Develop Reference

Redirect DNS with Traefik to container on different port

I have found many similar questions online, but I am certainly lost in this topic which is new for me and I hope somebody can guide me through my problem. In my setup, I have a docker container which runs a secure version on port 8443 and a "read-only" version on port 8080. Now I want to use Traefik as a proxy to then reroute all requests to the secure version, ignoring the read-only. While the dashboard indicates routing to the service, I am just receiving an "Unable to connect" when trying to access the webpage.
As a compose file:
version: "3.7"
services:
traefik:
image: traefik:2.5
container_name: traefik
restart: always
ports:
- "80:80"
- "433:433"
command: --api.insecure=false --providers.docker
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /home/cloud/traefik.yml:/etc/traefik/traefik.yml
networks:
- traefik-network
my-service:
image: my-image
env_file: variables.env
container_name: my-image
restart: always
ports:
- "8080:8080"
- "8443:8443"
networks:
- traefik-network
labels:
- "traefik.enable=true"
- "traefik.http.routers.my-service.entryPoints=websecure"
- "traefik.http.routers.my-service.rule=Host(`domain.com`)"
- "traefik.http.services.my-service.loadbalancer.server.port=8443"
networks:
traefik-network:
name: traefik-network
And the traefik.yml:
################################################################
# Provider configuration
################################################################
providers:
docker:
endpoint: "unix:///var/run/docker.sock" # default
exposedByDefault: true # default
network: traefik-network
################################################################
# Entrypoint
################################################################
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
Maybe somebody has an idea where I went in the wrong direction.
Best

Traefik ssl containers - '500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.x.x.x

I am using traefik:v2.8.2 and containers running apache on port 80 and 443. Apache redirect the port 80 request to port 443.
Below is my traefik.yml file -
# configure logs
log:
level: DEBUG # Set to 'DEBUG' for troubleshooting
# configure entry points
entryPoints:
web:
address: ":80"
http:
redirections: # http to https redirection
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
postgres:
address: ":5432"
# configure providers
providers:
docker:
endpoint: "unix:///var/run/docker.sock" # connection to the docker daemon
exposedByDefault: false # ignore containers without label 'traefik.enable=true'
file:
directory: "/etc/traefik/conf" # directory for dynamic traefik configuration files
watch: true # changes are processed immediately
# configure api service
api:
dashboard: true # enable the traefik dashboard
and below is my tls configuration
tls:
certificates:
- certFile: "/etc/traefik/certs/knandan-cert.pem"
keyFile: "/etc/traefik/certs/knandan-key.pem"
And below is my docker-compose.yml file
version: "3.8"
services:
traefik:
networks:
- d_local
image: traefik:v2.8.2
container_name: "d_traefik"
restart: unless-stopped
security_opt:
- no-new-privileges:true
command:
- --serverstransport.insecureskipverify=true
ports:
- "80:80"
- "443:443"
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./certs/:/etc/traefik/certs/:ro
- ./static_conf.yml:/traefik.yml:ro
- ./conf/:/etc/traefik/conf/:ro
labels:
- traefik.enable=true
- traefik.docker.network=d_local
- traefik.http.routers.traefik.entrypoints=websecure
- traefik.http.routers.traefik.rule=Host(`knandan.app`)
- traefik.http.routers.traefik.tls=true
- traefik.http.routers.traefik.service=api#internal
- traefik.http.services.traefik.loadbalancer.server.port=8080
d_apiapp:
build:
context: apiapp
dockerfile: .docker/Dockerfile
container_name: apiapp
restart: unless-stopped
image: apiapp
domainname: api.knandan.app
ports:
- "8080:80"
networks:
- d_local
volumes:
- "./apiapp:/srv/app"
- "./certs:/etc/ssl/crt"
labels:
- traefik.enable=true
- traefik.http.routers.apiapp.entrypoints=websecure
- traefik.http.routers.apiapp.rule=Host(`api.knandan.app`)
- traefik.http.routers.apiapp.tls=true
- traefik.http.services.apiapp.loadbalancer.server.port=443
- traefik.http.services.apiapp.loadbalancer.server.scheme=https
networks:
d_local:
external: true
When I run the docker-compose up I can see the traefik dashboard. But when I open the api.knandan.app I get Internal Server Error
After checking the logs I came to know that some ssl verification is failing, below is the error -
time="2022-08-18T07:04:09Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.18.0.2"
I noticed that traefik is running my container on the container ip not on hostname
level=debug msg="Creating server 0 https://172.18.0.2:443" routerName=apiapp#docker serverName=0 serviceName=apiapp entryPointName=websecure
Can someone please help me resolve this issue? Thanks is advance.
Below is my apache configuration - which is running behind the traefik to run the Laravel application
000-default.conf
000-default-ssl.conf

