Develop Reference

Bad gateway on traefik docker

I build traefik with cloudflare CDN. I used docker container run command to execute my docker container execute by Drone CI. I have an issue when I successfully built docker container which leads to bad gateway on subdomain.
docker-compose.yml
version: '3'
services:
traefik:
image: traefik:latest
container_name: traefik
restart: always
domainname: ${DOMAINNAME}
networks:
- traefik_proxy
ports:
- "80:80"
- "443:443"
- "8080:8080"
environment:
- CF_API_EMAIL=${CLOUDFLARE_EMAIL}
- CF_API_KEY=${CLOUDFLARE_API_KEY}
labels:
- "traefik.enable=true"
- "traefik.backend=traefik"
- "traefik.frontend.rule=Host:monitor.${DOMAINNAME}"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=example.com"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.auth.basic.users:${HTTP_USERNAME}:${HTTP_PASSWORD}"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/traefik:/etc/traefik
- /etc/docker/shared:/shared
networks:
traefik_proxy:
external:
name: traefik_proxy
Traefik.toml
nsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]
# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Let's encrypt configuration
[acme]
email = "example#gmail.com" #any email id will work
storage="acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 300
[[acme.domains]]
main = "example.com"
[[acme.domains]]
main = "*.example.com"
# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.com"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
Command I used to run the docker container execute by Drone:
docker container run -d --name example-development --restart=unless-
stopped --label "traefik.backend=example-development" --label
"traefik.frontend.rule=Host:subdomain.example.com" --label
"traefik.enable=false" --label "traefik.port=6611" --expose 6611
cloud.canister.io:5000/username/repo
My docker container is listening to http://127.0.0.1:6611
Above codes examples lead to Error 504 Gateway Timeout.

Traefik needs to have a common network with the containers it is connecting to. In this case, you need to run containers with --net=traefik_proxy.
If you're container is on multiple networks, you'll also need the label traefik.docker.network=traefik_proxy to tell traefik which of those networks to use.

Traefik - unable to obtain Let's encrypt certificate for domains => acme http challenge times out

I'm trying to secure a site which is served by trafik using let's encrypt. However, it fails when testing the acme challenge.
time="2019-02-07T23:23:35Z" level=error msg="Unable to obtain ACME certificate for domains \"git.redacted.be\" detected thanks to rule \"Host:git.redacted.be\" : unable to generate a certificate for the domains [git.redacted.be]: acme: Error -> One or more domains had a problem:\n[git.redacted.be] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://git.redacted.be/.well-known/acme-challenge/I_44HUy2IqyYZk-6GmfWxtm7Uunx_wid9rgHpXkhZcM: Error getting validation data, url: \n"
The server is publicly available (if I go to http://git.redacted.be, it get's redirected to https and I can configure my git server) from the internet, and gogs (the git server) is also made accessible via traefik and docker.
When I manually navigate to the url mentioned (.well-known/acme-challenge/...), the request times out but logging inside traefik shows: Error getting challenge for token: cannot find challenge for
I already tried some of the workarounds mentioned in https://github.com/containous/traefik/issues/2763 (disable IPv6 and use traefik:alpine)
This is my setup:
Traefik docker-compose.yml
version: '3.2'
services:
traefik:
image: traefik:alpine # The official Traefik docker image
command: --api --docker --logLevel=info # Enables the web UI and tells Tr ik to listen to docker
restart: unless-stopped
ports:
- "81:80" # The HTTP port
- "444:443"
- "18080:8080" # The Web UI (enabled by --api)
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./acme.json:/acme.json
networks:
- traefik
logging:
driver: "json-file"
networks:
traefik:
external:
name: traefik
Traefik.toml
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "redacted.be"
watch = true
exposedByDefault = false
[acme]
email = "ronald#redacted.be"
storage = "acme.json"
entryPoint = "https"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
The docker-compose of my git server:
version: '3.2'
services:
gogs:
restart: unless-stopped
image: gogs/gogs
volumes:
- ./data/db:/data/db
- ./data/git:/data/git
- ./data/gogs:/data/gogs
networks:
- gogs
- traefik
ports:
- "10022:22"
- "3000:3000"
labels:
- "traefik.port=3000"
- "traefik.frontend.rule=Host:git.redacted.be"
- "traefik.docker.network=traefik"
networks:
gogs:
traefik:
external:
name: traefik
Any idea what I'm doing wrong?

Not redirected to SSL/acme.json empty

I am using traefik as reverse proxy for cryptpad. Traefik is running in a docker container. I used this docs to solve this issue: https://github.com/xwiki-labs/cryptpad/wiki/Docker-(with-Nginx-and-Traefik)#configuring-traefik
That's what I did:
$ mkdir traefik && cd traefik
$ wget https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml
$ mv traefik.sample.toml traefik.toml
$ touch acme.json && chmod 600 acme.json
I added this to traefik.toml:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[acme]
email = "me#example.org"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
Created docker-compose.yml
version: '3'
services:
traefik:
image: traefik
command: --docker
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik/traefik.toml:/traefik.toml
- ./traefik/acme.json:/acme.json
ports:
- 80:80
- 443:443
networks:
- proxy
container_name: traefik
networks:
proxy:
external: true
And created/started traefik with docker-compose up -dll .
Well - for http it works fine so far - but I am not being redirected to https. And if I would, the connection would be reset (https://cryptpad.mydomain.org -> connection refused).
I checked if something is listening for http/https:
tcp LISTEN 0 128 :::http :::*
tcp LISTEN 0 128 :::https :::*
And tried to telnet it:
[root#cryptpad ~]# telnet localhost 443
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
What did I miss?

