Using a domain name without a subdomain causes routing to fail - docker

I'm trying to create a simple app using traefik to handle routing and SSL, but I'm running into issues when I want to use 'example.com' instead of 'subdomain.example.com'.
If I try to include a service with a frontend rule of just 'example.com' the only rule that works is 'monitor.example.com'. 'api.example.com' won't work and returns a 404. If I comment out the frontend rule for 'example.com' then 'api.example.com' works again. But, no matter what, 'monitor.example.com' works fine. Additionally, 'example.com' always returns a 404 no matter what as well.
Here's my docker-compose file:
version: '3'
services:
  reverse-proxy:
    image: traefik
    restart: always
    command: --docker
    ports:
      - 80:80
      - 443:443
    networks:
      - web
    labels:
      - "traefik.frontend.rule=Host:monitor.example.com"
      - "traefik.port=8080"
      - "traefik.enable=true"
      - "traefik.docker.network=web"
      - "traefik.backend=traefik"
    environment:
      - CLOUDFLARE_EMAIL=###
      - CLOUDFLARE_API_KEY=###
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/project/traefik/traefik.toml:/traefik.toml
      - /home/project/traefik/acme.json:/acme.json
    container_name: traefik
  api:
    image: api
    expose:
      - 5080
    restart: always
    networks:
      - web
    container_name: api
    labels:
      - "traefik.frontend.rule=Host:api.example.com"
      - "traefik.enable=true"
      - "traefik.docker.network=web"
      - "traefik.port=5080"
      - "traefik.backend=api"
  app:
    image: app
    restart: always
    networks:
      - web
    container_name: app
    labels:
      - "traefik.frontend.rule=Host:example.com"
      - "traefik.enable=true"
      - "traefik.docker.network=web"
      - "traefik.backend=app"
      - "traefik.port=80"
networks:
  web:
    external: true
And here's my traefik configuration:
defaultEntryPoints = ["https", "http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.trdash]
address = ":8080"
[entryPoints.trdash.auth]
[entryPoints.trdash.auth.basic]
users = [
"admin:###",
]
[api]
entryPoint = "trdash"
[acme]
email = "###"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
[[acme.domains]]
main = "example.com"
[[acme.domains]]
main = "*.example.com"
[acme.dnsChallenge]
provider = "cloudflare"
Any help would be appreciated, thanks!
EDIT:
Okay, I seem to have solved my own problem by disabling the 'orange cloud' on the domains I'm using on Cloudflare. Additionally I had to remove my http to https redirect rules inside of the traefik.toml file. I don't understand why this is a problem, so I'm going to leave the question open. This really seems to negate much of the value which Cloudflare provides.

It turns out the issue was enabling the Cloudflare proxy (orange cloud) without enabling the backend SSL. So long as I have SSL certs on the server (which I do via Let's Encrypt) I can turn Cloudflare SSL to 'Full (strict)' and it appears that the routing works fine now.
Thanks to Daniel Tomcej on the Traefik Slack for helping me find this answer.
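The interaction the edit describes, as an added example written for this page (it is not code from the question, from Traefik or from Cloudflare): a small Python model of which scheme Cloudflare uses towards the origin in each SSL mode, combined with Traefik's http-to-https redirect from the traefik.toml above. The TraefikOrigin class, the fetch loop and the URLs are constructed for illustration; the mode semantics (Flexible always plain HTTP to the origin, Full and Full (strict) keeping the visitor's scheme, strict also validating the origin certificate) are Cloudflare's documented behaviour.

```python
"""Added example, not code from the question or from Traefik/Cloudflare: a model
of how a Cloudflare SSL mode combines with Traefik's http->https redirect.
The hop model and all names are constructed; the mode semantics are
Cloudflare's documented ones."""

from dataclasses import dataclass
from urllib.parse import urlsplit

MAX_HOPS = 8


@dataclass
class TraefikOrigin:
    """The server side of the question: :80 redirects to https, :443 serves TLS."""
    redirect_http_to_https: bool = True   # [entryPoints.http.redirect] present
    valid_cert: bool = True               # Let's Encrypt cert present in acme.json

    def handle(self, scheme: str, url: str):
        """Return (status, location) as the origin answers one request."""
        if scheme == "http" and self.redirect_http_to_https:
            return 301, "https://" + url.split("://", 1)[1]
        return 200, None


def origin_scheme(cf_mode: str, visitor_scheme: str) -> str:
    """Scheme Cloudflare uses on the edge->origin leg for a given SSL mode."""
    if cf_mode == "flexible":
        return "http"            # orange cloud + Flexible: never TLS to the origin
    if cf_mode in ("full", "full_strict"):
        return visitor_scheme    # the visitor's scheme is carried through
    raise ValueError(f"unknown Cloudflare SSL mode: {cf_mode}")


def fetch(url: str, origin: TraefikOrigin, cf_mode: str = "flexible", proxied: bool = True):
    """Follow the redirect chain a browser would see; return (outcome, hops).

    proxied=False models the grey cloud (DNS only): the browser reaches Traefik
    directly, so the SSL mode plays no role.
    """
    hops = []
    while len(hops) < MAX_HOPS:
        hops.append(url)
        visitor_scheme = urlsplit(url).scheme
        if proxied:
            scheme = origin_scheme(cf_mode, visitor_scheme)
            if cf_mode == "full_strict" and scheme == "https" and not origin.valid_cert:
                return "526 invalid origin certificate", hops
        else:
            scheme = visitor_scheme
        status, location = origin.handle(scheme, url)
        if status == 200:
            return "200 OK", hops
        if location in hops:
            # Flexible + origin redirect: the edge fetches over http again and is
            # redirected again, so the browser never leaves the loop.
            return "redirect loop", hops
        url = location
    return "too many redirects", hops


if __name__ == "__main__":
    for mode in ("flexible", "full_strict"):
        print(mode, fetch("http://example.com/", TraefikOrigin(), mode))
    print("no redirect", fetch("http://example.com/", TraefikOrigin(False), "flexible"))
```

Run as a script, the model shows the two escapes the edit found: dropping the redirect makes Flexible mode terminate (at the cost of a plaintext edge-to-origin leg), while keeping the redirect and switching to Full (strict) terminates after one hop because the second request already reaches Traefik's :443 entrypoint.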

Related

Traefik websocket secure ( wss ) and https on the same domain with docker

I struggled with this for at least the last day and didn't find a solution. I want to connect Websocket and https on the same docker. I have tried many things.
Here is my configuration:
Traefik V2 first:
Here is the docker container:
version: '3'
services:
  reverse-proxy:
    image: traefik:v2.7.1
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/traefik.toml:/etc/traefik/traefik.toml
      - $PWD/acme.json:/acme.json
    restart: always
    networks:
      - web
networks:
  web:
    external:
      name: web
Here is my toml file:
[accessLog]
[api]
dashboard = true
insecure = true
[log]
level = 'ERROR'
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
permanent = true
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "default"
[entryPoints.wss]
address = ":8000"
[providers]
[providers.docker]
watch = true
exposedByDefault = false
network = "web"
[certificatesResolvers]
[certificatesResolvers.default]
[certificatesResolvers.default.acme]
email = "contact@queel.io"
storage = "acme.json"
caServer = "https://acme-v01.api.letsencrypt.org/directory"
[certificatesResolvers.default.acme.tlsChallenge]
I want to connect on https and wss on the same node container, exposing two ports.
Here is my docker-compose for this:
node:
  build: ./docker/node_api
  volumes:
    - ./node:/src
  tty: true
  networks:
    - web
  ports:
    - ":8000"
    - ":8081"
  labels:
    - "traefik.docker.network=web"
    - "traefik.enable=true"
    - "traefik.http.routers.node.rule=Host(`api.${HOST}`)"
    - "traefik.http.routers.node.entrypoints=websecure"
    - "traefik.tcp.services.node.loadbalancer.server.port=8000"
    - "traefik.http.routers.wss.rule=Host(`ws.${HOST}`)"
    - "traefik.tcp.services.wss.loadbalancer.server.port=8081"
    #- "traefik.http.services.wss.loadBalancer.sticky.cookie=true"
    # - "traefik.http.routers.wss.tls=true"
    #- "traefik.http.routers.wss.tls.certResolver=default"
    #- "traefik.http.routers.wss.entrypoints=wss"
    - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
    #- "traefik.http.routers.wss.tls.certresolver=default"
  depends_on:
    - elastic
    - neo
  working_dir: /src
As you can see I tried many solutions, but none is working; maybe you should help me find the combination of the good ones. It seems, as I have seen elsewhere, that the X-Forwarded-Proto is the solution. For now the wss connection is not working.
Could you help me with that?
The answer is quite simple: my socket server was not started. The config stays the same for the main part and I only have to have:
  - "traefik.http.routers.wss.rule=Host(`ws.${HOST}`)"
  - "traefik.tcp.services.wss.loadbalancer.server.port=8081"
  - "traefik.http.routers.wss.entrypoints=websecure"
entrypoint=websecure is enough for wss since it's over http.
I didn't manage to use the two services in a single container so I split the container into two containers.

'Internal Server Error' when deploying Application with Traefik and LetsEncrypt

I'm new to SSL certificates with Traefik and have been having real trouble getting a successful deployment.
I have a server and domain that I have deployed my application on using Traefik and HTTP without issue. I would now like the same application, running on port 9000, to be deployed over HTTPS using LetsEncrypt, following the Traefik docs. I can verify that the certificate has been properly created using an SSL checker; however, when I try to visit the site I get Internal Server Error. There are no errors reported in either of the docker logs and I cannot figure out what to try next.
docker-compose.yml
version: '2'
services:
  traefik:
    image: traefik:v1.7
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    container_name: traefik
  app:
    image: myapp_image
    container_name: app
    restart: always
    networks:
      - web
    ports:
      - "9000:9000"
    labels:
      - "traefik.docker.network=web"
      - "traefik.enable=true"
      - "traefik.basic.frontend.rule=Host:myapp.com"
      - "traefik.basic.port=9000"
      - "traefik.basic.protocol=http"
      - "traefik.admin.frontend.rule=Host:myapp.com"
      - "traefik.admin.protocol=https"
      - "traefik.admin.port=9000"
networks:
  web:
    external: true
traefik.toml
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myapp.com"
watch = true
exposedByDefault = false
[acme]
email = "myemail@email.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
Finally I was able to find a workable solution for this. I may have just been using old information, but the best reference for hosting an application with Traefik over HTTPS using LetsEncrypt was found here.
The working YAML example is below. Using this example will also eliminate the need for a TOML file!
version: "3.3"
services:
  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

Why do my configurations of Grafana, Docker and Traefik not route my requests to Grafana's frontpage?

I am new to traefik and am trying to set up my containers to be reverse-proxied by traefik at the moment. It all worked fine while using traefik.frontend.rule=Host:grafana01.mydomain.com for routing requests to grafana01.mydomain.com, but due to infrastructural issues within our network I'd rather use traefik.frontend.rule=Path:/grafana01/ to redirect to mydomain.com/grafana01. Yet for some reason it does not work.
My traefik.toml file as well as my two docker-compose.yml files for traefik and grafana, respectively:
#Traefik Global Configuration
debug = false
checkNewVersion = true
logLevel = "ERROR"
#Define the EntryPoint for HTTP and HTTPS
defaultEntryPoints = ["https","http"]
#Enable Traefik Dashboard on port 8080
[web]
address = ":8080"
#Define the HTTP port 80 and
#HTTPS port 443 EntryPoint
#Enable automatically redirect HTTP to HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
#Enable retry sending a request if the network error
[retry]
#Define Docker Backend Configuration
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
watch = true
#Letsencrypt Registration
#Define the Letsencrypt ACME HTTP challenge
[acme]
email = "some_email"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"
version: '3'
services:
  traefik:
    image: traefik:latest
    command: --docker --docker.mydomain.com
    ports:
      - 80:80
      - 443:443
    networks:
      - traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    labels:
      - "traefik.frontend.rule=Host:mydomain.com"
      - "traefik.port=8080"
      - "traefik.backend=traefik"
    container_name: traefik
    restart: always
networks:
  traefik:
    external: true
version: '3'
services:
  grafana01:
    image: grafana/grafana
    labels:
      - traefik.port=3000
      - traefik.backend=grafana01
      - traefik.frontend.rule=Path:/grafana01/
      - traefik.docker.network=traefik
    networks:
      - traefik
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=secret
    volumes:
      - /srv/docker/grafana01/data:/var/lib/grafana
    container_name: grafana01
    restart: always
  grafana02:
    image: grafana/grafana
    labels:
      - traefik:port=3001
      - traefik.backend=grafana02
      - traefik.frontend.rule=Path:/grafana02/
      - traefik.docker.network=traefik
      - traefik.enable=true
    networks:
      - traefik
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=secret
    volumes:
      - /srv/docker/grafana02/data:/var/lib/grafana
    container_name: grafana02
    restart: always
networks:
  traefik:
    external: true
I'd appreciate any help!
Changing traefik.frontend.rule=Path:/grafana01/ to traefik.frontend.rule=PathPrefixStrip:/grafana01, as well as adding GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s/grafana01, did the trick for me.

Traefik, Docker and Let's Encrypt

Final stage before my website can finally go live --> SSL.
I'm using a Jekyll site, with Traefik as a reverse proxy, Docker to prevent "it works on my machine" and Let's Encrypt for SSL. Looking at the docs this should be a walk in the park, but (as with everything in software development) it is harder than it seems.
My current Traefik configuration:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
permanent = true
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "johanvergeer.com"
watch = true
exposedByDefault = true
usebindportip = true
swarmMode = true
[acme]
email = "johanvergeer@gmail.com"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[[acme.domains]]
main = "johanvergeer.com"
[acme.httpChallenge]
entryPoint = "http"
provider = "digitalocean"
And the docker-compose file:
version: "3.6"
services:
  site:
    ports:
      - 4000:4000
    image: registry.gitlab.com/johanvergeer/redgyro/site:latest
    deploy:
      labels:
        - traefik.site.port=4000
        - traefik.enable=true
        - traefik.frontend.rule=Host:johanvergeer.com
        - traefik.frontend.entryPoints=http,https
        - traefik.docker.network=traefik-net
        - traefik.backend.loadbalancer.method=drr
    networks:
      - traefik-net
  reverse-proxy:
    image: traefik # The official Traefik docker image
    ports:
      - "80:80" # The HTTP port
      - "8080:8080" # The Web UI (enabled by --api)
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - $PWD/traefik.toml:/etc/traefik/traefik.toml
      - $PWD/acme.json:/etc/traefik/acme.json
    deploy:
      labels:
        - traefik.site.port=80
        - traefik.logLevel=DEBUG
        - traefik.docker.network=traefik-net
        - traefik.backend.loadbalancer.method=drr
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
    networks:
      - traefik-net
networks:
  traefik-net:
    name: traefik-net
At this moment I don't even receive anything in the Traefik logs, while it is set to DEBUG.
The browser shows an error Your connection is not private and NET::ERR_CERT_AUTHORITY_INVALID.
Does anyone know how to solve this?
httpChallenge does not accept a provider param. You could try removing that.
If that doesn't work and you're running on DigitalOcean try doing a dnsChallenge instead of an httpChallenge. To do so modify your traefik.toml from this:
[acme.httpChallenge]
entryPoint = "http"
provider = "digitalocean"
To this:
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
And pass in the DO_AUTH_TOKEN environment variable as specified here. If you anticipate adding subdomains later DNS challenge with wildcard domains is the way to go.
Also consider removing caServer from your config so you default to production, in case you've hit the Let's Encrypt rate limit for staging.
You could also try asking for help on the Let's Encrypt Community Support forum if you haven't yet.

Docker-compose traefik PathPrefixStrip do not work correctly

I have a problem that is driving me mad, please help me.
I want to access all my apps from one free no-ip subdomain, so I think traefik can do that for me. I want to access all my apps like this:
mysubdomain.no-ip.com/emby
mysubdomain.no-ip.com/pydio
mysubdomain.no-ip.com/adminer...
Here is my docker compose:
version: "2"
services:
  db:
    image: linuxserver/mariadb
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: "test"
    labels:
      - "traefik.enable=false"
    volumes:
      - ./config/mariadb:/etc/mysql/
    ports:
      - '3306:3306'
  adminer:
    image: adminer
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.backend=adminer"
      - "traefik.frontend.rule=PathPrefixStrip:/dbadmin"
      - "traefik.backend.port=8080"
    volumes:
      - ./config/adminer:/config
  emby:
    image: emby/embyserver:latest
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.backend=emby"
      - "traefik.frontend.rule=PathPrefixStrip:/media"
      - "traefik.backend.port=8096"
    volumes:
      - ./config/emby:/config
  cloud:
    image: linuxserver/pydio:latest
    restart: always
    environment:
      PGID: "1000"
      PUID: "1000"
    labels:
      - "traefik.enable=true"
      - "traefik.backend=cloud"
      - "traefik.frontend.rule=PathPrefixStrip:/cloud"
      - "traefik.backend.port=443"
      - "traefik.protocol=https"
    volumes:
      - ./config/cloud:/config
      - ./data/test:/data
  organizr:
    image: lsiocommunity/organizr
    restart: always
    environment:
      PGID: "1000"
      PUID: "1000"
      TZ: "Europe/Paris"
    labels:
      - "traefik.enable=true"
      - "traefik.backend=organizr"
      - "traefik.frontend.rule=PathPrefixStrip:/"
      - "traefik.backend.port=80"
    volumes:
      - ./config/organizr:/config
      - ./data/organizr:/data
  traefik:
    image: traefik:1.3.3
    command: --web --docker --docker.domain=traefik --logLevel=DEBUG #-c /dev/null --web --docker --logLevel=INFO
    restart: always
    ports:
      - '80:80'
      - '443:443'
      - '8080:8080'
    labels:
      - "traefik.enable=false"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./config/traefik/data:/data
      - ./config/traefik/sslcerts:/ssl
My traefik.toml:
# defaultEntryPoints must be at the top because it should not be in any table below
defaultEntryPoints = ["http", "https"]
InsecureSkipVerify = true
[web]
# Port for the status page
address = ":8080"
# Entrypoints, http and https
[entryPoints]
# http should be redirected to https
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
# https is the default
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/ssl/tls.crt"
KeyFile = "/ssl/tls.key"
[retry]
# Enable ACME (Let's Encrypt): automatic SSL
# [acme]
# # caServer = "https://acme-staging.api.letsencrypt.org/directory"
# email = "test@gmail.com"
# storage = "acme.json" # or "traefik/acme/account" if using KV store
# entryPoint = "https"
# onDemand = false
# OnHostRule = true
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "localhost"
watch = true
exposedbydefault = false
So I have only 1 app that works like a charm: emby.
Adminer seems to work correctly and loads CSS and other assets, but when I submit the form, it sends me to localhost/server=db&username=test; it should send me to localhost/dbadmin/server=db&username=test.
When I access localhost/cloud/ it loads a blank page; if I open the Chrome console:
pydio.material.min.css Failed to load resource: the server responded with a status of 404 () pydio.boot.min.js Failed to load resource: the server responded with a status of 404 ()
cloud:18 Uncaught ReferenceError: PydioBootstrap is not defined at cloud:18 pydio.material.min.css Failed to load resource: the server responded with a status of 404 ()
In fact it tries to load plugins from localhost/plugins and not from localhost/cloud/plugins ...
I see a lot of issues on GitHub related to this but it seems to be corrected in version 1.3.3; I tried 1.3.3, latest...
Do pydio and adminer need to support reverse proxies?
Sorry for my bad english.
In traefik, PathPrefixStrip and redirects in the entrypoint do not currently work together. So if your request goes to http instead of https, you'll get an error.
In my own demo, I just set up nginx on port 80 to send the redirect as a short-term workaround until the above issue gets fixed.
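The Adminer and Pydio symptoms above, and the Grafana question earlier on this page (Path:/grafana01/ not routing the front page, fixed with PathPrefixStrip plus GF_SERVER_ROOT_URL), have the same mechanism, so one added Python example covers both. It is not code from either question or from Traefik's router: it models the v1 rules Path, PathPrefix and PathPrefixStrip, picks the frontend by rule length as Traefik v1 does by default, then shows what happens to an absolute link a backend builds when it only ever saw the stripped path. The FRONTENDS table, app_link and browser_follows are constructed for this illustration.

```python
"""Added example, not code from either question nor Traefik's own router: a model
of the Traefik v1 frontend rules Path, PathPrefix and PathPrefixStrip, followed by
what a backend's absolute links do once its prefix has been stripped.
The frontend table and the sample links are constructed from the two questions."""

from urllib.parse import urljoin

# Constructed routing table: the PathPrefixStrip question's services plus the
# Grafana question's rule, before (FRONTENDS) and after (FRONTENDS_FIXED) the accepted fix.
FRONTENDS = {
    "organizr": "PathPrefixStrip:/",
    "adminer": "PathPrefixStrip:/dbadmin",
    "emby": "PathPrefixStrip:/media",
    "grafana01": "Path:/grafana01/",
}
FRONTENDS_FIXED = dict(FRONTENDS, grafana01="PathPrefixStrip:/grafana01")


def match_rule(rule: str, path: str):
    """Return the path forwarded to the backend, or None if the rule does not match.

    Path:            exact match only, path forwarded unchanged
    PathPrefix:      prefix match, path forwarded unchanged
    PathPrefixStrip: prefix match, prefix removed before forwarding
    """
    kind, _, value = rule.partition(":")
    if kind == "Path":
        return path if path == value else None
    if kind in ("PathPrefix", "PathPrefixStrip"):
        if not path.startswith(value):
            return None
        if kind == "PathPrefix":
            return path
        stripped = path[len(value):]
        return stripped if stripped.startswith("/") else "/" + stripped
    raise ValueError(f"unsupported rule: {rule}")


def route(frontends: dict, path: str):
    """Pick the matching frontend with the longest rule (Traefik v1's default priority
    is the rule length, so '/dbadmin' beats '/'). Returns (backend, forwarded_path)."""
    best = None
    for backend, rule in frontends.items():
        forwarded = match_rule(rule, path)
        if forwarded is not None and (best is None or len(rule) > len(best[2])):
            best = (backend, forwarded, rule)
    return (best[0], best[1]) if best else (None, None)


def app_link(root_url: str, page: str) -> str:
    """Absolute link a backend builds for one of its pages. An app unaware of the
    prefix uses root_url='/', the only path it saw after stripping; a setting like
    GF_SERVER_ROOT_URL makes it build links under the prefix instead."""
    return root_url.rstrip("/") + "/" + page.lstrip("/")


def browser_follows(frontends: dict, current_path: str, link: str):
    """Resolve a link the way the browser does, then route it again: (target, backend)."""
    target = urljoin(current_path, link)
    return target, route(frontends, target)[0]


if __name__ == "__main__":
    # Grafana answers its front page with a redirect to /login; with an exact Path
    # rule that second request no longer matches grafana01 and lands on organizr.
    print(route(FRONTENDS, "/grafana01/login"), route(FRONTENDS_FIXED, "/grafana01/login"))
    # Adminer built '/?server=db' from the stripped path it received.
    print(browser_follows(FRONTENDS, "/dbadmin/", app_link("/", "?server=db")))
    print(browser_follows(FRONTENDS, "/dbadmin/", app_link("/dbadmin", "?server=db")))
```

The last two lines are the Adminer form and the Pydio /plugins requests in the question: the stripped backend cannot know the public prefix, so every absolute link it emits is resolved by the browser against the site root and routed to whatever frontend owns "/" (here organizr). The fix is on the application side: either tell the app its public root (the Grafana answer's GF_SERVER_ROOT_URL) or, where an app cannot, give it its own Host rule so nothing is stripped.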
