Develop Reference

'Internal Server Error' when deploying Application with Traefik and LetsEncrypt

I'm new to SSL certificates with Traefik and have been having real trouble getting a successful deployment.
I have a server and domain that I have deployed my application on using Traefik and Http without issue. I would now like to deploy the same application, running on port 9000, to be deployed in Https using LetsEncrypt following the Traefik docs . I can verify that the certificate has been properly created using an SSL checker, however, when I try to visit the site I get Internal Server Error. There are no errors reported in either of the docker logs and I cannot figure out what to try next.
docker-compose.yml
version: '2'
services:
traefik:
image: traefik:v1.7
restart: always
ports:
- 80:80
- 443:443
networks:
- web
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/traefik/traefik.toml:/traefik.toml
- /opt/traefik/acme.json:/acme.json
container_name: traefik
app:
image: myapp_image
container_name: app
restart: always
networks:
- web
ports:
- "9000:9000"
labels:
- "traefik.docker.network=web"
- "traefik.enable=true"
- "traefik.basic.frontend.rule=Host:myapp.com"
- "traefik.basic.port=9000"
- "traefik.basic.protocol=http"
- "traefik.admin.frontend.rule=Host:myapp.com"
- "traefik.admin.protocol=https"
- "traefik.admin.port=9000"
networks:
web:
external: true
traefik.toml
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myapp.com"
watch = true
exposedByDefault = false
[acme]
email = "myemail#email.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"

Finally was able to find a workable solution for this. I may have just been using old information but the best reference to host an application with Traefik on Https using LetsEncrypt was found here.
The working Yaml example is below. Using this example will also eliminate the need for a Toml file!
version: "3.3"
services:
traefik:
image: "traefik:v2.2"
container_name: "traefik"
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.myresolver.acme.email=postmaster#example.com"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
ports:
- "443:443"
- "8080:8080"
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
whoami:
image: "containous/whoami"
container_name: "simple-service"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.tls.certresolver=myresolver"

Two docker containers with Traefik on one host

I'm trying to set up a server on my raspberry pi to run Nextcloud and Firefly III with traefik as a reverse proxy. I'm using docker-compose and Portainer is working fine with https (included in the code for testing), but I cannot get Nextcloud or Firefly to run at all. When I use the official documentation for Firefly I can get it to run and when I use NextcloudPi in itself I can also get that to run, but I cannot get both of them to work at the same time. FF is giving a 403 Forbidden "You don't have permission to access / on this server." error while Nextcloud is giving a "Bad Gateway" error. I'd be grateful for any help I can get regarding this as I've already read through as many sites as possible and I don't what else to do.
This is my docker-compose.yml:
version: "3.2"
services:
# Reverse Proxy and Let's Encrypt
traefik:
container_name: traefik
image: traefik:alpine
restart: always
networks:
- srv
- firefly_iii_net
- proxy-tier
ports:
- 80:80
- 443:443
volumes:
- /opt/traefik/traefik.toml:/traefik.toml
- /var/run/docker.sock:/var/run/docker.sock
- /opt/traefik/acme.json:/acme.json
# Portainer
portainer:
container_name: portainer
image: portainer/portainer
restart: always
networks:
- srv
ports:
- "9000:9000"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/portainer:/data
labels:
- traefik.enable=true
- "traefik.frontend.rule=Host:port.skdjfgsl.club"
db:
image: postgres:alpine
restart: always
volumes:
- db:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
app:
image: nextcloud:fpm-alpine
restart: always
volumes:
- nextcloud:/var/www/html
environment:
- POSTGRES_HOST=db
- POSTGRES_PASSWORD=
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
depends_on:
- db
networks:
- proxy-tier
expose:
- 80
- 443
labels:
- traefik.enable=true
- "traefik.frontend.rule=Host:nc.skdjfgsl.club"
firefly_iii_app:
environment:
- FF_DB_HOST=firefly_iii_db
- FF_DB_NAME=firefly
- FF_DB_USER=firefly
- FF_DB_PASSWORD=firefly
- FF_APP_KEY=S0m3R#nd0mStr1ngOf32Ch#rsEx#ctly
- FF_APP_ENV=local
- FF_DB_CONNECTION=pgsql
- TZ=Europe/Amsterdam
- APP_LOG_LEVEL=debug
- TRUSTED_PROXIES=**
image: jc5x/firefly-iii
links:
- firefly_iii_db
networks:
- firefly_iii_net
volumes:
-
source: firefly_iii_export
target: /var/www/firefly-iii/storage/export
type: volume
-
source: firefly_iii_upload
target: /var/www/firefly-iii/storage/upload
type: volume
expose:
- 80
- 443
labels:
- traefik.enable=true
- "traefik.frontend.rule=Host:ff.skdjfgsl.club"
- traefik.port=443
firefly_iii_db:
environment:
- POSTGRES_PASSWORD=firefly
- POSTGRES_USER=firefly
image: "postgres:10"
networks:
- firefly_iii_net
volumes:
- "firefly_iii_db:/var/lib/postgresql/data"
networks:
srv:
firefly_iii_net:
driver: bridge
proxy-tier:
volumes:
db:
nextcloud:
firefly_iii_db: ~
firefly_iii_export: ~
firefly_iii_upload: ~
This is my traefik.toml:
defaultEntryPoints = ["http", "https"]
logLevel = "DEBUG"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
exposedByDefault = false
watch = true
[acme]
email = "email#mydomain.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"

