I'm trying to use traefik with my docker containers for routing.
File structure is:
docker
├── docker-compose.yml
├── shared
│   └── .htpasswd
└── traefik
    ├── acme
    │   └── acme.json
    ├── rules.toml
    └── traefik.toml
Here is traefik.toml:
logLevel = "ERROR"
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]
[web]
address = ":8080"
[web.auth.basic]
usersFile = "/shared/.htpasswd"
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[file]
watch = true
filename = "/etc/traefik/rules.toml"
[acme]
email = "test@test.com"
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
[[acme.domains]]
main = "test.com"
[[acme.domains]]
main = "*.test.com"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "test.com"
watch = true
exposedbydefault = false
docker-compose.yml:
version: "3.5"
services:
  traefik:
    hostname: traefik
    image: traefik:latest
    container_name: traefik
    restart: always
    domainname: ${DOMAINNAME}
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
      #- "8080:8080"
    environment:
      #- digitalocean=${DO_AUTH_TOKEN}
      - DO_AUTH_TOKEN=${DO_AUTH_TOKEN}
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:traefik.${DOMAINNAME}"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefik:/etc/traefik
      - ${USERDIR}/docker/shared:/shared
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge
After running the traefik container, I'm trying to create another one from the repository:
docker run -d \
-v /var/run/docker.sock:/var/run/docker.sock \
--label traefik.backend=hello-hapi \
--label traefik.frontend.rule=Host:hello-hapi.test.com \
--label traefik.docker.network=traefik_proxy \
--label traefik.port=80 \
--name hello_hapi \
gitlab.test.com:5555/myuser/hello_hapi:latest
The problem is that I can not access the container through the browser. It prints: hello-hapi.test.com’s server IP address could not be found (ERR_NAME_NOT_RESOLVED).
But the image can be seen in the traefik dashboard and
docker run -it -p 3000:3000 --rm gitlab.test.com:5555/myuser/hello_hapi:latest
runs as expected on test.com:3000
What could be the problem?
Your browser is checking the DNS zone for "test.com" and then in that zone there is no "hello-hapi.test.com" entry.
You need to own the domain in order to add DNS entries for it. If that wasn't the case, I could have my domain as "neekoy.google.com", which Google wouldn't be particularly happy about.
If you want to access it in a browser, you can add a local DNS entry on your computer and point "test.com" to localhost (127.0.0.1). If you don't know how, you can Google "hosts file" for your operating system and add the following line to it:
127.0.0.1 hello-hapi.test.com test.com www.test.com
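As an added example (not code from the answer above), the following Python helper does the hosts-file step idempotently and reads the file back so you can confirm which names now point at the loopback address. The file path used in the demo is a temporary file, and the hostnames are placeholders; on a real machine the file is /etc/hosts on Linux and macOS or C:\Windows\System32\drivers\etc\hosts on Windows.

```python
# Added example (not from the original post): manage a hosts-file entry so a
# name like hello-hapi.test.com resolves to the machine running Traefik, and
# read the file back to confirm. The file path and names are assumptions for
# the demo; on a real machine edit /etc/hosts (or the Windows equivalent).
import os
import tempfile


def parse_hosts(text):
    """Map every hostname in hosts-file text to its address, ignoring comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = addr       # hostnames are case-insensitive
    return mapping


def ensure_hosts_entry(path, addr, names):
    """Idempotently append `addr name1 name2 ...` to the hosts file at `path`.

    Returns the names that were actually added (empty list if nothing changed).
    Names already present are left alone so the file never gains duplicates.
    """
    try:
        with open(path, "r", encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    present = parse_hosts(text)
    missing = [n for n in names if n.lower() not in present]
    if not missing:
        return []
    sep = "" if (not text or text.endswith("\n")) else "\n"
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(sep + addr + " " + " ".join(missing) + " # added for local Traefik testing\n")
    return missing


def resolves_locally(path, name):
    """True if `name` is mapped to a loopback address in the hosts file."""
    with open(path, "r", encoding="utf-8") as fh:
        addr = parse_hosts(fh.read()).get(name.lower())
    return addr in ("127.0.0.1", "::1")


if __name__ == "__main__":
    # Constructed hosts file for the demo; never rewrite the real one blindly.
    tmp = tempfile.NamedTemporaryFile("w", delete=False, suffix=".hosts")
    tmp.write("127.0.0.1 localhost\n# a comment line\n")
    tmp.close()
    added = ensure_hosts_entry(tmp.name, "127.0.0.1",
                               ["hello-hapi.test.com", "test.com", "www.test.com"])
    print("added:", added)
    print("hello-hapi.test.com resolves locally:", resolves_locally(tmp.name, "hello-hapi.test.com"))
    os.unlink(tmp.name)
```

The hosts file only helps the machine it is edited on; anyone else still needs a real DNS record. Because Traefik routes on the HTTP Host header (and on SNI for TLS), you can also test a route without touching the hosts file at all: `curl -H 'Host: hello-hapi.test.com' http://127.0.0.1/` or `curl --resolve hello-hapi.test.com:443:127.0.0.1 https://hello-hapi.test.com/`.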
I have a Laravel project running through Docker containers. One of the Docker containers is Traefik, but when I try to run the docker-compose up command, it returns a single log: msg="Failed to read new account, ACME data conversion is not available : permissions 755 for acme.json are too open, please use 600". I tried to change the permissions for acme.json over SSH, but even after chmod 600 acme.json it returns this log again. On top of that, when I try to connect to the site via HTTPS, there is a 404 page not found error. I got a similar error when I set up the nginx container, because I had incorrectly specified the path to the project, but I don't know what to do now. Here are my
1) traefik.toml
logLevel = "ERROR"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[api]
[ping]
# Enable Docker configuration backend
[docker]
network = "nginx-proxy"
domain = "mysite"
watch = true
exposedByDefault = false
[acme]
email = "my@gmail.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
[acme.httpChallenge]
entryPoint = "http"
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 0
And 2) docker-compose.traefik.yml
---
version: "3.6"
networks:
  default:
    name: nginx-proxy
    external: true
services:
  traefik:
    image: "traefik:v1.7.14"
    container_name: ${COMPOSE_PROJECT_NAME}.traefik
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    expose:
      # traefik dashboard port
      - 8080
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`mysite`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
      - "traefik.port=8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - ./docker/traefik/:/acme.json
    environment:
      - CF_API_EMAIL=myapifemail
      - CF_API_KEY=myapikey
Based on what I see, you are using a volume to store the acme certificates as described here. But it seems you misread the volume binding and wrote
- ./docker/traefik/:/acme.json
instead of
- ./docker/traefik/acme.json:/acme.json
Doing so, the folder is mounted as a file and ends up with wrong permissions. Correcting the line should make it work.
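As an added example (not code from the answer above), here is a Python check that tells the two failure modes apart before `docker-compose up`: a host path that is a directory (so the bind mount presents a folder where Traefik expects a file) versus a real file whose mode is wider than 0600. It also creates the file with the right mode when it is missing. Paths in the demo are temporary and are assumptions; the 0600 requirement is the one the log line on this page quotes.

```python
# Added example (not from the original answer): check and prepare the acme.json
# store that Traefik's ACME resolver writes to. Traefik refuses a store whose
# mode is wider than 0600, and a bind mount whose host side is a directory
# appears inside the container as a directory rather than a file.
# Paths below are assumptions for the demo; assumes a POSIX filesystem.
import os
import stat
import tempfile


def acme_store_status(path):
    """Classify a candidate acme.json path.

    Returns one of: "missing", "directory", "too_open", "ok".
    """
    if not os.path.lexists(path):
        return "missing"
    st = os.stat(path)
    if stat.S_ISDIR(st.st_mode):
        return "directory"   # e.g. `./docker/traefik/:/acme.json` mounted a folder
    if stat.S_IMODE(st.st_mode) & 0o077:   # any group/other permission bit set
        return "too_open"
    return "ok"


def prepare_acme_store(path):
    """Create an empty 0600 file at `path`, or tighten an existing one.

    Refuses to touch a directory, because silently replacing it could
    discard whatever the operator put there. Returns the final status.
    """
    status = acme_store_status(path)
    if status == "directory":
        raise IsADirectoryError(path + " is a directory; mount the file, not its folder")
    if status == "missing":
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
    os.chmod(path, 0o600)   # the umask may have widened the create mode
    return acme_store_status(path)


def compose_volume_target_is_file(volume_spec):
    """Given a compose bind mount `host:container[:opts]`, report whether the
    host side is an existing regular file (so it will be mounted as a file)."""
    host_path = volume_spec.split(":", 1)[0]
    return os.path.isfile(os.path.expanduser(host_path))


if __name__ == "__main__":
    work = tempfile.mkdtemp()
    folder = os.path.join(work, "traefik")          # stands in for ./docker/traefik/
    os.mkdir(folder)
    print("folder used as acme.json:", acme_store_status(folder))
    store = os.path.join(folder, "acme.json")        # stands in for ./docker/traefik/acme.json
    print("before:", acme_store_status(store), "after:", prepare_acme_store(store))
    print("bind mount points at a file:", compose_volume_target_is_file(store + ":/acme.json"))
```

Run it against the real path before starting the stack; if it prints "directory", the compose line is pointing at the folder, which is exactly the mistake the answer describes.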
I'm using a VPS with Debian 10 on it. I also have one domain name.
My goal is to self-host a few services, like FreshRSS or Nextcloud. To deploy these services, I'm using Docker and Docker Compose. I have one folder per service.
Because I would like to get a reverse proxy and assign subdomains to services (for example : cloud.domainname.com to Nextcloud), I installed Traefik yesterday. However, I cannot get the service to work. This is probably bad configuration from me, as I'm a total beginner in setting up reverse proxies. For example, I'm trying to get it to work with ArchiveBox, which runs on the port 8000. I would like Traefik to map my subdomain archive.domainname.com to the port 8000 of my VPS.
These are the steps I did yesterday:
Installed ArchiveBox on my VPS with Docker Compose and configured it. It's working successfully.
Created a new network for traefik: sudo docker network create --driver=bridge --subnet=192.168.0.0/16 traefik_lan
Installed Traefik with Docker Compose, added dynamic configuration by following tutorials.
Added the labels and the network to the Docker Compose file of ArchiveBox.
Started both. However, ArchiveBox creates a new network and does not seem to use the Traefik one. I can also still access ArchiveBox directly at domainname.com:8000.
Below are the config files.
ArchiveBox
ArchiveBox docker-compose.yml
# Usage:
# docker-compose up -d
# docker-compose run archivebox init
# echo "https://example.com" | docker-compose run archivebox archivebox add
# docker-compose run archivebox add --depth=1 https://example.com/some/feed.rss
# docker-compose run archivebox config --set PUBLIC_INDEX=True
# Documentation:
# https://github.com/ArchiveBox/ArchiveBox/wiki/Docker#docker-compose
version: '3.7'

services:
  archivebox:
    # build: .
    image: ${DOCKER_IMAGE:-archivebox/archivebox:latest}
    command: server 0.0.0.0:8000
    stdin_open: true
    tty: true
    ports:
      - 8000:8000
    environment:
      - USE_COLOR=True
      - SHOW_PROGRESS=False
      - SEARCH_BACKEND_ENGINE=sonic
      - SEARCH_BACKEND_HOST_NAME=sonic
      - SEARCH_BACKEND_PASSWORD=SecretPassword
    volumes:
      - ./data:/data
    depends_on:
      - sonic
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_lan"
      - "traefik.http.routers.archiveboxnotls.rule=Host(`${ARCHIVE_URL}`)"
      - "traefik.http.routers.archiveboxnotls.entrypoints=webinsecure"
      - "traefik.http.routers.archiveboxnotls.middlewares=tlsredir@file"
      - "traefik.http.routers.archivebox.rule=Host(`${ARCHIVE_URL}`)"
      - "traefik.http.routers.archivebox.entrypoints=websecure"
      - "traefik.http.routers.archivebox.tls=true"
      - "traefik.http.routers.archivebox.tls.certresolver=letsencrypt"
    networks:
      - traefik_lan

  # Run sonic search backend
  sonic:
    image: valeriansaliou/sonic:v1.3.0
    ports:
      - 1491:1491
    environment:
      - SEARCH_BACKEND_PASSWORD=SecretPassword
    volumes:
      - ./etc/sonic/config.cfg:/etc/sonic.cfg
      - ./data:/var/lib/sonic/store/

networks:
  traefik_lan:
    external: true
I'm then expected to run it like so:
sudo ARCHIVE_URL=archive.mydomain.com docker-compose up -d
Traefik
This is the structure of my /traefik folder in /home.
.
├── config
│   ├── acme.json
│   ├── dynamic-conf
│   │   ├── dashboard.toml
│   │   ├── tlsredir.toml
│   │   └── tls.toml
│   └── traefik.toml
└── docker-compose.yml
docker-compose.yml
version: '3'
services:
  reverse-proxy:
    container_name: traefik
    image: traefik:v2.4
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    networks:
      - traefik_lan
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config:/etc/traefik:ro
      - ./config/acme.json:/acme.json
networks:
  traefik_lan:
    external: true
traefik.toml
[api]
dashboard = true
[providers]
[providers.docker]
exposedByDefault = false
[providers.file]
directory = "/etc/traefik/dynamic-conf"
watch = true
[entryPoints]
[entryPoints.websecure]
address = ":443"
[entryPoints.webinsecure]
address = ":80"
[entryPoints.dot]
address = ":853"
[certificatesResolvers.letsencrypt.acme]
email = "myemail@gmail.com"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
#caServer: "https://acme-v02.api.letsencrypt.org/directory"
storage = "acme.json"
[certificatesResolvers.letsencrypt.acme.tlsChallenge]
[accessLog]
format = "json"
[accessLog.fields]
defaultMode = "drop"
[accessLog.fields.names]
"ClientAddr" = "keep"
"RequestAddr" = "keep"
"RequestMethod" = "keep"
"RequestPath" = "keep"
"DownstreamStatus" = "keep"
dashboard.toml
[http.routers.api]
rule = "Host(`traefik.domain.tld`)"
entrypoints = ["webinsecure"]
service = "api@internal"
middlewares = ["tlsredir@file"]
[http.routers.api-secure]
rule = "Host(`traefik.domain.tld`)"
entrypoints = ["websecure"]
service = "api@internal"
middlewares = ["secured"]
[http.routers.api-secure.tls]
certResolver = "letsencrypt"
tlsredir.toml
[http.middlewares]
[http.middlewares.tlsredir.redirectScheme]
scheme = "https"
permanent = true
tls.toml
[tls]
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
]
curvePreferences = ["CurveP521","CurveP384"]
Thank you in advance for your help.
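The label set in the post above follows the Traefik v2 pattern `traefik.http.routers.<name>.<key>=<value>`, where every key is attached to a named router and the entrypoint, certificate resolver and middleware names must match what the static config and the file provider declare. As an added example (not code from the post or from the Traefik project), the linter below parses a constructed label list of that shape into per-router tables and cross-checks it against the names it is given; it also lists any `ports:` entries, since a published port is reachable without going through the proxy. The hostnames, entrypoint names and resolver names in the demo are assumptions.

```python
# Added example (not from the original post): a small linter for Traefik v2
# Docker labels. It groups `traefik.http.routers.<name>.<key>=value` labels per
# router and checks them against the entrypoints, certificate resolvers and
# file-provider middlewares declared elsewhere. Sample data is constructed.
import re

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")


def parse_router_labels(labels):
    """Group `traefik.http.routers.X.key=value` labels into {X: {key: value}}."""
    routers = {}
    for label in labels:
        key, _, value = label.partition("=")
        m = ROUTER_RE.match(key.strip())
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value.strip()
    return routers


def lint_service(labels, networks, ports, entrypoints, resolvers, middlewares):
    """Return a list of human-readable findings for one compose service.

    networks:    networks the service joins (its compose `networks:` list)
    ports:       its compose `ports:` entries, e.g. "8000:8000"
    entrypoints: entryPoint names from the static config
    resolvers:   certificatesResolvers names from the static config
    middlewares: fully-qualified middleware names, e.g. {"tlsredir@file"}
    """
    findings = []
    simple = dict(lab.partition("=")[::2] for lab in labels)
    if simple.get("traefik.enable") != "true":
        findings.append("traefik.enable is not true; exposedByDefault=false hides it")
    net = simple.get("traefik.docker.network")
    if net and net not in networks:
        findings.append("traefik.docker.network=" + net + " but service is not on " + net)
    for name, cfg in parse_router_labels(labels).items():
        if "rule" not in cfg:
            findings.append("router " + name + ": no rule")
        for ep in cfg.get("entrypoints", "").split(","):
            if ep and ep not in entrypoints:
                findings.append("router " + name + ": unknown entrypoint " + ep)
        res = cfg.get("tls.certresolver")
        if res and res not in resolvers:
            findings.append("router " + name + ": unknown certresolver " + res)
        for mw in cfg.get("middlewares", "").split(","):
            if mw and mw not in middlewares:
                findings.append("router " + name + ": unknown middleware " + mw)
    for p in ports:
        findings.append("port " + str(p) + " is published on the host; reachable without Traefik")
    return findings


if __name__ == "__main__":
    # Constructed labels in the same shape as the post, with placeholder names.
    labels = [
        "traefik.enable=true",
        "traefik.docker.network=traefik_lan",
        "traefik.http.routers.app-insecure.rule=Host(`archive.example.test`)",
        "traefik.http.routers.app-insecure.entrypoints=webinsecure",
        "traefik.http.routers.app-insecure.middlewares=tlsredir@file",
        "traefik.http.routers.app.rule=Host(`archive.example.test`)",
        "traefik.http.routers.app.entrypoints=websecure",
        "traefik.http.routers.app.tls=true",
        "traefik.http.routers.app.tls.certresolver=letsencrypt",
    ]
    for finding in lint_service(labels, ["traefik_lan"], ["8000:8000"],
                                {"websecure", "webinsecure"}, {"letsencrypt"},
                                {"tlsredir@file"}):
        print("-", finding)
```

The static-config names are passed in by hand here; in practice you would read them from traefik.toml and the dynamic-conf directory, which is also where a middleware referenced as `name@file` has to be defined.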
I have two services as shown below:
version: '3'
services:
  # reverse proxy
  traefik:
    image: traefik:1.7-alpine
    ports:
      - 8080:8080 # Access through port 8080 e.g. localhost:8080 -> traefik dashboard
      - 9000:80   # Access through port 9000 e.g. localhost:9000 -> actual service (flask and any others)
      - 9001:80   # Access through port 9001 e.g. localhost:9001 -> actual service (flask and any others)
      - 443:443   # Access through port 443 e.g. localhost:443 -> unused until we get https going
    networks:
      - traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      # - ./acme.json:/acme.json # ignored for production version
      # - ./traefik.toml:/traefik.toml # ignored for production version
    container_name: traefik
    command: --docker --api --docker.domain=local.docker
    restart: unless-stopped

  # flask app 1
  flaskapp1:
    # build the Dockerfile
    build:
      context: ./flaskapp1
      dockerfile: Dockerfile
    container_name: flaskapp1
    restart: always
    command: >
      gunicorn -b 0.0.0.0:5000
      --access-logfile -
      --timeout=1200
      --reload
      "flaskapp1.app:create_app()"
    volumes:
      - '.:/flaskapp1'
    networks:
      - traefik
    # exposing a port to the other services (note, this is not publishing the port to the world)
    expose: ['5000']
    # these labels override the traefik configure file so we can setup traefik here, and not deal with a .toml file
    labels:
      - traefik.enable=true
      - traefik.backend=flaskapp1
      - traefik.docker.network=traefik
      - traefik.frontend.rule=Host:localhost
      - traefik.flaskapp1.port=5000

  # flask app 2
  flaskapp2:
    # build the Dockerfile
    build:
      context: ./flaskapp2
      dockerfile: Dockerfile
    container_name: flaskapp2
    restart: always
    command: >
      gunicorn -b 0.0.0.0:5000
      --access-logfile -
      --timeout=600
      --reload
      "hairByElli.app:create_app()"
    volumes:
      - '.:/flaskapp2'
    networks:
      - traefik
    # exposing a port to the other docker services (note, this is not publishing the port to the world)
    expose: ['5000']
    # these labels override the traefik config file so we can setup traefik here, and not deal with a .toml file
    labels:
      - traefik.enable=true
      - traefik.backend=flaskapp2
      - traefik.docker.network=traefik
      - traefik.frontend.rule=Host:localhost:9001
      # - traefik.frontend.rule=Host:localhost;PathPrefixStrip:/app2
      - traefik.flaskapp2.port=5000

networks:
  traefik:
    external: false
As you can see, this is my localhost testing machine. Ubuntu 18.04. So I'm currently trying to get to localhost:9000 and localhost:9001 as my entry points whilst I get this working properly.
My flaskapp1 works perfectly. My flaskapp2 is giving a 404 error.
Here is my toml:
defaultEntryPoints = ["http", "https"]
logLevel = "error"
debug = false
# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
dashboard = false
address = ":8080"
# Connection to docker host system (docker.sock)
[docker]
domain = "local.docker"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":9000"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.http]
address = ":9001"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
What am I doing wrong here? I mean, I don't mind if it comes in at 9000 / 9001 or some other entry point. It's just so I can test them on the same machine until going live. At which point I'll have separate domains pointing to them.
Any help would be greatly appreciated.
I built Traefik with Cloudflare CDN. I used the docker container run command to run my Docker container, executed by Drone CI. I have an issue: after the Docker container is built successfully, the subdomain gives a bad gateway.
docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    domainname: ${DOMAINNAME}
    networks:
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
      - CF_API_KEY=${CLOUDFLARE_API_KEY}
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:monitor.${DOMAINNAME}"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=example.com"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.auth.basic.users:${HTTP_USERNAME}:${HTTP_PASSWORD}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik:/etc/traefik
      - /etc/docker/shared:/shared
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
Traefik.toml
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]
# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Let's encrypt configuration
[acme]
email = "example@gmail.com" #any email id will work
storage="acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 300
[[acme.domains]]
main = "example.com"
[[acme.domains]]
main = "*.example.com"
# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.com"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
Command I used to run the docker container, executed by Drone:
docker container run -d --name example-development --restart=unless-stopped \
  --label "traefik.backend=example-development" \
  --label "traefik.frontend.rule=Host:subdomain.example.com" \
  --label "traefik.enable=false" \
  --label "traefik.port=6611" \
  --expose 6611 \
  cloud.canister.io:5000/username/repo
My docker container is listening on http://127.0.0.1:6611
The above code examples lead to Error 504 Gateway Timeout.
Traefik needs to have a common network with the containers it is connecting to. In this case, you need to run the containers with --net=traefik_proxy.
If your container is on multiple networks, you'll also need the label traefik.docker.network=traefik_proxy to tell Traefik which of those networks to use.
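As an added example (not code from the answer above), the following Python function applies that rule to `docker inspect` output: it reads the networks each container is attached to, checks for a network common to Traefik and the backend, and when the backend sits on more than one network checks that the `traefik.docker.network` label names a shared one. The inspect documents below are constructed, trimmed stand-ins for real output, and the container and network names are assumptions.

```python
# Added example (not from the original answer): given `docker inspect` output
# for Traefik and for a backend container, report whether they share a network
# and which one the backend's traefik.docker.network label should name.
# The JSON below is constructed and trimmed; names are assumptions for the demo.
import json


def _doc(inspect_doc):
    # `docker inspect` prints a list with one object per container.
    return inspect_doc[0] if isinstance(inspect_doc, list) else inspect_doc


def container_networks(inspect_doc):
    """Return {network_name: ip} for the container."""
    nets = _doc(inspect_doc).get("NetworkSettings", {}).get("Networks", {})
    return {name: cfg.get("IPAddress", "") for name, cfg in nets.items()}


def container_labels(inspect_doc):
    """Return the container's labels (inspect reports null when there are none)."""
    return _doc(inspect_doc).get("Config", {}).get("Labels") or {}


def diagnose(traefik_doc, backend_doc):
    """Explain why Traefik may answer 502/504 for a backend.

    Returns (ok, message). ok is True only when the two containers share at
    least one network and, if the backend is on several, its
    traefik.docker.network label names one of the shared ones.
    """
    traefik_nets = container_networks(traefik_doc)
    backend_nets = container_networks(backend_doc)
    shared = sorted(set(traefik_nets) & set(backend_nets))
    if not shared:
        return False, "no common network; attach the backend to one of " + ", ".join(sorted(traefik_nets))
    chosen = container_labels(backend_doc).get("traefik.docker.network")
    if len(backend_nets) > 1:
        if chosen is None:
            return False, "backend is on several networks; set traefik.docker.network=" + shared[0]
        if chosen not in shared:
            return False, "traefik.docker.network=" + chosen + " is not shared with Traefik; use one of " + ", ".join(shared)
    use = chosen if chosen in shared else shared[0]
    return True, "Traefik will reach the backend over " + use + " at " + backend_nets[use]


# Constructed stand-ins for `docker inspect traefik` and `docker inspect <backend>`.
TRAEFIK = json.loads("""[{"Name": "/traefik",
  "Config": {"Labels": {"traefik.enable": "true"}},
  "NetworkSettings": {"Networks": {"traefik_proxy": {"IPAddress": "172.20.0.2"}}}}]""")
BACKEND_ALONE = json.loads("""[{"Name": "/example-development",
  "Config": {"Labels": {"traefik.port": "6611"}},
  "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}}]""")

if __name__ == "__main__":
    print(diagnose(TRAEFIK, BACKEND_ALONE))
```

Against live containers, feed it `json.load(subprocess.run(["docker", "inspect", name], capture_output=True, check=True).stdout)` for each side; the function itself needs no Docker access, which is why it can be exercised with the constructed documents.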
I'm trying to secure a site which is served by Traefik using Let's Encrypt. However, it fails when testing the ACME challenge.
time="2019-02-07T23:23:35Z" level=error msg="Unable to obtain ACME certificate for domains \"git.redacted.be\" detected thanks to rule \"Host:git.redacted.be\" : unable to generate a certificate for the domains [git.redacted.be]: acme: Error -> One or more domains had a problem:\n[git.redacted.be] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://git.redacted.be/.well-known/acme-challenge/I_44HUy2IqyYZk-6GmfWxtm7Uunx_wid9rgHpXkhZcM: Error getting validation data, url: \n"
The server is publicly available from the internet (if I go to http://git.redacted.be, it gets redirected to https and I can configure my git server), and gogs (the git server) is also made accessible via traefik and docker.
When I manually navigate to the url mentioned (.well-known/acme-challenge/...), the request times out but logging inside traefik shows: Error getting challenge for token: cannot find challenge for
I already tried some of the workarounds mentioned in https://github.com/containous/traefik/issues/2763 (disable IPv6 and use traefik:alpine)
This is my setup:
Traefik docker-compose.yml
version: '3.2'
services:
  traefik:
    image: traefik:alpine # The official Traefik docker image
    command: --api --docker --logLevel=info # Enables the web UI and tells Traefik to listen to docker
    restart: unless-stopped
    ports:
      - "81:80" # The HTTP port
      - "444:443"
      - "18080:8080" # The Web UI (enabled by --api)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    networks:
      - traefik
    logging:
      driver: "json-file"
networks:
  traefik:
    external:
      name: traefik
Traefik.toml
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "redacted.be"
watch = true
exposedByDefault = false
[acme]
email = "ronald@redacted.be"
storage = "acme.json"
entryPoint = "https"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
The docker-compose of my git server:
version: '3.2'
services:
  gogs:
    restart: unless-stopped
    image: gogs/gogs
    volumes:
      - ./data/db:/data/db
      - ./data/git:/data/git
      - ./data/gogs:/data/gogs
    networks:
      - gogs
      - traefik
    ports:
      - "10022:22"
      - "3000:3000"
    labels:
      - "traefik.port=3000"
      - "traefik.frontend.rule=Host:git.redacted.be"
      - "traefik.docker.network=traefik"
networks:
  gogs:
  traefik:
    external:
      name: traefik
Any idea what I'm doing wrong?
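The error in the post is an HTTP-01 validation failure. For that challenge type the ACME server fetches `http://<domain>/.well-known/acme-challenge/<token>` on TCP port 80 of the domain's public address (RFC 8555, section 8.3), and Traefik answers it on the entrypoint named by `acme.httpChallenge.entryPoint`. So on any compose file that remaps ports, the check worth making is whether host port 80 is actually published onto that entrypoint. As an added example (not code from the post or from Traefik), the Python below parses compose `ports:` strings and performs that check; the port lists and entrypoint addresses in the demo are constructed and are not a statement about the poster's full setup.

```python
# Added example (not from the original post): parse compose `ports:` entries,
# list the host ports they publish, and check the HTTP-01 precondition that
# host port 80 reaches the entrypoint named by acme.httpChallenge.entryPoint.
# Sample port lists and entrypoint addresses are constructed for the demo.


def parse_port_mapping(spec):
    """Parse a compose port string into (host_ip, host_port, container_port, proto).

    Accepts "80:80", "81:80", "127.0.0.1:8080:80", "443:443/udp" and a bare
    "3000" (container port only; the host port is chosen at runtime -> None).
    """
    spec = str(spec).strip()
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    parts = spec.split(":")
    if len(parts) == 1:
        return None, None, int(parts[0]), proto
    if len(parts) == 2:
        return None, int(parts[0]), int(parts[1]), proto
    if len(parts) == 3:
        return parts[0], int(parts[1]), int(parts[2]), proto
    raise ValueError("unsupported port spec: " + spec)


def published_host_ports(ports, proto="tcp"):
    """{host_port: container_port} for every mapping that fixes a host port."""
    out = {}
    for spec in ports:
        _, host_port, container_port, p = parse_port_mapping(spec)
        if host_port is not None and p == proto:
            out[host_port] = container_port
    return out


def entrypoint_port(address):
    """Turn a Traefik entryPoint address such as ":80" or "0.0.0.0:443" into an int."""
    return int(address.rsplit(":", 1)[1])


def http01_precondition(ports, entrypoints, challenge_entrypoint):
    """Check that host port 80 is published onto the challenge entrypoint.

    ports:                compose `ports:` list of the Traefik service
    entrypoints:          {name: address} from the static config
    challenge_entrypoint: value of acme.httpChallenge.entryPoint
    Returns (ok, explanation).
    """
    if challenge_entrypoint not in entrypoints:
        return False, "entrypoint " + challenge_entrypoint + " is not defined"
    target = entrypoint_port(entrypoints[challenge_entrypoint])
    mapped = published_host_ports(ports)
    if 80 not in mapped:
        return False, ("host port 80 is not published; the CA connects to port 80, not to "
                       + ", ".join(str(p) for p in sorted(mapped)))
    if mapped[80] != target:
        return False, ("host port 80 is mapped to container port " + str(mapped[80])
                       + ", but " + challenge_entrypoint + " listens on " + str(target))
    return True, "host port 80 -> container port " + str(target) + " (" + challenge_entrypoint + ")"


if __name__ == "__main__":
    # Constructed inputs: a remapped compose port list versus a direct one.
    eps = {"http": ":80", "https": ":443"}
    print(http01_precondition(["81:80", "444:443", "18080:8080"], eps, "http"))
    print(http01_precondition(["80:80", "443:443"], eps, "http"))
```

The same reasoning applies to the TLS-ALPN-01 challenge on port 443; only the DNS-01 challenge used in the earlier posts on this page needs no inbound port at all, because validation goes through a DNS TXT record instead.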