Develop Reference

Traefik 2.2 unable to get letsencrypt certificate

I am having an application with a MongoDB container, a python backend service, a portainer. Traefik is used for routing to portainer and the backend (one API endpoint). The routing works perfectly. However, I want to use SSL, but Traefik 2.2 doesn't fetch the LetsEncrypt certificate.
Dockerfile (I am packing a container, to do a chmod of acme.json)
FROM traefik:v2.2
COPY traefik /etc/traefik
RUN chmod 600 /etc/traefik/acme.json
docker-compose.yml:
version: "3.3"
services:
backend:
image: registry.gitlab.com/uuuu/backend:latest
container_name: backend
ports:
- 5000
environment:
- CONNECTOR=$CONNECTOR
- CONNECTOR_MAX_WORKERS=$CONNECTOR_MAX_WORKERS
- LOGLEVEL=$LOGLEVEL
- MONGODB_URI=mongodb://scraper-db/blubb
depends_on:
- db
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.backend.rule=Host(`app.mydomain.com`)'
- 'traefik.http.routers.backend.rule=PathPrefix(`/api/bla/`)'
- 'traefik.http.routers.backend.tls=true'
- 'traefik.http.routers.backend.tls.certresolver=lets-encrypt'
- "traefik.http.routers.backend.middlewares=autocompletionreplacer"
- "traefik.http.middlewares.autocompletionreplacer.replacepathregex.regex=^/api/bla/(.*)"
- "traefik.http.middlewares.autocompletionreplacer.replacepathregex.replacement=/$$1"
portainer:
image: portainer/portainer:latest
container_name: portainer
ports:
- 9000
volumes:
- /etc/localtime:/etc/localtime
- /var/run/docker.sock:/var/run/docker.sock
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`app.mydomain.com`)"
- 'traefik.http.routers.portainer.rule=PathPrefix(`/portainer/`)'
- 'traefik.http.routers.portainer.tls=true'
- 'traefik.http.routers.portainer.tls.certresolver=lets-encrypt'
- "traefik.http.routers.portainer.middlewares=portainerreplacer"
- "traefik.http.middlewares.portainerreplacer.replacepathregex.regex=^/portainer/(.*)"
- "traefik.http.middlewares.portainerreplacer.replacepathregex.replacement=/$$1"
proxy:
image: my-proxy:latest
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./traefik:/etc/traefik:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
build: .
db:
image: mongo:3.7
container_name: db
ports:
- 27017
/etc/traefik/traefik.toml:
[log]
level = "DEBUG"
[providers]
[providers.docker]
exposedByDefault = false
[providers.file]
directory = "/etc/traefik/dynamic"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[certificatesResolvers.lets-encrypt.acme]
storage = "/etc/traefik/acme.json"
email = "bla#mydomain.com"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
/etc/traefik/dynamic/force-https.toml:
[http.routers]
[http.routers.force-https]
entryPoints = ["http"]
middlewares = ["force-https"]
rule = "HostRegexp(`{any:.+}`)"
service = "noop"
[http.middlewares]
[http.middlewares.force-https.redirectScheme]
scheme = "https"
[http.services]
[http.services.noop.loadBalancer]
I don't see any error in the logs. However I am getting this in the browser:
ea351828037eb97754d6ed00d36a2108.e645b5289e7388055e4ecd78af554f8.traefik.default.
Fehlercode: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
Is there anything I am missing?