Probably Traefik is using a default auto-signed certificate, I guess that with custom certificate it is not supported wildcard certificate.
So try to add default certificate in your configuration file:
tls:
stores:
default:
defaultCertificate:
certFile: /etc/traefik/certs/knandan-cert.pem
keyFile: /etc/traefik/certs/knandan-cert.key
Here is a useful link
Also you should check if the directory indicated in the apiapp volumes is correct, if apiapp is an ubuntu based image it should be /etc/ssl/certs and not /etc/ssl/crt.

Don't use underscore in container name. The container name will be used then as a host name which is not valid.

How to set a DDNS in Traefik host?

I am new in Traefik and I am using that to make the reverse proxy for my docker images, and I want to use my local computer like a server that could be accessed externally.
Here is what I did:
I create a DDNS pointing to my external ip in No-Ip:
Host-name: myhost.ddns.net
Target/ip: my-external-ip
Type: A
I want to use Traefik, so I want to expose the http default port (80) and https default port (443), so I made the port-forward in my router:
Doing that, I expect that http or https requests is being redirect to my internal host, that is the one which is the server of my application
Create the docker-compose.yml and traefik.yml files:
docker-compose.yml:
version: '3.7'
services:
traefik:
image: traefik:v2.0.1
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- external
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/traefik.yml:ro
- ./acme.json:/acme.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.myhost.ddns.net`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=*user:password*
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.myhost.ddns.net`)"
# - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=http"
- "traefik.http.routers.traefik-secure.service=api#internal"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
*another-services-configs...*
networks:
external:
external: true
traefik.yml:
api:
dashboard: true
# Writing Logs to a File, in JSON
log:
level: DEBUG
filePath: "log-file.log"
format: json
# Configuring a buffer of 100 lines
accessLog:
filePath: "log-access.log"
bufferingSize: 100
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
certificatesResolvers:
http:
acme:
email: my-email#hotmail.com
storage: acme.json
httpChallenge:
entryPoint: http
Finally, when I run docker-compose up -d , the application goes on, but I can not acess the traefik dashboard when I try to access traefik.myhost.ddns.net in the browser. The error message is that could not be found any web site with that host.
But, if I change the Host-name in the label to - traefik.http.routers.traefik.rule=Host('traefik.localhost')" , I can access the traefik dashboard typing traefik.localhost in the browser.
The question is, how can I use my ddns in the Host label to be able to access my traefik server externally?

Traefik dashboard only on the http port

I am trying to expose my docker services (like Heimdall, Plex, Tautulli, etc) on my host machines IP for internal purposes only, so without a domain name. I want each service to be accessible ith its own prefix like 192.168.0.100/heimdall, 192.168.0.100/tautulli, etc.
I would like to have the dashboard on a separate port, like 8080, but even after I specify an entry point for 8080 as traefik and set traefik as the entry point for the service it still goes to the port 80 named http.
Is there any issue with my config or is it an issue on traefik side?
docker-compose.yml
version: '3'
services:
traefik:
image: traefik
container_name: traefik
ports:
- "80:80"
- "8080:8080"
restart: always
volumes:
- ./traefik:/etc/traefik
- "/var/run/docker.sock:/var/run/docker.sock:ro"
traefik.yml
entryPoints:
http:
address: ":80"
traefik:
address: ":8080"
api: {}
log:
level: "DEBUG"
providers:
file:
directory: /etc/traefik/dynamic
docker:
endpoint: unix:///var/run/docker.sock
exposedByDefault: false
dashboard.yml
http:
routers:
api:
rule: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
entrypoints:
- traefik
service: api#internal

