I am uploading the kafka environment with SSL, until then, without problems...
it goes up normally, but when I create a MySQL connector,
the producer does not receive the config sent by the docker environment!
Any Suggestions?
---
version: '3'
services:
zookeeper:
image: confluentinc/cp-zookeeper:latest
container_name: ${ZK_HOST}
hostname: ${ZK_HOST}
ports:
- "${ZK_PORT}:${ZK_PORT}"
environment:
ZOOKEEPER_SERVER_ID: 1
ZOOKEEPER_CLIENT_PORT: ${ZK_PORT}
ZOOKEEPER_CLIENT_SECURE: 'true'
ZOOKEEPER_SSL_KEYSTORE_LOCATION: /etc/zookeeper/secrets/kafka.keystore.jks
ZOOKEEPER_SSL_KEYSTORE_PASSWORD: ${SSL_SECRET}
ZOOKEEPER_SSL_TRUSTSTORE_LOCATION: /etc/zookeeper/secrets/kafka.truststore.jks
ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD: ${SSL_SECRET}
volumes:
- ./secrets:/etc/zookeeper/secrets
kafka-ssl:
image: confluentinc/cp-kafka:latest
container_name: ${BROKER_HOST}
hostname: ${BROKER_HOST}
ports:
- "${BROKER_PORT}:${BROKER_PORT}"
depends_on:
- ${ZK_HOST}
environment:
KAFKA_BROKER_ID: 1
KAFKA_ZOOKEEPER_CONNECT: '${ZK_HOST}:${ZK_PORT}'
KAFKA_ADVERTISED_LISTENERS: 'SSL://${BROKER_HOST}:${BROKER_PORT}'
KAFKA_SSL_KEYSTORE_FILENAME: kafka.keystore.jks
KAFKA_SSL_KEYSTORE_CREDENTIALS: cert_creds
KAFKA_SSL_KEY_CREDENTIALS: cert_creds
KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.truststore.jks
KAFKA_SSL_TRUSTSTORE_CREDENTIALS: cert_creds
KAFKA_SSL_CLIENT_AUTH: 'required'
KAFKA_SECURITY_PROTOCOL: SSL
KAFKA_SECURITY_INTER_BROKER_PROTOCOL: SSL
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
volumes:
- ./secrets:/etc/kafka/secrets
schema-registry:
image: confluentinc/cp-schema-registry
container_name: ${SR_HOST}
hostname: ${SR_HOST}
depends_on:
- ${ZK_HOST}
- ${BROKER_HOST}
ports:
- "${SR_PORT}:${SR_PORT}"
environment:
SCHEMA_REGISTRY_HOST_NAME: ${SR_HOST}
SCHEMA_REGISTRY_LISTENERS: 'https://0.0.0.0:${SR_PORT}'
SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: '${ZK_HOST}:${ZK_PORT}'
SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: 'SSL://${BROKER_HOST}:${BROKER_PORT}'
SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SSL
SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_LOCATION: /etc/schema-registry/secrets/kafka.keystore.jks
SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /etc/schema-registry/secrets/kafka.keystore.jks
SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_PASSWORD: ${SSL_SECRET}
SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: ${SSL_SECRET}
SCHEMA_REGISTRY_KAFKASTORE_SSL_KEY_PASSWORD: ${SSL_SECRET}
SCHEMA_REGISTRY_SSL_KEY_PASSWORD: ${SSL_SECRET}
SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/schema-registry/secrets/kafka.truststore.jks
SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /etc/schema-registry/secrets/kafka.truststore.jks
SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD: ${SSL_SECRET}
SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: ${SSL_SECRET}
SCHEMA_REGISTRY_SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: https
SCHEMA_REGISTRY_KAFKASTORE_TOPIC: _schemas
SCHEMA_REGISTRY_SSL_CLIENT_AUTH: 'true'
volumes:
- ./secrets:/etc/schema-registry/secrets
connect:
build:
context: .
