Setting up Traefik with Cloudflare - docker

I am trying to set up Traefik using a combination of this guide and the code found here.
I am using docker-compose with Unraid; so far I have the following code:
traefik.toml:
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

[retry]

[acme]
  email = "user@domain.com"
  storage = "acme.json"
  entryPoint = "https"
  #OnHostRule = true
  #onDemand = true
  [acme.dnsChallenge]
    provider = "cloudflare"
  [[acme.domains]]
    main = "domain.name"
  [[acme.domains]]
    main = "*.domain.name"
docker-compose.yml:
services:
  traefik:
    image: traefik:latest
    # folded scalar: the two lines are joined into one command string
    command: >
      --web --docker --docker.watch --docker.domain=${DOMAIN}
      --docker.exposedbydefault=false --acme.domains=${DOMAIN}
    container_name: traefik
    hostname: traefik
    networks:
      br0:
        ipv4_address: 192.168.1.253
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${CONFIG}/traefik/acme.json:/acme.json
      - ${CONFIG}/traefik/traefik.toml:/etc/traefik/traefik.toml
      - ${CONFIG}/traefik/.htpasswd:/etc/traefik/.htpasswd:ro
    environment:
      - CF_API_EMAIL=user@domain.com
      - CF_API_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXX
    labels:
      traefik.enable: "true"
      traefik.frontend.rule: "Host:monitor.${DOMAIN}"
      traefik.port: "8080"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

  ouroboros:
    image: pyouroboros/ouroboros
    container_name: ouroboros
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - PGID
      - PUID
      - TZ
      - CLEANUP=true
      - INTERVAL=86400 # 24hrs
      - SELF_UPDATE=true
      - LABELS_ONLY=true
    restart: unless-stopped

  plex:
    image: linuxserver/plex
    container_name: plex
    hostname: plex
    networks:
      br0:
        ipv4_address: 192.168.1.252
    volumes:
      - ${CONFIG}/plex:/config
      - ${DATA}/TV:/media/tv
      - ${DATA}/Movies:/media/movies
      - ${DATA}/Music:/media/music
      - ${DATA}/Anime:/media/anime
    environment:
      - PGID
      - PUID
      - TZ
      - VERSION=latest
    labels:
      traefik.enable: "true"
      traefik.port: "32400"
      traefik.frontend.rule: "Host:plex.${DOMAIN}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

  plexpy:
    image: linuxserver/tautulli:latest
    container_name: tautulli
    hostname: tautulli
    networks:
      br0:
        ipv4_address: 192.168.1.251
    volumes:
      - ${CONFIG}/plexpy:/config
      - ${CONFIG}/plex/Library/Application Support/Plex Media Server/Logs:/logs:ro
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "8181"
      traefik.frontend.rule: "Host:tautulli.${DOMAIN}"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

  heimdall:
    image: duhio/heimdall-https:latest
    container_name: heimdall
    hostname: heimdall
    networks:
      br0:
        ipv4_address: 192.168.1.250
    volumes:
      - ${CONFIG}/heimdall:/config
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "80"
      traefik.frontend.rule: "Host:${DOMAIN}"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

  ombi:
    image: linuxserver/ombi
    container_name: ombi
    hostname: ombi
    networks:
      br0:
        ipv4_address: 192.168.1.249
    volumes:
      - ${CONFIG}/ombi:/config
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "3579"
      traefik.frontend.rule: "Host:ombi.${DOMAIN}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

# br0 is an existing Unraid macvlan
networks:
  br0:
    external: true
When I used OnHostRule = true I could get plex.domain.name working with https, but none of the other subdomains.
UPDATE: I have concluded that the issue is that the wildcard domains are not working. After talking to a redditor, he was not sure that the wildcards would work when manually specifying the network in the docker-compose.yml with static IPs; so far I have been unable to confirm this.
Digging further, I think this may be an issue at the Cloudflare level: source here and report here.

Edit: This configuration is now out of date for Traefik 2.0 and beyond
I have wildcards working with Cloudflare. Here is my configuration:
Part of my traefik.toml file:
[acme]
  acmeLogging = true
  email = "me@email.com"
  storage = "/acme.json"
  onHostRule = true
  entryPoint = "https"
  [acme.dnsChallenge]
    provider = "cloudflare"
  [[acme.domains]]
    main = "sub.domain.com"
  [[acme.domains]]
    main = "*.sub.domain.com"
And then in my docker-compose.yml file from which I start my traefik service, I specify an env file:
env_file: ./traefik.env
In this file I have the following environment variables:
CLOUDFLARE_EMAIL=value1
CLOUDFLARE_API_KEY=value2
CF_API_EMAIL=value1
CF_API_KEY=value2
I hope from my examples you'll have something to experiment with and find success!
I heavily recommend adding debug = true to your traefik.toml file, as it will display logs that indicate whether or not the Cloudflare setup was successful and for which domains.

Related

Bookstack with traefik as reverse proxy

I'm trying to set up Bookstack with Traefik as a reverse proxy. Traefik is already set up and running fine with Nextcloud and other services.
I'm using the image provided by linuxserver and am modifying the docker-compose file as follows:
version: "2"
services:
  bookstack:
    image: lscr.io/linuxserver/bookstack
    container_name: bookstack
    environment:
      - PUID=1000
      - PGID=1000
      - APP_URL=my-sub.domain.com
      - DB_HOST=bookstack_db
      - DB_USER=dbusernamesetbyme
      - DB_PASS=thedbpasswordichose
      - DB_DATABASE=bookstackapp
    volumes:
      - /path/to/data:/config
    ports:
      - 6875:80
    restart: unless-stopped
    depends_on:
      - bookstack_db

  bookstack_db:
    image: lscr.io/linuxserver/mariadb
    container_name: bookstack_db
    environment:
      - PUID=1000
      - PGID=1000
      - MYSQL_ROOT_PASSWORD=modifiedpassword
      - TZ=Europe/Berlin
      - MYSQL_DATABASE=bookstackapp
      - MYSQL_USER=usernamesetbyme
      - MYSQL_PASSWORD=anotherpassword
    volumes:
      - /path/to/data:/config
    restart: unless-stopped
    labels:
      traefik.enable: "true"
      traefik.http.routers.bookstack.entrypoints: "http"
      traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.de`)"
      traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
      traefik.http.routers.bookstack-secure.entrypoints: "https"
      traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
      traefik.http.routers.bookstack-secure.tls: "true"
      traefik.http.routers.bookstack-secure.tls.certresolver: "http"
      traefik.http.routers.bookstack-secure.service: "bookstack"
      traefik.http.services.bookstack.loadbalancer.server.port: "80"
      traefik.docker.network: "nameofmyproxynetwork"
    networks:
      - nameofmyproxynetwork
When I call my-sub.domain.com I get a Gateway Timeout. If I leave out the labels and the APP_URL, I can call Bookstack via the host IP and the port, e.g. 101.101.101.101:6875, and it works just fine.
Any ideas?
Best regards!
Try to move labels: from bookstack_db: to bookstack:. I set up Bookstack with Traefik locally and it worked.
You can use this docker-compose.yaml for reference:
version: "3.7"
services:
  bookstack:
    image: linuxserver/bookstack:latest
    container_name: bookstack
    environment:
      - APP_URL=my-sub.domain.com
      - TZ=Europe/Berlin
      - DB_HOST=bookstack_db:3306
      - DB_DATABASE=bookstackapp
      - DB_USERNAME=dbusernamesetbyme
      - DB_PASSWORD=thedbpasswordichose
    volumes:
      - ./bookstack/app:/config
    ports:
      - 6875:80
    restart: unless-stopped
    depends_on:
      - bookstack_db
    labels:
      traefik.enable: "true"
      traefik.http.routers.bookstack.entrypoints: "http"
      traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.de`)"
      traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
      traefik.http.routers.bookstack-secure.entrypoints: "https"
      traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
      traefik.http.routers.bookstack-secure.tls: "true"
      traefik.http.routers.bookstack-secure.tls.certresolver: "http"
      traefik.http.routers.bookstack-secure.service: "bookstack"
      # traefik.http.services.bookstack.loadbalancer.server.port: "80"
      # traefik.docker.network: "nameofmyproxynetwork"
    networks:
      - nameofmyproxynetwork

  bookstack_db:
    image: mariadb:10.9
    container_name: bookstack_db
    environment:
      - TZ=Europe/Berlin
      - MYSQL_ROOT_PASSWORD=modifiedpassword
      - MYSQL_DATABASE=bookstackapp
      - MYSQL_USER=usernamesetbyme
      - MYSQL_PASSWORD=anotherpassword
    volumes:
      - ./bookstack/db:/var/lib/mysql
    ports:
      - 3306:3306
    restart: unless-stopped
    networks:
      - nameofmyproxynetwork

networks:
  nameofmyproxynetwork:
    external: true
I also attach my original labels: config, just in case.
labels:
  - traefik.enable=true
  - traefik.http.routers.bookstack-http.entrypoints=web
  - traefik.http.routers.bookstack-http.rule=Host(`bookstack.docker.localdev`)
  - traefik.http.routers.bookstack-http.middlewares=bookstack-https
  - traefik.http.middlewares.bookstack-https.redirectscheme.scheme=https
  - traefik.http.routers.bookstack-https.entrypoints=websecure
  - traefik.http.routers.bookstack-https.rule=Host(`bookstack.docker.localdev`)
  - traefik.http.routers.bookstack-https.tls=true
So, I've got some external help and got a .yml file that worked:
version: "3.7"
services:
  bookstack:
    image: linuxserver/bookstack:latest
    container_name: bookstack
    environment:
      - APP_URL=https://my-sub.domain.com
      - TZ=Europe/Berlin
      # - PUID= # = stat ./bookstack/app --format "%u"
      # - PGID= # = stat ./bookstack/app --format "%g"
      - DB_HOST=bookstack_db
      - DB_DATABASE=bookstackdb
      - DB_USERNAME=<dbuser>
      - DB_PASSWORD=<dbpassword>
    volumes:
      - ./bookstack/app:/config
    ports:
      - 6875:80
    restart: unless-stopped
    depends_on:
      - bookstack_db
    labels:
      traefik.enable: "true"
      traefik.docker.network: "proxy"
      traefik.http.routers.bookstack.entrypoints: "http"
      traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.com`)"
      traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
      traefik.http.routers.bookstack-secure.entrypoints: "https"
      traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
      traefik.http.routers.bookstack-secure.tls: "true"
      traefik.http.routers.bookstack-secure.tls.certresolver: "http"
      traefik.http.services.bookstack.loadbalancer.server.port: "80"
    networks:
      - default
      - proxy

  bookstack_db:
    image: lscr.io/linuxserver/mariadb
    container_name: bookstack_db
    environment:
      - TZ=Europe/Berlin
      - MYSQL_ROOT_PASSWORD=<dbrootpassword>
      - MYSQL_DATABASE=bookstackdb
      - MYSQL_USER=<dbuser>
      - MYSQL_PASSWORD=<dbpassword>
    volumes:
      - ./bookstack/db:/var/lib/mysql
    restart: unless-stopped
    networks:
      - default

networks:
  default:
    name: bookstack-default
  proxy:
    external: true
One issue of mine was that I did not realize that DB_USERNAME and MYSQL_USER, and DB_PASSWORD and MYSQL_PASSWORD, had to contain the same variable.
Furthermore, I'm going to provide my traefik.yml, as it shows that I did not use the typical label names.
api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "./dynamic_conf.yml"

certificatesResolvers:
  http:
    acme:
      email: username@domain.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
Hope that helps somebody else!

Traefik cannot Issue Lets Encrypt Cert for gitlab container on different port

I'm running a gitlab-ee Docker container behind a Traefik v1 Docker container. My GitLab is supposed to run on the domain gitlab.dev.example.com:65443; port 65443 is forwarded to 443 on my server by my router (I have other stuff running on my 443 and 80 ports). My Traefik dashboard is running on traefik.dev.example.com:65443/dashboard/
Now, when I want to get a Let's Encrypt certificate with Traefik, it tries to get it for the domain gitlab.dev.example.com and fails with "Unable to obtain ACME certificate for domains "gitlab.dev.example.com" [...]"
If I visit https://gitlab.dev.example.com:65443 it opens my GitLab container, but with the "Traefik Default Cert". I cannot push or pull from these GitLab repositories because the SSL certificates are self-signed, hence why I want to get a Let's Encrypt one.
I swapped out the actual domain with "example.com", obviously.
my traefik.toml:
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https", "http"]

[web]
  address = ":80"

[docker]
  endpoint = "unix:///var/run/docker.sock"
  domain = "traefik.dev.example.com" # swapped the url out
  watch = true
  exposedByDefault = false

# Force HTTPS
[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

# Enable retry sending a request if the network error
[retry]

# Let's encrypt configuration
[acme]
  email = "e@mail.com" # swapped the email out
  storage = "acme.json"
  entryPoint = "https"
  acmeLogging = true
  OnHostRule = true
  [acme.httpChallenge]
    entryPoint = "http"
Now to my docker-compose files. I have a separate docker-compose.yml for each container.
My docker-compose.yml for the Traefik container:
version: "3.2"
services:
  reverse-proxy:
    image: traefik:alpine
    command: --api --docker --logLevel=error
    restart: unless-stopped
    container_name: docker-traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/etc/traefik/traefik.toml
      - ./acme.json:/acme.json
    environment:
      - "TZ=Europe/Berlin"
    networks:
      - traefik_proxy
      - default
    ports:
      - "443:443"
      - "80:80"
    logging:
      driver: "json-file"
      options:
        max-file: "3"
        max-size: "5m"
    labels:
      - traefik.backend=traefik-proxy
      - traefik.frontend.rule=Host:traefik.dev.loropserver.de
      - traefik.docker.network=traefik_proxy
      - traefik.port=8080
      - traefik.enable=true
      - traefik.frontend.auth.basic=lorop:$$apr1$$dHnqprRX$$DjIWIaE97EnMoxwu6o/14.

networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  # default:
  #   driver: bridge
My docker-compose.yml for the GitLab container:
version: '3.5'
services:
  gitlab:
    image: 'gitlab/gitlab-ee:latest'
    container_name: gitlab
    restart: unless-stopped
    hostname: 'gitlab.dev.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.dev.example.com';
        # some more configs
    ports:
      - '22:22'
      - '5005:5005'
    volumes:
      - './volumes/gitlab/config:/etc/gitlab'
      - './volumes/gitlab/logs:/var/log/gitlab'
      - './volumes/gitlab/data:/var/opt/gitlab'
      - /etc/localtime:/etc/localtime:ro
      - './certs:/etc/gitlab/trusted-certs'
    networks:
      - traefik_proxy
    labels:
      - 'traefik.enable=true'
      - 'traefik.port=65443'
      - 'traefik.docker.network=traefik_proxy'
      - 'traefik.backend=gitlab'
      - 'traefik.frontend.rule=Host:gitlab.dev.example.com'
      - 'traefik.http.routers.entrypoints=websecure'

networks:
  traefik_proxy:
    external: true

Traefik/Nextcloud not obtaining remote IP address

I was reviewing the log files/database and I noticed that when I attempted to trip the Nextcloud brute force protection manually, it was recording the IP and subnet of the docker network, not the IP address I was accessing the login page from (specifically 192.168.192.1 and 192.168.192.1/32).
I don't know if I have something in the Traefik or Nextcloud compose files configured incorrectly or if something else is wrong with the docker network, but obviously I would like it to detect the actual IP address of the user trying to log in, not the internal docker IP information. I thought I'd start here and see if I can get any feedback before looking elsewhere.
traefik docker-compose.yml: https://pastebin.com/rjFA5ZBi
version: '3.3'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${USERDIR}/traefik/traefik.toml:/traefik.toml
      - ${USERDIR}/traefik/acme.json:/acme.json
      - /var/log/traefik:/var/log
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    expose:
      - 8080
    command:
      - --accessLog.filePath=/var/log/access.log
      - --accessLog.filters.retryAttempts=true
      - --accessLog.filters.minDuration=10ms
      - --accessLog.filters.statusCodes=400-499
    restart: always

networks:
  proxy:
    external: true
Nextcloud docker-compose.yml: https://pastebin.com/CjTYBZm6
db:
  image: mariadb
  container_name: nextcloud-mariadb
  # the two environment: blocks of the original are merged here; a duplicate
  # mapping key is invalid YAML and the second block would silently win
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=${TZ}
    - MYSQL_ROOT_PASSWORD=Win!
    - MYSQL_PASSWORD=Win!
    - MYSQL_DATABASE=nextcloud
    - MYSQL_USER=nextcloud
  networks:
    - proxy
  volumes:
    - ${USERDIR}/mysql:/var/lib/mysql
    - /etc/localtime:/etc/localtime:ro
  restart: unless-stopped

nextcloud:
  image: linuxserver/nextcloud
  container_name: nextcloud
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=${TZ}
  depends_on:
    - db
  volumes:
    - /mnt/raid/nextcloud:/data
    - ${USERDIR}/nextcloud:/config
    #- ${USERDIR}/nextcloud:/var/www/html
    #- ${USERDIR}/nextcloud/app/config:/var/www/html/config
    #- ${USERDIR}/nextcloud/app/custom_apps:/var/www/html/custom_apps
    #- ${USERDIR}/nextcloud/app/themes:/var/www/html/themes
    - /etc/localtime:/etc/localtime:ro
  labels:
    - traefik.enable=true
    - traefik.backend=nextcloud
    - traefik.frontend.rule=Host:upload.${DOMAIN}
    - traefik.docker.network=proxy
    - traefik.basic.protocol=https
    - traefik.port=443
    - traefik.frontend.redirect.permanent=true
    - traefik.frontend.redirect.regex=https://(.*)/.well-known/(card|cal)dav
    - traefik.frontend.redirect.replacement=https://$$1/remote.php/dav/
    - traefik.frontend.headers.SSLRedirect=true
    - traefik.frontend.headers.STSSeconds=315360000
    - traefik.frontend.headers.browserXSSFilter=true
    - traefik.frontend.headers.contentTypeNosniff=true
    - traefik.frontend.headers.forceSTSHeader=true
    - traefik.frontend.headers.SSLHost=example.com
    - traefik.frontend.headers.STSIncludeSubdomains=true
    - traefik.frontend.headers.STSPreload=true
    - traefik.frontend.headers.frameDeny=true
  networks:
    - proxy
  expose:
    - 443
  restart: unless-stopped
Traefik toml: https://pastebin.com/cDUxQaLb
#logLevel = "DEBUG"
logLevel = "INFO" # DEBUG, INFO, WARN, ERROR, FATAL, PANIC
################################################################
defaultEntryPoints = ["http", "https"]
InsecureSkipVerify = true

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.forwardedHeaders]
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.forwardedHeaders]
    [entryPoints.https.tls]

[web]
  address = ":8080"

################################################################
# Docker configuration backend
################################################################
[docker]
  endpoint = "unix:///var/run/docker.sock"
  domain = "xxxx.xxxxx"
  watch = true
  exposedbydefault = false

[acme]
  email = "xxxx"
  storage = "acme.json"
  entryPoint = "https"
  OnHostRule = true
  [acme.httpChallenge]
    entryPoint = "http"
Any help is appreciated!!
Solved -
config.php for Nextcloud requires a trusted_proxy:
"trusted_proxies" => ['10.0.0.1'],
When added, the client IP address is finally relayed.
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/reverse_proxy_configuration.html
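Why the docker gateway shows up in the log, and what trusting the proxy changes, as an added example written for this thread rather than taken from Nextcloud or Traefik. The 192.168.192.0/24 subnet and the client addresses in demo() are constructed, and client_ip() models the trusted-proxy rule in general rather than Nextcloud's exact implementation.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed to match the question: Traefik and Nextcloud share the docker
# "proxy" network, and Nextcloud sees every proxied connection arriving from
# the network gateway 192.168.192.1 (hypothetical subnet for this example).
DOCKER_PROXY_NET = "192.168.192.0/24"


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr lies in any trusted network (raises ValueError on a non-address)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: List[str]) -> str:
    """Resolve the address a brute-force protector should record.

    remote_addr      peer of the TCP connection (REMOTE_ADDR in PHP)
    x_forwarded_for  raw X-Forwarded-For header value, or None
    trusted_proxies  CIDRs or single addresses, as in Nextcloud's 'trusted_proxies'

    The header is only believed when the peer itself is a trusted proxy. It is
    then walked right-to-left (each proxy appends to the end) past every trusted
    hop, and the first untrusted address is taken as the client.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if not x_forwarded_for or not _is_trusted(remote_addr, trusted):
        return remote_addr  # no trusted proxy in front of us: header is untrustworthy
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop, trusted):
                return hop
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer address
    return remote_addr  # every hop was a trusted proxy; nothing better to report


def demo() -> dict:
    """The cases from the thread, with constructed client addresses (TEST-NET ranges)."""
    peer = "192.168.192.1"  # docker gateway, the address the question saw in the log
    client = "203.0.113.7"
    return {
        # Symptom: without trusted_proxies the docker gateway is what gets recorded.
        "untrusted_proxy": client_ip(peer, client, []),
        # Fix from the answer: trust the proxy (here its whole docker network).
        "trusted_proxy": client_ip(peer, client, [DOCKER_PROXY_NET]),
        # A direct connection carrying a forged header is not behind a trusted
        # proxy, so the header is ignored and the real peer is recorded.
        "forged_direct": client_ip("198.51.100.9", "10.0.0.1", [DOCKER_PROXY_NET]),
        # Two trusted hops in a row (e.g. a second proxy on the same network).
        "chained": client_ip(peer, f"{client}, 192.168.192.5", [DOCKER_PROXY_NET]),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:>16}: {ip}")
```

Trusting the proxy's whole docker network rather than one address keeps the lookup working when the Traefik container is recreated with a different address on that network.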

why are traefik acme generated certificate flagged as "Not Secure"?

I'm trying to start an application with Traefik. I have multiple containers set up with Swarm. I can reach them in the browser, but the websites are tagged not secure. I tried deleting acme.json and regenerating the SSL certificates, but it didn't change anything.
From my understanding, using ACME, the certificates are generated at boot. But now it behaves like a self-signed certificate, as I see "Fake LE Intermediate X1".
Here is my configuration:
logLevel = "DEBUG"
debug = true
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

[retry]

[api]
  address = ":8080"

[docker]
  endpoint = "unix://var/run/docker.sock"
  domain = "4yourfinance.com"
  watch = true
  swarmMode = true
  exposedByDefault = false

[acme]
  email = "serviceplatform@myfeelix.de"
  storage = "/etc/traefik/acme/acme.json"
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  onHostRule = true
  entryPoint = "https"
  [acme.httpChallenge]
    entryPoint = "http"
  [[acme.domains]]
    main = "4yourfinance.com"
    sans = ["nginx.4yourfinance.com", "api-wl.4yourfinance.com"]
And my docker-compose:
version: "3.3"
services:
  traefik:
    image: traefik
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    networks:
      - traefik-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./acme:/etc/traefik/acme
    configs:
      - source: traefik-config
        target: /etc/traefik/traefik.toml
    deploy:
      placement:
        constraints: [engine.labels.com.role == 4yourfinance]

  nginx2:
    image: nginx
    networks:
      traefik-net:
        aliases:
          - nginx
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.backend=nginx2"
        - "traefik.port=80"
        - "traefik.frontend.rule=Host:4yourfinance.com"
      placement:
        constraints: [engine.labels.com.role == 4yourfinance]

  nginx:
    image: nginx
    networks:
      traefik-net:
        aliases:
          - nginx
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.backend=nginx"
        - "traefik.port=80"
        - "traefik.frontend.rule=Host:nginx.4yourfinance.com"
      placement:
        constraints: [engine.labels.com.role == 4yourfinance]

  nginx3:
    image: nginx
    networks:
      traefik-net:
        aliases:
          - nginx
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.backend=api-wl"
        - "traefik.port=80"
        - "traefik.frontend.rule=Host:api-wl.4yourfinance.com"
      placement:
        constraints: [engine.labels.com.role == client-feelix]

networks:
  traefik-net:
    external:
      name: traefik-net

configs:
  traefik-config:
    file: config2.toml
I was using the staging caServer instead of production. I also had to set other domains:
Replace the caServer by
caServer = "https://acme-v02.api.letsencrypt.org/directory"
and add domains doing:
[[acme.domains]]
main = "4yourfinance.com"
[[acme.domains]]
main = "nginx.4yourfinance.com"

Traefik - local https not working. Unable to reach server

I tried to set up a reverse proxy using Traefik for one of my docker services. When I run the services, in Traefik's web UI I can see the mapping, but only for http, even though I have specified https in the traefik.toml file. I am also not able to access my services directly. All the services are in the same network, so I am not sure what is causing this.
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
address = ":8080"

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
        certFile = "/certs/journal.crt"
        keyFile = "/certs/journal.key"

[retry]

[docker]
  endpoint = "unix:///var/run/docker.sock"
  domain = "journal.com"
  watch = true
  exposedbydefault = false
docker-compose.yml
version: '3'
services:
  reverse-proxy:
    image: traefik
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/traefik.toml
      - ./traefik/certs/journal.crt:/certs/journal.crt
      - ./traefik/certs/journal.key:/certs/journal.key
    networks:
      - web

  prisma:
    image: prismagraphql/prisma:1.8
    restart: always
    ports:
      - "${PRISMA_HOST_PORT}:4466"
    environment:
      PRISMA_CONFIG: |
        port: 4466
        managementApiSecret: ${PRISMA_API_SECRET}
        databases:
          default:
            connector: postgres
            host: ${PRISMA_DB_HOST}
            port: ${PRISMA_DB_PORT}
            database: ${PRISMA_DB}
            user: ${PRISMA_DB_USER}
            password: ${PRISMA_DB_PASSWORD}
            migrations: ${PRISMA_ENABLE_MIGRATION}

  graphql-server:
    build: ./graphql-server/
    ports:
      - "${GRAPHQL_SERVER_PORT}:8080"
    volumes:
      - ./graphql-server:/usr/src/app
    depends_on:
      - prisma
    command: ["./wait-for-it.sh", "prisma:${PRISMA_HOST_PORT}", "--", "npm", "start"]
    environment:
      - PRISMA_SERVICE_NAME=prisma
      - PRISMA_API_SECRET
      - PRISMA_HOST_PORT
      - GRAPHQL_SERVER_PORT
      - APOLLO_ENGINE_KEY
    labels:
      - "traefik.backend=graphql"
      - "traefik.frontend.rule=Host:api.journal.com"
      - "traefik.enable=true"
      - "traefik.port=${GRAPHQL_SERVER_PORT}"
    networks:
      - web

  react-client:
    build: ./react-client/
    ports:
      - "${REACT_CLIENT_PORT}:3000"
    volumes:
      - ./react-client:/usr/src/app
    depends_on:
      - graphql-server
    environment:
      - GRAPHQL_SERVER_PORT
      - REACT_CLIENT_PORT

networks:
  web:
    external: true
Thanks in advance.
Try adding the following docker label to your graphql-server service:
traefik.frontend.entryPoints=http,https
I am facing the same problem. I have 'defaultEntryPoints = ["http", "https"]' defined in Traefik's (v1.7) main config, but when docker containers come up and register with Traefik, the frontend is reachable only via HTTP, not HTTPS, unless I define the entrypoints directly via docker labels.
regards,
max