To go to port 443 (https) you need to adjust the protocol used by traefik to talk to the container with the following label:
- traefik.protocol=https
Bad gateway can mean traefik is trying to connect to the wrong port, wrong IP, or traefik and the container are not deployed to a common network. You can fix the first two by specifying a port and network name:
- traefik.port=80
- traefik.docker.network=project_proxy-tier
Where project is the name of your compose project (use docker network ls to see the external name of your networks).

Traefik - local https not working. Unable to reach server

I tried to set up reverse-proxy using traefik for one my docker-services. When I run the services, in traefik's web UI I can see the mapping but only for http eventhough I have specified https in traefik.toml file. I am also not able to access my services directly. All the services are in the same network. So I am not sure what is causing this.
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/certs/journal.crt"
keyFile = "/certs/journal.key"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "journal.com"
watch = true
exposedbydefault = false
docker-compose.yml
version: '3'
services:
reverse-proxy:
image: traefik
ports:
- "80:80"
- "8080:8080"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik/traefik.toml:/traefik.toml
- ./traefik/certs/journal.crt:/certs/journal.crt
- ./traefik/certs/journal.key:/certs/journal.key
networks:
- web
prisma:
image: prismagraphql/prisma:1.8
restart: always
ports:
- "${PRISMA_HOST_PORT}:4466"
environment:
PRISMA_CONFIG: |
port: 4466
managementApiSecret: ${PRISMA_API_SECRET}
databases:
default:
connector: postgres
host: ${PRISMA_DB_HOST}
port: ${PRISMA_DB_PORT}
database: ${PRISMA_DB}
user: ${PRISMA_DB_USER}
password: ${PRISMA_DB_PASSWORD}
migrations: ${PRISMA_ENABLE_MIGRATION}
graphql-server:
build: ./graphql-server/
ports:
- "${GRAPHQL_SERVER_PORT}:8080"
volumes:
- ./graphql-server:/usr/src/app
depends_on:
- prisma
command: ["./wait-for-it.sh", "prisma:${PRISMA_HOST_PORT}", "--", "npm", "start"]
environment:
- PRISMA_SERVICE_NAME=prisma
- PRISMA_API_SECRET
- PRISMA_HOST_PORT
- GRAPHQL_SERVER_PORT
- APOLLO_ENGINE_KEY
labels:
- "traefik.backend=graphql"
- "traefik.frontend.rule=Host:api.journal.com"
- "traefik.enable=true"
- "traefik.port=${GRAPHQL_SERVER_PORT}"
networks:
- web
react-client:
build: ./react-client/
ports:
- "${REACT_CLIENT_PORT}:3000"
volumes:
- ./react-client:/usr/src/app
depends_on:
- graphql-server
environment:
- GRAPHQL_SERVER_PORT
- REACT_CLIENT_PORT
networks:
web:
external: true
Thanks in advance.