dockerfile: Dockerfile
image: chethanuk/kafka-connect:5.3.1
hostname: ${SR_CON}
container_name: ${SR_CON}
depends_on:
- ${ZK_HOST}
- ${BROKER_HOST}
- ${SR_HOST}
ports:
- "${SR_CON_PORT}:${SR_CON_PORT}"
environment:
CONNECT_LISTENERS: 'https://0.0.0.0:${SR_CON_PORT}'
CONNECT_REST_ACCESS_CONTROL_ALLOW_METHODS: 'GET,POST,PUT,DELETE,OPTIONS'
CONNECT_REST_ACCESS_CONTROL_ALLOW_ORIGIN: '*'
CONNECT_BOOTSTRAP_SERVERS: 'SSL://${BROKER_HOST}:${BROKER_PORT}'
CONNECT_REST_ADVERTISED_HOST_NAME: ${SR_CON}
CONNECT_REST_PORT: ${SR_CON_PORT}
CONNECT_GROUP_ID: compose-connect-group
CONNECT_CONFIG_STORAGE_TOPIC: docker-connect-configs
CONNECT_CONFIG_STORAGE_REPLICATION_FACTOR: 1
CONNECT_OFFSET_FLUSH_INTERVAL_MS: 10000
CONNECT_OFFSET_STORAGE_TOPIC: docker-connect-offsets
CONNECT_OFFSET_STORAGE_REPLICATION_FACTOR: 1
CONNECT_STATUS_STORAGE_TOPIC: docker-connect-status
CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 1
CONNECT_KEY_CONVERTER: org.apache.kafka.connect.storage.StringConverter
CONNECT_VALUE_CONVERTER: io.confluent.connect.avro.AvroConverter
CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_URL: https://${SR_HOST}:${SR_PORT}
CONNECT_INTERNAL_KEY_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
CONNECT_INTERNAL_VALUE_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
CONNECT_ZOOKEEPER_CONNECT: '${ZK_HOST}:${ZK_PORT}'
CLASSPATH: /usr/share/java/monitoring-interceptors/monitoring-interceptors-5.2.1.jar
CONNECT_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor"
CONNECT_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor"
CONNECT_PLUGIN_PATH: "/usr/share/java,/usr/share/confluent-hub-components"
CONNECT_LOG4J_LOGGERS: org.apache.zookeeper=ERROR,org.I0Itec.zkclient=ERROR,org.reflections=ERROR
CONNECT_SSL_CLIENT_AUTH: 'true'
CONNECT_SECURITY_PROTOCOL: SSL
CONNECT_SSL_KEY_PASSWORD: ${SSL_SECRET}
CONNECT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks
CONNECT_SSL_TRUSTSTORE_PASSWORD: ${SSL_SECRET}
CONNECT_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks
CONNECT_SSL_KEYSTORE_PASSWORD: ${SSL_SECRET}
CONNECT_PRODUCER_SECURITY_PROTOCOL: SSL
CONNECT_PRODUCER_BOOTSTRAP_SERVERS: 'SSL://${BROKER_HOST}:${BROKER_PORT}'
CONNECT_PRODUCER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks
CONNECT_PRODUCER_SSL_TRUSTSTORE_PASSWORD: ${SSL_SECRET}
CONNECT_CONSUMER_SECURITY_PROTOCOL: SSL
CONNECT_CONSUMER_BOOTSTRAP_SERVERS: 'SSL://${BROKER_HOST}:${BROKER_PORT}'
CONNECT_CONSUMER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks
CONNECT_CONSUMER_SSL_TRUSTSTORE_PASSWORD: ${SSL_SECRET}
volumes:
- ./secrets:/etc/kafka/secrets
error:
[2021-05-21 05:13:50,157] INFO Requested thread factory for connector MySqlConnector, id = myql named = db-history-config-check (io.debezium.util.Threads)
[2021-05-21 05:13:50,160] INFO ProducerConfig values:
acks = 1
batch.size = 32768
bootstrap.servers = [broker:29092]
buffer.memory = 1048576
client.dns.lookup = default
client.id = myql-dbhistory
compression.type = none
connections.max.idle.ms = 540000
delivery.timeout.ms = 120000
enable.idempotence = false
interceptor.classes = []
key.serializer = class org.apache.kafka.common.serialization.StringSerializer
linger.ms = 0
max.block.ms = 10000