I figured it out by myself. I had to add this to the docker-compose file for each service:
traefik.http.routers.fiverr-autocompletion.tls.domains[0].main=app.mydomain.com
The correct docker-compose looks like this then:
version: "3.3"
services:
backend:
image: registry.gitlab.com/uuuu/backend:latest
container_name: backend
ports:
- 5000
environment:
- CONNECTOR=$CONNECTOR
- CONNECTOR_MAX_WORKERS=$CONNECTOR_MAX_WORKERS
- LOGLEVEL=$LOGLEVEL
- MONGODB_URI=mongodb://scraper-db/blubb
depends_on:
- db
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.backend.rule=Host(`app.mydomain.com`)'
- 'traefik.http.routers.backend.rule=PathPrefix(`/api/bla/`)'
- 'traefik.http.routers.backend.tls.domains[0].main=app.mydomain.com'
- 'traefik.http.routers.backend.tls=true'
- 'traefik.http.routers.backend.tls.certresolver=lets-encrypt'
- "traefik.http.routers.backend.middlewares=autocompletionreplacer"
- "traefik.http.middlewares.autocompletionreplacer.replacepathregex.regex=^/api/bla/(.*)"
- "traefik.http.middlewares.autocompletionreplacer.replacepathregex.replacement=/$$1"
portainer:
image: portainer/portainer:latest
container_name: portainer
ports:
- 9000
volumes:
- /etc/localtime:/etc/localtime
- /var/run/docker.sock:/var/run/docker.sock
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`app.mydomain.com`)"
- 'traefik.http.routers.portainer.rule=PathPrefix(`/portainer/`)'
- 'traefik.http.routers.portainer.tls.domains[0].main=app.mydomain.com'
- 'traefik.http.routers.portainer.tls=true'
- 'traefik.http.routers.portainer.tls.certresolver=lets-encrypt'
- "traefik.http.routers.portainer.middlewares=portainerreplacer"
- "traefik.http.middlewares.portainerreplacer.replacepathregex.regex=^/portainer/(.*)"
- "traefik.http.middlewares.portainerreplacer.replacepathregex.replacement=/$$1"
proxy:
image: my-proxy:latest
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./traefik:/etc/traefik:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
build: .
db:
image: mongo:3.7
container_name: db
ports:
- 27017
/etc/traefik/traefik.toml:

Using Traefik 2 as TCP proxy for MariaDB (Docker)

I am trying to use Traefik as a reverse proxy for MariaDB so I can connect from my Client.
Currently Traefik is working fine with HTTP and HTTPS for multiple WordPress Container but i am having trouble configuring it for MariaDB.
Here is the current config:
Traefik Compose File:
version: '3.5'
networks:
traefik:
name: traefik
services:
traefik:
image: traefik:latest
restart: always
container_name: traefik
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.toml:/traefik.toml:ro
- ./acme.json:/acme.json
ports:
- 80:80
- 443:443
- 3306:3306
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(`traefik.local`)"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.service=api#internal"
- "traefik.http.routers.traefik.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=username:$$apr1$$j994eiLb$$KmPfiii4e9VkZwTPW2/RF1"
networks:
- traefik
Traefik Configuration File (traefik.toml):
# Network traffic will be entering our Docker network on the usual web ports
# (ie, 80 and 443), where Traefik will be listening.
[entyPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address= ":443"
[entryPoints.websecure.http.tls]
certResolver = "resolver"
# [entryPoints.ssh]
# address = ":2222"
[entryPoints.mariadb]
address = ":3306"
#Redirection from HTTP to HTTPS
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
#Integration with Let's Encrypt
[certificatesResolvers.resolver.acme]
email = "service#local"
storage = "acme.json"
[certificatesResolvers.resolver.acme.tlsChallenge]
#[log]
# level = "DEBUG"
[api]
#Defaul=true
dashboard = true
# Enable retry sending request if network error
[retry]
# These options are for Traefik's integration with Docker.
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = false
network = "traefik"
MariaDB Compose File:
version: '3.5'
networks:
traefik:
external:
name: traefik
services:
dbtest:
image: mariadb:latest
restart: always
container_name: dbtest
environment:
- MYSQL_DATABASE=admin
- MYSQL_USER=admin
- MYSQL_PASSWORD=admin
- MYSQL_ROOT_PASSWORD=admin
networks:
- traefik
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.tcp.routers.mariadb.entrypoints=mariadb"
- "traefik.tcp.routers.mariadb.rule=HostSNI(`test.local`)"
- "traefik.tcp.routers.mariadb.tls=true"
# - "traefik.tcp.routers.mariadb.service=dbtest"
# - "traefik.tcp.services.mariadb.loadbalancer.server.port=3306"
When I try to connect to the database from my Client it doesn't work
Anyone having experience or a good example for that?