Try to add following docker label to your graphql-server service:
traefik.frontend.entryPoints=http,https
I am facing the same problem. I have 'defaultEntryPoints = ["http", "https"]' in traefiks (v1.7) main config defined, but when docker containers come up and register within traefik the frontend is reachable only via HTTP, not HTTPS - unless i define the entrypoints directly via docker labels.
regards,
max

Traefik won't forward to backend configured with Docker labels

Here's my Traefik configuration:
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.internal]
address = ":8080"
[entryPoints.traefik]
address = ":8081"
[retry]
[api]
entryPoint = "traefik"
dashboard = true
[file]
[backends]
[backends.traefik]
[backends.traefik.servers.default]
url = "http://127.0.0.1:8081"
[frontends]
[frontends.traefik]
entryPoints = ["internal"]
backend = "traefik"
[frontends.traefik.routes.default]
rule = "Host:localhost;PathPrefixStrip:/traefik;PathPrefix:/traefik"
[docker]
domain = "example.com"
watch = true
exposedbydefault = false
As you can see, I have Traefik dashboard configured to show on localhost:8080/traefik. This works exactly as intended.
I also have very similar configuration for RabbitMQ management UI, set up with docker-compose using labels:
version: '3'
services:
traefik:
image: traefik:alpine
container_name: traefik
ports:
- "80:80"
- "443:443"
- "127.0.0.1:8080:8080"
networks:
- web
- internal
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "./config/traefik/staging.toml:/etc/traefik/traefik.toml"
rabbitmq:
image: rabbitmq:3.7-management-alpine
hostname: rabbitmq
container_name: rabbitmq
networks:
- internal
- default
depends_on:
- traefik
environment:
RABBITMQ_VM_MEMORY_HIGH_WATERMARK: 128MiB
RABBITMQ_ERLANG_COOKIE: temp_cookie_secret
RABBITMQ_NODENAME: rabbit#rabbitmq
volumes:
- "rabbitmqdata:/var/lib/rabbitmq"
labels:
- "traefik.backend=rabbitmq"
- "traefik.docker.network=internal"
- "traefik.frontend.rule=Host:localhost;PathPrefixStrip:/rabbitmq;PathPrefix:/rabbitmq"
- "traefik.enable=true"
- "traefik.port=15672"
- "traefik.protocol=http"
- "traefik.domain=localhost"
networks:
internal:
web:
volumes:
rabbitmqdata
However, this doesn't work: on http://localhost:8080/rabbitmq I get 404 page not found. Traefik dashboard shows that it found my RabbitMQ container and registered rules that are very much like those for Traefik's dashboard:
Where's the mistake here that prevents my setup from working as intended?

