I have a problem with Traefik. All my services are OK: Traefik does its job, retrieves the certificates from Let's Encrypt, and load-balances between my different applications.
My problem is that I can't access the dashboard; it asks me for a login/password, yet I set one in the docker-compose.
version: "3.7"
services:
  traefik:
    image: traefik:chevrotin
    command:
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --providers.docker=true
      - --api=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http
      - --certificatesresolvers.letsencrypt.acme.email=mymail@mail.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      # Redirect all HTTP traffic to HTTPS
      - traefik.http.routers.to-https.rule=Host(`traefik.mydomain.com`)
      - traefik.http.routers.to-https.entrypoints=http
      - traefik.http.routers.to-https.middlewares=to-https
      # Dashboard router: must sit on the https entrypoint, the to-https router already owns this Host on http
      - traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)
      - traefik.http.routers.traefik.entrypoints=https
      - traefik.http.routers.traefik.middlewares=auth
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
      - traefik.http.middlewares.to-https.redirectscheme.scheme=https
      - traefik.http.middlewares.auth.basicauth.users=MyLogin:MyPassword
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /docker/letsencrypt:/letsencrypt
If you have an idea, thanks.
I found it: I had not encoded my password.
I used this website: https://www.web2generators.com/apache-tools/htpasswd-generator
to encode my password.
- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj"
Note: all dollar signs in the hash need to be doubled for escaping.
I have set up Traefik in Docker and use Let's Encrypt on the domain example.tld with some
services:
  traefik:
    image: "traefik:2.8.2"
    container_name: "traefik"
    hostname: "traefik"
    restart: always
    command:
      # Disables TLS certificate verification towards every backend, not just the VPN one
      - "--serverstransport.insecureskipverify=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email=mail@example.tld"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--providers.file.filename=/etc/traefik/rules.yml"
      - "--providers.file.watch=true"
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./volumes/traefik/log:/etc/traefik/log"
      - "./volumes/traefik/rules.yml:/etc/traefik/rules.yml"
      - "./volumes/traefik/letsencrypt/:/letsencrypt/"
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.tld`)"
This all works, but now I want to add an OpenConnect VPN on the same port.
So, in a file provider:
http:
  routers:
    router-vpn:
      entryPoints:
        - websecure
      rule: Host(`vpn.example.tld`)  # (same domain)
      service: service-vpn
      store: default
  services:
    service-vpn:
      loadBalancer:
        servers:
          - url: "https://ocserver:3334"
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/log/certs/cert.pem
        keyFile: /etc/traefik/log/certs/key.pem
  certificates:
    - certFile: /etc/traefik/log/certs/cert.pem
      keyFile: /etc/traefik/log/certs/key.pem
The cert is copied from the OpenConnect server. The problem is that the OCC (OpenConnect client) and the OCS (OpenConnect server) connect over HTTP CONNECT (the OCS receives the request) and use the publicly shown cert for encryption, but because Traefik shows the Let's Encrypt cert, the server can't decrypt the client's answer and so it fails.
So now my question is: how can I (on the same domain) force Traefik to use the cert file (no matter whether it is valid) for vpn.example.tld, and use the LE cert for the rest of the domains?
Traefik currently only supports SNI-based cert matching when the cert is valid, and even this implementation is unreliable. I suggest using TLS passthrough as per the documentation.
I have set my IP in the DuckDNS panel with the domain 'domainname.duckdns.org',
and I want to set up my Traefik web panel with a Let's Encrypt SSL certificate.
I installed Traefik with a Docker stack command:
version: "3.3"
services:
  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=MYEMAIL ADDRESS"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--pilot.token=MY PILOT TOKEN"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.port=8080"
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`domainname.duckdns.org`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
When I run this, I can still access the web panel on port 8080 with domainname.duckdns.org (not a subdomain). But when I access https://domainname.duckdns.org, it shows a 'Bad Gateway' error, although it does connect over SSL, and in my web panel it seems that the SSL certificate is already applied.
Is there any problem in my docker-compose file?
I would like to access a Keycloak server that is on the internet and not on my Docker network. I want to hide the domain of the Keycloak server behind my own domain, so if I go to http://localhost/auth/ the page from the Keycloak server should be displayed. I don't want a redirect to the actual Keycloak server.
I have tried the following configuration, but it does not work. When I go to http://localhost/auth I get a "404 page not found". I hope you can help me. Thank you very much for your help :)
docker-compose.yml
version: "3.7"
services:
  proxy:
    image: traefik:v2.2
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file=true"
      - "--providers.file.filename=/etc/traefik/rules.yml"
      - "--entrypoints.web.address=:80"
    ports:
      - 80:80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./rules.yml:/etc/traefik/rules.yml
  website:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.website.rule=Host(`localhost`)"
      - "traefik.http.routers.website.entrypoints=web"
rules.yml
http:
  routers:
    my-route:
      rule: "Host(`localhost`) && PathPrefix(`/auth`)"
      service: my-keycloak-server
  services:
    my-keycloak-server:
      loadBalancer:
        servers:
          - url: "https://keycloak.domain.com/auth"
Change:
- ./rules.yml:/etc/traefik/rules.yml
to:
- /etc/traefik/rules.yml:/etc/traefik/rules.yml
That should do it!
P.S.
Thanks for the question; really enjoyed learning about Traefik and Keycloak!
I'm trying to set up Traefik and Portainer but seem to be hitting some issues, I think mainly around Traefik and setting up new containers.
Everything looks correct to me, but I get an error when I point to my subdomain:
ERR_TOO_MANY_REDIRECTS
If I point to the IP address and port, the Portainer dashboard is displayed; it just seems that when pointing to my subdomain there is some recursive redirection, I'm assuming.
My docker-compose looks like this:
version: '3'
services:
  portainer:
    image: portainer/portainer:latest
    container_name: portainer-new
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    ports:
      - 8000:8000
      - 9000:9000
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(`MY_URL`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.rule=Host(`MY_URL`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=http"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
Any ideas?
Okay, so I figured out my issue.
The above is correct and valid. I use Cloudflare for proxy/DNS etc. I had added my subdomain to my DNS settings, but its Proxy Status was Proxied rather than DNS only. After setting DNS only, the above worked.
I'm trying to configure Traefik for something like this:
1) server.example.com --> traefik --> httpChallengeToLetsEncrypt
2) client --> traefik (TLS passthrough) --> server.example.com (with Let's Encrypt)
N.B.: Traefik receives its requests at the example.com level.
What is happening:
1) Works correctly only if Traefik does not manage Let's Encrypt certificates itself (otherwise it does not forward any request whose path prefix begins with ".well-known/acme-challenge" :-\ )
2) Does not work with a TCP router config like this:
tcp:
  routers:
    example:
      entryPoints:
        - web-secure
      rule: "HostSNI(`server.example.com`)"
      service: example
      tls:
        passthrough: true
  services:
    example:
      loadBalancer:
        servers:
          # TCP services take a host:port address, not an http(s) URL
          - address: "192.168.0.1:443"
How would you let one or more services manage their Let's Encrypt certificates themselves?
And is it possible to do this while Traefik also manages Let's Encrypt certificates, or is the problem mentioned in point 1 prohibitive?
Best regards,
jmc
Use tls.passthrough=true and a TCP router instead of an HTTP one.
Below is a fully working example where Apache is responsible for its own certificates;
Traefik never touches them.
version: "3"
services:
  traefik:
    image: traefik
    command:
      # Unauthenticated dashboard on :8080, acceptable for a local demo only
      - --api.insecure=true
      - --providers.docker=true
      # The routers below reference these two entrypoints, so they must be declared
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - traefik.http.routers.api.rule=Host(`traefik.docker.local`)
      - traefik.http.routers.api.service=api@internal
  whoami:
    image: containous/whoami
    labels:
      - traefik.http.routers.whoami.rule=Host(`whoami.docker.local`)
      - traefik.http.routers.whoami.service=whoami@docker
      - traefik.http.services.whoami.loadbalancer.server.port=80
  apache:
    build: php-apache
    depends_on: [traefik]
    env_file: ./php-apache/env
    volumes:
      - "./php-apache/cert/haproxy/:/etc/ssl/haproxy/"
      - "./php-apache/cert/private/:/etc/ssl/private/"
      - "./php-apache/cert/trusted/:/usr/local/share/ca-certificates/"
      - "./php-apache/conf/:/etc/apache2/conf-enabled/"
      - "./php-apache/log/:/var/log/apache2/"
      - "./php-apache/sites/available/:/etc/apache2/sites-available/"
      - "./php-apache/sites/enabled/:/etc/apache2/sites-enabled/"
      - "./php-apache/www/:/var/www/"
    labels:
      # Plain HTTP: low-priority catch-all router, so ACME http-01 requests reach Apache
      - "traefik.http.routers.apache.entrypoints=http"
      - "traefik.http.routers.apache.priority=1"
      - "traefik.http.routers.apache.rule=HostRegexp(`{catchall:.*}`)"
      - "traefik.http.routers.apache.service=apache@docker"
      - "traefik.http.services.apache.loadbalancer.server.port=80"
      # TLS: passthrough TCP router, Traefik forwards the raw stream and never sees the certificate
      - "traefik.tcp.routers.apache.entrypoints=https"
      - "traefik.tcp.routers.apache.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.apache.service=apache@docker"
      - "traefik.tcp.routers.apache.tls.passthrough=true"
      - "traefik.tcp.services.apache.loadbalancer.server.port=443"
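Both the OpenConnect answer above ("use TLS passthrough") and this Apache example rely on the same mechanism: a passthrough TCP router only peeks at the unencrypted ClientHello, reads the SNI, and forwards the untouched bytes, so the backend's certificate (self-signed ocserv, Apache's own Let's Encrypt cert) is never inspected, while hosts that match no passthrough rule are terminated by Traefik with its own certificate. The following is an added example, not code from either post or from Traefik: it builds a ClientHello in memory (a constructed sample, no network), extracts the SNI the way a `HostSNI(...)` rule must, and makes the routing decision. The routing table, the backend addresses (`ocserver:3334` from the OpenConnect question, `192.168.0.1:443` from the last question) and the function names are this example's own assumptions.

```python
"""Peek at a TLS ClientHello and route it the way a passthrough TCP router does.

Added example, not code from the original posts or from Traefik. The ClientHello
is constructed in memory; PASSTHROUGH_ROUTES is a hypothetical table modelled on
the two questions above.
"""
import struct
from typing import Dict, Optional, Tuple

# Constructed routing table: SNI -> backend address (hypothetical, mirrors the posts).
PASSTHROUGH_ROUTES: Dict[str, str] = {
    "vpn.example.tld": "ocserver:3334",       # OpenConnect question
    "server.example.com": "192.168.0.1:443",  # ACME-self-managed question
}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying an SNI extension."""
    body = b"\x03\x03" + b"\x11" * 32                # client_version, 32-byte random (fixed here)
    body += b"\x00"                                   # empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                               # compression methods: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni          # extension_type server_name(0)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body          # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record: handshake, legacy version


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name of a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                        # session id
        cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2 + cs_len                             # cipher suites
        pos += 1 + record[pos]                        # compression methods
        if pos >= len(record):                        # no extensions block at all
            return None
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                list_len = struct.unpack("!H", record[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= pos + 2 + list_len:
                    ntype = record[p]
                    nlen = struct.unpack("!H", record[p + 1:p + 3])[0]
                    if ntype == 0:
                        return record[p + 3:p + 3 + nlen].decode("ascii").lower()
                    p += 3 + nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(record: bytes, table: Dict[str, str] = PASSTHROUGH_ROUTES) -> Tuple[str, Optional[str]]:
    """Decide like a TCP router: ('passthrough', backend) or ('terminate', None).

    '*' in the table plays the role of HostSNI(`*`), which also catches clients that send no SNI.
    Only the ClientHello is read; the backend's certificate is never seen, so its validity is irrelevant.
    """
    sni = extract_sni(record)
    backend = table.get(sni) if sni is not None else None
    if backend is None:
        backend = table.get("*")
    if backend is not None:
        return "passthrough", backend
    return "terminate", None   # HTTP routers and the ACME-managed certificate take over


if __name__ == "__main__":
    for host in ("vpn.example.tld", "whoami.example.tld", None):
        print(host, "->", route(build_client_hello(host)))
```

The one thing a passthrough router cannot do is see inside the stream, so the Host-based HTTP routers, middlewares (basicauth, redirects) and ACME challenge handling do not apply to passthrough traffic; that is why the Apache example keeps a separate plain-HTTP router for the http-01 challenge path.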