Certificate not automatically created - Docker-Compose, Traefik, Let's Encrypt,

I have set up my first home-docker-stack:
DDNS account --> No chance to get subdomains --> Use ports.
Configure a https-proxy so that https-configuration is not required for each container --> Use traefik.
Now I have a traefik.toml with the following content:
defaultEntryPoints = ["http", "https"]
logLevel = "DEBUG"
debug = true
[web]
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "MY_EMAIL_ADDRESS"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
onDemand = true
OnHostRule = false
[acme.httpChallenge]
entryPoint = "http"
[docker]
domain = "MY_DOMAIN"
watch = true
And a docker-compose.yml looking as follows:
version: '3.4'
services:
db:
image: mariadb:10.1
restart: always
volumes:
- db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=SOMEPASSWORD
env_file:
- db.env
wordpress:
image: wordpress:apache
restart: always
ports:
- "8001:80"
environment:
- WORDPRESS_DB_HOST=db
- WORDPRESS_DB_PASSWORD=SOMEPASSWORD
- WORDPRESS_DB_NAME=wordpress
depends_on:
- db
networks:
- default
- traefik-net
deploy:
replicas: 1
labels:
- "traefik.enable=true"
- "traefik.port=8001"
- "traefik.docker.network=traefik-net"
traefik:
image: traefik:1.5-alpine
restart: always
networks:
- traefik-net
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /home/traefik/traefik.toml:/etc/traefik/traefik.toml:ro
- /home/traefik/acme:/etc/traefik/acme
privileged: true
container_name: traefik
volumes:
db:
networks:
traefik-net:
If I now try to reach my traefik-instance as follows:
https://MY_DOMAIN/
The client returns (untrusted self signed certificate):
Dem Zertifikat wird nicht vertraut, weil es vom Aussteller selbst signiert wurde.
The traefik log contains:
traefik | time="2018-03-19T13:29:29Z" level=debug msg="Looking for provided certificate to validate MY_DOMAIN..."
traefik | time="2018-03-19T13:29:29Z" level=debug msg="No provided certificate found for domains MY_DOMAIN, get ACME certificate."
traefik | time="2018-03-19T13:29:29Z" level=debug msg="Looking for an existing ACME challenge for MY_DOMAIN..."
traefik | time="2018-03-19T13:29:29Z" level=debug msg="http2: server: error reading preface from client 80.129.18.33:44700: remote error: tls: unknown certificate authority"
Why might the generation of the certificate not start? What do I have to fix?

Traefik will access your container through the docker network, in the docker network the ports you have set in the ports mapping in the docker-compose file means nothing. ports is just to map the container port to one of the hosts ports.
So the port that you should tell traefik to use (through the labels) is 80, the port that the webserver listens to. And you could remove the port mapping, because that's just to the host, if Traefik have ports open for http, it will route the requests to your container (through the exposed port, which should be 80).
As long as your container is in the network, the exposed ports will be available for all other containers in the network.
Another note:
You are in the docker-compose file using a 3.x version. All 3.x versions are swarm specific, so stick to 2.x for none-swarm files.

Traefik https not fully secure

I try to configure my server with Traefik using Docker containers. I configured Traefik so it works, I got the dashboard page. The thing is I would like to have my own GitLab server. I pulled GitLab docker image and I created a docker-compose file.
Even if GitLab container takes long time to start, it seems to work. I'm able to see the Gitlab backend from Traefik dashboard.
The problem is when I try to go on Gitlab's address, my browser (Firefox and Chrome) tells me that my page is not fully secure. Here's the exact error:
Connection is not secure. Parts of this page are not secure (such as images)
I can't find out why I'm getting this error, my configuration is really basic.
Here's my Traefik.toml config:
defaultEntryPoints = ["http", "https"]
# Web section is for the dashboard interface
[web]
address = ":8080"
[web.auth.basic]
users = ["admin:$apr1$TF1rGQz9$OdtHJ15PT6LGWObE4tXuK0"]
# entryPoints section configures the addresses that Traefik and the proxied containers can listen on
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Acme section is for Let's Encrypt configuration
[acme]
email = "email#email.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
[[acme.domains]]
main = "domain.com"
Here's my docker-compose.yml
version: '3.3'
networks:
proxy:
external: true
internal:
external: false
services:
gitlab:
image: gitlab/gitlab-ce
container_name: gitlab
labels:
- traefik.backend=gitlab
- traefik.frontend.rule=Host:git.domain.com
- traefik.docker.network=proxy
- traefik.port=80
networks:
- internal
- proxy
Here's my docker run command for Traefik container:
docker run -d \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $PWD/traefik.toml:/traefik.toml \
-v $PWD/acme.json:/acme.json \
-e TZ="Europe/Paris" \
-p 80:80 \
-p 443:443 \
-l traefik.frontend.rule=Host:monitor.domain.com \
-l traefik.port=8080 \
--network proxy \
--name traefik \
traefik:1.3.6-alpine --docker --logLevel=DEBUG
As you can see it's a very basic configuration, I don't get why I can't get a fully secure GitLab page. In acme.json file I see my main domain "domain.com" and my sub-domain "git.domain.com". So it should be secure.
What am I missing ? :/

I finally found out why GitLab page was insecure. It's because GitLab use avatar profile picture with insecure path as "htttp://picture_address".
If it can help someone with the same issue :)