Traefik with docker backend leads to bad gateway

I set up a debian server where I installed docker and docker-compose.
I created in the home of my sudo user a folder with the following hierarchy:
~/docker-project
- docker-compose.yml
- /traefik/traefik.toml
I do a docker-compose up -d everything is started I can reach traefik.mydomain.com that has working ssl certificate as does the other subdomains. But if I go to any of my subdomain to reach my dockerized web service, I get a bad gateway message in my browser. If I go to my server IP adress and put the right port, I see my webservice working perfectly.
So I think I've made a mistake configuring the docker / traefik relationship but I'm unable to find where.
Here is my traefik.toml:
defaultEntryPoints = ["http", "https"]
################################################################
# Web configuration backend
################################################################
[web]
address = ":8080"
[web.auth.basic]
# User: user | Password: password
users = ["user:hashedpassword"]
################################################################
# Entry-points configuration
################################################################
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
################################################################
# Docker configuration backend
################################################################
[docker]
domain = "mydomain.com"
watch = true
exposedbydefault = false
################################################################
# Let's encrypt
################################################################
[acme]
email = "my-email#mail.com"
storageFile = "/etc/traefik/acme.json"
onDemand = false
onHostRule = true
entryPoint = "https"
Here is my docker-compose.yml:
version: '2'
services:
traefik:
restart: always
image: traefik
container_name: traefik
ports:
- '80:80'
- '443:443'
- '8080:8080'
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=dockerplatform_default'
- 'traefik.port=8080'
- 'traefik.frontend.rule=Host:traefik.mydomain.com'
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik:/etc/traefik
plex:
image: linuxserver/plex
container_name: plex
environment:
- VERSION=latest
- PUID=1000
- PGID=1000
- TZ=TZ
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=dockerplatform_default'
- 'traefik.port=9001'
- 'traefik.frontend.rule=Host:plex.mydomain.com'
ports:
- '9001:32400'
volumes:
- 'plex:/config'
- 'plex_transcode:/transcode'
- '/home/downloader/Downloads:/data/'
plexpy:
image: linuxserver/plexpy
container_name: plexpy
environment:
- PUID=1000
- PGID=1000
- TZ=TZ
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=dockerplatform_default'
- 'traefik.port=9002'
- 'traefik.frontend.rule=Host:plexpy.mydomain.com'
ports:
- '9002:8181'
volumes:
- 'plexpy:/config'
transmission:
image: linuxserver/transmission
container_name: transmission
environment:
- PGID=1000
- PUID=1000
- TZ=TZ
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=dockerplatform_default'
- 'traefik.port=9003'
- 'traefik.frontend.rule=Host:bt.mydomain.com'
ports:
- '9003:9091'
- '51413:51413'
- '51413:51413/udp'
volumes:
- 'transmission:/config'
- '/home/downloader/Downloads:/downloads'
- '/home/downloader/Downloads:/watch'
volumes:
plex:
driver: local
plex_transcode:
driver: local
plexpy:
driver: local
transmission:
driver: local
Thank you for your help.

So I managed to get an answer thanks to the terrific traefik slack channel!
So my containers are all in the same docker network including my traefik container.
The problem is that I mapped all my containers port to be accessible from the host machine.
Instead I should have only mapped traefik ports to the host machine and just exposed the ports of my web services containers so that traefik can listen to them inside the docker network where they are all in.
Change : - add expose
- change traefik.port
I just had to do this changes in my docker-compose.yml:
version: '2'
services:
traefik:
restart: always
image: traefik
container_name: traefik
ports:
- '80:80'
- '443:443'
- '8080:8080'
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=dockerplatform_default'
- 'traefik.port=8080'
- 'traefik.frontend.rule=Host:traefik.mydomain.com'
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik:/etc/traefik
plex:
image: linuxserver/plex
container_name: plex
environment:
- VERSION=latest
- PUID=1000
- PGID=1000
- TZ=TZ
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=dockerplatform_default'
- 'traefik.port=32400'
- 'traefik.frontend.rule=Host:plex.mydomain.com'
#ports:
# - '9001:32400'
expose:
- 32400
volumes:
- 'plex:/config'
- 'plex_transcode:/transcode'
- '/home/downloader/Downloads:/data/'
plexpy:
image: linuxserver/plexpy
container_name: plexpy
environment:
- PUID=1000
- PGID=1000
- TZ=TZ
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=dockerplatform_default'
- 'traefik.port=8181'
- 'traefik.frontend.rule=Host:plexpy.mydomain.com'
#ports:
# - '9002:8181'
expose:
- 8181
volumes:
- 'plexpy:/config'
transmission:
image: linuxserver/transmission
container_name: transmission
environment:
- PGID=1000
- PUID=1000
- TZ=TZ
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=dockerplatform_default'
- 'traefik.port=9091'
- 'traefik.frontend.rule=Host:bt.mydomain.com'
#ports:
# - '9003:9091'
# - '51413:51413'
# - '51413:51413/udp'
expose:
- 9091
- 51413
volumes:
- 'transmission:/config'
- '/home/downloader/Downloads:/downloads'
- '/home/downloader/Downloads:/watch'
volumes:
plex:
driver: local
plex_transcode:
driver: local
plexpy:
driver: local
transmission:
driver: local

As Traefik v2 is out now, this question deserves an update:
The expose port defnition isn't necessary anymore.
Neither is a port mapping definition for that container.
The only thing necessary is, that something in the container is listening.
Note: If you define for e.g. an Nginx container, add the label
- 'traefik.port=9091'
but also add a server conf that listens on port 9091.