traefik runs but doesn't use the toml file - reverse-proxy

I set up a traefik reverse proxy in a docker environment.
The goal is to redirect traffic to different servers (not containers) based on URL/Host.
After fiddling around, I got traefik to work. I can now see the backend.
But if I try to access a server, I get "404 page not found" from traefik.
Also the tcp.routers and tcp.services don't show up in traefik-backend.
Are there limitations when mixing docker-compose and traefik.toml as configuration? If I start traefik, it says that it uses traefik.toml.
Another problem is that user authentication for traefik-backend isn't used: there is no prompt for a username/password.
Or does traefik ignore the whole configuration because it can't get certificates (it's just dev and not in production right now)?
docker-compose.yml:
version: "3.3"
services:
  traefik:
    restart: always
    image: "traefik:latest"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - traefik_proxy
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./17/traefik.toml:/etc/traefik/traefik.toml
      - ./shared:/shared
    command:
      - "--api=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik_proxy"
networks:
  traefik_proxy:
    external: true
traefik.toml:
[global]
sendAnonymousUsage = false
[log]
level = "DEBUG"
[api]
dashboard = true
insecure = true
[entryPoints]
[entryPoints.traefik]
address = ":8080"
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "myresolver"
[http]
[http.routers]
[http.routers.mymiddleware]
entryPoints = ["websecure"]
rule = "Host(`cmw.domain.de`) || Host(`sync.domain.de`)"
certResolver = "myresolver"
service = "mymiddleware"
[http.routers.owncloud]
entryPoints = ["websecure"]
rule = "Host(`cloud.domain.de`)"
certResolver = "myresolver"
service = "owncloud"
[http.routers.dashboard]
entryPoints = ["traefik"]
rule = "PathPrefix(`/dashboard`) || PathPrefix(`/api`)"
service = "api@internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
usersFile="shared/.htpasswd"
[tcp.services]
[tcp.services.mymiddleware]
[[tcp.services.mymiddleware.loadBalancer.servers]]
address = "192.168.92.14"
[tcp.service.owncloud]
[[tcp.services.owncloud.loadBalancer.servers]]
address = "192.168.92.10"
[certificatesResolvers.myresolver.acme]
email = "webmaster@domain.de"
storage = "acme.json"
[certificatesResolvers.myresolver.acme.httpChallenge]
entryPoint = "web"

I think the problem is with mixing http routers with tcp services. Traefik will search for http service named mymiddleware, but there is no such service defined. Vice versa, for your tcp services, there is no tcp router defined. I guess this could be simply fixed by changing your tcp.services to http.services.

But there was another problem, which is more important:
It's a "must" to separate dynamic and static configuration.
So I ended up with:
docker-compose.yml
version: "3.3"
services:
  traefik:
    restart: always
    image: "traefik:latest"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - traefik_proxy
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./traefik/traefik.toml:/etc/traefik/traefik.toml
      - ./shared:/shared
networks:
  traefik_proxy:
    external: true
traefik/traefik.toml
[global]
sendAnonymousUsage = false
[log]
level = "DEBUG"
[api]
dashboard = true
# insecure = true
[providers.file]
filename = "shared/config.toml"
[entryPoints]
[entryPoints.traefik]
address = ":8080"
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "myresolver"
[certificatesResolvers.myresolver.acme]
email = "webmaster@domain.de"
storage = "shared/acme.json"
[certificatesResolvers.myresolver.acme.httpChallenge]
entryPoint = "web"
shared/config.toml
[http]
[http.routers]
[http.routers.cudgelmiddleware]
entryPoints = ["websecure"]
rule = "Host(`cmw.domain.de`) || Host(`sync.domain.de`)"
certResolver = "myresolver"
service = "mymiddleware"
[http.routers.owncloud]
entryPoints = ["websecure"]
rule = "Host(`cloud.otherdomain.com`)"
certResolver = "myresolver"
service = "owncloud"
[http.routers.dashboard]
entryPoints = ["traefik"]
rule = "PathPrefix(`/dashboard`) || PathPrefix(`/api`)"
service = "api@internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
usersFile="shared/.htpasswd"
[http.services]
[http.services.mymiddleware]
[[http.services.mymiddleware.loadBalancer.servers]]
url = "http://192.168.92.14"
[http.services.owncloud]
[[http.services.owncloud.loadBalancer.servers]]
url = "http://192.168.92.10"
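A small cross-reference checker for a Traefik v2 file-provider config, added here as an example (it is not part of the question or the answer): it flags http routers whose service exists only under tcp.services, middlewares no router can resolve, and static-only tables such as [entryPoints] that belong in traefik.toml rather than the dynamic file. The SAMPLE config and the parse_tables/check_dynamic_config helpers are constructed for this example; provider-qualified names like api@internal are accepted as-is because another provider owns them.

```python
import re

# Constructed sample (not the question's file): an http router pointing at a
# tcp.services entry, plus a static-only [entryPoints] table in the dynamic file.
SAMPLE = """
[entryPoints.web]
address = ":80"
[http.routers.mymiddleware]
service = "mymiddleware"
middlewares = ["auth", "ratelimit"]
[http.middlewares.auth.basicAuth]
usersFile = "/shared/.htpasswd"
[[tcp.services.mymiddleware.loadBalancer.servers]]
address = "192.168.92.14"
"""
# Top-level tables that belong to static configuration (traefik.toml) only.
STATIC_ROOTS = {"global", "log", "api", "entryPoints", "providers", "certificatesResolvers"}
HEADER = re.compile(r"^\[\[?([^\]]+?)\]\]?$")
KEYVAL = re.compile(r"^(\w+)\s*=\s*(.+)$")

def parse_tables(text):
    """Tiny TOML-subset reader: {table path: {key: [quoted strings]}}."""
    tables, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := HEADER.match(line):
            current = m.group(1).strip()
            tables.setdefault(current, {})
        elif (m := KEYVAL.match(line)) and current is not None:
            tables[current][m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
    return tables

def check_dynamic_config(text):
    """List dangling router references and misplaced static tables."""
    tables = parse_tables(text)
    def names(proto, kind):  # names defined under <proto>.<kind>.<name>
        return {t.split(".")[2] for t in tables if t.startswith(f"{proto}.{kind}.")}
    problems = []
    for table, kv in tables.items():
        parts = table.split(".")
        if parts[0] in STATIC_ROOTS:
            problems.append(f"[{table}] is static configuration; move it to traefik.toml")
        if len(parts) == 3 and parts[1] == "routers":
            proto, router = parts[0], parts[2]
            for svc in kv.get("service", []):
                if "@" in svc or svc in names(proto, "services"):
                    continue  # provider-qualified (api@internal) or defined here
                other = "tcp" if proto == "http" else "http"
                tag = f"only a {other} service" if svc in names(other, "services") else "undefined"
                problems.append(f"{proto} router '{router}': service '{svc}' is {tag}")
            for mw in kv.get("middlewares", []):
                if "@" not in mw and mw not in names(proto, "middlewares"):
                    problems.append(f"{proto} router '{router}': middleware '{mw}' is undefined")
    return problems
```

Running check_dynamic_config(SAMPLE) reports three problems; after moving [entryPoints.web] out and renaming tcp.services to http.services with a url, the list is empty.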

How to configure forward auth in Traefik 2?

I'm migrating an old API to Traefik 2 and I can't get forward auth to work. The configuration below is pretty much the equivalent of what we had with Traefik 1.7, but I keep getting "404 page not found" for everything unless I comment out the entry point middleware as well as the auth labels. The Traefik documentation doesn't seem to explain this in any more detail besides adding the middleware itself and some configuration options.
As I understand it this should do forward auth for the web and websecure entry points to the auth entry point and I assigned the /auth path on the auth entry point to our API container.
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
middlewares = ["auth"]
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http]
middlewares = ["auth"]
[entryPoints.websecure.http.tls]
[entryPoints.auth]
address = ":7000"
[http.middlewares]
[http.middlewares.auth.forwardAuth]
address = "http://127.0.0.1:7000/auth"
version: '3.8'
services:
  proxy:
    image: traefik:2.8
    volumes:
    ports:
      - 80:80
      - 443:443
      - 7000:7000
  api:
    image: api
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.api.entrypoints=websecure
        - traefik.http.routers.api.rule=Host(`api.example.org`)
        - traefik.http.services.api.loadbalancer.server.port=8000
        - traefik.http.routers.auth.entrypoints=auth
        - traefik.http.routers.auth.rule=PathPrefix(`/auth`)
        - traefik.http.services.auth.loadbalancer.server.port=8000
I figured out my configuration had 2 issues.
Middleware must be defined using the dynamic configuration (note the change to auth@file):
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
middlewares = ["auth@file"]
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http]
middlewares = ["auth@file"]
[entryPoints.websecure.http.tls]
[entryPoints.auth]
address = ":7000"
[providers.file]
filename = "/etc/traefik/dynamic.toml"
[http.middlewares]
[http.middlewares.auth.forwardAuth]
address = "http://127.0.0.1:7000/auth"
Multiple router definitions require explicit service targets:
version: '3.8'
services:
  api:
    image: api
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.api.entrypoints=websecure
        - traefik.http.routers.api.rule=Host(`api.example.org`)
        - traefik.http.routers.api.service=api # Required
        - traefik.http.services.api.loadbalancer.server.port=8000
        - traefik.http.routers.auth.entrypoints=auth
        - traefik.http.routers.auth.rule=PathPrefix(`/auth`)
        - traefik.http.routers.auth.service=auth # Required
        - traefik.http.services.auth.loadbalancer.server.port=8000

Traefik ACME with Let's Encrypt and Porkbun

I'm trying to get a traefik docker instance running on my Raspberry Pi 4 8GB. I have everything set up, but I can't get the Let's Encrypt certificate working. (My name registrar is Porkbun.)
Here's my docker-compose :
version: '3.4'
services:
  traefik:
    image: 'traefik:2.3'
    restart: 'unless-stopped'
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - '/var/run/docker/sock:/var/run/docker.sock'
      - './config_files/traefik.toml:/traefik.toml'
      - './config_files/traefik_dynamic.toml:/traefik_dynamic.toml'
      - './config_files/acme.json:/acme.json'
    networks:
      - pi
  whoami:
    image: 'traefik/whoami'
    restart: 'unless-stopped'
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.whoami.rule=PathPrefix(`/whoami{regex:$$|/.*}`)'
      - 'traefik.http.services.whoami.loadbalancer.server.port=80'
networks:
  pi:
    external: true
And here's my traefik.toml :
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "lets-encrypt"
[api]
dashboard = true
[certificatesResolvers.lets-encrypt.acme]
email = "lucien.astie@gmail.com"
storage = "acme.json"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
[providers.docker]
watch = true
network = "web"
exposedByDefault = false
[providers.file]
filename = "traefik_dynamic.toml"
Lastly my traefik_dynamic.toml :
[http.middlewares.simpleAuth.basicAuth]
users = [
"uberfluff:$apr1$qAWpnRq5$W94tcAy9JCKE6TN.Zy/Kp1"
]
[http.routers.api]
rule = "Host(`lulusworld.art`)"
entrypoints = ["web"]
middlewares = ["simpleAuth"]
service = "api@internal"
[http.routers.api.tls]
certResolver = "lets-encrypt"
But with all of this I get this error :
Unable to obtain ACME certificate for domains "lulusworld.art": unable to generate a certificate for the domains [lulusworld.art]: error: one or more domains had a problem:\n[lulusworld.art] acme: error: 400 :: urn:ietf:params:acme:error:dns :: no valid A records found for lulusworld.art; no valid AAAA records found for lulusworld.art, url: \n" routerName=api@file rule="Host(lulusworld.art)" providerName=lets-encrypt.acme
Here's what I did to try to fix this :
I made an A record (the record is working but not the SSL).
According to the docs, for a wildcard certificate you need the DNS challenge, but I can't get Porkbun working with the DNS challenge.
If you have any idea how I could solve my problem it would be greatly appreciated.

Cannot start the provider *file.Provider: field not found, node: entrypoint in Traefik configuration

I want to redirect the request to a non-dockerized webapp running in another host using traefik.
I am starting traefik with docker-compose with the following yml :
version: "3.3"
services:
  reverse-proxy:
    image: traefik:v2.4
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.file=true"
      - "--providers.file.filename=/etc/traefik/rules.toml"
    ports:
      - "80:80"
      - "8050:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "./rules.toml:/etc/traefik/rules.toml"
    labels:
      - traefik.enable=false
And my rules.toml file is :
[entrypoints]
[entrypoints.http]
address = ":8080"
[providers]
[providers.file]
[http]
[http.routers]
[http.routers.auth-router]
rule = "Path(`/auth`)"
service = "auth"
entrypoint=["http"]
[http.services]
[http.services.auth.loadbalancer]
[[http.services.auth.loadbalancer.servers]]
url = "http://myhost.com:8080/auth"
Whenever a user opens http://localhost:8080/auth, traefik should redirect them to http://myhost.com:8080/auth; that is my requirement. But I'm getting the following error during traefik startup:
Cannot start the provider *file.Provider: field not found, node: entrypoint"
How can I resolve this issue?
The error makes it seem like it's a file provider issue, but I think it's just a typo on your part: it should be entryPoints (uppercase P) in your rules.toml file.
[entryPoints]
[entryPoints.http]
address = ":8080"
[providers]
[providers.file]
[http]
[http.routers]
[http.routers.auth-router]
rule = "Path(`/auth`)"
service = "auth"
entryPoints = ["http"]
[http.services]
[http.services.auth.loadbalancer]
[[http.services.auth.loadbalancer.servers]]
url = "http://myhost.com:8080/auth"

"No default certificate, generating one" when a default certificate is provided

This is probably a newbie question regarding traefik and the SSL configuration.
I'd like to use my own (self-signed, company, ...) certificates with traefik. I tried to follow the documentation, but I keep on getting the following message:
... level=debug msg="No default certificate, generating one"
My traefik.toml looks like this:
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[log]
level = "DEBUG"
[api]
insecure = true
dashboard = true
[providers.docker]
exposedByDefault = false
[[tls]]
entryPoints = ["websecure"]
[[tls.certificate]]
certFile = "/certs/cert.crt"
keyFile = "/certs/cert.key"
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "/cert/cert.crt"
keyFile = "/cert/cert.key"
and my docker-compose.yml looks like this:
version: '3'
services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.2
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $PWD/shared/traefik/etc/traefik.toml:/etc/traefik/traefik.toml
      - $PWD/shared/traefik/ssl:/certs/
  whoami:
    # A container that exposes an API to show its IP address
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.basic-auth-whoami.basicauth.users=***:***"
      - "traefik.http.middlewares.strip-whoami.stripprefix.prefixes=/whoami"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.middlewares=basic-auth-whoami@docker,strip-whoami@docker"
      - "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`) && Host(`<mydomain>`)"
      - "traefik.http.services.whoami-poc-traefik.loadbalancer.server.port=80"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
      - "traefik.http.routers.whoami.tls=true"
I am quite sure this is something trivial but I can't figure it out (both the toml syntax and traefik concepts being too much to swallow at once).
I finally found out what was not working by following this blog
I had to:
Add file provider for dynamic configuration to my traefik.toml file:
[providers.file]
filename = "/tls-certs.toml"
Add a volume mapping to my docker-compose.yml file:
- $PWD/shared/traefik/etc/tls-certs.toml:/tls-certs.toml
Provide a tls-certs.toml file:
[[tls.certificates]] #first certificate
certFile = "/certs/cert.crt"
keyFile = "/certs/cert.key"

WSS to WS in traefik fails with phantombot image

I am trying to serve a dockerized version of phantombot with traefik and let traefik handle the certificates for ssl.
Since phantombot uses a websocket, the websocket itself can only be accessed via wss when connecting externally, but on the internal network it is listed as ws since phantombot runs in http mode.
I have tried to create an entrypoint at port 82 for wss which looks like this in the toml:
[entryPoints.panel]
adress = ":82"
[entryPoints.panel.tls]
[[entryPoints.panel.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
And the corresponding labels in the bot's docker-compose:
- traefik.panel.frontend.rule=Host:my.domain.com
- traefik.panel.frontend.entryPoints=panel
- traefik.panel.frontend.protocol=ws
- traefik.panel.port=82
Exposed ports on the container for the bot:
expose:
  - 80
  - 81
  - 82
I have tried changing the protocols, making a catchall, but nothing seems to work. Every time I try to connect, I get an error message in the browser stating that wss://my.domain.com:82/ is not answering and an HTTP(500): Broken Pipe in the bot's interface.
I am at my wits' end.
It would be nice if someone could help me :)
Edit: docker-compose of traefik
version: '3'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
      - "81:81"
      - "82:82"
    networks:
      - web
    volumes:
      - ./traefik.toml:/etc/traefik/traefik.toml
      - ./traefik.log:/etc/traefik/traefik.log
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/my.domain.com/cert.pem:/cert.pem
      - /etc/letsencrypt/live/my.domain.com/privkey.pem:/privkey.pem
    labels:
      - traefik.frontend.rule=Host:monitor.my.domain.com
      - traefik.port=8080
      - traefik.docker.network=web
      - traefik.enable=true
      - traefik.frontend.auth.basic.users=user:pass
networks:
  web:
    external: true
Traefik Toml:
# uncomment this line to get debug info with "docker logs":
#debug = true
defaultEntryPoints = ["https","http"]
[traefikLog]
filePath = "/etc/traefik/traefik.log"
format = "json"
# The syntax is somewhat esoteric so this is mostly copy-paste
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
[entryPoints.ytplayer]
adress = ":81"
[entryPoints.ytplayer.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
]
sniStrict = true
OSCPMustStaple = true
[[entryPoints.ytplayer.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
[entryPoints.panel]
adress = ":82"
[entryPoints.panel.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
]
sniStrict = true
OSCPMustStaple = true
[[entryPoints.panel.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "morellenoir.de"
watch = true
exposedbydefault = false
# enable web configuration backend.
[web]
# Web administration port, proxied in docker-compose.yml
address = ":8080"
#traefik configuration
defaultEntryPoints = ["https","http"]
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true