when I try to access traefik.myhost.ddns.net in the browser. The error message is that no web site could be found with that host.
But if I change the Host-name in the label to - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)", I can access the traefik dashboard by typing traefik.localhost in the browser.
The question is, how can I use my ddns in the Host label to be able to access my traefik server externally?

Traefik 2 - Trying to configure my first container to use traefik

Am a n00b to traefik & linux - have been following guides at smarthomebeginner trying to use traefik2 as a reverse proxy in docker on a synology NAS. To start me easy I'm trying to run portainer and access it securely via the traefik container.
I've got traefik2 up and running and I can connect to its dashboard at traefik.mydomain.co.uk, and when I do my browser says the certificate is valid, so it looks like all is running ok.
I've then added portainer to my docker compose and it appears to be working as when I send my browser to LocalIP:9000 I get the portainer dashboard.
But when I visit portainer.mydomain.co.uk I get a 404 Error page not found.
I think the problem must be something to do with 'entry points' because when I visit my traefik dashboard, at the top of the page that it says there are entry points http(80) https(443) and traefik(8080). There appears to be no mention of a 9000.
I've tried adding some stuff under command: in my portainer section of the compose file but all that seems to do is stop the portainer from working even on the local IP!
Would anyone be able to look at my docker-compose file and point where I'm going wrong with this?
    version: "3.7"
    ########################### NETWORKS
    networks:
      t2_proxy:
        external:
          name: t2_proxy
      default:
        driver: bridge
    ########################### SERVICES
    services:
      # All services / apps go below this line
      # Traefik 2 - Reverse Proxy
      traefik:
        container_name: traefik
        image: traefik:2.2.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
        restart: unless-stopped
        command: # CLI arguments
          - --global.checkNewVersion=true
          - --global.sendAnonymousUsage=true
          - --entryPoints.http.address=:80
          - --entryPoints.https.address=:443
          # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
          - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
          - --entryPoints.traefik.address=:8080
          - --api=true
          # - --api.insecure=true
          # - --serversTransport.insecureSkipVerify=true
          - --log=true
          - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
          - --accessLog=true
          - --accessLog.filePath=/traefik.log
          - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
          - --accessLog.filters.statusCodes=400-499
          - --providers.docker=true
          - --providers.docker.endpoint=unix:///var/run/docker.sock
          - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
          - --providers.docker.exposedByDefault=false
          - --providers.docker.network=t2_proxy
          - --providers.docker.swarmMode=false
          - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
          # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
          - --providers.file.watch=true # Only works on top level files in the rules folder
          # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
          - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
          - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
          - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
          - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
        networks:
          t2_proxy:
            ipv4_address: 192.168.90.254 # You can specify a static IP
        # networks:
        #   - t2_proxy
        security_opt:
          - no-new-privileges:true
        ports:
          - target: 80
            published: 80
            protocol: tcp
            mode: host
          - target: 443
            published: 443
            protocol: tcp
            mode: host
          - target: 8080
            published: 8080
            protocol: tcp
            mode: host
        volumes:
          - $DOCKERDIR/traefik2/rules:/rules
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
          - $DOCKERDIR/traefik2/traefik.log:/traefik.log
          - $DOCKERDIR/shared:/shared
        environment:
          - CF_API_EMAIL=$CLOUDFLARE_EMAIL
          - CF_API_KEY=$CLOUDFLARE_API_KEY
        labels:
          - "traefik.enable=true"
          # HTTP-to-HTTPS Redirect
          - "traefik.http.routers.http-catchall.entrypoints=http"
          - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
          - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
          - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
          # HTTP Routers
          - "traefik.http.routers.traefik-rtr.entrypoints=https"
          - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
          - "traefik.http.routers.traefik-rtr.tls=true"
          #- "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
          - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
          - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
          # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
          # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
          ## Services - API
          - "traefik.http.routers.traefik-rtr.service=api@internal"
          ## Middlewares
          - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
          - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-basic-auth@file"
      # Portainer - WebUI for Containers
      portainer:
        container_name: portainer
        image: portainer/portainer:latest
        restart: unless-stopped
        command: -H unix:///var/run/docker.sock
        networks:
          - t2_proxy
        ports:
          - "$PORTAINER_PORT:9000"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - $DOCKERDIR/portainer/data:/data # Change to local directory if you want to save/transfer config locally
        environment:
          - TZ=$TZ
        labels:
          - "traefik.enable=true"
          ## HTTP Routers
          - "traefik.http.routers.portainer-rtr.entrypoints=https"
          - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
          ## Middlewares
          # - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" # No Authentication
          - "traefik.http.routers.portainer-rtr.middlewares=middlewares-basic-auth@file" # Basic Authentication
          # - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file" # Google OAuth 2.0
          # - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" # Authelia
          ## HTTP Services
          - "traefik.http.routers.portainer-rtr.service=portainer-svc"
          - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

You are right about entrypoints:
    - --entryPoints.http.address=:80
    - --entryPoints.https.address=:443
You missed your entrypoint for port 9000:
    - --entryPoints.http.address=:80
    - --entryPoints.https.address=:443
    - --entryPoints.portainer.address=:9000
But if you add 9000, it supposes you want to listen on port 9000, which is probably not what you want to do.
You want to go to your domain on 443 and then be redirected to 9000.
If you publish port 9000, it could resolve your problem.
If you look here:
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
You should add your port 9000 like this:
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
      - target: 9000
        published: 9000
        protocol: tcp
        mode: host
Hope you found the answer somehow before my answer.

Getting 502 Bad Gateway when trying to configure HTTPS on Traefik

I got a basic Traefik 2 setup working for HTTP here...
Now I'm trying to get HTTPS working, and basic auth for the dashboard with TLS and redirects...
docker_compose.yml:
    version: '3.8'
    networks:
      myweb:
        external: true
    services:
      proxy:
        image: traefik:v2.3.0-rc4-windowsservercore-1809
        container_name: traefik
        ports:
          - "80:80"
          - "443:443"
          - "8080:8080"
        volumes:
          # Mount the certs drive
          - ./traefik-ssl-certs/:c:/certs/
          # Mount the config folder
          - ./traefik-config/:c:/config/
          # Mount the host docker engine pipe ("docker volume ls")
          - source: '\\.\pipe\docker_engine'
            target: '\\.\pipe\docker_engine'
            type: npipe
        command:
          - "--api.insecure=true"
          # Register the traefik config directory as per: https://docs.traefik.io/providers/file/#directory
          - --providers.file.directory=c:/config/
          - --providers.file.watch=true
          - --entrypoints.web.address=:80
          - --entrypoints.websecure.address=:443
          # Redirect http to https
          - --entrypoints.web.http.redirections.entryPoint.to=websecure
          - --entrypoints.web.http.redirections.entryPoint.scheme=https
          - --entrypoints.web.http.redirections.entrypoint.permanent=true
          # Configure Docker provider
          - "--providers.docker=true"
          - "--providers.docker.exposedbydefault=false"
          - "--providers.docker.endpoint=npipe:////./pipe/docker_engine"
          - "--providers.docker.network=myweb"
          - "--providers.docker.watch=true"
        networks:
          - myweb
        labels:
          - traefik.http.routers.api.service=api@internal
          - traefik.enable=true
          - traefik.docker.network=myweb
      remoteling:
        image: remoteling:latest
        container_name: remoteling
        networks:
          - myweb
        labels:
          - traefik.enable=true
          - traefik.docker.network=myweb
          - traefik.http.middlewares.http2https.redirectscheme.scheme=https
          - traefik.http.routers.remoteling-http.middlewares=http2https
          - traefik.http.routers.remoteling-http.rule=Host(`example.com`) || Host(`example.example.com`)
          - traefik.http.routers.remoteling-http.entrypoints=web
          - traefik.http.services.remoteling.loadbalancer.server.port=443
          - traefik.http.routers.remoteling-https.rule=Host(`example.com`) || Host(`example.example.com`)
          - traefik.http.routers.remoteling-https.entrypoints=websecure
          - traefik.http.routers.remoteling-https.tls=true
        depends_on:
          - proxy
From powershell I'm running:
    docker network create -d nat myweb
    docker-compose -p myweb up
In my working dir I have the following file structure:
    ./docker-compose.yml
    ./traefik-config/traefik.yml
    ./traefik-ssl-certs/example.com.crt
    ./traefik-ssl-certs/example.com.key
    ./traefik-ssl-certs/example.example.com.key
    ./traefik-ssl-certs/example.example.com.key
And the traefik.yml file looks like this:
    tls:
      certificates:
        - certFile: c:/certs/example.example.com.crt
          keyFile: c:/certs/example.example.com.key
        - certFile: c:/certs/example.com.crt
          keyFile: c:/certs/example.com.key
The traefik dashboard shows my service defined as a loadbalancer, which is good (is there any other type of service other than loadbalancer? I'm not sure how else to define the port other than via a loadbalancer). Clicking on the service gives me the local network IP - and when I visit that IP my site loads just fine (albeit with an SSL cert mismatch warning - expected).
However when I try to visit https://example.com or https://example.example.com - I get a 502 Bad Gateway. Any idea why I'd be getting this?
The browser shows the SSL certs are valid, with no warnings, so I assume my certificates config is fine.
The http to https redirect seems to be working, if I visit http://example.com it forwards me to https://example.com
What is wrong with my routing config to cause these Bad Gateways?

I have solved my problem! There were a few issues:
I had configured a TLS cert in my Dockerfile, back from when I was running the image as a single service on my server. So my image already had port 443 bound with the TLS cert. I think that caused issues when the Traefik router tried to configure TLS for the service. So I had to rebuild my image, removing the TLS. I also removed the code that required HTTPS attributes too, that is now the responsibility of traefik.
Image only needs to expose 1 port: My understanding now is that my web application should only run through port 80 (e.g. don't even need port 443 exposed in the image's firewall) and the Traefik router configures and handles the TLS/443 etc through port 80.
I hadn't actually defined my HTTP and HTTPS services properly. I have shared my docker-compose.yml file below - notice for both traefik and my other service I have separated the labels into sections: defining the service, routing for HTTP, routing for HTTPS, redirect middleware, and basic auth for the traefik dashboard. I couldn't find any good documentation or tutorials that really broke down the necessary aspects for traefik 2.0 and categorized them clearly.
The service definition label / loadbalancer port should point to whatever port the image's service is hosted from, e.g. port 80 in most cases, or in the case of the traefik service 8080. But crucially it doesn't need to also point to 443 for https.
In summary, my (verbose) learning notes after all are that you need to:
Define the service again as a label: Didn't work for me without the service definition label. I had to add a service label pointing to the name of the service under which the image is defined.
Define routers for http and https: Whatever text you put after the traefik.http.routers.YOUR_ROUTER_NAME becomes your router. It wasn't clear to me I needed separate routers for both http and https. You must do this for each service (e.g. traefik, whoami, remoteling, etc.)
Define the routers' entrypoints: AFAIK the name you put after the entrypoint in the traefik command defines a new entrypoint that you can use for other services. So in the traefik service definition you'd have --entrypoints.WEBNAME.address=:80 and --entrypoints.WEBSECURENAME.address=:443 (replacing those caps with your own name to use throughout the docker-compose.yml file).
Define the routers' domain names to capture: Just like you define routers for each http and https you must define the domains to capture for both of these routers, even just the same domain/path.
Add tls for https router: For the https router you need the tls.true label.
Separate middleware redirection definitions for traefik and each of your services: I've read that you can declare a global one, but AFAIK each service must opt-in by assigning the middleware to the http router.
Providing your own SSL certs on Docker for Windows: There was precious little information about running Docker for Windows with your own SSL certs. I have a batch script in my 'traefik' working dir with a subfolder containing the SSL certs (crt and key files). I mount this as the first volume, - ./traefik-ssl-certs/:c:/certs/. Then, in my working dir I have another folder called traefik-config containing my traefik.yml file (details in the question above). In linux everyone seems to just mount the config file directly, but mounting files doesn't work in Windows so I had to mount as a folder instead, then I used the command providers.file.directory=c:/config/, which tells traefik to look for the config file in there. The config file provides the location of the SSL certs for traefik to load. If you enable TLS for a router, Traefik will automatically use any cert that matches the domain you've specified on that router.
Basic Auth: Must define the middleware as one label, and then assign that middleware to your https router. And I suppose if you're not using HTTPS redirect then you could assign it to your http router but it wouldn't be secure obviously.
docker-compose.yml:
    version: '3.8'
    networks:
      myweb:
        external: true
    services:
      proxy:
        image: traefik:v2.3.0-rc4-windowsservercore-1809
        container_name: traefik
        ports:
          - "80:80"
          - "443:443"
          - "8080:8080"
        volumes:
          # Mount the certs drive
          - ./traefik-ssl-certs/:c:/certs/
          # Mount the config folder
          - ./traefik-config/:c:/config/
          # Mount the host docker engine pipe ("docker volume ls")
          - source: '\\.\pipe\docker_engine'
            target: '\\.\pipe\docker_engine'
            type: npipe
        command:
          - --api=true
          - --api.dashboard=true
          - --api.insecure=false
          # Register the traefik config directory as per: https://docs.traefik.io/providers/file/#directory
          - --providers.file.directory=c:/config/
          - --providers.file.watch=true
          - --entrypoints.web.address=:80
          - --entrypoints.websecure.address=:443
          # Configure Docker provider
          - --providers.docker=true
          - --providers.docker.exposedbydefault=false
          - --providers.docker.endpoint=npipe:////./pipe/docker_engine
          - --providers.docker.network=myweb
          - --providers.docker.watch=true
        networks:
          - myweb
        labels:
          - traefik.enable=true
          - traefik.docker.network=myweb
          # Define the service
          - traefik.http.services.proxy.loadbalancer.server.port=8080
          # Routing for dashboard HTTP
          - traefik.http.routers.dash-http.service=api@internal
          - traefik.http.routers.dash-http.rule=Host(`example.com`)
          - traefik.http.routers.dash-http.entrypoints=web
          # Routing for dashboard HTTPS
          - traefik.http.routers.dash-https.service=api@internal
          - traefik.http.routers.dash-https.rule=Host(`example.com`)
          - traefik.http.routers.dash-https.entrypoints=websecure
          - traefik.http.routers.dash-https.tls=true
          # Http-to-Https redirect Middleware
          - traefik.http.middlewares.dash-http2https.redirectscheme.scheme=https
          - traefik.http.middlewares.dash-http2https.redirectscheme.permanent=true
          - traefik.http.routers.dash-http.middlewares=dash-http2https
          # BasicAuth for dashboard
          # Windows doesn't have htpasswd command so I generated one here: https://hostingcanada.org/htpasswd-generator/
          # As per Traefik documentation, escaped single $ char with $$ for the yml parser
          # user/pass = admin/testpassword
          - traefik.http.middlewares.api-auth.basicauth.users=admin:$$2y$$10$$mfWQ11K16V6gVK.8Y6q1Eeh765NZscmjCrjJlAtaWubEsjU8HLYOO
          - traefik.http.routers.dash-https.middlewares=api-auth
      remoteling:
        image: remoteling:latest
        container_name: remoteling
        networks:
          - myweb
        labels:
          - traefik.enable=true
          - traefik.docker.network=myweb
          # Define the service
          - traefik.http.services.remoteling.loadbalancer.server.port=80
          # Routing for remoteling HTTP
          - traefik.http.routers.remoteling-http.service=remoteling
          - traefik.http.routers.remoteling-http.entrypoints=web
          - traefik.http.routers.remoteling-http.rule=Host(`services.example.com`)
          # Routing for remoteling HTTPS
          - traefik.http.routers.remoteling-https.service=remoteling
          - traefik.http.routers.remoteling-https.entrypoints=websecure
          - traefik.http.routers.remoteling-https.rule=Host(`services.example.com`)
          - traefik.http.routers.remoteling-https.tls=true
          # Http-to-Https redirect Middleware
          - traefik.http.middlewares.remoteling-http2https.redirectscheme.scheme=https
          - traefik.http.middlewares.remoteling-http2https.redirectscheme.permanent=true
          - traefik.http.routers.remoteling-http.middlewares=remoteling-http2https
        depends_on:
          - proxy
Hopefully someone else finds that useful.
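
The dashboard-related differences between the question's file and the working one (`--api.insecure=false`, a basic-auth middleware assigned to the HTTPS router, a redirect-only HTTP router) can be verified with a small lint. This is an added example, not part of the original answer: `dashboard_findings` and the embedded lists (constructed from the two compose files above, with the password hash replaced by a placeholder) are assumptions.

```python
import re

AUTH_KINDS = {"basicauth", "digestauth", "forwardauth"}
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$", re.I)
MIDDLEWARE_KEY = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.([^.]+)\.", re.I)


def dashboard_findings(command, labels):
    """Flag ways the Traefik API/dashboard is reachable without authentication."""
    findings = []
    flags = {arg.strip('"').lower() for arg in command}
    if flags & {"--api.insecure", "--api.insecure=true"}:
        findings.append("--api.insecure=true serves the API and dashboard on :8080 without authentication")

    routers, middleware_kind = {}, {}
    for label in labels:
        key, _, value = label.partition("=")
        m = ROUTER_KEY.match(key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2).lower()] = value
            continue
        m = MIDDLEWARE_KEY.match(key)
        if m:
            middleware_kind.setdefault(m.group(1), set()).add(m.group(2).lower())

    for name, opts in sorted(routers.items()):
        if opts.get("service", "").lower() != "api@internal":
            continue
        # Resolve the router's middlewares against those defined in these labels only;
        # middlewares from other providers (e.g. name@file) cannot be inspected here.
        kinds = set()
        for mw in filter(None, opts.get("middlewares", "").split(",")):
            kinds |= middleware_kind.get(mw.strip().split("@")[0], set())
        if kinds & AUTH_KINDS:
            has_tls = opts.get("tls", "").lower() == "true" or any(k.startswith("tls.") for k in opts)
            if not has_tls:
                findings.append(f"router '{name}' asks for credentials without TLS")
        elif "redirectscheme" not in kinds:
            findings.append(f"router '{name}' exposes api@internal with no auth middleware")
    return findings


# Constructed sample: dashboard-related subset of the question's compose file.
QUESTION_CMD = ["--api.insecure=true", "--entrypoints.web.address=:80",
                "--entrypoints.websecure.address=:443"]
QUESTION_LABELS = ["traefik.http.routers.api.service=api@internal", "traefik.enable=true"]

# Constructed sample: dashboard-related subset of the working compose file.
ANSWER_CMD = ["--api=true", "--api.dashboard=true", "--api.insecure=false"]
ANSWER_LABELS = [
    "traefik.http.services.proxy.loadbalancer.server.port=8080",
    "traefik.http.routers.dash-http.service=api@internal",
    "traefik.http.routers.dash-http.rule=Host(`example.com`)",
    "traefik.http.routers.dash-http.entrypoints=web",
    "traefik.http.routers.dash-https.service=api@internal",
    "traefik.http.routers.dash-https.rule=Host(`example.com`)",
    "traefik.http.routers.dash-https.entrypoints=websecure",
    "traefik.http.routers.dash-https.tls=true",
    "traefik.http.middlewares.dash-http2https.redirectscheme.scheme=https",
    "traefik.http.routers.dash-http.middlewares=dash-http2https",
    "traefik.http.middlewares.api-auth.basicauth.users=admin:<bcrypt-hash-placeholder>",
    "traefik.http.routers.dash-https.middlewares=api-auth",
]

if __name__ == "__main__":
    print("question:", dashboard_findings(QUESTION_CMD, QUESTION_LABELS))
    print("answer:  ", dashboard_findings(ANSWER_CMD, ANSWER_LABELS))
```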

Port forwarding with Traefik on docker v2.2

I have a service running on port 8080 that accepts both http and gRPC. I understand that there are some limitations with gRPC in traefik, so here is the ultimate goal.
Accept ipWhitelisted traffic on port 8080
Accept traffic from :80 /graphql and route to :8080 /graphql
Eventually I would like to accept this on route / and route to /graphql
Accept ipWhitelisted traffic from :80 /admin/schema and route to :8080 /admin/schema
Eventually I would like to accept this on route /admin and route to /graphql
If I get this working, I believe I can get the next part done:
Enable https with letsencrypt and accept traffic from :443 to the /graphql and /admin endpoints.
For configuration I am using a docker compose file.
    version: "3.2"
    services:
      reverse-proxy:
        image: traefik:v2.2
        command:
          - "--providers.docker=true"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.dgraph.address=:8080"
        ports:
          - "8080:8080"
        volumes:
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # there is another service here `zero` that is not using traefik so I omitted its config.
      alpha:
        image: dgraph/dgraph:master
        volumes:
          - /dgraph/data:/dgraph
        labels:
          - "traefik.enable=true"
          - "traefik.http.middlewares.adminIps.ipwhitelist.sourcerange=1.1.1.1" # my ip address instead of 1.1.1.1
          - "traefik.http.routers.alpha.rule=Host(`api.mydomain.com`) && Path(`/graphql`)"
          - "traefik.http.routers.alpha.entrypoints=dgraph"
          - "traefik.http.routers.schema.rule=Host(`api.mydomain.com`) && Path(`/admin/schema`)"
          - "traefik.http.routers.schema.middlewares=adminIps@docker"
          - "traefik.http.routers.schema.entrypoints=dgraph"
          - "traefik.http.routers.all.rule=Host(`api.mydomain.com`)"
          - "traefik.http.routers.all.middlewares=adminIps@docker"
          - "traefik.http.routers.all.entrypoints=dgraph"
        restart: always
        command: dgraph alpha --my=alpha:7080 --zero=zero:5080 --whitelist 172.0.0.0:172.254.254.254
I have tried creating another entry point on port 80 and then use that in the routers and added a loadbalancer, but that does not seem to work. Here is that modified config:
    version: "3.2"
    services:
      reverse-proxy:
        image: traefik:v2.2
        command:
          - "--providers.docker=true"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.dgraph.address=:8080"
          - "--entrypoints.web.address=:80"
        ports:
          - "8080:8080"
          - "80:80"
        volumes:
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # there is another service here `zero` that is not using traefik so I omitted its config.
      alpha:
        image: dgraph/dgraph:master
        volumes:
          - /dgraph/data:/dgraph
        labels:
          - "traefik.enable=true"
          - "traefik.http.middlewares.adminIps.ipwhitelist.sourcerange=1.1.1.1" # my ip address instead of 1.1.1.1
          - "traefik.http.routers.alpha.rule=Host(`api.mydomain.com`) && Path(`/graphql`)"
          - "traefik.http.routers.alpha.entrypoints=web"
          - "traefik.http.services.alpha.loadbalancer.server.port=80"
          - "traefik.http.routers.schema.rule=Host(`api.mydomain.com`) && Path(`/admin/schema`)"
          - "traefik.http.routers.schema.middlewares=adminIps@docker"
          - "traefik.http.routers.schema.entrypoints=dgraph"
          - "traefik.http.routers.all.rule=Host(`api.mydomain.com`)"
          - "traefik.http.routers.all.middlewares=adminIps@docker"
          - "traefik.http.routers.all.entrypoints=dgraph"
        restart: always
        command: dgraph alpha --my=alpha:7080 --zero=zero:5080 --whitelist 172.0.0.0:172.254.254.254
The first docker-compose.yml file above works. By works I mean that it correctly applies the routing, rules, and middleware all on port 8080.
The second docker-compose.yml file above I expect to open port 80 and apply the rules to route http api.mydomain.com/graphql to alpha:8080/graphql. This does not happen though. I do not get any errors when I push it up with docker-compose up -d but when I use yougetsignal.com and check for open port 80 I get the response that port 80 is closed, and when I try to use port 8080 that was working before with route all (api.mydomain.com:8080), I get the response in the browser "Bad Gateway"

You said your service alpha is listening on 8080, so you should use that in the loadbalancer:
    "traefik.http.services.alpha.loadbalancer.server.port=8080"
You can think of it like this: the entrypoint is the incoming connection and the loadbalancer is where Traefik redirects the requests.
