Why are Traefik ACME-generated certificates flagged as "Not Secure"? - docker-swarm

I'm trying to start an application with Traefik. I have multiple containers set up with Swarm. I can reach them in the browser, but the websites are tagged as not secure. I tried deleting acme.json and regenerating the SSL certificates, but it didn't change anything.
From my understanding, using ACME, the certificates are generated at boot. But now it behaves like a self-signed certificate, as I see "Fake LE Intermediate X1".
Here is my configuration:
logLevel = "DEBUG"
debug = true
defaultEntryPoints = ["https", "http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[api]
address = ":8080"

[docker]
endpoint = "unix://var/run/docker.sock"
domain = "4yourfinance.com"
watch = true
swarmMode = true
exposedByDefault = false

[acme]
email = "serviceplatform@myfeelix.de"
storage = "/etc/traefik/acme/acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
onHostRule = true
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"

[[acme.domains]]
  main = "4yourfinance.com"
  sans = ["nginx.4yourfinance.com", "api-wl.4yourfinance.com"]
And my docker-compose file:
version: "3.3"
services:
  traefik:
    image: traefik
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    networks:
      - traefik-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./acme:/etc/traefik/acme
    configs:
      - source: traefik-config
        target: /etc/traefik/traefik.toml
    deploy:
      placement:
        constraints: [engine.labels.com.role == 4yourfinance]
  nginx2:
    image: nginx
    networks:
      traefik-net:
        aliases:
          - nginx
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.backend=nginx2"
        - "traefik.port=80"
        - "traefik.frontend.rule=Host:4yourfinance.com"
      placement:
        constraints: [engine.labels.com.role == 4yourfinance]
  nginx:
    image: nginx
    networks:
      traefik-net:
        aliases:
          - nginx
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.backend=nginx"
        - "traefik.port=80"
        - "traefik.frontend.rule=Host:nginx.4yourfinance.com"
      placement:
        constraints: [engine.labels.com.role == 4yourfinance]
  nginx3:
    image: nginx
    networks:
      traefik-net:
        aliases:
          - nginx
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.backend=api-wl"
        - "traefik.port=80"
        - "traefik.frontend.rule=Host:api-wl.4yourfinance.com"
      placement:
        constraints: [engine.labels.com.role == client-feelix]
networks:
  traefik-net:
    external:
      name: traefik-net
configs:
  traefik-config:
    file: config2.toml

I was using the staging caServer instead of production. I also had to set other domains:
Replace the caServer with
caServer = "https://acme-v02.api.letsencrypt.org/directory"
and add the domains like this:
[[acme.domains]]
  main = "4yourfinance.com"
[[acme.domains]]
  main = "nginx.4yourfinance.com"
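A small audit script, added here as an example (not from the question or from Traefik itself), that catches the two problems the answer above describes before deploying: it flags a caServer pointing at the Let's Encrypt staging CA and lists every hostname routed by a Host: label that no [[acme.domains]] main/sans entry covers. The sample config texts are constructed, and the parsing is regex-based on the Traefik v1 TOML and compose label syntax shown on this page; it also understands wildcard entries such as *.sub.domain.com.

```python
import re

# Constructed sample (not the asker's exact files): the [acme] section with the
# staging caServer from the question, plus the Host: labels from the compose
# file and one extra hostname that no [[acme.domains]] entry covers.
SAMPLE_TOML = """
[acme]
email = "admin@example.com"
storage = "/etc/traefik/acme/acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
onHostRule = true
entryPoint = "https"
[[acme.domains]]
main = "4yourfinance.com"
sans = ["nginx.4yourfinance.com", "api-wl.4yourfinance.com"]
"""
SAMPLE_COMPOSE = """
- "traefik.frontend.rule=Host:4yourfinance.com"
- "traefik.frontend.rule=Host:nginx.4yourfinance.com"
- "traefik.frontend.rule=Host:api-wl.4yourfinance.com"
- "traefik.frontend.rule=Host:grafana.4yourfinance.com"
"""

PRODUCTION_CA = "https://acme-v02.api.letsencrypt.org/directory"


def covers(domain, host):
    """True if an [[acme.domains]] entry (possibly '*.x') covers host."""
    if domain.startswith("*."):
        # a wildcard covers one label below its base, never the base itself
        suffix = domain[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return domain == host


def acme_findings(toml_text, compose_text):
    """Return human-readable findings for the given traefik.toml and compose texts."""
    findings = []
    m = re.search(r'^\s*caServer\s*=\s*"([^"]+)"', toml_text, re.M)
    ca_server = m.group(1) if m else PRODUCTION_CA  # Traefik defaults to production
    if "staging" in ca_server:
        findings.append("caServer is the Let's Encrypt staging CA: its chain "
                        "('Fake LE Intermediate X1') is not trusted by browsers")
    # hostnames Traefik will request certificates for up front
    domains = {d.lower() for d in re.findall(r'^\s*main\s*=\s*"([^"]+)"', toml_text, re.M)}
    for sans in re.findall(r'^\s*sans\s*=\s*\[([^\]]*)\]', toml_text, re.M):
        domains.update(s.strip().strip('"').lower() for s in sans.split(",") if s.strip())
    # hostnames actually routed by Host: rules in the compose labels
    hosts = set()
    for rule in re.findall(r'Host:([^"\';\s]+)', compose_text):
        hosts.update(h.strip().lower() for h in rule.split(","))
    for host in sorted(hosts):
        if not any(covers(d, host) for d in domains):
            # with onHostRule = true Traefik still requests one on demand,
            # but the host is missing from the pre-generated set
            findings.append(f"{host} is routed but not in any [[acme.domains]] entry")
    return findings
```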

Related

Why do my configurations of Grafana, Docker and Traefik not route my requests to Grafana's frontpage?

I am new to traefik and am trying to set up my containers to be reverse-proxied by traefik at the moment. It all worked fine while using traefik.frontend.rule=Host:grafana01.mydomain.com for routing requests to grafana01.mydomain.com, but due to infrastructural issues within our network I'd rather use traefik.frontend.rule=Path:/grafana01/ to redirect to mydomain.com/grafana01. Yet for some reason it does not work.
My traefik.toml file as well as my two docker-compose.yml files for traefik and grafana, respectively:
#Traefik Global Configuration
debug = false
checkNewVersion = true
logLevel = "ERROR"

#Define the EntryPoint for HTTP and HTTPS
defaultEntryPoints = ["https","http"]

#Enable Traefik Dashboard on port 8080
[web]
address = ":8080"

#Define the HTTP port 80 and
#HTTPS port 443 EntryPoint
#Enable automatically redirect HTTP to HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

#Enable retry sending a request if the network error
[retry]

#Define Docker Backend Configuration
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
watch = true

#Letsencrypt Registration
#Define the Letsencrypt ACME HTTP challenge
[acme]
email = "some_email"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
version: '3'
services:
  traefik:
    image: traefik:latest
    command: --docker --docker.mydomain.com
    ports:
      - 80:80
      - 443:443
    networks:
      - traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    labels:
      - "traefik.frontend.rule=Host:mydomain.com"
      - "traefik.port=8080"
      - "traefik.backend=traefik"
    container_name: traefik
    restart: always
networks:
  traefik:
    external: true

version: '3'
services:
  grafana01:
    image: grafana/grafana
    labels:
      - traefik.port=3000
      - traefik.backend=grafana01
      - traefik.frontend.rule=Path:/grafana01/
      - traefik.docker.network=traefik
    networks:
      - traefik
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=secret
    volumes:
      - /srv/docker/grafana01/data:/var/lib/grafana
    container_name: grafana01
    restart: always
  grafana02:
    image: grafana/grafana
    labels:
      - traefik.port=3001
      - traefik.backend=grafana02
      - traefik.frontend.rule=Path:/grafana02/
      - traefik.docker.network=traefik
      - traefik.enable=true
    networks:
      - traefik
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=secret
    volumes:
      - /srv/docker/grafana02/data:/var/lib/grafana
    container_name: grafana02
    restart: always
networks:
  traefik:
    external: true
I'd appreciate any help!
Changing traefik.frontend.rule=Path:/grafana01/ to
traefik.frontend.rule=PathPrefixStrip:/grafana01 as well as adding
GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s/grafana01
did the trick for me.
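To see why the change above matters, here is an added example (a simplified model written for this page, not Traefik's own code) of the three Traefik v1 path matchers: Path only serves the one exact URL, so every asset and API request the Grafana page makes under /grafana01/ gets a 404, while PathPrefixStrip matches the whole subtree and removes the prefix before forwarding, which is why Grafana then needs GF_SERVER_ROOT_URL to put the prefix back into the links it generates. The request paths are constructed; the matching semantics are an assumption based on the rule names.

```python
# Simplified model (assumption, not Traefik's own code) of three Traefik v1
# frontend matchers, to show why Path:/grafana01/ only serves one exact URL
# while PathPrefixStrip:/grafana01 serves the whole dashboard.
def route(rule, request_path):
    """Return (matched, path forwarded to the backend) for one 'Matcher:value' rule."""
    matcher, _, value = rule.partition(":")
    if matcher == "Path":
        # exact match: /grafana01/ is served, /grafana01/login is not (404)
        return request_path == value, request_path
    prefix = value.rstrip("/")
    matched = request_path == prefix or request_path.startswith(prefix + "/")
    if matcher == "PathPrefix":
        # prefix match, path forwarded untouched (backend must know the prefix)
        return matched, request_path
    if matcher == "PathPrefixStrip":
        # prefix removed before forwarding, so Grafana sees /login, /public/...
        forwarded = request_path[len(prefix):] if matched else request_path
        return matched, forwarded or "/"
    raise ValueError(f"unsupported matcher {matcher!r}")


# Constructed: requests a browser makes while loading the Grafana login page.
GRAFANA_REQUESTS = ["/grafana01/", "/grafana01/login", "/grafana01/public/build/app.js"]


def served(rule):
    """Map each served request path to what reaches Grafana under the given rule."""
    result = {}
    for path in GRAFANA_REQUESTS:
        matched, forwarded = route(rule, path)
        if matched:
            result[path] = forwarded
    return result
```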

Setting up Traefik with Cloudflare

I am trying to set up Traefik using a combination of this guide and the code found here.
I am using docker-compose with Unraid; so far I have the following code:
traefik.toml:
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[acme]
email = "user@domain.com"
storage = "acme.json"
entryPoint = "https"
#OnHostRule = true
#onDemand = true
  [acme.dnsChallenge]
  provider = "cloudflare"

[[acme.domains]]
  main = "domain.name"
[[acme.domains]]
  main = "*.domain.name"
docker-compose.yml:
services:
  traefik:
    image: traefik:latest
    command: --web --docker --docker.watch --docker.domain=${DOMAIN} \
      --docker.exposedbydefault=false --acme.domains=${DOMAIN}
    container_name: traefik
    hostname: traefik
    networks:
      br0:
        ipv4_address: 192.168.1.253
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${CONFIG}/traefik/acme.json:/acme.json
      - ${CONFIG}/traefik/traefik.toml:/etc/traefik/traefik.toml
      - ${CONFIG}/traefik/.htpasswd:/etc/traefik/.htpasswd:ro
    environment:
      - CF_API_EMAIL=user@domain.com
      - CF_API_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXX
    labels:
      traefik.enable: "true"
      traefik.frontend.rule: "Host:monitor.${DOMAIN}"
      traefik.port: "8080"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped
  ouroboros:
    image: pyouroboros/ouroboros
    container_name: ouroboros
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - PGID
      - PUID
      - TZ
      - CLEANUP=true
      - INTERVAL=86400 # 24hrs
      - SELF_UPDATE=true
      - LABELS_ONLY=true
    restart: unless-stopped
  plex:
    image: linuxserver/plex
    container_name: plex
    hostname: plex
    networks:
      br0:
        ipv4_address: 192.168.1.252
    volumes:
      - ${CONFIG}/plex:/config
      - ${DATA}/TV:/media/tv
      - ${DATA}/Movies:/media/movies
      - ${DATA}/Music:/media/music
      - ${DATA}/Anime:/media/anime
    environment:
      - PGID
      - PUID
      - TZ
      - VERSION=latest
    labels:
      traefik.enable: "true"
      traefik.port: "32400"
      traefik.frontend.rule: "Host:plex.${DOMAIN}"
      com.ouroboros.enable: "true"
    restart: unless-stopped
  plexpy:
    image: linuxserver/tautulli:latest
    container_name: tautulli
    hostname: tautulli
    networks:
      br0:
        ipv4_address: 192.168.1.251
    volumes:
      - ${CONFIG}/plexpy:/config
      - ${CONFIG}/plex/Library/Application Support/Plex Media Server/Logs:/logs:ro
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "8181"
      traefik.frontend.rule: "Host:tautulli.${DOMAIN}"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped
  heimdall:
    image: duhio/heimdall-https:latest
    container_name: heimdall
    hostname: heimdall
    networks:
      br0:
        ipv4_address: 192.168.1.250
    volumes:
      - ${CONFIG}/heimdall:/config
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "80"
      traefik.frontend.rule: "Host:${DOMAIN}"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped
  ombi:
    image: linuxserver/ombi
    container_name: ombi
    hostname: ombi
    networks:
      br0:
        ipv4_address: 192.168.1.249
    volumes:
      - ${CONFIG}/ombi:/config
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "3579"
      traefik.frontend.rule: "Host:ombi.${DOMAIN}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

# br0 is an existing Unraid macvlan
networks:
  br0:
    external: true
When I used OnHostRule = true I could get plex.domain.name working with https but none of the other subdomains.
UPDATE: I have concluded that the issue is that the wildcard domains are not working. After talking to a redditor, he was not sure that the wildcards would work when manually specifying the network in the docker-compose.yml with static IPs; so far I have been unable to confirm this.
Digging further I think this may be an issue at the Cloudflare level, source here and report here.
Edit: This configuration is now out of date for Traefik 2.0 and beyond
I have wildcards working with Cloudflare. Here is my configuration:
Part of my traefik.toml file
[acme]
acmeLogging = true
email = "me@email.com"
storage = "/acme.json"
onHostRule = true
entryPoint = "https"
  [acme.dnsChallenge]
  provider = "cloudflare"

[[acme.domains]]
  main = "sub.domain.com"
[[acme.domains]]
  main = "*.sub.domain.com"
And then in my docker-compose.yml file from which I start my traefik service, I specify an env file:
env_file: ./traefik.env
In this file I have the following environment variables:
CLOUDFLARE_EMAIL=value1
CLOUDFLARE_API_KEY=value2
CF_API_EMAIL=value1
CF_API_KEY=value2
I hope from my examples you'll have something to experiment with and find success!
I heavily recommend adding debug=true in your traefik.toml file as it will display logs which indicate whether or not the cloudflare setup was successful and for which domains.

Traefik - local https not working. Unable to reach server

I tried to set up a reverse proxy using Traefik for one of my docker services. When I run the services, in Traefik's web UI I can see the mapping, but only for http even though I have specified https in the traefik.toml file. I am also not able to access my services directly. All the services are in the same network, so I am not sure what is causing this.
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
address = ":8080"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/certs/journal.crt"
      keyFile = "/certs/journal.key"

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "journal.com"
watch = true
exposedbydefault = false
docker-compose.yml
version: '3'
services:
  reverse-proxy:
    image: traefik
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/traefik.toml
      - ./traefik/certs/journal.crt:/certs/journal.crt
      - ./traefik/certs/journal.key:/certs/journal.key
    networks:
      - web
  prisma:
    image: prismagraphql/prisma:1.8
    restart: always
    ports:
      - "${PRISMA_HOST_PORT}:4466"
    environment:
      PRISMA_CONFIG: |
        port: 4466
        managementApiSecret: ${PRISMA_API_SECRET}
        databases:
          default:
            connector: postgres
            host: ${PRISMA_DB_HOST}
            port: ${PRISMA_DB_PORT}
            database: ${PRISMA_DB}
            user: ${PRISMA_DB_USER}
            password: ${PRISMA_DB_PASSWORD}
            migrations: ${PRISMA_ENABLE_MIGRATION}
  graphql-server:
    build: ./graphql-server/
    ports:
      - "${GRAPHQL_SERVER_PORT}:8080"
    volumes:
      - ./graphql-server:/usr/src/app
    depends_on:
      - prisma
    command: ["./wait-for-it.sh", "prisma:${PRISMA_HOST_PORT}", "--", "npm", "start"]
    environment:
      - PRISMA_SERVICE_NAME=prisma
      - PRISMA_API_SECRET
      - PRISMA_HOST_PORT
      - GRAPHQL_SERVER_PORT
      - APOLLO_ENGINE_KEY
    labels:
      - "traefik.backend=graphql"
      - "traefik.frontend.rule=Host:api.journal.com"
      - "traefik.enable=true"
      - "traefik.port=${GRAPHQL_SERVER_PORT}"
    networks:
      - web
  react-client:
    build: ./react-client/
    ports:
      - "${REACT_CLIENT_PORT}:3000"
    volumes:
      - ./react-client:/usr/src/app
    depends_on:
      - graphql-server
    environment:
      - GRAPHQL_SERVER_PORT
      - REACT_CLIENT_PORT
networks:
  web:
    external: true
Thanks in advance.
Try to add following docker label to your graphql-server service:
traefik.frontend.entryPoints=http,https
I am facing the same problem. I have 'defaultEntryPoints = ["http", "https"]' defined in Traefik's (v1.7) main config, but when docker containers come up and register within Traefik, the frontend is reachable only via HTTP, not HTTPS - unless I define the entrypoints directly via docker labels.
regards,
max

Traefik + Nextcloud results in bad gateway

I have 3 services up and running.
A mariadb & nextcloud instance:
version: '2.1'
volumes:
  nextcloud:
  db:
services:
  db:
    image: mariadb
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=my_root_password
      - MYSQL_PASSWORD=my_password
      - MYSQL_DATABASE=my_database
      - MYSQL_USER=my_user
  app:
    image: nextcloud
    restart: always
    networks:
      - web
      - default
    ports:
      - 9000
    labels:
      - "traefik.backend=app"
      - "traefik.docker.network=web"
      - "traefik.frontend.rule=Host:my_host"
      - "traefik.enable=true"
      - "traefik.port=9000"
      - "traefik.default.protocol=http"
networks:
  web:
    external: true
And a traefik service:
version: '2'
services:
  traefik:
    image: traefik:1.5.4
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    container_name: traefik
networks:
  web:
    external: true
This traefik instance is using this config file:
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my_host"
watch = true
exposedByDefault = false

[acme]
email = "my_email"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
Now when I go to my host, it redirects to HTTPS, but then it just displays "Bad Gateway" and nothing else. It should display the Nextcloud web application. Anyone know why this is happening? I am running the compose files using the docker-compose up -d command.
It might be too late now but I also ran into this issue myself, so posting an answer to what resolved it for me.
Nextcloud exposes port 80 on the container's IP address which Traefik is trying to connect to. So you incorrectly specified the port for 'traefik.port' label. Change it from 9000 to 80.

Traefik won't forward to backend configured with Docker labels

Here's my Traefik configuration:
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.internal]
  address = ":8080"
  [entryPoints.traefik]
  address = ":8081"

[retry]

[api]
entryPoint = "traefik"
dashboard = true

[file]
  [backends]
    [backends.traefik]
      [backends.traefik.servers.default]
      url = "http://127.0.0.1:8081"
  [frontends]
    [frontends.traefik]
    entryPoints = ["internal"]
    backend = "traefik"
      [frontends.traefik.routes.default]
      rule = "Host:localhost;PathPrefixStrip:/traefik;PathPrefix:/traefik"

[docker]
domain = "example.com"
watch = true
exposedbydefault = false
As you can see, I have Traefik dashboard configured to show on localhost:8080/traefik. This works exactly as intended.
I also have very similar configuration for RabbitMQ management UI, set up with docker-compose using labels:
version: '3'
services:
  traefik:
    image: traefik:alpine
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:8080:8080"
    networks:
      - web
      - internal
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./config/traefik/staging.toml:/etc/traefik/traefik.toml"
  rabbitmq:
    image: rabbitmq:3.7-management-alpine
    hostname: rabbitmq
    container_name: rabbitmq
    networks:
      - internal
      - default
    depends_on:
      - traefik
    environment:
      RABBITMQ_VM_MEMORY_HIGH_WATERMARK: 128MiB
      RABBITMQ_ERLANG_COOKIE: temp_cookie_secret
      RABBITMQ_NODENAME: rabbit@rabbitmq
    volumes:
      - "rabbitmqdata:/var/lib/rabbitmq"
    labels:
      - "traefik.backend=rabbitmq"
      - "traefik.docker.network=internal"
      - "traefik.frontend.rule=Host:localhost;PathPrefixStrip:/rabbitmq;PathPrefix:/rabbitmq"
      - "traefik.enable=true"
      - "traefik.port=15672"
      - "traefik.protocol=http"
      - "traefik.domain=localhost"
networks:
  internal:
  web:
volumes:
  rabbitmqdata:
However, this doesn't work: on http://localhost:8080/rabbitmq I get 404 page not found. Traefik dashboard shows that it found my RabbitMQ container and registered rules that are very much like those for Traefik's dashboard:
Where's the mistake here that prevents my setup from working as intended?