Looks like it is not possible to specify a Hostname like test.local. Instead you need to use a catchall *.
The labels I used for MariaDB are:
labels:
- "traefik.enable=true"
- "traefik.tcp.routers.mariadb.rule=HostSNI(`*`)"
- "traefik.tcp.routers.mariadb.entrypoints=mariadb"
- "traefik.tcp.routers.mariadb.service=mariadb-svc"
- "traefik.tcp.services.mariadb-svc.loadbalancer.server.port=3306"

I use the following in a docker-compose file. Of course you can adjust port number to whatever you want.
Static Configuration:
traefik:
ports:
# db - postgres
- 5432:5432
# This override command section REPLACES the one in the docker-compose file.
command:
- --providers.docker
- --providers.docker.exposedbydefault=false
- --accesslog
- --log
- --api
# These create named entry points for later use in routers.
# You don't need to specify an entrypoint if the in port = out port. It will
# automatically figure that out.
- --entryPoints.postgres.address=:5432
Dynamic Configuration:
db:
labels:
- traefik.enable=true
- traefik.docker.network=traefik-public
- traefik.tcp.routers.db-tcp.rule=HostSNI(`*`)
- traefik.tcp.routers.db-tcp.entrypoints=postgres
- traefik.tcp.routers.db-tcp.service=db-proxy
- traefik.tcp.services.db-proxy.loadbalancer.server.port=5432

Your traefik.toml has a typo in line 3: [entyPoints]
I think it's missing an r

Traefik/Nextcloud not obtaining remote IP address

I was reviewing the log files/database and I noticed that when I attempted to trip the nextcloud brute force protection manually, it was recording the IP and subnet of the docker network, not the IP address I was access the login page from (Specifically 192.168.192.1 and 192.168.192.1/32)
I don't know if I have something on the traefik or Nextcloud compose files configured incorrectly or if something else is wrong wit the docker network but obliviously I would like it to detect the actual IP address of the user trying to login, not the internal docker IP information. I thought I'd start here and see if I can get any feedback before looking elsewhere.
traefik docker-compose.yml: https://pastebin.com/rjFA5ZBi
version: '3.3'
services:
traefik:
image: traefik:latest
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ${USERDIR}/traefik/traefik.toml:/traefik.toml
- ${USERDIR}/traefik/acme.json:/acme.json
- /var/log/traefik:/var/log
networks:
- proxy
ports:
- 80:80
- 443:443
expose:
- 8080
command:
- --accessLog.filePath=/var/log/access.log
- --accessLog.filters.retryAttempts=true
- --accessLog.filters.minDuration=10ms
- --accessLog.filters.statusCodes=400-499
restart: always
networks:
proxy:
external: true
Nextcloud docker-compose.yml: https://pastebin.com/CjTYBZm6
db:
image: mariadb
container_name: nextcloud-mariadb
environment:
- PUID=1000
- PGID=1000
- TZ=${TZ}
networks:
- proxy
volumes:
- ${USERDIR}/mysql:/var/lib/mysql
- /etc/localtime:/etc/localtime:ro
environment:
- MYSQL_ROOT_PASSWORD=Win!
- MYSQL_PASSWORD=Win!
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
restart: unless-stopped
nextcloud:
image: linuxserver/nextcloud
container_name: nextcloud
environment:
- PUID=1000
- PGID=1000
- TZ=${TZ}
depends_on:
- db
volumes:
- /mnt/raid/nextcloud:/data
- ${USERDIR}/nextcloud:/config
#- ${USERDIR}/nextcloud:/var/www/html
#- ${USERDIR}/nextcloud/app/config:/var/www/html/config
#- ${USERDIR}/nextcloud/app/custom_apps:/var/www/html/custom_apps
#- ${USERDIR}/nextcloud/app/themes:/var/www/html/themes
- /etc/localtime:/etc/localtime:ro
labels:
- traefik.enable=true
- traefik.backend=nextcloud
- traefik.frontend.rule=Host:upload.${DOMAIN}
- traefik.docker.network=proxy
- traefik.basic.protocol=https
- traefik.port=443
- traefik.frontend.redirect.permanent=true
- traefik.frontend.redirect.regex= https://(.*)/.well-known/(card|cal)dav
- traefik.frontend.redirect.replacement=https://$$1/remote.php/dav/
- traefik.frontend.headers.SSLRedirect=true
- traefik.frontend.headers.STSSeconds=315360000
- traefik.frontend.headers.browserXSSFilter=true
- traefik.frontend.headers.contentTypeNosniff=true
- traefik.frontend.headers.forceSTSHeader=true
- traefik.frontend.headers.SSLHost=example.com
- traefik.frontend.headers.STSIncludeSubdomains=true
- traefik.frontend.headers.STSPreload=true
- traefik.frontend.headers.frameDeny=true
networks:
- proxy
expose:
- 443
restart: unless-stopped
Traefik toml: https://pastebin.com/cDUxQaLb
#logLevel = "DEBUG"
logLevel = "INFO" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC"
################################################################
defaultEntryPoints = ["http", "https"]
InsecureSkipVerify = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.forwardedHeaders]
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.forwardedHeaders]
[entryPoints.https.tls]
[web]
address = ":8080"
################################################################
# Docker configuration backend
################################################################
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "xxxx.xxxxx"
watch = true
exposedbydefault = false
[acme]
email = "xxxx"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"
Any help is appercaited!!