max.in.flight.requests.per.connection = 5
max.request.size = 1048576
metadata.max.age.ms = 300000
metric.reporters = []
metrics.num.samples = 2
metrics.recording.level = INFO
metrics.sample.window.ms = 30000
partitioner.class = class org.apache.kafka.clients.producer.internals.DefaultPartitioner
receive.buffer.bytes = 32768
reconnect.backoff.max.ms = 1000
reconnect.backoff.ms = 50
request.timeout.ms = 30000
retries = 1
retry.backoff.ms = 100
sasl.client.callback.handler.class = null
sasl.jaas.config = null
sasl.kerberos.kinit.cmd = /usr/bin/kinit
sasl.kerberos.min.time.before.relogin = 60000
sasl.kerberos.service.name = null
sasl.kerberos.ticket.renew.jitter = 0.05
sasl.kerberos.ticket.renew.window.factor = 0.8
sasl.login.callback.handler.class = null
sasl.login.class = null
sasl.login.refresh.buffer.seconds = 300
sasl.login.refresh.min.period.seconds = 60
sasl.login.refresh.window.factor = 0.8
sasl.login.refresh.window.jitter = 0.05
sasl.mechanism = GSSAPI
security.protocol = PLAINTEXT
security.providers = null
send.buffer.bytes = 131072
ssl.cipher.suites = null
ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
ssl.endpoint.identification.algorithm = https
ssl.key.password = null
ssl.keymanager.algorithm = SunX509
ssl.keystore.location = null
ssl.keystore.password = null
ssl.keystore.type = JKS
ssl.protocol = TLS
ssl.provider = null
ssl.secure.random.implementation = null
ssl.trustmanager.algorithm = PKIX
ssl.truststore.location = null
ssl.truststore.password = null
ssl.truststore.type = JKS
transaction.timeout.ms = 60000
transactional.id = null
value.serializer = class org.apache.kafka.common.serialization.StringSerializer
(org.apache.kafka.clients.producer.ProducerConfig)
[2021-05-21 05:13:50,162] WARN Couldn't resolve server broker:29092 from bootstrap.servers as DNS resolution failed for broker (org.apache.kafka.clients.ClientUtils)
[2021-05-21 05:13:50,162] INFO [Producer clientId=myql-dbhistory] Closing the Kafka producer with timeoutMillis = 0 ms. (org.apache.kafka.clients.producer.KafkaProducer)
[2021-05-21 05:13:50,162] INFO WorkerSourceTask{id=zabbix-hosts-0} Committing offsets (org.apache.kafka.connect.runtime.WorkerSourceTask)
[2021-05-21 05:13:50,162] INFO WorkerSourceTask{id=zabbix-hosts-0} flushing 0 outstanding messages for offset commit (org.apache.kafka.connect.runtime.WorkerSourceTask)
[2021-05-21 05:13:50,163] ERROR WorkerSourceTask{id=zabbix-hosts-0} Task threw an uncaught and unrecoverable exception (org.apache.kafka.connect.runtime.WorkerTask)
org.apache.kafka.common.KafkaException: Failed to construct kafka producer
at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:432)
at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:298)
at io.debezium.relational.history.KafkaDatabaseHistory.start(KafkaDatabaseHistory.java:235)
at io.debezium.relational.HistorizedRelationalDatabaseSchema.<init>(HistorizedRelationalDatabaseSchema.java:40)
at io.debezium.connector.mysql.MySqlDatabaseSchema.<init>(MySqlDatabaseSchema.java:90)
at io.debezium.connector.mysql.MySqlConnectorTask.start(MySqlConnectorTask.java:94)
at io.debezium.connector.common.BaseSourceTask.start(BaseSourceTask.java:130)
