Traefik Reverse Proxy with Docker - docker

I have docker compose with nginx running with the following config:
version: "3"
services:
  web:
    image: nginx:alpine
    volumes:
      - ./nginx:/etc/nginx/conf.d/rainloop
    ports:
      - "8081:80"
    labels:
      - "traefik.frontend.rule=Host:www.example.com"
      - "traefik.port=8081"
and traefik in docker-compose with the following config:
version: '3'
services:
  reverse-proxy:
    image: traefik:alpine
    command: --api --docker
    ports:
      - "80:80" # The HTTP port
      - "8080:8080" # The Web UI (enabled by --api)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - ./traefik.toml:/etc/traefik/traefik.toml
the traefik.toml is kept basic and looks like this
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":80"
The Web UI shows the following
When calling my domain www.example.com I get a timeout.

Add the following in your traefik.toml
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
Create a network with docker network create traefik-net
Deploy traefik with
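version: '3'
services:
  traefik:
    image: traefik:latest
    command: --api
    ports:
      - 80:80
      - 8080:8080 # Port for the web UI
    volumes: # same mounts as in the question's compose file
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/etc/traefik/traefik.toml
    networks:
      - traefik-net
networks:
  traefik-net:
    external: true # created beforehand with docker network create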
Deploy nginx with
version: '3'
services:
  frontend:
    image: nginx
    networks:
      - traefik-net
    labels:
      - "traefik.docker.network=traefik-net"
      - "traefik.frontend.rule=Host:${DOMAIN}"
      - "traefik.backend=nginx"
      - "traefik.port=80" # you should use exposed port, not published
networks:
  traefik-net:
    external: true # created beforehand with docker network create

You need to put both containers on the same network.
Create a docker network on your host machine: docker network create {network name}.
In your docker-compose use the existing network that you created to connect both containers. You can read https://docs.docker.com/compose/networking/#use-a-pre-existing-network on how to use it.
Add each service to the above network.

Related

Redirect DNS with Traefik to container on different port

I have found many similar questions online, but I am certainly lost in this topic which is new for me and I hope somebody can guide me through my problem. In my setup, I have a docker container which runs a secure version on port 8443 and a "read-only" version on port 8080. Now I want to use Traefik as a proxy to then reroute all requests to the secure version, ignoring the read-only. While the dashboard indicates routing to the service, I am just receiving an "Unable to connect" when trying to access the webpage.
As a compose file:
version: "3.7"
services:
  traefik:
    image: traefik:2.5
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "433:433"
    command: --api.insecure=false --providers.docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/cloud/traefik.yml:/etc/traefik/traefik.yml
    networks:
      - traefik-network
  my-service:
    image: my-image
    env_file: variables.env
    container_name: my-image
    restart: always
    ports:
      - "8080:8080"
      - "8443:8443"
    networks:
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-service.entryPoints=websecure"
      - "traefik.http.routers.my-service.rule=Host(`domain.com`)"
      - "traefik.http.services.my-service.loadbalancer.server.port=8443"
networks:
  traefik-network:
    name: traefik-network
And the traefik.yml:
################################################################
# Provider configuration
################################################################
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # default
    exposedByDefault: true # default
    network: traefik-network
################################################################
# Entrypoint
################################################################
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
Maybe somebody has an idea where I went in the wrong direction.
Best

Traefik routing one application to port 80, others require explicit port

I have an environment running docker containers.
This environment hosts Traefik, Nextcloud, MotionEye and Heimdall.
I also have another environment running CoreDNS in a docker container.
For some reason, I can get MotionEye to be accessible from motioneye.docker.swarm (changed the domain in here for privacy).
However, for nextcloud and Heimdall, I have to explicitly access the ports and I'm struggling to tell why.
e.g. Heimdall is gateway.docker.swarm:8091 when it should be gateway.docker.swarm
When a user requests a webpage onto the local dns server X.X.X.117 it gets routed through to the traefik instance on X.X.X.106.
My traefik compose file is as follows:
version: '3'
services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.3
    restart: always
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.port=8080"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:traefik.docker.swarm"
      - "traefik.docker.network=traefik_default"
My Heimdall compose is as follows:
version: "3"
services:
  heimdall:
    image: ghcr.io/linuxserver/heimdall
    container_name: heimdall
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
    volumes:
      - /home/pi/heimdall/config:/config
    ports:
      - 8091:80
    restart: unless-stopped
    networks:
      - heimdall
    labels:
      - "traefik.enable=true"
      - "traefik.port=8091"
      - "traefik.http.routers.heimdall.entrypoints=http"
      - "traefik.http.routers.heimdall.rule=Host(`gateway.docker.swarm`)"
networks:
  heimdall:
    external:
      name: heimdall
Can anyone see what I'm doing wrong here?
When you access through gateway.docker.swarm:8091 it works because you are accessing the heimdall container directly. This is possible because you defined
ports:
  - 8091:80
in your docker-compose.
In order to access it through Traefik, they must be on the same network. Also, remove the port mapping if you would like this container to be accessible only through Traefik. And finally, correct the traefik port accordingly.
version: "3"
services:
  heimdall:
    image: ghcr.io/linuxserver/heimdall
    container_name: heimdall
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
    volumes:
      - /home/pi/heimdall/config:/config
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.port=80"
      - "traefik.http.routers.heimdall.entrypoints=http"
      - "traefik.http.routers.heimdall.rule=Host(`gateway.docker.swarm`)"

Traefik sends HTTP over wrong port to GitLab

I'm setting up a GitLab server behind a Traefik proxy, but my GitLab sshd log says Traefik sends HTTP requests to GitLab over port 22, causing an Internal Server Error.
==> /var/log/gitlab/sshd/current <==
gitlab | 2019-08-27_03:39:15.42508 Bad protocol version identification 'GET / HTTP/1.1' from 192.168.144.2 port 33462
I found there is a similar discussion here; however, the answer did not work. Is there any way to change the GitLab backend from 22 to 80?
The following is my code and configs.
# traefik docker-compose.yaml
version: '3'
services:
  traefik:
    container_name: traefik
    image: traefik
    command: --api
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
    networks:
      - web
    ports:
      - 8080:8080
      - 80:80
      - 443:443
networks:
  web:
    external: true
# traefik.toml
debug = false
logLevel = "INFO"
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
watch = true
exposedByDefault = false
# gitlab docker-compose.yaml
version: '3'
services:
  # expose 22 80 443
  gitlab:
    container_name: gitlab
    image: gitlab/gitlab-ee
    volumes:
      - /nsrv/gitlab/config:/etc/gitlab
      - /nsrv/gitlab/logs:/var/log/gitlab
      - /nsrv/gitlab/data:/var/opt/gitlab
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:gitlab.mydomain.com
      - traefik.prot=80
    networks:
      - web
    restart: always
networks:
  web:
    external: true
Looks like you have a typo in your gitlab docker-compose.yaml file.
Replace traefik.prot by traefik.port and it should work better.
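The answers above keep returning to the same few label mistakes: a mistyped key, a traefik.port that names the published host port instead of the container port, a service that shares no network with the proxy, and published ports that leave the container reachable without going through Traefik. The following is an added example, not code from any of the posts, that checks a compose service for those four cases; the function name, the finding codes and the label subset are assumptions made for illustration.

```python
import difflib

# Traefik v1 label keys that appear on this page (a subset, not the full list).
KNOWN_V1 = {
    "traefik.enable", "traefik.port", "traefik.backend",
    "traefik.frontend.rule", "traefik.docker.network",
    "traefik.frontend.passHostHeader", "traefik.frontend.headers.allowedHosts",
    "traefik.frontend.whiteList.sourceRange",
    "traefik.frontend.whiteList.useXForwardedFor",
}

def parse_labels(labels):
    """Compose accepts labels as a list of 'key=value' or as a mapping."""
    if isinstance(labels, dict):
        return {k: str(v) for k, v in labels.items()}
    return dict(item.split("=", 1) for item in labels)

def lint_service(service, proxy_networks):
    """Return (code, detail) findings for one compose service (hypothetical codes)."""
    findings = []
    published = {}  # host port -> container port, from "HOST:CONTAINER" entries
    for entry in service.get("ports", []):
        parts = str(entry).split(":")
        if len(parts) >= 2:
            published[parts[-2]] = parts[-1].split("/")[0]
    for key, value in parse_labels(service.get("labels", [])).items():
        v1_style = key.startswith("traefik.") and not key.startswith("traefik.http.")
        if v1_style and key not in KNOWN_V1:
            near = difflib.get_close_matches(key, KNOWN_V1, n=1, cutoff=0.85)
            if near:  # near-miss of a known key, e.g. two transposed letters
                findings.append(("typo", f"{key} -> {near[0]}"))
        is_port = key == "traefik.port" or key.endswith(".loadbalancer.server.port")
        if is_port and published.get(value, value) != value:
            findings.append(("host-port", f"{key}={value}, container port is {published[value]}"))
    if published:  # the service stays reachable directly, around the proxy
        findings.append(("bypass", ", ".join(sorted(published))))
    if not set(service.get("networks", [])) & set(proxy_networks):
        findings.append(("network", "no network shared with the proxy"))
    return findings

# Constructed inputs, transcribed from the compose files quoted on this page.
GITLAB = {"networks": ["web"], "labels": [
    "traefik.enable=true", "traefik.frontend.rule=Host:gitlab.mydomain.com",
    "traefik.prot=80"]}
HEIMDALL = {"networks": ["heimdall"], "ports": ["8091:80"], "labels": [
    "traefik.enable=true", "traefik.port=8091",
    "traefik.http.routers.heimdall.entrypoints=http"]}

if __name__ == "__main__":
    print(lint_service(GITLAB, ["web"]), lint_service(HEIMDALL, ["traefik_default"]))
```

The "bypass" finding matters most when access control is applied at the proxy: a published port is served by Docker directly and never passes through Traefik's rules.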

Traefik proxy ip auth

I have a traefik in docker-compose:
version: '3'
networks:
  proxy:
    driver: bridge
services:
  traefik:
    container_name: traefik
    image: traefik:v1.7.9
    command: --api --docker
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/etc/traefik/traefik.toml
      - ./acme.json:/acme.json
    networks:
      - proxy
Also have nginx under mydomain.com, and I want to allow only my ip to connect to it:
nginx:
  build: ./nginx
  networks:
    - backend
    - traefik_proxy
  restart: always
  labels:
    traefik.enable: "true"
    traefik.port: "80"
    traefik.frontend.headers.allowedHosts: "1.2.3.4" # MyIp
    traefik.frontend.rule: "Host:mysite.com,www.mysite.com"
When I access mysite.com I get a Bad Host error, and the IP in the headers is my server's IP instead of my real IP.
P.S. Docker is in swarm mode, but nginx and traefik are built using local docker-compose.
The solution is to add the following directives to the nginx docker-compose:
traefik.frontend.whiteList.sourceRange: "1.2.3.4" # my Ip
traefik.frontend.passHostHeader: "true"
traefik.frontend.whiteList.useXForwardedFor: "true"

Traefik config with docker

I'm trying to use traefik in my docker-compose file. My php app is listening on port 8000
version: '3'
services:
  traefik:
    image: traefik:1.7.4
    container_name: traefik-${PROJECT_NAME}
    ports:
      - ${TRAEFIK_PORT}:80
      - ${TRAEFIK_PORT_HTTPS}:443
      - ${TRAEFIK_DASHBOARD_PORT}:8080
    volumes:
      - ./traefik/traefik.toml:/etc/traefik/traefik.toml
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - webgateway
  php-fpm:
    build:
      context: .
      dockerfile: Dockerfile-php
    container_name: php-fpm-${PROJECT_NAME}
    ports:
      - 8000
    working_dir: /var/www/html/
    volumes:
      - ../app:/var/www/html
    tty: true
    env_file:
      - ./.env
    entrypoint: /entrypoint.sh
    networks:
      - traefik
networks:
  webgateway:
    driver: bridge
  traefik:
    external:
      name: traefik_webgateway
volumes:
  data-volume: {}
Traefik watches every container:
[docker]
domain = "local"
watch = true
All containers appear in the Traefik dashboard, but the frontend Host does not match the IP address. I can't access the app.
But when I go directly through the container IP address, it works.
Did I miss something in the configuration?
Found it. I have added the host name in my /etc/hosts file.
Works fine with that.