Soled -
config.php for next cloud requires a trusted_proxy
"trusted_proxies" => ['10.0.0.1'],
When added the client IP address is finally relayed.
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/reverse_proxy_configuration.html

Two docker containers with Traefik on one host

I'm trying to set up a server on my raspberry pi to run Nextcloud and Firefly III with traefik as a reverse proxy. I'm using docker-compose and Portainer is working fine with https (included in the code for testing), but I cannot get Nextcloud or Firefly to run at all. When I use the official documentation for Firefly I can get it to run and when I use NextcloudPi in itself I can also get that to run, but I cannot get both of them to work at the same time. FF is giving a 403 Forbidden "You don't have permission to access / on this server." error while Nextcloud is giving a "Bad Gateway" error. I'd be grateful for any help I can get regarding this as I've already read through as many sites as possible and I don't what else to do.
This is my docker-compose.yml:
version: "3.2"
services:
# Reverse Proxy and Let's Encrypt
traefik:
container_name: traefik
image: traefik:alpine
restart: always
networks:
- srv
- firefly_iii_net
- proxy-tier
ports:
- 80:80
- 443:443
volumes:
- /opt/traefik/traefik.toml:/traefik.toml
- /var/run/docker.sock:/var/run/docker.sock
- /opt/traefik/acme.json:/acme.json
# Portainer
portainer:
container_name: portainer
image: portainer/portainer
restart: always
networks:
- srv
ports:
- "9000:9000"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/portainer:/data
labels:
- traefik.enable=true
- "traefik.frontend.rule=Host:port.skdjfgsl.club"
db:
image: postgres:alpine
restart: always
volumes:
- db:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
app:
image: nextcloud:fpm-alpine
restart: always
volumes:
- nextcloud:/var/www/html
environment:
- POSTGRES_HOST=db
- POSTGRES_PASSWORD=
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
depends_on:
- db
networks:
- proxy-tier
expose:
- 80
- 443
labels:
- traefik.enable=true
- "traefik.frontend.rule=Host:nc.skdjfgsl.club"
firefly_iii_app:
environment:
- FF_DB_HOST=firefly_iii_db
- FF_DB_NAME=firefly
- FF_DB_USER=firefly
- FF_DB_PASSWORD=firefly
- FF_APP_KEY=S0m3R#nd0mStr1ngOf32Ch#rsEx#ctly
- FF_APP_ENV=local
- FF_DB_CONNECTION=pgsql
- TZ=Europe/Amsterdam
- APP_LOG_LEVEL=debug
- TRUSTED_PROXIES=**
image: jc5x/firefly-iii
links:
- firefly_iii_db
networks:
- firefly_iii_net
volumes:
-
source: firefly_iii_export
target: /var/www/firefly-iii/storage/export
type: volume
-
source: firefly_iii_upload
target: /var/www/firefly-iii/storage/upload
type: volume
expose:
- 80
- 443
labels:
- traefik.enable=true
- "traefik.frontend.rule=Host:ff.skdjfgsl.club"
- traefik.port=443
firefly_iii_db:
environment:
- POSTGRES_PASSWORD=firefly
- POSTGRES_USER=firefly
image: "postgres:10"
networks:
- firefly_iii_net
volumes:
- "firefly_iii_db:/var/lib/postgresql/data"
networks:
srv:
firefly_iii_net:
driver: bridge
proxy-tier:
volumes:
db:
nextcloud:
firefly_iii_db: ~
firefly_iii_export: ~
firefly_iii_upload: ~
This is my traefik.toml:
defaultEntryPoints = ["http", "https"]
logLevel = "DEBUG"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
exposedByDefault = false
watch = true
[acme]
email = "email#mydomain.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"

To go to port 443 (https) you need to adjust the protocol used by traefik to talk to the container with the following label:
- traefik.protocol=https
Bad gateway can mean traefik is trying to connect to the wrong port, wrong IP, or traefik and the container are not deployed to a common network. You can fix the first two by specifying a port and network name:
- traefik.port=80
- traefik.docker.network=project_proxy-tier
Where project is the name of your compose project (use docker network ls to see the external name of your networks).

