Dockware with Traefik - traefik

I try to proxy a dockware container through traefik.
The error is an internal server error (500).
Is it necessary to change the domain name at all? If so, how can I change the domain name?
Docker compose for shopware
version: "3"
services:
  shopwaretest:
    image: dockware/play:latest
    container_name: shopwaretest
    restart: always
    volumes:
      - "db_shopwaretest:/var/lib/mysql"
      - "shopwaretest:/var/www/html"
      - ./hosts:/etc/hosts
    networks:
      - proxy
    environment:
      - XDEBUG_ENABLED=0
      - PHP_VERSION=8.0
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.shopwaretest-http.rule=Host(`example.com`)"
      - "traefik.http.routers.shopwaretest-http.entrypoints=http"
      - "traefik.http.routers.shopwaretest-http.service=shopwaretest-http-service"
      - "traefik.http.services.shopwaretest-http-service.loadbalancer.server.port=80"
      - "traefik.http.routers.shopwaretest-https.rule=Host(`example.com`)"
      - "traefik.http.routers.shopwaretest-https.entrypoints=https"
      - "traefik.http.routers.shopwaretest-https.service=shopwaretest-https-service"
      - "traefik.http.services.shopwaretest-https-service.loadbalancer.server.port=80"
      - "traefik.http.routers.shopwaretest-https.tls=true"
      - "traefik.http.routers.shopwaretest-http.middlewares=redirect@file"
      - "traefik.http.routers.shopwaretest-https.tls.certresolver=http"
volumes:
  db_shopwaretest:
    driver: local
  shopwaretest:
    driver: local
networks:
  proxy:
    external: true

If you get an internal server error, please check the server logs.
You can manually change the domain name in the sales_channel_domain table.
The problem might be that SSL is terminated on Traefik and Shopware does not detect this. If this is the problem, you might need to set the TRUSTED_PROXIES variable to the IP of your Traefik server/container.

Related

Trouble starting influxdb & chronograf with certificates. [open /etc/letsencrypt/certs/influx.domain.com.crt: no such file or directory]

While trying to run part of the TICK stack (influx and chronograf) through an nginx proxy with letsencrypt certificates, I am getting an error that the cert files are not found.
Here is my docker-compose file:
version: '3'
services:
  influxdb:
    container_name: influxdb
    image: quay.io/influxdb/influxdb:v2.0.2
    restart: always
    ports:
      - '8086:8086'
    volumes:
      - './data:/root/.influxdbv2'
      - /root/new/letsencrypt/certs:/etc/letsencrypt/certs:ro
    environment:
      - INFLUXD_TLS_CERT=/etc/letsencrypt/certs/influx.lizardsolutions.com.crt
      - INFLUXD_TLS_KEY=/etc/letsencrypt/certs/influx.lizardsolutions.com.key
  chronograf:
    image: chronograf:1.7.14
    container_name: chronograf
    restart: always
    hostname: chronograf
    network_mode: bridge
    ports:
      - 3000:8888/tcp
    volumes:
      - /var/lib/chronograf:/var/lib/chronograf
      - /root/new/letsencrypt/certs:/etc/letsencrypt/certs:ro
    environment:
      - VIRTUAL_HOST=influx.lizardsolutions.com # adjust to match your domain name
      - VIRTUAL_PROTO=https
      - VIRTUAL_PORT=3000
      - LETSENCRYPT_HOST=influx.lizardsolutions.com # adjust to match your domain name
      - LETSENCRYPT_EMAIL=admin@lizardsolutions.com # adjust to match your email
      - BOLT_PATH=/var/lib/chronograf/chronograf-v1.db
      - CANNED_PATH=/usr/share/chronograf/canned
      - RESOURCES_PATH=/usr/share/chronograf/resources
      - PROTOBOARDS_PATH=/usr/share/chronograf/protoboards
      # - INFLUXDB_URL=http://127.0.0.1:8086
      # INFLUX_CREDENTIALS
      # - INFLUXDB_USERNAME=grafanam9k5bXbBj7GPGdf3
      # - INFLUXDB_PASSWORD=k9H4TV8ifRo7E6mNyv3L
      - TLS_CERTIFICATE=/etc/letsencrypt/certs/influx.domain.com.crt
      - TLS_PRIVATE_KEY=/etc/letsencrypt/certs/influx.domain.com.key
      - REPORTING_DISABLED='false'
      # Set the logging level. Valid values: debug | info | error
      - LOG_LEVEL=info
      - TOKEN_SECRET=hxDEXBPAc49muW3gLoot7YamJ
      - AUTH_DURATION=0
      - PUBLIC_URL=https://ec-influx.domain.com
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx
    restart: always
    labels:
      - com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./nginx/html:/usr/share/nginx/html
      - ./nginx/vhost.d:/etc/nginx/vhost.d
      - /root/new/letsencrypt/certs:/etc/nginx/certs:ro
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt
    restart: always
    environment:
      - NGINX_PROXY_CONTAINER=nginx-proxy
      - REUSE_PRIVATE_KEYS=true
    volumes_from:
      - nginx-proxy
    volumes:
      - /root/new/letsencrypt/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
Here is the error from chronograf:
chronograf | time="2022-08-29T00:22:02Z" level=error msg="open /etc/letsencrypt/certs/influx.domain.com.crt: no such file or directory" component=server
chronograf | 2022/08/29 00:22:02 open /etc/letsencrypt/certs/influx.domain.com.crt: no such file or directory
The same error shows for influxdb as well.
Where can I start debugging? Navigating to the mounted volume (./letsencrypt/certs/), I can confirm the key and cert file are there.

How to use ssl with docker desktop on windows

I have a dev Environment in docker and I'm using Nifi 1.13.2 and it's working fine (http).
I did an upgrade of Nifi to use version 1.15.3 that starts up with HTTPS only and it isn't working anymore.
docker-compose:
services:
  nifi:
    image: apache/nifi:1.15.3
    container_name: nifi
    environment:
      - JAVA_TOOL_OPTIONS=-Dfile.encoding=utf8
      - NIFI_WEB_HTTPS_PORT=8443
    ports:
      - 10000:8443
      - "9001-9100:9001-9100"
    volumes:
      - ./data/nifi/content:/opt/nifi/nifi-current/content_repository:rw
      - ./data/nifi/database:/opt/nifi/nifi-current/database_repository:rw
      - ./data/nifi/flowfile:/opt/nifi/nifi-current/flowfile_repository:rw
      - ./data/nifi/provenance:/opt/nifi/nifi-current/provenance_repository:rw
      - ./data/nifi/state:/opt/nifi/nifi-current/state:rw
      - ./data/db/driver:/opt/driver
Logs from nifi-app.log:
nifi-app_2022-03-16_14.0.log:36362:2022-03-16 14:36:43,370 INFO [main] org.apache.nifi.web.server.JettyServer Created HostHeaderHandler [HostHeaderHandler for 2dec0477131a:8443}]
nifi-app_2022-03-16_14.0.log:139435:2022-03-16 14:37:07,253 INFO [main] o.eclipse.jetty.server.AbstractConnector Started ServerConnector@36b53f08{SSL, (ssl, http/1.1)}{2dec0477131a:8443}
nifi-app_2022-03-16_14.0.log:139933:2022-03-16 14:37:07,292 INFO [main] org.apache.nifi.web.server.JettyServer https://2dec0477131a:8443/nifi
Error in logs when I go to https://localhost:10000/nifi:
2022-03-16 14:39:15,572 WARN [NiFi Web Server-16] o.a.nifi.web.server.HostHeaderHandler Request host header [localhost:10000] different from web hostname [2dec0477131a(:8443)]. Overriding to [2dec0477131a:8443/nifi]
2022-03-16 14:39:15,655 WARN [NiFi Web Server-20] o.a.nifi.web.server.HostHeaderHandler Request host header [localhost:10000] different from web hostname [2dec0477131a(:8443)]. Overriding to [2dec0477131a:8443/favicon.ico]
I see that on Docker Desktop, when I choose "open in browser", it opens http://localhost:10000/nifi. How can I change this URL?
Update 1:
I found this article: https://www.javahelps.com/2022/01/run-apache-nifi-in-docker-with-ssl.html so my docker-compose looks like this:
services:
  nifi:
    image: apache/nifi:1.15.3
    container_name: nifi
    environment:
      - JAVA_TOOL_OPTIONS=-Dfile.encoding=utf8
      - NIFI_WEB_HTTPS_PORT=8443
      - SINGLE_USER_CREDENTIALS_USERNAME=jhiihihhu
      - SINGLE_USER_CREDENTIALS_PASSWORD=e9o6dQhlEDusiq6oKUpzp8ZtW/Bjim6q2U0SxyBO6JA
      - NIFI_SENSITIVE_PROPS_KEY=rHkWR1gDNW3R
      - NIFI_WEB_PROXY_HOST=0.0.0.0:8443
      - NIFI_WEB_HTTPS_HOST=0.0.0.0
      - NIFI_CLUSTER_ADDRESS=0.0.0.0
      - NIFI_REMOTE_INPUT_HOST=0.0.0.0
      - AUTH=tls
      - KEYSTORE_PATH=/opt/certs/keystore.jks
      - KEYSTORE_TYPE=JKS
      - KEYSTORE_PASSWORD=cjwC2UU/ZBxhlNyjFbK1QCE/bqNxq9WONwCPq8HbyRk
      - TRUSTSTORE_PATH=/opt/certs/truststore.jks
      - TRUSTSTORE_TYPE=JKS
      - TRUSTSTORE_PASSWORD=1ab4TYRgYw7HMY4Dr+7s+7gVDrPBbZPGp4g/t5VhJG4
      - NIFI_SECURITY_USER_AUTHORIZER=single-user-authorizer
      - NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER=single-user-provider
    ports:
      - 10000:8443
      - "9001-9100:9001-9100"
    volumes:
      - ./data/nifi/content:/opt/nifi/nifi-current/content_repository:rw
      - ./data/nifi/database:/opt/nifi/nifi-current/database_repository:rw
      - ./data/nifi/flowfile:/opt/nifi/nifi-current/flowfile_repository:rw
      - ./data/nifi/provenance:/opt/nifi/nifi-current/provenance_repository:rw
      - ./data/nifi/state:/opt/nifi/nifi-current/state:rw
      - ./data/db/driver:/opt/driver
      - ./keystore.jks:/opt/certs/keystore.jks
      - ./truststore.jks:/opt/certs/truststore.jks
I still have the same error.
Update 2:
It worked with the following docker compose:
services:
  nifi:
    image: apache/nifi:1.15.3
    container_name: nifi
    environment:
      - JAVA_TOOL_OPTIONS=-Dfile.encoding=utf8
      - NIFI_WEB_HTTPS_PORT=8443
      - SINGLE_USER_CREDENTIALS_USERNAME=khiuiuiuh
      - SINGLE_USER_CREDENTIALS_PASSWORD=e9o6dQhlEDusiq6oKUpzp8ZtW/Bjim6q2U0SxyBO6JA
      - NIFI_SENSITIVE_PROPS_KEY=rHkWR1gDNW3R
      - NIFI_WEB_PROXY_HOST='localhost:8443,localhost:10000'
      - NIFI_WEB_HTTPS_HOST=0.0.0.0
      - NIFI_CLUSTER_ADDRESS=0.0.0.0
      - NIFI_REMOTE_INPUT_HOST=0.0.0.0
      - AUTH=tls
      - KEYSTORE_PATH=/opt/certs/keystore.jks
      - KEYSTORE_TYPE=JKS
      - KEYSTORE_PASSWORD=cjwC2UU/ZBxhlNyjFbK1QCE/bqNxq9WONwCPq8HbyRk
      - TRUSTSTORE_PATH=/opt/certs/truststore.jks
      - TRUSTSTORE_TYPE=JKS
      - TRUSTSTORE_PASSWORD=1ab4TYRgYw7HMY4Dr+7s+7gVDrPBbZPGp4g/t5VhJG4
      - NIFI_SECURITY_USER_AUTHORIZER=single-user-authorizer
      - NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER=single-user-provider
    ports:
      - 8443:8443
      - "9001-9100:9001-9100"
    volumes:
      - ./data/nifi/content:/opt/nifi/nifi-current/content_repository:rw
      - ./data/nifi/database:/opt/nifi/nifi-current/database_repository:rw
      - ./data/nifi/flowfile:/opt/nifi/nifi-current/flowfile_repository:rw
      - ./data/nifi/provenance:/opt/nifi/nifi-current/provenance_repository:rw
      - ./data/nifi/state:/opt/nifi/nifi-current/state:rw
      - ./data/db/driver:/opt/driver
      - ./keystore.jks:/opt/certs/keystore.jks
      - ./truststore.jks:/opt/certs/truststore.
Update 30/03/2022:
I've been using the new version for a few days now and each time I start NiFi, I get the error message: The supplied username and password are not valid.
I have to run docker-compose and start all over.
Also, I want to enable anonymous authentication and it's not working even if I set NIFI_SECURITY_ALLOW_ANONYMOUS_AUTHENTICATION to true.
Try adding NIFI_WEB_PROXY_HOST=localhost:8443 in the environment section in docker-compose. Also, you have to check if you can use port 10000 for Nifi.
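The HostHeaderHandler warnings quoted in the question name the exact Host header NiFi refused. As an added example (not code from the thread or from the NiFi project), this Go program pulls those values out of the log and builds a `NIFI_WEB_PROXY_HOST` entry only from hosts the operator actually publishes; the third sample log line and the `unknown.example` host are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Format of the HostHeaderHandler warning, taken from the log excerpt above.
var rejectedRe = regexp.MustCompile(
	`HostHeaderHandler Request host header \[([^\]]+)\] different from web hostname`)

// Constructed sample: two lines from the post plus one made-up line carrying
// a Host header the operator never published (unknown.example).
const sampleLog = `2022-03-16 14:39:15,572 WARN [NiFi Web Server-16] o.a.nifi.web.server.HostHeaderHandler Request host header [localhost:10000] different from web hostname [2dec0477131a(:8443)]. Overriding to [2dec0477131a:8443/nifi]
2022-03-16 14:39:15,655 WARN [NiFi Web Server-20] o.a.nifi.web.server.HostHeaderHandler Request host header [localhost:10000] different from web hostname [2dec0477131a(:8443)]. Overriding to [2dec0477131a:8443/favicon.ico]
2022-03-16 14:41:02,101 WARN [NiFi Web Server-22] o.a.nifi.web.server.HostHeaderHandler Request host header [unknown.example] different from web hostname [2dec0477131a(:8443)]. Overriding to [2dec0477131a:8443/nifi]`

// RejectedHosts returns the distinct Host header values NiFi refused, sorted.
func RejectedHosts(log string) []string {
	seen := map[string]bool{}
	for _, m := range rejectedRe.FindAllStringSubmatch(log, -1) {
		seen[m[1]] = true
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

// Classify keeps only hosts the operator really publishes; anything else in
// the warnings is a spoofed or stray Host header and must not be allowlisted.
func Classify(rejected, published []string) (add, unexpected []string) {
	pub := map[string]bool{}
	for _, p := range published {
		pub[strings.ToLower(p)] = true
	}
	for _, h := range rejected {
		if pub[strings.ToLower(h)] {
			add = append(add, h)
		} else {
			unexpected = append(unexpected, h)
		}
	}
	return add, unexpected
}

// ProxyHostEnv renders the compose environment entry for the vetted hosts.
func ProxyHostEnv(hosts []string) string {
	return "NIFI_WEB_PROXY_HOST=" + strings.Join(hosts, ",")
}

func main() {
	add, unexpected := Classify(RejectedHosts(sampleLog), []string{"localhost:10000"})
	fmt.Println(ProxyHostEnv(add), "| investigate:", unexpected)
}
```

The published list is the set of host:port pairs you expose yourself (here the `10000:8443` mapping on localhost); keeping the allowlist that narrow preserves the Host header check NiFi is enforcing.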

How do I know if a plugin actually runs or not?

I'm trying out traefik and developing a dummy plugin right now. After countless errors, I finally got rid of all of them and don't get any errors anymore.
But, the plugin doesn't work as intended. It doesn't throw errors, but it doesn't seem to work either. Is there any way to confirm that the Plugin actually runs? By "running", I mean that I configure it properly, but the function just doesn't return what I want.
This is the output after running the docker compose.
echo-server | Echo server listening on port 8080.
traefik-proxy | time="2022-03-21T07:58:28Z" level=info msg="Configuration loaded from flags."
That's just it. No errors, no exit. And it throws a GET log after refreshing the web page, so I assume there are no errors blocking the code. But I'm still not sure what's wrong. Is it the plugin code or the configuration?
If this is necessary, here is some of my code:
# docker-compose.yml
version: "3.3"
networks:
  traefik-proxy:
volumes:
  traefik-proxy:
services:
  traefik-proxy:
    image: "traefik:latest"
    container_name: "traefik-proxy"
    networks:
      - traefik-proxy
    command:
      # - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--experimental.localPlugins.traefik-denyuseragent.modulename=github.com/xxx/denyuseragent"
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./plugins-local/:/plugins-local/
  echo-server:
    image: "xxx/echo-server"
    container_name: "echo-server"
    networks:
      - traefik-proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.echoserver.rule=Host(`echoserver.localhost`)"
      - "traefik.http.routers.echoserver.entrypoints=web"
      - "traefik.http.routers.echoserver.middlewares=traefik-denyuseragent"

# .traefik.yml
displayName: Plugin
type: middleware
import: github.com/xxx/denyuseragent
summary: 'Example'
testData:
  userAgent:
    - Firefox
    - Mozilla/5.0

# traefik.yml
experimental:
  localPlugins:
    traefik-denyuseragent:
      modulename: "github.com/xxx/denyuseragent"

# config.yml
http:
  routers:
    my-router:
      rule: host(`echoserver.localhost`)
      service: service-echoserver
      entryPoints:
        - web
      middlewares:
        - traefik-denyuseragent
  services:
    service-echoserver:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:5000
  middlewares:
    traefik-denyuseragent:
      plugin:
        traefik-denyuseragent:
          userAgent:
            - Mozilla/5.0
Can anyone confirm whether it could work properly or not? Is there some kind of code I can run to make sure the plugin is configured properly? It would be great if it is, so I can move on to another task; I've spent days just trying to configure it.
I just wanna know if the problem is on the plugin or the configuration.
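One way to separate "plugin code" from "configuration", as an added example that is not the asker's plugin: a minimal user-agent-denying middleware written against Traefik's plugin constructor contract (`CreateConfig` and `New`), which logs every request and sets a marker header, plus a probe that drives it without Traefik. The `X-Denyuseragent` header, the `denyUA` type and the `Probe` helper are hypothetical names introduced here.

```go
package main // a real Traefik plugin uses its own package name instead

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// Config mirrors the userAgent list shown in the post's config.yml.
type Config struct {
	UserAgent []string `json:"userAgent,omitempty"`
}

// CreateConfig and New are the two constructors Traefik calls on a plugin.
func CreateConfig() *Config { return &Config{} }

type denyUA struct {
	next   http.Handler
	name   string
	denied []string
}

func New(_ context.Context, next http.Handler, cfg *Config, name string) (http.Handler, error) {
	if len(cfg.UserAgent) == 0 {
		return nil, fmt.Errorf("%s: userAgent list is empty", name)
	}
	return &denyUA{next: next, name: name, denied: cfg.UserAgent}, nil
}

func (d *denyUA) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	// Proof of execution: a log line and a marker header (hypothetical name).
	os.Stdout.WriteString(d.name + ": checking " + req.UserAgent() + "\n")
	rw.Header().Set("X-Denyuseragent", "checked")
	for _, ua := range d.denied {
		if strings.Contains(req.UserAgent(), ua) {
			http.Error(rw, "user agent denied", http.StatusForbidden)
			return
		}
	}
	d.next.ServeHTTP(rw, req)
}

// Probe runs the middleware without Traefik; in a plugin repo use a _test.go file.
func Probe(denied []string, userAgent string) (int, string, error) {
	next := http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) {})
	h, err := New(context.Background(), next, &Config{UserAgent: denied}, "traefik-denyuseragent")
	if err != nil {
		return 0, "", err
	}
	req := httptest.NewRequest(http.MethodGet, "http://echoserver.localhost/", nil)
	req.Header.Set("User-Agent", userAgent)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("X-Denyuseragent"), nil
}

func main() { fmt.Println(Probe([]string{"Mozilla/5.0"}, "Mozilla/5.0 (X11; Linux x86_64)")) }
```

If the probe behaves as expected but responses fetched through Traefik carry no marker header and the container log shows no "checking" line, the middleware is not attached to the router and the fault lies in the configuration rather than the plugin code.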

Portainer doesn't show icons anymore since upgrading to v2 (Traefik Proxy)

Since upgrading to Portainer v2, the icons would suddenly not load anymore. I can still access Portainer (which is proxied by Traefik), but after a bit of testing, I noticed, only / would be forwarded. If a path was given, Traefik would throw a 404 error. This is a problem because Portainer loads the fonts from eg. /b15db15f746f29ffa02638cb455b8ec0.woff2.
There is one issue about this on Github, but I don't really know what to do with that information: https://github.com/portainer/portainer/issues/3706
My Traefik configuration
version: "2"
# Manage domain access to services
services:
  traefik:
    container_name: traefik
    image: traefik
    command:
      - --api.dashboard=true
      - --certificatesresolvers.le.acme.email=${ACME_EMAIL}
      - --certificatesresolvers.le.acme.storage=acme.json
      # Enable/Disable staging by commenting/uncommenting the next line
      # - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --global.sendAnonymousUsage
      - --log.level=INFO
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik_proxy
    restart: always
    networks:
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
    dns:
      - 1.1.1.1
      - 1.0.0.1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json
      # - ./acme-staging.json:/acme.json
    environment:
      CF_API_EMAIL: ${CLOUDFLARE_EMAIL}
      CF_API_KEY: ${CLOUDFLARE_API_KEY}
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik0.entrypoints=http
      - traefik.http.routers.traefik0.rule=Host(`${TRAEFIK_URL}`)
      - traefik.http.routers.traefik0.middlewares=to_https
      - traefik.http.routers.traefik.entrypoints=https
      - traefik.http.routers.traefik.rule=Host(`${TRAEFIK_URL}`)
      - traefik.http.routers.traefik.middlewares=traefik_auth
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=le
      - traefik.http.routers.traefik.service=api@internal
      # Declaring the user list
      #
      # Note: all dollar signs in the hash need to be doubled for escaping.
      # To create user:password pair, it's possible to use this command:
      # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
      - traefik.http.middlewares.traefik_auth.basicauth.users=${TRAEFIK_USERS}
      # Standard middleware for other containers to use
      - traefik.http.middlewares.to_https.redirectscheme.scheme=https
      - traefik.http.middlewares.to_https_perm.redirectscheme.scheme=https
      - traefik.http.middlewares.to_https_perm.redirectscheme.permanent=true
networks:
  traefik_proxy:
    external: true
And my Portainer configuration
version: "2"
# Manage docker containers
services:
  portainer:
    container_name: portainer
    image: portainer/portainer-ce
    restart: always
    networks:
      - traefik_proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/:/data/
    labels:
      - traefik.enable=true
      - traefik.http.services.portainer.loadbalancer.server.port=9000
      - traefik.http.routers.portainer0.entrypoints=http
      - traefik.http.routers.portainer0.rule=Host(`${PORTAINER_URL}`)
      - traefik.http.routers.portainer0.middlewares=to_https
      - traefik.http.routers.portainer.entrypoints=https
      - traefik.http.routers.portainer.rule=Host(`${PORTAINER_URL}`)
      - traefik.http.routers.portainer.tls=true
      - traefik.http.routers.portainer.tls.certresolver=le
networks:
  traefik_proxy:
    external: true
What do I have to change to make Traefik be able to forward the paths so that Portainer can load the icons?
Could you try flushing your DNS cache?
In Chrome, enter 'chrome://net-internals/#dns' into the URL bar and press Enter.
Then click on 'Clear host cache'.
Then refresh your Portainer page.
I noticed that there is also an Alpine version of Portainer.
After switching to that (image: portainer/portainer-ce:alpine), the icons seem to be working again. I don't know what the issue is with the regular image, but this solves it for now.
PS: I had tried to use the Access-Control header on Traefik, but that didn't help. I guess it's a problem with Portainer's code itself.
If someone else is facing this issue, I resolved this by deleting my browser cache or just doing a full refresh with CTRL+Shift+R.

400 Error HTTP GET Request between Docker Containers with HTTPURLConnection

I got two Containers defined in a docker-compose file:
tomcat_webserver_api:
  image: tomcat:8
  volumes:
    - ./API/Docker/API.war:/usr/local/tomcat/webapps/API.war
  ports:
    - "8080:8080"
  depends_on:
    - mysql_database
tomcat_webserver_anwendung:
  image: tomcat:8
  ports:
    - "8081:8080"
  volumes:
    - ./Anwendung/Docker/Anwendung.war:/usr/local/tomcat/webapps/Anwendung.war
  depends_on:
    - tomcat_webserver_api
  environment:
    API_HOST: tomcat_webserver_api
    API_PORT: 8080
Now I want to access the URL http://tomcat_webserver_api:8080/API/restaurants/Wochentag from inside the Java web application with an HttpURLConnection.
Issue: It returns a 400 error:
java.io.IOException: Server returned HTTP response code: 400 for URL: http://tomcat_webserver_api:8080/API/restaurants/Wochentag
The code looks like this (the headers are nearly the same as when I try to connect to the URL via curl, which works inside the container):
URL api = UriBuilder.fromUri("http://" + "tomcat_webserver_api" + ":" + "8080" +"/API/restaurants/RestaurantSpeisen").build().toURL();
System.setProperty("http.agent", "curl/7.52.1");
HttpURLConnection connection = (HttpURLConnection) api.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("Host", "localhost");
connection.setRequestProperty("User-Agent", "curl/7.52.1");
connection.connect();
BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream(), "UTF-8"));
If I try to connect to http://172.20.0.3:8080/API/restaurants/Wochentag I get a 200 OK HTTP response code and the JSON data.
If I exec into the API container and inspect the logs I can see the 400 GET request.
Why does this happen?
http://172.20.0.3:8080/API/restaurants/Wochentag - Works
http://tomcat_webserver_api:8080/API/restaurants/Wochentag - Won't Work but not with an 404 Error
I have had the same issue as you; apparently underscores are not allowed in a virtual host name. Try to remove them, for example, use just tomcatwebserverapi; that should fix your problem.
See Can (domain name) subdomains have an underscore "_" in it? for more information about valid letters in hostnames.
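The host name rule this answer refers to, as an added Go example (not code from the thread): a checker for the RFC 952/1123 host name syntax, run over the service names from the question's compose file, that proposes a hyphenated replacement for each name that fails. The `ValidHostname` and `Audit` helpers are names introduced here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ValidHostname applies the RFC 952/1123 host name rules: dot-separated
// labels of 1-63 letters, digits or hyphens, no hyphen at either end of a
// label, at most 253 characters overall. Underscores are not permitted.
func ValidHostname(name string) (bool, string) {
	if len(name) == 0 || len(name) > 253 {
		return false, "total length must be 1-253"
	}
	for _, label := range strings.Split(name, ".") {
		if len(label) == 0 || len(label) > 63 {
			return false, "label length must be 1-63"
		}
		if label[0] == '-' || label[len(label)-1] == '-' {
			return false, "label starts or ends with a hyphen"
		}
		for _, c := range label {
			alnum := c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
			if !alnum && c != '-' {
				return false, fmt.Sprintf("character %q is not allowed", c)
			}
		}
	}
	return true, ""
}

// Audit maps each invalid name to a hyphenated replacement that passes the
// check; names with no valid replacement map to "".
func Audit(names []string) map[string]string {
	fixes := map[string]string{}
	for _, n := range names {
		if ok, _ := ValidHostname(n); ok {
			continue
		}
		candidate := strings.Trim(strings.ReplaceAll(n, "_", "-"), "-")
		if ok, _ := ValidHostname(candidate); !ok {
			candidate = ""
		}
		fixes[n] = candidate
	}
	return fixes
}

func main() {
	// Service names from the compose file in the question, plus the IP that worked.
	fixes := Audit([]string{"tomcat_webserver_api", "tomcat_webserver_anwendung", "mysql_database", "172.20.0.3"})
	keys := make([]string, 0, len(fixes))
	for k := range fixes {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s -> %s\n", k, fixes[k])
	}
}
```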
Please give explicit container names a try:
tomcat_webserver_api:
  image: tomcat:8
  container_name: tomcat_webserver_api
  volumes:
    - ./API/Docker/API.war:/usr/local/tomcat/webapps/API.war
  ports:
    - "8080:8080"
  depends_on:
    - mysql_database
tomcat_webserver_anwendung:
  container_name: tomcat_webserver_app
  image: tomcat:8
  ports:
    - "8081:8080"
  volumes:
    - ./Anwendung/Docker/Anwendung.war:/usr/local/tomcat/webapps/Anwendung.war
  depends_on:
    - tomcat_webserver_api
  environment:
    API_HOST: tomcat_webserver_api
    API_PORT: 8080
The "local only" configuration needs explicit container names to activate Docker's name lookup mechanism. In Swarm mode you wouldn't need to set container names.