at org.apache.kafka.connect.runtime.WorkerSourceTask.execute(WorkerSourceTask.java:208)
at org.apache.kafka.connect.runtime.WorkerTask.doRun(WorkerTask.java:177)
at org.apache.kafka.connect.runtime.WorkerTask.run(WorkerTask.java:227)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.kafka.common.config.ConfigException: No resolvable bootstrap urls given in bootstrap.servers
at org.apache.kafka.clients.ClientUtils.parseAndValidateAddresses(ClientUtils.java:88)
at org.apache.kafka.clients.ClientUtils.parseAndValidateAddresses(ClientUtils.java:47)
at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:407)
... 14 more
[2021-05-21 05:13:50,164] ERROR WorkerSourceTask{id=zabbix-hosts-0} Task is being killed and will not recover until manually restarted (org.apache.kafka.connect.runtime.WorkerTask)
vars
SSL_SECRET=
ZK_HOST=zookeeper
ZK_PORT=2181
BROKER_HOST=kafka-ssl
BROKER_PORT=9092
SR_HOST=schema-registry
SR_PORT=8181
SR_CON=connect
SR_CON_PORT=8083
HOST=localhost
build and image should not be used together. You've not shown your Dockerfile, so it's unclear what you're doing there, but it may explain why no variables are actually loaded
bootstrap.servers = [broker:29092]
Somewhere in your Connect configuration, you're not using kafka-ssl:9092 as the connection string
Notice that your key and value serializers are using String, not Avro settings, too... Interceptor list is empty, SSL settings don't seem to be applied, etc
To narrow it down, I don't think you need _PRODUCER_BOOTSTRAP_SERVERS or the consumer one.
You should exec into your container and look at the templated connect-distributed.properties file that was created
Note that the Debezium images come with the mysql connector classes, so maybe you don't need your own image?
Related
I have a rabbitmq container in docker and another service to send stream type messages to it. But it is only ok when the service is outside the docker, if I build the service as a container run in docker,and send stream messages, It always shows "System.Net.Sockets.SocketException (111): Connection refused ". But if you send a message of classic type, it's a success.
rabbitmq:
container_name: rabbitmq
image: rabbitmq:3-management
environment:
RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: -rabbitmq_stream advertised_host localhost
RABBITMQ_DEFAULT_USER:"admin"
RABBITMQ_DEFAULT_PASS:"admin"
RABBITMQ_DEFAULT_VHOST:"application"
ports:
- 5672:5672
- 5552:5552
- 15672:15672
volumes:
- ./conf/rabbitmq/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf
- ./conf/rabbitmq/enabled_plugins:/etc/rabbitmq/enabled_plugins
healthcheck:
test: rabbitmq-diagnostics -q ping
interval: 15s
timeout: 15s
retries: 5
env_file:
- ./.local.env
./conf/rabbitmq/rabbitmq.conf
enter code herestream.listeners.tcp.1 = 5552
stream.tcp_listen_options.backlog = 4096
stream.tcp_listen_options.recbuf = 131072
stream.tcp_listen_options.sndbuf = 131072
stream.tcp_listen_options.keepalive = true
stream.tcp_listen_options.nodelay = true
stream.tcp_listen_options.exit_on_close = true
stream.tcp_listen_options.send_timeout = 120
./conf/rabbitmq/enabled_plugins
[rabbitmq_management,rabbitmq_prometheus,rabbitmq_stream,rabbitmq_stream_management].
another service configures in docker:
# RabbitMQ
Host = "host.docker.internal",
VirtualHost = "application",
Port= 5672,
StreamPort = 5552,
User= "admin",
Password = "admin",
UseSSL = false
I'm trying to get a traefik docker instance running on my raspberry pi 4 8gb. I have everything setup, but I can't get the let's encrypt certification working. (My name registrar is Porkbun)
Here's my docker-compose :
Version: '3.4'
services:
traefik:
image: 'traefik:2.3'
restart: 'unless-stopped'
ports:
- '80:80'
- '443:443'
volumes:
- '/var/run/docker/sock:/var/run/docker.sock'
- './config_files/traefik.toml:/traefik.toml'
- './config_files/traefik_dynamic.toml:/traefik_dynamic.toml'
- './config_files/acme.json:/acme.json'
networks:
- pi
whoami:
image: 'traefik/whoami'
restart: 'unless-stopped'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.whoami.rule=PathPrefix(`/whoami{regex:$$|/.*}`)'
- 'traefik.http.services.whoami.loadbalancer.server.port=80'
networks:
pi:
external: true
And here's my traefik.toml :
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "lets-encrypt"
[api]
dashboard = true
[certificatesResolvers.lets-encrypt.acme]
email = "lucien.astie#gmail.com"
storage = "acme.json"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
[providers.docker]
watch = true
network = "web"
exposedByDefault = false
[providers.file]
filename = "traefik_dynamic.toml"
Lastly my traefik_dynamic.toml :
[http.middlewares.simpleAuth.basicAuth]
users = [
"uberfluff:$apr1$qAWpnRq5$W94tcAy9JCKE6TN.Zy/Kp1"
]
[http.routers.api]
rule = "Host(`lulusworld.art`)"
entrypoints = ["web"]
middlewares = ["simpleAuth"]
service = "api#internal"
[http.routers.api.tls]
certResolver = "lets-encrypt"
But with all of this I get this error :
Unable to obtain ACME certificate for domains "lulusworld.art": unable to generate a certificate for the domains [lulusworld.art]: error: one or more domains had a problem:\n[lulusworld.art] acme: error: 400 :: urn:ietf:params:acme:error:dns :: no valid A records found for lulusworld.art; no valid AAAA records found for lulusworld.art, url: \n" routerName=api#file rule="Host(lulusworld.art)" providerName=lets-encrypt.acme
Here's what I did to try to fix this :
I made a A record (the record is working but not the SSL)
According to docs for wildcard certificate you need DNS challenge but I can't get porkbun working with DNS Challenge
If you have any idea how I could solve my problem it would be greatly appreciated.
I set up a traefik reverse proxy in a docker enviroment.
The goal is to redirect traffic to different servers (not containers) based on URL/Host.
After fiddling around, I got traefik to work. I can now see the backend.
But if I try to access a server, I get "404 page not found" from traefik.
Also the tcp.routers and tcp.services don't show up in traefik-backend.
Are there limitations when mixing docker-compose and traefik.toml as configuration? If I start traefik it says, that it uses traefik.toml.
Another problem is, that user authentication for traefik-backend isn't used - there is no question for username/password.
Or does traefik ignore the whole configuration, because it can't get certificates (it's just dev and not in production right now).
