Problem
I'm running traefik to serve a python django app inside a docker container. The app runs without problems over https or http. After an unspecified time (under an hour) the traefik log says "502 Bad Gateway", and my nginx and uwsgi logs don't say anything. "docker restart djangoapp" fixes the problem for a short time.
Setup
Internet -> traefik -> nginx -> uwsgi -> djangoapp
traefik.toml
# Traefik v1 static configuration as posted; the comments are review notes.
# Verbose logging; the JSON log below already carries full request details, so turn this
# off once the 502 is diagnosed.
debug = true
defaultEntryPoints = ["http", "https"]
# Traefik's own log (the access log is configured in [accessLog] below)
[traefikLog]
filePath = "/var/log/traefik/traefik.log"
format = "json"
[accessLog]
filePath = "/var/log/traefik/access.log"
format = "json"
# Dashboard/API listener. The compose file below publishes 8080:8080 on the host, so this
# is reachable from outside the Docker network and is protected only by the basic auth below.
[web]
address = ":8080"
# Credential is redacted on this page ("XXX").
[web.auth.basic]
users = ["admin:XXX/"]
[entryPoints]
# No redirect from http to https is configured, and the app's label routes it on both
# entrypoints, so the same session cookie is also sent in clear over :80.
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Static certificate pair (no ACME); the paths are inside the container and are mounted
# from /srv/ssl/certs by the compose file.
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/traefik/cert-register.stupa.pem"
keyFile = "/etc/ssl/traefik/key-register.stupa.key"
docker-compose.yml traefik
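# docker-compose for the Traefik front proxy (indentation restored; the pasted copy was flat).
version: '2'
services:
  frontproxy:
    # Unpinned tag: resolves to whatever "latest" is at pull time. Pin a v1 tag so the
    # TOML config and the v1 label syntax used below keep matching the binary.
    image: traefik
    container_name: frontproxy
    command: --api --docker --docker.domain=docker.localhost
    ports:
      - "80:80"
      # Publishes the --api dashboard on the host; only basic auth in traefik.toml guards it.
      - "8080:8080"
      - "443:443"
    volumes:
      # Read-write access to the Docker socket is root-equivalent on the host; the docker
      # provider only reads, so a ":ro" mount is sufficient.
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/traefik.toml:/traefik.toml
      # TLS private key lives here; keep the host directory unreadable to other users.
      - /srv/ssl/certs:/etc/ssl/traefik
      - /srv/frontproxy/logs:/var/log/traefik
networks:
  # The compose "default" network is the pre-created external network "frontproxy".
  default:
    external:
      name: frontproxy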
docker-compose djangoapp
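# docker-compose for the django app stack (indentation restored; the pasted copy was flat).
version: '3'
networks:
  helfertoolnet:
  # Shared with the Traefik container; only the app service joins it.
  frontproxy:
    external: true
volumes:
  postgresVolume:
services:
  helfertool_app:
    image: helfertool
    hostname: helfertool_app
    # NOTE(review): nginx and uwsgi appear to run inside this one container under
    # supervisord (both of their configs are mounted below). Traefik's 502 means its
    # connection to :80 of this container failed — check the supervisor/nginx logs.
    command: [/usr/bin/supervisord]
    container_name: helfertool_app
    volumes:
      - /srv/helfertool/conf/nginx/helfertool.conf:/etc/nginx/sites-enabled/helfertool.conf
      # Contains the Django secrets; keep the host file readable only by the deploy user.
      - /srv/helfertool/conf/helfertool/settings_local.py:/app/helfertool/helfertool/settings_local.py
      - /srv/helfertool/conf/nginx/logs:/var/log/nginx
      - /srv/helfertool/conf/supervisor:/etc/supervisor/conf.d
      - /srv/helfertool/conf/uwsgi:/etc/uwsgi/apps-enabled
    depends_on:
      - "helfertool_rabbitmq"
      - "helfertool_db"
    labels:
      - traefik.backend=helfertool
      - traefik.frontend.rule=Host:XXX
      # Tells Traefik which of the two networks to use for the backend IP.
      - traefik.docker.network=frontproxy
      - traefik.port=80
      # Served on plain http as well as https; no redirect is configured in traefik.toml.
      - traefik.frontend.entryPoints=http,https
    networks:
      - frontproxy
      - helfertoolnet
  helfertool_rabbitmq:
    image: rabbitmq:3
    hostname: helfertool_rabbitmq
    container_name: helfertool_rabbitmq
    environment:
      - RABBITMQ_DEFAULT_USER=XXX
      - RABBITMQ_DEFAULT_PASS=XXX
      - RABBITMQ_DEFAULT_VHOST=XXX
    # Internal network only; not reachable from the proxy network.
    networks:
      - helfertoolnet
  helfertool_db:
    image: postgres
    # Listens on all container interfaces, but the container is only attached to the
    # internal network and publishes no ports.
    command: postgres -c listen_addresses='*'
    hostname: helfertool_db
    container_name: helfertool_db
    environment:
      - POSTGRES_PASSWORD=XXX
      - POSTGRES_USER=XXX
    volumes:
      # Persist the data between container invocations
      - postgresVolume:/var/lib/postgresql/data
    networks:
      - helfertoolnet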
Logs
traefik log
{"BackendAddr":"172.18.0.7:80",
"BackendName":"backend-helfertool",
"BackendURL":
{"Scheme":"http",
"Opaque":"",
"User":null,
"Host":"172.18.0.7:80",
"Path":"",
"RawPath":"",
"ForceQuery":false,
"RawQuery":"",
"Fragment":""},
"ClientAddr":"141.60.38.168:60979",
"ClientHost":"141.60.38.168",
"ClientPort":"60979",
"ClientUsername":"-"
,"DownstreamContentSize":11,
"DownstreamStatus":502,
"DownstreamStatusLine":"502 Bad Gateway",
"Duration":1074690,
"FrontendName":"Host-register-stupa-fh-rosenheimde-0",
"OriginContentSize":11,
"OriginDuration":855550,
"OriginStatus":502,
"OriginStatusLine":"502 Bad Gateway",
"Overhead":219140,
"RequestAddr":"register.stupa.fh-rosenheim.de",
"RequestContentSize":0,
"RequestCount":27132,
"RequestHost":"register.stupa.fh-rosenheim.de",
"RequestLine":"GET / HTTP/1.1",
"RequestMethod":"GET",
"RequestPath":"/",
"RequestPort":"-",
"RequestProtocol":"HTTP/1.1",
"RetryAttempts":0,
"StartLocal":"2018-05-25T12:55:18.619598232Z",
"StartUTC":"2018-05-25T12:55:18.619598232Z",
"level":"info",
"msg":"",
"request_Accept":"text/html,application/xhtml+xml,
application/xml;q=0.9,*/*;q=0.8",
"request_Accept-Encoding":"gzip,deflate",
"request_Accept-Language":"de,en-US;q=0.7,en;q=0.3",
"request_Cache-Control":"max-age=0",
"request_Connection":"keep-alive",
"request_Cookie":"csrftoken=awELtrVSPImPNZFNph6SYs0eJuAZcjIzX462ykgUip1hQVQagaaKQxZhFUbzUrS5;
sessionid=4bcrynx0qyu2bam1nf8eewiurv0vtn5a",
"request_Referer":"http://register.stupa.fh-rosenheim.de/weinfest2018/",
"request_Upgrade-Insecure-Requests":"1",
"request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","time":"2018-05-25T12:55:18Z"}
Thank you :)
It might be the case that your uwsgi container restarted and got a new IP address in Docker, so nginx couldn't resolve it.
Related
I'm running a gitlab-ee docker container behind a traefik v1 docker container. My gitlab is supposed to run on the domain gitlab.dev.example.com:65443; port 65443 is forwarded to 443 on my server by my router (I have other things running on my 443 and 80 ports). My traefik dashboard is running on traefik.dev.example.com:65443/dashboard/
Now when i want to get a lets encrypt certificate with traefik it tries to get it for the domain gitlab.dev.example.com and fails with "Unable to obtain ACME certificate for domains "gitlab.dev.example.com" [...]"
If I visit https://gitlab.dev.example.com:65443 it opens my gitlab container, but with the "Traefik Default Cert". I cannot push to or pull from these gitlab repositories because the SSL certificates are self-signed, which is why I want to get a Let's Encrypt one.
i swapped out the actual domain with "example.com" obviously
my traefik.toml:
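# Traefik v1 static configuration. The two "//swapped ... out" remarks were written with
# C-style comment syntax, which TOML does not have and which makes the file unparseable;
# they are now "#" comments.
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https", "http"]
# Dashboard/API listener. NOTE(review): ":80" is also the http entrypoint address below,
# so two listeners would share one port. The compose file starts traefik with --api, which
# serves the dashboard on :8080 (the traefik.port=8080 label agrees), so this section looks
# stale — confirm before relying on it.
[web]
address = ":80"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "traefik.dev.example.com"  # swapped the url out
watch = true
# Only containers carrying traefik.enable=true are routed.
exposedByDefault = false
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Enable retrying a request on a network error
[retry]
# Let's encrypt configuration
[acme]
email="e#mail.com"  # swapped the email out
storage="acme.json"
entryPoint="https"
acmeLogging=true
OnHostRule=true
# HTTP-01 is answered on the http entrypoint (:80). Let's Encrypt connects to port 80 of the
# public name; per the question, only 65443 is forwarded to this host, so the challenge cannot
# reach Traefik — a DNS challenge (dnsChallenge) needs no inbound port.
[acme.httpChallenge]
entryPoint = "http"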
Now to my docker-compose files. I have a separate docker-compose.yml for each container.
my docker-compose.yml for the traefik container:
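# docker-compose for the Traefik container (indentation restored; the pasted copy was flat).
version: "3.2"
services:
  reverse-proxy:
    # Floating tag; pin a v1.x tag so the v1 TOML config and labels keep matching the binary.
    image: traefik:alpine
    command: --api --docker --logLevel=error
    restart: unless-stopped
    container_name: docker-traefik
    volumes:
      # The docker provider only reads; a ":ro" mount limits what a compromised proxy can do.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/etc/traefik/traefik.toml
      # Holds the ACME account key and issued private keys; keep it mode 600 on the host.
      - ./acme.json:/acme.json
    environment:
      - "TZ=Europe/Berlin"
    networks:
      - traefik_proxy
      - default
    ports:
      - "443:443"
      - "80:80"
    logging:
      driver: "json-file"
      options:
        max-file: "3"
        max-size: "5m"
    labels:
      - traefik.backend=traefik-proxy
      - traefik.frontend.rule=Host:traefik.dev.loropserver.de
      - traefik.docker.network=traefik_proxy
      # --api serves the dashboard on :8080 inside the container; it is only reachable through
      # the router below (no 8080 port mapping), which is the safer arrangement.
      - traefik.port=8080
      - traefik.enable=true
      # "$$" is compose's escape for a literal "$" in the htpasswd hash. This is an apr1 (MD5)
      # hash; prefer a bcrypt hash and rotate it, since the value is now public on this page.
      - traefik.frontend.auth.basic=lorop:$$apr1$$dHnqprRX$$DjIWIaE97EnMoxwu6o/14.
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  # default:
  #   driver: bridge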
my docker-compose.yml for the gitlab container:
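# docker-compose for the GitLab container (indentation restored; the pasted copy was flat).
version: '3.5'
services:
  gitlab:
    # "latest" is a floating tag; pin a version so upgrades are deliberate.
    image: 'gitlab/gitlab-ee:latest'
    container_name: gitlab
    restart: unless-stopped
    hostname: 'gitlab.dev.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.dev.example.com';
        //some more configs
    ports:
      # Quoted on purpose: an unquoted 22:22 is read as the sexagesimal integer 1342.
      # Host port 22 collides with the host's own sshd if one is running — confirm.
      - '22:22'
      - '5005:5005'
    volumes:
      - './volumes/gitlab/config:/etc/gitlab'
      - './volumes/gitlab/logs:/var/log/gitlab'
      - './volumes/gitlab/data:/var/opt/gitlab'
      - /etc/localtime:/etc/localtime:ro
      - './certs:/etc/gitlab/trusted-certs'
    networks:
      - traefik_proxy
    labels:
      - 'traefik.enable=true'
      # NOTE(review): traefik.port is the port Traefik dials on the container, not the public
      # port. 65443 is the router-side port; with an https external_url GitLab presumably
      # listens on 443 inside the container, and Traefik speaks plain http to backends unless
      # traefik.protocol=https is set — confirm against the GitLab listener.
      - 'traefik.port=65443'
      - 'traefik.docker.network=traefik_proxy'
      - 'traefik.backend=gitlab'
      - 'traefik.frontend.rule=Host:gitlab.dev.example.com'
      # Traefik v2 label syntax; the traefik.toml shown is v1 format, so this label has no
      # effect on the v1 proxy — the v1 equivalent is traefik.frontend.entryPoints.
      - 'traefik.http.routers.entrypoints=websecure'
networks:
  traefik_proxy:
    external: true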
I'm new to SSL certificates with Traefik and have been having real trouble getting a successful deployment.
I have a server and domain on which I have deployed my application using Traefik and HTTP without issue. I would now like to deploy the same application, running on port 9000, over HTTPS using Let's Encrypt, following the Traefik docs. I can verify that the certificate has been properly created using an SSL checker; however, when I try to visit the site I get Internal Server Error. There are no errors reported in either of the docker logs and I cannot figure out what to try next.
docker-compose.yml
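# docker-compose for Traefik v1.7 plus the application (indentation restored; the pasted
# copy was flat). Port mappings are quoted so YAML never reads them as numbers.
version: '2'
services:
  traefik:
    image: traefik:v1.7
    restart: always
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web
    volumes:
      # The docker provider only reads; a ":ro" mount limits what a compromised proxy can do.
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      # ACME account key and issued private keys; keep it mode 600 on the host.
      - /opt/traefik/acme.json:/acme.json
    container_name: traefik
  app:
    image: myapp_image
    container_name: app
    restart: always
    networks:
      - web
    ports:
      # Publishing 9000 makes the app reachable on the host over plain HTTP, bypassing Traefik
      # and the Let's Encrypt certificate. If only Traefik should reach it, use "expose" instead.
      - "9000:9000"
    labels:
      - "traefik.docker.network=web"
      - "traefik.enable=true"
      - "traefik.basic.frontend.rule=Host:myapp.com"
      - "traefik.basic.port=9000"
      - "traefik.basic.protocol=http"
      # NOTE(review): the "admin" segment shares the Host rule of "basic" but tells Traefik to
      # speak https to port 9000, where the app speaks http per the "basic" segment. Traefik
      # failing the TLS handshake to the backend would surface as the Internal Server Error
      # described above — confirm by removing the admin segment.
      - "traefik.admin.frontend.rule=Host:myapp.com"
      - "traefik.admin.protocol=https"
      - "traefik.admin.port=9000"
networks:
  web:
    external: true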
traefik.toml
# Traefik v1 static configuration as posted; comments are review notes.
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
# Every http request is redirected to https; only the ACME challenge is served on :80.
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
# No static certificate: the ACME resolver below supplies it, with a self-signed default
# certificate until issuance succeeds.
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myapp.com"
watch = true
# Only containers carrying traefik.enable=true are routed.
exposedByDefault = false
[acme]
email = "myemail#email.com"
# Stores the account key and issued private keys; keep the mounted file mode 600.
storage = "acme.json"
entryPoint = "https"
# A certificate is requested for every Host rule found on a container.
onHostRule = true
# HTTP-01 validation: Let's Encrypt must be able to reach port 80 of the public name.
[acme.httpChallenge]
entryPoint = "http"
Finally was able to find a workable solution for this. I may have just been using old information but the best reference to host an application with Traefik on Https using LetsEncrypt was found here.
The working Yaml example is below. Using this example will also eliminate the need for a Toml file!
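# Traefik v2 example without a TOML file (indentation restored; the pasted copy was flat).
version: "3.3"
services:
  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      # Serves the dashboard/API on :8080 with no authentication. Together with the
      # 8080:8080 mapping below, the API is open to anyone who can reach the host; fine for
      # a first test, but drop the mapping or put the API behind an authenticated router
      # before exposing the host.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Only containers carrying traefik.enable=true are routed.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      # TLS-ALPN-01 validation runs on :443, so no port 80 listener is needed.
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      # Staging CA for testing without hitting production rate limits.
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=postmaster#example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      # Holds the ACME account key and issued private keys; keep it mode 600 on the host.
      - "./letsencrypt:/letsencrypt"
      # Read-only mount: the docker provider only needs to read from the socket.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"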
I'm trying to set up a server on my Raspberry Pi to run Nextcloud and Firefly III with Traefik as a reverse proxy. I'm using docker-compose, and Portainer is working fine with https (included in the code for testing), but I cannot get Nextcloud or Firefly to run at all. When I use the official documentation for Firefly I can get it to run, and when I use NextcloudPi on its own I can also get that to run, but I cannot get both of them to work at the same time. FF is giving a 403 Forbidden "You don't have permission to access / on this server." error, while Nextcloud is giving a "Bad Gateway" error. I'd be grateful for any help I can get regarding this, as I've already read through as many sites as possible and I don't know what else to do.
This is my docker-compose.yml:
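# docker-compose for Traefik, Portainer, Nextcloud and Firefly III (indentation restored;
# the pasted copy was flat). Port mappings are quoted so YAML never reads them as numbers.
version: "3.2"
services:
  # Reverse Proxy and Let's Encrypt
  traefik:
    container_name: traefik
    # Floating tag; pin a v1.x tag so the v1 TOML config and labels keep matching the binary.
    image: traefik:alpine
    restart: always
    # Traefik must share a network with every backend it routes to; it joins all three here.
    networks:
      - srv
      - firefly_iii_net
      - proxy-tier
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /opt/traefik/traefik.toml:/traefik.toml
      # The docker provider only reads; a ":ro" mount limits what a compromised proxy can do.
      - /var/run/docker.sock:/var/run/docker.sock
      # ACME account key and issued private keys; keep it mode 600 on the host.
      - /opt/traefik/acme.json:/acme.json
  # Portainer
  portainer:
    container_name: portainer
    image: portainer/portainer
    restart: always
    networks:
      - srv
    ports:
      # Publishing 9000 exposes Portainer on the host over plain HTTP, bypassing Traefik and
      # TLS; Portainer controls the Docker socket, so reach it only through the proxy.
      - "9000:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/portainer:/data
    labels:
      - traefik.enable=true
      - "traefik.frontend.rule=Host:port.skdjfgsl.club"
  db:
    image: postgres:alpine
    restart: always
    volumes:
      - db:/var/lib/postgresql/data
    environment:
      # Empty password: the postgres image needs a real POSTGRES_PASSWORD (or an explicit
      # trust setting) — set one.
      - POSTGRES_PASSWORD=
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
  app:
    # NOTE(review): the "fpm" variant speaks FastCGI, not HTTP, so Traefik cannot talk to it
    # directly; either use the "nextcloud:apache" image or put a web server container in
    # front of it — confirm against the image documentation. This is consistent with the
    # Bad Gateway described above.
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - nextcloud:/var/www/html
    environment:
      - POSTGRES_HOST=db
      - POSTGRES_PASSWORD=
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
    depends_on:
      - db
    # NOTE(review): "app" is only on proxy-tier while "db" has no networks key and so sits
    # on the default network; as written the two cannot reach each other — confirm.
    networks:
      - proxy-tier
    expose:
      - 80
      - 443
    labels:
      - traefik.enable=true
      - "traefik.frontend.rule=Host:nc.skdjfgsl.club"
  firefly_iii_app:
    environment:
      - FF_DB_HOST=firefly_iii_db
      - FF_DB_NAME=firefly
      - FF_DB_USER=firefly
      - FF_DB_PASSWORD=firefly
      # Placeholder from the Firefly docs; generate a unique random 32-character key.
      - FF_APP_KEY=S0m3R#nd0mStr1ngOf32Ch#rsEx#ctly
      - FF_APP_ENV=local
      - FF_DB_CONNECTION=pgsql
      - TZ=Europe/Amsterdam
      - APP_LOG_LEVEL=debug
      # "**" trusts every client's X-Forwarded-* headers; narrow it to the proxy network's
      # address range once it is known, so clients cannot spoof their source address.
      - TRUSTED_PROXIES=**
    image: jc5x/firefly-iii
    # Legacy option; the shared firefly_iii_net network already provides name resolution.
    links:
      - firefly_iii_db
    networks:
      - firefly_iii_net
    volumes:
      - source: firefly_iii_export
        target: /var/www/firefly-iii/storage/export
        type: volume
      - source: firefly_iii_upload
        target: /var/www/firefly-iii/storage/upload
        type: volume
    expose:
      - 80
      - 443
    labels:
      - traefik.enable=true
      - "traefik.frontend.rule=Host:ff.skdjfgsl.club"
      # Traefik dials backends with plain http unless traefik.protocol=https is also set.
      - traefik.port=443
  firefly_iii_db:
    environment:
      - POSTGRES_PASSWORD=firefly
      - POSTGRES_USER=firefly
    image: "postgres:10"
    networks:
      - firefly_iii_net
    volumes:
      - "firefly_iii_db:/var/lib/postgresql/data"
networks:
  srv:
  firefly_iii_net:
    driver: bridge
  proxy-tier:
volumes:
  db:
  nextcloud:
  firefly_iii_db: ~
  firefly_iii_export: ~
  firefly_iii_upload: ~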
This is my traefik.toml:
# Traefik v1 static configuration as posted; comments are review notes.
defaultEntryPoints = ["http", "https"]
# DEBUG logs full request details; lower it once the routing problem is solved.
logLevel = "DEBUG"
[entryPoints]
[entryPoints.http]
address = ":80"
# Every http request is redirected to https; only the ACME challenge is served on :80.
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
# No static certificate: the ACME resolver below supplies it, with a self-signed default
# certificate until issuance succeeds.
[entryPoints.https.tls]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
# Only containers carrying traefik.enable=true are routed.
exposedByDefault = false
watch = true
[acme]
email = "email#mydomain.com"
# Stores the account key and issued private keys; keep the mounted file mode 600.
storage = "acme.json"
entryPoint = "https"
# A certificate is requested for every Host rule found on a container.
onHostRule = true
# HTTP-01 validation: Let's Encrypt must be able to reach port 80 of the public name.
[acme.httpChallenge]
entryPoint = "http"
To go to port 443 (https) you need to adjust the protocol used by traefik to talk to the container with the following label:
- traefik.protocol=https
Bad gateway can mean traefik is trying to connect to the wrong port, wrong IP, or traefik and the container are not deployed to a common network. You can fix the first two by specifying a port and network name:
- traefik.port=80
- traefik.docker.network=project_proxy-tier
Where project is the name of your compose project (use docker network ls to see the external name of your networks).
I tried to set up a reverse proxy using traefik for one of my docker services. When I run the services, in traefik's web UI I can see the mapping, but only for http, even though I have specified https in the traefik.toml file. I am also not able to access my services directly. All the services are in the same network, so I am not sure what is causing this.
traefik.toml
# Traefik v1 static configuration as posted; comments are review notes.
# DEBUG logs full request details; lower it once the routing problem is solved.
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
# NOTE(review): a bare key outside any table. "address" is a [web] (dashboard) key, so this
# line probably lost its [web] header; as written it does not configure the dashboard that
# the compose file publishes on 8080 — confirm what it was meant to set.
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
# Every http request is redirected to https.
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Static certificate pair; the paths are inside the container and are mounted from
# ./traefik/certs by the compose file. Keep the key file unreadable to other users.
[[entryPoints.https.tls.certificates]]
certFile = "/certs/journal.crt"
keyFile = "/certs/journal.key"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "journal.com"
watch = true
# Only containers carrying traefik.enable=true are routed. Written in lower case here;
# the other configs on this page spell it exposedByDefault — verify the parser accepts both.
exposedbydefault = false
docker-compose.yml
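# docker-compose for Traefik, Prisma, the GraphQL server and the React client (indentation
# restored; the pasted copy was flat).
version: '3'
services:
  reverse-proxy:
    # Unpinned tag; pin a v1.x tag so the v1 TOML config and labels keep matching the binary.
    image: traefik
    ports:
      - "80:80"
      # Publishes the dashboard port on the host; the TOML shown sets no auth for it.
      - "8080:8080"
      - "443:443"
    volumes:
      # The docker provider only reads; a ":ro" mount limits what a compromised proxy can do.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/traefik.toml
      - ./traefik/certs/journal.crt:/certs/journal.crt
      # TLS private key; keep the host file unreadable to other users.
      - ./traefik/certs/journal.key:/certs/journal.key
    networks:
      - web
  prisma:
    image: prismagraphql/prisma:1.8
    restart: always
    ports:
      # Publishes the management API directly on the host, bypassing Traefik and TLS; the
      # managementApiSecret below is then the only protection.
      - "${PRISMA_HOST_PORT}:4466"
    environment:
      PRISMA_CONFIG: |
        port: 4466
        managementApiSecret: ${PRISMA_API_SECRET}
        databases:
          default:
            connector: postgres
            host: ${PRISMA_DB_HOST}
            port: ${PRISMA_DB_PORT}
            database: ${PRISMA_DB}
            user: ${PRISMA_DB_USER}
            password: ${PRISMA_DB_PASSWORD}
            migrations: ${PRISMA_ENABLE_MIGRATION}
  graphql-server:
    build: ./graphql-server/
    ports:
      - "${GRAPHQL_SERVER_PORT}:8080"
    volumes:
      - ./graphql-server:/usr/src/app
    depends_on:
      - prisma
    # NOTE(review): "prisma" has no networks key (default network) while this service is on
    # "web" only, so the name "prisma" is not resolvable from here; the check also uses the
    # host port rather than the container port 4466 — confirm.
    command: ["./wait-for-it.sh", "prisma:${PRISMA_HOST_PORT}", "--", "npm", "start"]
    environment:
      - PRISMA_SERVICE_NAME=prisma
      - PRISMA_API_SECRET
      - PRISMA_HOST_PORT
      - GRAPHQL_SERVER_PORT
      - APOLLO_ENGINE_KEY
    labels:
      - "traefik.backend=graphql"
      - "traefik.frontend.rule=Host:api.journal.com"
      - "traefik.enable=true"
      # NOTE(review): Traefik dials the container, which listens on 8080 per the port mapping;
      # GRAPHQL_SERVER_PORT is the host port, so this should be 8080 unless both are equal.
      - "traefik.port=${GRAPHQL_SERVER_PORT}"
    networks:
      - web
  react-client:
    build: ./react-client/
    ports:
      - "${REACT_CLIENT_PORT}:3000"
    volumes:
      - ./react-client:/usr/src/app
    depends_on:
      - graphql-server
    environment:
      - GRAPHQL_SERVER_PORT
      - REACT_CLIENT_PORT
networks:
  web:
    external: true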
Thanks in advance.
Try to add following docker label to your graphql-server service:
traefik.frontend.entryPoints=http,https
I am facing the same problem. I have 'defaultEntryPoints = ["http", "https"]' defined in Traefik's (v1.7) main config, but when docker containers come up and register with Traefik, the frontend is reachable only via HTTP, not HTTPS — unless I define the entrypoints directly via docker labels.
regards,
max
I have 3 services up and running.
A mariadb & nextcloud instance:
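# docker-compose for MariaDB and Nextcloud (indentation restored; the pasted copy was flat).
version: '2.1'
volumes:
  # NOTE(review): declared but never mounted by "app", so Nextcloud's data and config live in
  # the container layer and are lost when the container is recreated — mount it at
  # /var/www/html.
  nextcloud:
  db:
services:
  db:
    image: mariadb
    volumes:
      - db:/var/lib/mysql
    # Placeholder credentials; keep real values out of the committed file (env file / secrets).
    environment:
      - MYSQL_ROOT_PASSWORD=my_root_password
      - MYSQL_PASSWORD=my_password
      - MYSQL_DATABASE=my_database
      - MYSQL_USER=my_user
  app:
    image: nextcloud
    restart: always
    networks:
      - web
      - default
    ports:
      # Container port only (no host port), so the app is reached through Traefik.
      - 9000
    labels:
      - "traefik.backend=app"
      - "traefik.docker.network=web"
      - "traefik.frontend.rule=Host:my_host"
      - "traefik.enable=true"
      # NOTE(review): the accepted answer below says the nextcloud image serves HTTP on port
      # 80, so Traefik dialing 9000 gets no answer (Bad Gateway); use traefik.port=80.
      - "traefik.port=9000"
      - "traefik.default.protocol=http"
networks:
  web:
    external: true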
And a traefik service:
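# docker-compose for the Traefik service (indentation restored; the pasted copy was flat).
# Port mappings are quoted so YAML never reads them as numbers.
version: '2'
services:
  traefik:
    image: traefik:1.5.4
    restart: always
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web
    volumes:
      # The docker provider only reads; a ":ro" mount limits what a compromised proxy can do.
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      # ACME account key and issued private keys; keep it mode 600 on the host.
      - /opt/traefik/acme.json:/acme.json
    container_name: traefik
networks:
  web:
    external: true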
This traefik instance is using this config file:
# Traefik v1 static configuration as posted; comments are review notes.
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
# Every http request is redirected to https; only the ACME challenge is served on :80.
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
# No static certificate: the ACME resolver below supplies it, with a self-signed default
# certificate until issuance succeeds.
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my_host"
watch = true
# Only containers carrying traefik.enable=true are routed.
exposedByDefault = false
[acme]
email = "my_email"
# Stores the account key and issued private keys; keep the mounted file mode 600.
storage = "acme.json"
entryPoint = "https"
# A certificate is requested for every Host rule found on a container.
onHostRule = true
# HTTP-01 validation: Let's Encrypt must be able to reach port 80 of the public name.
[acme.httpChallenge]
entryPoint = "http"
Now when I go to my host, it redirects to HTTPS but then it just displays bad gateway and nothing else. It should display the nextcloud web application. Does anyone know why this is happening? I am running the compose files using the docker-compose up -d command.
It might be too late now but I also ran into this issue myself, so posting an answer to what resolved it for me.
Nextcloud exposes port 80 on the container's IP address, which is what Traefik tries to connect to. So the port in the 'traefik.port' label is wrong: change it from 9000 to 80.