According to documentation (https://docs.traefik.io/v2.2/operations/api/#insecure), this could help:
api:
insecure: true
It should implicitly use special entrypoint traefik with port 8080.
You can also check this for more info about dashboard: https://docs.traefik.io/operations/dashboard/
EDIT
I have just tried it and it works on port 8080 with this configuration:
docker-compose.yml
version: '3'
services:
traefik:
image: traefik
container_name: traefik
restart: always
ports:
- "80:80"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./dockerfiles/traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
- "traefik.http.routers.dashboard.entrypoints=traefik"
- "traefik.http.routers.dashboard.service=api#internal"
traefik.yml (I have used yours without file provider):
entryPoints:
http:
address: ":80"
traefik:
address: ":8080"
api: {}
log:
level: "DEBUG"
providers:
docker:
endpoint: unix:///var/run/docker.sock
exposedByDefault: false

Configure Traefik in front of two docker containers, all on port 80

I try to run three docker containers on one host. Traaefik is one of the containers to proxy traffic to the other containers.
My first goal is to reach each container through a dedicated hostname on port 80. Traefik ui should be available only through a hostname and on port 80 also, having some sort of authentication.
Using only a docker-compose.yml, I can reach all three containers using the hostnames, all on port 80. But to add authentication, I guess I need to introduce a traefik.toml. But this gives me troubles.
Next goal would be to introduce SSL using let's encrypt on all three hosts.But first things first...
Working solution with three hosts, all on port 80, lacking authorization for Traefik UI:
version: "2"
networks:
web:
services:
prox:
image: containous/traefik:latest # The official Traefik docker image
command: --api --docker # Enables the web UI and tells Træfik to listen to docker
restart: unless-stopped
ports:
- "80:80" # The HTTP port
labels:
- "traefik.port=8080"
- "traefik.backend=traefikception"
- "traefik.frontend.rule=Host:traefik.test.com"
- "traefik.enable=true"
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
networks:
- web
seafile_1:
image: seafileltd/seafile
container_name: seafile_1
restart: unless-stopped
environment:
SEAFILE_ADMIN_EMAIL: me#test.com
SEAFILE_ADMIN_PASSWORD: ####
SEAFILE_SERVER_HOSTNAME: 1.test.com
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:1.test.com
- traefik.port=80
- traefik.backend=seafile_1
- traefik.docker.network=web
volumes:
- /opt/seafile-data/ttt_1:/shared
networks:
- web
seafile_2:
image: seafileltd/seafile
container_name: seafile_2
restart: unless-stopped
environment:
SEAFILE_ADMIN_EMAIL: me#test2.com
SEAFILE_ADMIN_PASSWORD: #####
SEAFILE_SERVER_HOSTNAME: 2.test2.com
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:2.test2.com
- traefik.port=80
- traefik.backend=seafile_1
- traefik.docker.network=web
volumes:
- /opt/seafile-data/ttt_2:/shared
networks:
- web
Adding the following traefik.toml:
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.proxy]
address=":80"
[entryPoints.proxy.auth]
[entryPoints.proxy.auth.basic]
users = [
"joh:$apr1$RKdHyOKO$QDK1EKB4UJbsda7CXfPfK0",
]
[api]
entrypoint="proxy"
I get lot's of the following errors in the log, none of the containers is reachable from outside:
prox_1 | time="2018-06-17T19:23:26Z" level=fatal msg="Error preparing server: listen tcp :8080: bind: address already in use"
prox_1 | time="2018-06-17T19:24:26Z" level=error msg="Error opening listener listen tcp :8080: bind: address already in use"
prox_1 | time="2018-06-17T19:24:26Z" level=fatal msg="Error preparing server: listen tcp :8080: bind: address already in use"
I am pretty sure I need to adapt my docker-compose.yml and move settings to traefik.toml, but I cannot get my head around how to to that.
Thanks in advance!!