docker-compose.yml:
version: "3.3"
services:
traefik:
restart: always
image: "traefik:latest"
container_name: "traefik"
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- traefik_proxy
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- ./17/traefik.toml:/etc/traefik/traefik.toml
- ./shared:/shared
command:
- "--api=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--providers.docker.network=traefik_proxy"
networks:
traefik_proxy:
external: true
traefik.toml:
[global]
sendAnonymousUsage = false
[log]
level = "DEBUG"
[api]
dashboard = true
insecure = true
[entryPoints]
[entryPoints.traefik]
address = ":8080"
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "myresolver"
[http]
[http.routers]
[http.routers.mymiddleware]
entryPoints = ["websecure"]
rule = "Host(`cmw.domain.de`) || Host(`sync.domain.de`)"
certResolver = "myresolver"
service = "mymiddleware"
[http.routers.owncloud]
entryPoints = ["websecure"]
rule = "Host(`cloud.domain.de`)"
certResolver = "myresolver"
service = "owncloud"
[http.routers.dashboard]
entryPoints = ["traefik"]
rule = "PathPrefix(`/dashboard`) || PathPrefix(`/api`)"
service = "api#internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
usersFile="shared/.htpasswd"
[tcp.services]
[tcp.services.mymiddleware]
[[tcp.services.mymiddleware.loadBalancer.servers]]
address = "192.168.92.14"
[tcp.service.owncloud]
[[tcp.services.owncloud.loadBalancer.servers]]
address = "192.168.92.10"
[certificatesResolvers.myresolver.acme]
email = "webmaster#domain.de"
storage = "acme.json"
[certificatesResolvers.myresolver.acme.httpChallenge]
entryPoint = "web"
I think the problem is with mixing http routers with tcp services. Traefik will search for http service named mymiddleware, but there is no such service defined. Vice versa, for your tcp services, there is no tcp router defined. I guess this could be simply fixed by changing your tcp.services to http.services.
But there was a nother problem, which is more important:
It's a "must" to seperate dynamic and static configuration.
So I ended up with:
docker-compose.yml
version: "3.3"
services:
traefik:
restart: always
image: "traefik:latest"
container_name: "traefik"
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- traefik_proxy
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- ./traefik/traefik.toml:/etc/traefik/traefik.toml
- ./shared:/shared
networks:
traefik_proxy:
external: true
traefik/traefik.toml
[global]
sendAnonymousUsage = false
[log]
level = "DEBUG"
[api]
dashboard = true
# insecure = true
[providers.file]
filename = "shared/config.toml"
[entryPoints]
[entryPoints.traefik]
address = ":8080"
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "myresolver"
[certificatesResolvers.myresolver.acme]
email = "webmaster#domain.de"
storage = "shared/acme.json"
[certificatesResolvers.myresolver.acme.httpChallenge]
entryPoint = "web"
shared/config.toml
[http]
[http.routers]
[http.routers.cudgelmiddleware]
entryPoints = ["websecure"]
rule = "Host(`cmw.domain.de`) || Host(`sync.domain.de`)"
certResolver = "myresolver"
service = "mymiddleware"
[http.routers.owncloud]
entryPoints = ["websecure"]
rule = "Host(`cloud.otherdomain.com`)"
certResolver = "myresolver"
service = "owncloud"
[http.routers.dashboard]
entryPoints = ["traefik"]
rule = "PathPrefix(`/dashboard`) || PathPrefix(`/api`)"
service = "api#internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
usersFile="shared/.htpasswd"
[http.services]
[http.services.mymiddleware]
[[http.services.mymiddleware.loadBalancer.servers]]
url = "http://192.168.92.14"
[http.service.owncloud]
[[http.services.owncloud.loadBalancer.servers]]
url = "http://192.168.92.10"
This probably a newbie question regarding traefik and the SSL configuration.
I'd like to use my own (self-signed, company, ...) certificates with traefik. I tried to follow the documentation, but I keep on getting the following message:
... level=debug msg="No default certificate, generating one"
My traefik.tomllooks like this:
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[log]
level = "DEBUG"
[api]
insecure = true
dashboard = true
[providers.docker]
exposedByDefault = false
[[tls]]
entryPoints = ["websecure"]
[[tls.certificate]]
certFile = "/certs/cert.crt"
keyFile = "/certs/cert.key"
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "/cert/cert.crt"
keyFile = "/cert/cert.key"
and my docker-compose.yml looks like this:
version: '3'
services:
reverse-proxy:
# The official v2 Traefik docker image
image: traefik:v2.2
ports:
# The HTTP port
- "80:80"
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock:ro
- $PWD/shared/traefik/etc/traefik.toml:/etc/traefik/traefik.toml
- $PWD/shared/traefik/ssl:/certs/
whoami:
# A container that exposes an API to show its IP address
image: containous/whoami
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.basic-auth-whoami.basicauth.users=***:***"
- "traefik.http.middlewares.strip-whoami.stripprefix.prefixes=/whoami"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.middlewares=basic-auth-whoami#docker,strip-whoami#docker"
- "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`) && Host(`<mydomain>`)"
- "traefik.http.services.whoami-poc-traefik.loadbalancer.server.port=80"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.redirs.entrypoints=web"
- "traefik.http.routers.redirs.middlewares=redirect-to-https"
- "traefik.http.routers.whoami.tls=true"
I am quite sure this is something trivial but I can't figure it out (both the toml syntax and traefik concepts being a too much to swallow at once).
I finally found out what was not working by following this blog
I had to:
Add file provider for dynamic configuration to my traefik.toml file:
[providers.file]
filename = "/tls-certs.toml"
Add a volume mapping to my docker-compose.yml file:
- $PWD/shared/traefik/etc/tls-certs.toml:/tls-certs.toml
Provide a tls-certs.toml file:
[[tls.certificates]] #first certificate
certFile = "/certs/cert.crt"
keyFile = "/certs/cert.key"
I am trying to serve a dockerized version of phantombot with traefik and let traefik handle the certificates for ssl.
Since phantombot uses a websocket, the websocket itself can only be accessed via wss when connecting externally but on the internal network it is listet as ws since phantombot runs in http mode.
I have tried to create an entrypoint at port 82 for wss which looks like this in the toml:
[entryPoints.panel]
adress = ":82"
[entryPoints.panel.tls]
[[entryPoints.panel.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
And the corresponding labels in the bot's docker-compose:
- traefik.panel.frontend.rule=Host:my.domain.com
- traefik.panel.frontend.entryPoints=panel
- traefik.panel.frontend.protocol=ws
- traefik.panel.port=82
Exposed ports on the container for the bot:
expose:
- 80
- 81
- 82
I have tried changing the protocols, making a catchall but nothing seems to work. Everytime I try to connect, I get an error-message in the browser stating that wss://my.domain.com:82/ is not answering and a HTTP(500): Broken Pipe in the bot's interface.
I am at my wits' end.
It would be nice if someone could help me :)
Edit: docker-compose of traefik
version: '3'
services:
traefik:
image: traefik:latest
container_name: traefik
ports:
- "80:80"
- "443:443"
- "8080:8080"
- "81:81"
- "82:82"
networks:
- web
volumes:
- ./traefik.toml:/etc/traefik/traefik.toml
- ./traefik.log:/etc/traefik/traefik.log
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/letsencrypt/live/my.domain.com/cert.pem:/cert.pem
- /etc/letsencrypt/live/my.domain.com/privkey.pem:/privkey.pem
labels:
- traefik.frontend.rule=Host:monitor.my.domain.com
- traefik.port=8080
- traefik.docker.network=web
- traefik.enable=true
- traefik.frontend.auth.basic.users=user:pass
networks:
web:
external: true
Traefik Toml:
# uncomment this line to get debug info with "docker logs":
#debug = true
defaultEntryPoints = ["https","http"]
[traefikLog]
filePath = "/etc/traefik/traefik.log"
format = "json"
# The syntax is somewhat esoteric so this is mostly copy-paste
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
[entryPoints.ytplayer]
adress = ":81"
[entryPoints.ytplayer.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
]
sniStrict = true
OSCPMustStaple = true
[[entryPoints.ytplayer.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
[entryPoints.panel]
adress = ":82"
[entryPoints.panel.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
]
sniStrict = true
OSCPMustStaple = true
[[entryPoints.panel.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "morellenoir.de"
watch = true
exposedbydefault = false
# enable web configuration backend.
[web]
# Web administration port, proxied in docker-compose.yml
address = ":8080"
#traefik configuration
defaultEntryPoints = ["https","http"]
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true