Jira & Docker & Traefik Setup

I'm first time Traefik user and I successfully configured this docker compose setup for Jira with Traefik and Let's Encrypt Cert.
My problem is that Jira must be able to connect to his self. Their are some Jira Services like Gadgets that loads it's data via JavaScript from via his own address over http. This typ of service does not work for me. Their is a support documents that describes this problems and also shows solutions for this. But I don't know how to setup this up correctly with Traefik/Docker. https://confluence.atlassian.com/jirakb/how-to-fix-gadget-titles-showing-as-__msg_gadget-813697086.html
Your help would be great. Thanks a lot!
version: '3'
services:
reverse-proxy:
image: traefik # The official Traefik docker image
command: --docker # Enables the web UI and tells Traefik to listen to docker --api
ports:
- "80:80" # The HTTP port
- "443:443" # The HTTPS port
- "8081:8080" # The Web UI (enabled by --api)
hostname: traefik
restart: unless-stopped
domainname: ${DOMAINNAME}
networks:
- frontend
- backend
labels:
- "traefik.enable=false"
- "traefik.frontend.rule=Host:traefik.${DOMAINNAME}"
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
- /etc/compose/traefik:/etc/traefik
- /etc/compose/shared:/shared
jira:
image: dchevell/jira-software:${JIRAVERSION}
ports:
- 8080:8080
networks:
- backend
restart: unless-stopped
volumes:
- /data/files/jira/data:/var/atlassian/application-data/jira
environment:
- JVM_MAXIMUM_MEMORY=2048m
- JVM_MINIMUM_MEMORY=768m
- CATALINA_CONNECTOR_PROXYNAME=jira.${DOMAINNAME}
- CATALINA_CONNECTOR_PROXYPORT=443
- CATALINA_CONNECTOR_SCHEME=https
- CATALINA_CONNECTOR_SECURE=true
depends_on:
- jira-postgresql
links:
- "jira-postgresql:database"
labels:
- "traefik.enable=true"
- "traefik.backend=jira"
- "traefik.frontend.rule=Host:jira.${DOMAINNAME}"
- "traefik.port=8080"
jira-postgresql:
image: postgres:9.6.11-alpine
networks:
- backend
ports:
- 5432:5432
restart: unless-stopped
volumes:
- /data/index/postgresql/data/:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=jira
- POSTGRES_USER=jira
- POSTGRES_DB=jira
labels:
- "traefik.enable=false"
# Portainer
portainer:
image: portainer/portainer
container_name: portainer
restart: always
ports:
- 9000:9000
command: -H unix:///var/run/docker.sock
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./etc-portainer/data:/data
environment:
TZ: ${TZ}
labels:
- "traefik.enable=false"
networks:
frontend:
external:
name: frontend
backend:
driver: bridge

Configuration I got working with apps over secure - not super intuitive, but it looks like it accepts redirects secure traffic properly. I've got mine using acme on godaddy for certs, and it appears to be functioning properly over https with a forced recirect:
Forced redirect for reference:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
And the dockerfile that I made to get things deployed properly:
version: '3'
services:
jira:
image: dchevell/jira-software:8.1.0
deploy:
restart_policy:
condition: on-failure
labels:
- traefik.frontend.rule=Host:jira.mydomain.com
- traefik.enable=true
- traefik.port=8080
ports:
- "8080"
networks:
- traefik-pub
- jiranet
environment:
- CATALINA_CONNECTOR_PROXYNAME=jira.mydomain.com
- CATALINA_CONNECTOR_PROXYPORT=443
- CATALINA_CONNECTOR_SCHEME=https
- CATALINA_CONNECTOR_SECURE=true
jira-postgresql:
image: postgres:11.2-alpine
networks:
- jiranet
ports:
- "5432"
volumes:
- jira-postgres-data:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=supersecret
- POSTGRES_USER=secret_user
- POSTGRES_DB=jira_db
labels:
- "traefik.enable=false"
volumes:
jira-postgres-data:
networks:
traefik-pub:
external: true
jiranet:
driver: overlay
This still required manual configuration of the database - I may one day take the time to build my own jira dockerfile that accepts the database config already, but with this one working, I don't see much point in pre-configuring the database connection when it's 20 seconds of extra work vs. rebuilding a dockerfile that I haven't written myself.