With the help of traefik support on slack I was able to solve this.
you may not have more than one entryPoint per Port
The Authorization can be configured in the docker-compose.yml
add acme.json and configure https and Let's encrypt only in traefik.toml
In /opt/traefik put the following three files:
acme.json:
may be empty but must be well secured:
touch acme.json
chmod 600 acme.json
docker-compose.yml:
version: "2"
networks:
web:
services:
prox:
image: containous/traefik:latest # The official Traefik docker image
command: --api --docker # Enables the web UI and tells Træfik to listen to docker
restart: unless-stopped
ports:
- "80:80"
- "443:443"
# - "8080:8080" # Don't want this port open (on all hostnames!)
labels:
- "traefik.port=8080"
- "traefik.backend=traefikception"
- "traefik.frontend.rule=Host:traefik.example.me"
- "traefik.enable=true"
- "traefik.frontend.auth.basic=admin:$$ert2$$RKdHyOKO$$QDK1EKB4UJbsda7CXfPfK0"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock" # So that Traefik can listen to the Docker events
- "./traefik.toml:/traefik.toml"
- "./acme.json:/acme.json"
networks:
- web
seafile_org1:
image: seafileltd/seafile
container_name: seafile_org1
restart: unless-stopped
environment:
SEAFILE_ADMIN_EMAIL: mail#mail.me
SEAFILE_ADMIN_PASSWORD: ####
SEAFILE_SERVER_HOSTNAME: org1.example.me
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:org1.example.me
- traefik.port=80
- traefik.backend=seafile_org1
- traefik.docker.network=web
volumes:
- /opt/seafile-data/org1:/shared
networks:
- web
seafile_org2:
image: seafileltd/seafile
container_name: seafile_org2
restart: unless-stopped
environment:
SEAFILE_ADMIN_EMAIL: mail#mail.com
SEAFILE_ADMIN_PASSWORD: ####
SEAFILE_SERVER_HOSTNAME: org2.example.com
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:org2.example.com
- traefik.port=80
- traefik.backend=seafile_org2
- traefik.docker.network=web
volumes:
- /opt/seafile-data/org2:/shared
networks:
- web
get what you need to put as value to traefik.frontend.auth.basic issuing:
htpasswd -n admin
traefik.toml:
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[api]
dashboard = true
# Enable ACME (Let's Encrypt): automatic SSL.
[acme]
email = "you#mail.com"
storage = "acme.json"
entryPoint = "https"
# If true, display debug log messages from the acme client library.
# acmeLogging = true
# Enable certificate generation on frontends host rules.
onHostRule = true
# CA server to use.
# Uncomment the line to use Let's Encrypt's staging server,
# leave commented to go to prod.
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# Use a HTTP-01 ACME challenge.
# Optional (but recommended)
[acme.httpChallenge]
entryPoint = "http"
This uses Let's encrypt staging environment to get you three certs. Comment the line with caServer to get the real certs! Recreate an empty acme.json as well!
The seafile-data is stored in
/opt/seafile-data/org1
and
/opt/seafile-data/org2
respectively.
In /opt/traefik you can start the system:
docker-compose up -d
and watch the logs with
docker-compose logs
Startup takes some time on first run to setup seafile, get the certs,...
Your hosts should be reachable, giving no SSL errors or warnings on
http://traefik.example.me (Asking your credentials to see the page)
http://org1.example.me
http://org2.example.com
What's left to do is to edit the ccnet.conf file in each of the seafile installation directories (/opt/seafile-data/org1/seafile/conf/ccnet.conf) and change the protocol to "http" and remove the port ":8000" from SERVICE_URL so that shared links are correct for that setup as well. The line should read:
SERVICE_URL = https://org1.example.me

You can do it all in the Docker Stacks file:
version: "3.7"
services:
traefik:
image: traefik:1.7.13
command: >
--api
--docker
--docker.swarmmode
--docker.watch
--docker.exposedbydefault=false
# --debug=true
--loglevel=error # debug
--defaultentrypoints=https,http
--entryPoints="Name:http Address::80 Redirect.EntryPoint:https"
--entryPoints="Name:https Address::443 TLS"
--retry
--acme=true
--acme.entrypoint=https
--acme.httpchallenge
--acme.httpchallenge.entrypoint=http
--acme.domains="..."
--acme.email="..."
--acme.storage=/certs/acme.json
ports:
- 80:80 # HTTP
- 443:443 # HTTPS
- 8080:8080 # The Web UI (enabled by --api)
volumes:
- acme:/certs
- /var/run/docker.sock:/var/run/docker.sock:ro
whoami:
image: containous/whoami
deploy:
labels:
traefik.frontend.rule: Path:/whoami
traefik.enable: "true"
traefik.port: 80
volumes:
acme: