Cannot redirect Traefik dashboard to https and set up password - traefik

I want the Traefik dashboard to be reachable only over HTTPS and to require authentication, and I want Traefik to redirect plain-HTTP requests to the dashboard to HTTPS automatically.
I tried to configure this myself by adding an HTTP-to-HTTPS redirect on the dashboard entrypoint and htpasswd (basic) authentication, but it doesn't work.
# Traefik v1 static configuration as posted in the question, with the
# defects marked. The intent is: dashboard on :8080 redirecting to a TLS
# listener with basic auth, applications on :80/:443.

# debug = true also mounts /debug/vars and /debug/pprof on the API
# entrypoint and forces DEBUG logging; acceptable while troubleshooting only.
debug = true
logLevel = "DEBUG"
# Frontends without an explicit entryPoints list are attached to ALL of
# these. Naming the dashboard entrypoints here also publishes frontend1 and
# frontend2 (example.com, duplicati.example.com) on :8080, which the
# question does not intend.
defaultEntryPoints = ["http", "https", "traefik", "traefik-https"]
[entryPoints]
# Plain-HTTP dashboard listener; everything arriving here is redirected.
[entryPoints.traefik]
address = ":8080"
compress = true
[entryPoints.traefik.redirect]
# Target of the redirect. No listener with an address is ever defined for
# it below, so the redirect has nowhere to land.
entryPoint = "traefik-https"
# BUG: traefik-https is only ever introduced through sub-tables. There is no
# [entryPoints.traefik-https] carrying an `address`, so no dedicated TLS
# listener is started for it; the posted fix adds `[entryPoints.traefik-https]`
# with `address = ":58443"`. The "Client sent an HTTP request to an HTTPS
# server" text is what Go's net/http server returns when a plaintext request
# reaches a TLS listener - a symptom of the ports not being wired as assumed.
[entryPoints.traefik-https.tls]
[entryPoints.traefik-https.auth]
[entryPoints.traefik-https.auth.basic]
# htpasswd entry using $apr1$ (MD5-crypt). It is public now - regenerate it
# (bcrypt via `htpasswd -nB <user>`) before reusing any part of this file.
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
]
# BUG: in TOML every key up to the next header belongs to the header last
# opened, i.e. entryPoints.traefik-https.auth.basic. The settings below were
# meant for [entryPoints.traefik-https.tls]; here they are unknown keys of
# the basic-auth section (ignored or rejected, depending on the decoder), so
# sniStrict/minVersion/cipherSuites never reach the TLS listener. Compare
# the correctly placed copy under [entryPoints.https.tls] further down.
sniStrict = true
minVersion = "VersionTLS12"
# The three TLS_AES_*/TLS_CHACHA20_* names are TLS 1.3 suites, which Go's
# crypto/tls does not let applications select; if accepted they are inert.
# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 is listed twice.
cipherSuites = [
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Same Let's Encrypt certificate used both as fallback and as the
# SNI-matched entry.
[entryPoints.traefik-https.tls.defaultCertificate]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[[entryPoints.traefik-https.tls.certificates]]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
# Application listeners: :80 redirects to :443.
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
compress = true
# Here the TLS settings sit under the right header. sniStrict refuses
# handshakes without SNI or whose SNI matches no configured certificate, so
# the certificate's SANs must cover duplicati.example.com and the www.*
# names used in the frontend rules below.
[entryPoints.https.tls]
sniStrict = true
minVersion = "VersionTLS12"
# Same list as above, including the inert TLS 1.3 names and the duplicate.
cipherSuites = [
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
[entryPoints.https.tls.defaultCertificate]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[[entryPoints.https.tls.certificates]]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
# BUG: the dashboard is attached to the plain-HTTP "traefik" entrypoint,
# whose redirect sends every request (dashboard and API included) to the
# missing TLS listener. The posted fix attaches it to "traefik-https".
# api.debug additionally exposes Go profiling endpoints under /debug/.
[api]
entryPoint = "traefik"
dashboard = true
debug = true
# Enables the file provider; with no filename set it reads the [frontends]
# and [backends] tables of this same file.
[file]
[frontends]
[frontends.frontend1]
backend = "backend1"
[frontends.frontend1.routes.test_1]
rule = "Host: example.com,www.example.com"
[frontends.frontend2]
backend = "backend2"
[frontends.frontend2.routes.test_1]
rule = "Host: duplicati.example.com,www.duplicati.example.com"
# Unnecessary and self-referential: backend3 points at 127.0.0.1:8080, which
# is Traefik's own "traefik" listener, so this frontend proxies Traefik to
# itself. [api] already mounts the dashboard on its entrypoint; the posted
# fix drops this frontend/backend pair.
[frontends.frontend3]
entryPoints = ["traefik"]
backend = "backend3"
[frontends.frontend3.routes.test_1]
rule = "Host: traefik.example.com"
[backends]
# Plain-HTTP backends on loopback: the hop from Traefik is unencrypted but
# never leaves the host.
[backends.backend1]
[backends.backend1.servers.server1]
url = "http://127.0.0.1:56000"
weight = 1
[backends.backend2]
[backends.backend2.servers.server1]
url = "http://127.0.0.1:57000"
weight = 1
[backends.backend3]
[backends.backend3.servers.server1]
url = "http://127.0.0.1:8080"
weight = 1
I expected http://example.com:8080 to be redirected automatically to https://example.com:8080. Instead, when I open https://example.com:8080 I get the error "Client sent an HTTP request to an HTTPS server" (the response Go's net/http server sends when a plaintext request reaches a TLS listener).
What am I doing wrong?

I eventually fixed it by starting from scratch with the Traefik docs and testing iteratively. Comparing the two files, the decisive differences are: (1) `traefik-https` is now a real entrypoint with its own `address` (`:58443`), so the redirect has a TLS listener to land on, whereas the original only ever mentioned it in `[entryPoints.traefik-https.tls]` without an address; (2) `sniStrict`, `minVersion` and `cipherSuites` now sit under `[entryPoints.traefik-https.tls]` instead of after the `[...auth.basic]` header, where TOML had made them basic-auth keys; (3) the dashboard (`[api]`) is attached to `traefik-https` rather than the plain-HTTP `traefik` entrypoint; and (4) the self-referencing `frontend3`/`backend3` pair, which proxied to Traefik's own :8080, is gone.
Here is the configuration for future reference (the `users` hashes in it are now public — generate your own before reusing this):
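# Traefik v1 static configuration: applications on :80/:443, dashboard on
# :58443 behind basic auth. Each plain-HTTP listener only redirects to its
# TLS counterpart. Frontends/backends are read from this same file by the
# file provider enabled at the end.

# debug = true would also mount Go's expvar/pprof handlers (/debug/vars,
# /debug/pprof) on the API entrypoint and force DEBUG logging. Turn both
# back on only while troubleshooting.
debug = false
logLevel = "INFO"

# Frontends without their own entryPoints list are attached to every
# entrypoint named here. Only the application listeners belong in it: the
# dashboard listeners are left out so example.com/duplicati.example.com are
# not also served on :58080/:58443. (The original list also named "traefik",
# an entrypoint this file never defined.)
defaultEntryPoints = ["http", "https"]

[entryPoints]

# Plain-HTTP dashboard listener; it exists only to redirect to traefik-https.
[entryPoints.traefik]
address = ":58080"
compress = true
[entryPoints.traefik.redirect]
entryPoint = "traefik-https"

# TLS dashboard listener. [api] below attaches the dashboard here, and the
# basic auth on this entrypoint covers the dashboard and the API alike.
[entryPoints.traefik-https]
address = ":58443"
compress = true
[entryPoints.traefik-https.tls]
# Refuse handshakes without SNI or whose SNI matches no configured
# certificate; the certificate's SANs must therefore cover every host name
# expected on this listener.
sniStrict = true
minVersion = "VersionTLS12"
# AEAD ECDHE suites only. Go's crypto/tls does not let an application choose
# TLS 1.3 suites, so the TLS_AES_*/TLS_CHACHA20_* names in the original list
# were accepted but inert; they are dropped here, as is the duplicated
# ECDSA/AES-256 entry.
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Same Let's Encrypt certificate as fallback and as SNI-matched entry. The
# Traefik process needs read access to these files (certbot's privkey.pem is
# usually root-only).
[entryPoints.traefik-https.tls.defaultCertificate]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[[entryPoints.traefik-https.tls.certificates]]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[entryPoints.traefik-https.auth]
[entryPoints.traefik-https.auth.basic]
# htpasswd entries. Both hashes below were published with this answer, so
# treat them as burned: generate fresh ones before reusing this file,
# preferably bcrypt (`htpasswd -nB <user>`) rather than $apr1$ MD5-crypt.
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]

# Application listeners: :80 only redirects to :443.
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
entryPoint = "https"

[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
# sniStrict also applies to duplicati.example.com and the www.* names used
# in the frontend rules below: they must be SANs of the certificate, or
# those handshakes are refused.
sniStrict = true
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
[entryPoints.https.tls.defaultCertificate]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"
[[entryPoints.https.tls.certificates]]
certFile = "/etc/letsencrypt/live/example.com/fullchain.pem"
keyFile = "/etc/letsencrypt/live/example.com/privkey.pem"

[api]
# Dashboard and API only on the authenticated TLS listener.
entryPoint = "traefik-https"
dashboard = true
# api.debug adds the /debug/... profiling endpoints; keep it off.
debug = false

# Enables the file provider; with no filename set it reads the [frontends]
# and [backends] tables of this same file.
[file]

[frontends]
[frontends.frontend1]
backend = "backend1"
[frontends.frontend1.routes.test_1]
rule = "Host: example.com,www.example.com"
[frontends.frontend2]
backend = "backend2"
[frontends.frontend2.routes.test_1]
rule = "Host: duplicati.example.com,www.duplicati.example.com"
# No frontend is needed for the dashboard host: [api] mounts the dashboard
# on its entrypoint directly. The original frontend3/backend3 pair, which
# proxied traefik.example.com to Traefik's own listener, is removed.

[backends]
# Plain-HTTP backends on loopback: the hop from Traefik is unencrypted but
# never leaves the host.
[backends.backend1]
[backends.backend1.servers.server1]
url = "http://127.0.0.1:56000"
weight = 1
[backends.backend2]
[backends.backend2.servers.server1]
url = "http://127.0.0.1:57000"
weight = 1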
Traefik (v1) docs I referred to:
https://docs.traefik.io/configuration/backends/web/
https://docs.traefik.io/configuration/entrypoints/

Related

Traefik 2.0 redirect

I would like to create a traefik v2 config file which redirects http://localhost:80 traffic to http://otherhost.example.com:8080.
# Sketch from the question, not valid TOML as written: the `???` marks the
# key the asker was looking for. `defaultEntryPoints` is a Traefik v1 key
# with no counterpart in v2.
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.dashboard]
address = ":80"
# There is no such table in Traefik v2.0: a redirect there is a
# redirectScheme/redirectRegex middleware attached to a router in the
# dynamic configuration (check the docs of your 2.x release for
# entrypoint-level redirections added later).
[entryPoints.dashboard.redirect???]
scheme = "http"
port = "8080"
No Docker involved.
Thanks,
Lorand.
This worked for me (note that it proxies rather than redirects: the browser stays on http://localhost while Traefik fetches from the upstream and relays the response):
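## Static configuration (Traefik v2)
# `defaultEntryPoints` was a Traefik v1 key: v2 does not define it and its
# static-configuration parser reports unknown fields as errors, so it is not
# included here. In v2 a router is attached to every entrypoint unless it
# sets `entryPoints` itself.
[entryPoints]
[entryPoints.web]
address = ":80"

[providers]
[providers.file]
# Relative to Traefik's working directory; prefer an absolute path when
# running as a service.
filename = "dynamic_conf.toml"
# Re-read the dynamic file on change, no restart needed.
watch = true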
And dynamic_conf.toml:
## Dynamic configuration
## Dynamic configuration
# NOTE(review): this is a reverse proxy, not an HTTP redirect. Requests for
# Host `localhost` are forwarded upstream to http://example.com and the
# response is relayed back; the client's address bar never changes. An
# actual 3xx redirect in v2 is a redirectScheme/redirectRegex middleware on
# the router instead of a service.
[http.routers]
[http.routers.Router-1]
# No entryPoints list, so this router is attached to every entrypoint.
rule = "Host(`localhost`)"
service = "my-service"
[http.services]
[http.services.my-service.loadBalancer]
# Send the upstream's own host name rather than the client's "localhost"
# Host header - needed when the upstream serves name-based virtual hosts.
passHostHeader = false
[[http.services.my-service.loadBalancer.servers]]
# Plain-HTTP upstream: the hop to example.com is unencrypted.
url = "http://example.com"
It had to be requested with a full URL, e.g. http://localhost/index.html.

How to implement Traefik non-docker multiple domain forwarding

I'd like to use Traefik to forward traffic for a domain, including sub-paths, to Docker containers on different hosts, and to serve multiple separate domains.
I'm unable to find instructions or a guide to do that exactly. Can anyone give me pointers please?
This is what I have so far.
### traefik.toml
### traefik.toml
# Traefik v1: TLS on :443 with wildcard Let's Encrypt certificates via the
# Cloudflare DNS challenge, :80 redirecting to :443, dashboard on :8080,
# plus the docker provider and two file-provider frontends.
defaultEntryPoints = ["https","http"]
# NOTE(review): the "traefik" entrypoint has no tls table, so the dashboard
# and its basic-auth credentials travel in clear text on :8080. Put it
# behind a TLS entrypoint (as in the first answer on this page) or bind it
# to loopback / firewall it.
[api]
entryPoint = "traefik"
dashboard = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
# The last three suites are CBC (non-AEAD); drop them unless a legacy
# client actually needs them.
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
]
[entryPoints.traefik]
address = ":8080"
[entryPoints.traefik.auth.basic]
# Placeholder value. `{SHA}` is unsalted SHA-1 (htpasswd -s); prefer bcrypt
# (`htpasswd -nB <user>`), which Traefik v1 also accepts.
users = ["admin:{SHA}123="]
[acme]
# Placeholder; "#" stands in for "@".
email = "123#123.com"
# Holds the ACME account key and issued private keys: keep it mode 0600,
# owned by the user Traefik runs as.
storage = "/etc/traefik/acme/acme.json"
# Certificates come only from the explicit [[acme.domains]] entries below,
# not from frontend Host rules.
onHostRule = false
acmeLogging = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
entryPoint = "https"
[acme.dnsChallenge]
# Cloudflare API credentials are read from the environment by the DNS
# provider; keep them out of this file.
provider = "cloudflare"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.123.it"
[[acme.domains]]
main = "*.123.co.uk"
[docker]
# Access to the Docker socket is root-equivalent on the host; the Traefik
# process should be the only thing that gets it.
endpoint = "unix:///var/run/docker.sock"
# Template placeholder: TOML has no interpolation, so this must be rendered
# before Traefik reads the file.
domain = "{{ DOMAIN }}"
watch = true
# Containers are only routed when they opt in with labels.
exposedbydefault = false
# Enables the file provider; with no filename set it reads the [backends]
# and [frontends] tables of this same file.
[file]
[backends]
[backends.backend1]
[backends.backend1.servers.server1]
url = "http://192.168.0.1:8585/"
[backends.backend2]
[backends.backend2.servers.server2]
url = "http://192.168.0.1:8383/"
[frontends]
[frontends.frontend1]
backend = "backend1"
[frontends.frontend1.routes.graf]
rule = "Host:123.it"
[frontends.frontend2]
backend = "backend2"
[frontends.frontend2.routes.graf]
# ";" ANDs the matchers. PathPrefix does not strip the prefix: the backend
# receives /app/...; use PathPrefixStrip if the app expects to be at /.
rule = "Host:123.co.uk; PathPrefix: /app"

Is HTTP to HTTPS redirection configurable per frontend in the Træfik File backend?

According to https://github.com/containous/traefik/pull/2133, it should be possible to redirect selectively per frontend. Is this available in the File backend?
I tried adding the following, but it didn't work:
# Per-frontend header option. It issues a redirect to https on port 443 of
# the same host, regardless of which entrypoint addresses are configured.
[frontends.foo.headers]
SSLRedirect = true
The `SSLRedirect = true` header option always redirects to port 443 on the same host, regardless of your entrypoint addresses.
If you want to redirect to a named entrypoint instead (for example one that is not on port 443), use `entryPoint = "https"` — either on the entrypoint, which redirects everything arriving on it, or under `[frontends.<name>.redirect]` for a single frontend:
https://docs.traefik.io/user-guide/examples/#http-redirect-on-https
# Entrypoint-level HTTP-to-HTTPS redirect (docs example): every request on
# :80 is redirected to the "https" entrypoint, which serves the example
# certificate.
defaultEntryPoints = ["http", "https"]

[entryPoints]

[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
certificates = [
{ certFile = "examples/traefik.crt", keyFile = "examples/traefik.key" },
]

[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
https://docs.traefik.io/configuration/backends/file/
# Per-frontend redirect (file provider). The entrypoints themselves carry no
# redirect, so only frontend1 is sent from http to https; other frontends on
# the same entrypoints keep answering plain HTTP.
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
# ...
[entryPoints.https]
address = ":443"
# ... (tls settings for this entrypoint go here)
[file]
[frontends]
[frontends.frontend1]
backend = "backend1"
# Redirect requests for this frontend to the "https" entrypoint. The
# frontend is attached to both default entrypoints; Traefik v1 does not
# apply the redirect to requests that already arrive on the target
# entrypoint, so this should not loop - verify with your release.
[frontends.frontend1.redirect]
entryPoint = "https"
# ...
# ...

Traefik does not map incoming 443 to port 80 internally

Our problem is that traffic on the https entrypoint apparently never reaches the backends: the http entrypoint works as expected and is load-balanced between servers 1, 2 and 3, but on the https entrypoint we get a 404 page not found. TLS itself is fine (the connection is secure); it looks as if Traefik does not route the https traffic to the :80 backends.
We do let's encrypt via traefik and this looks good.
Here's how we start Traefik:
docker run -d -p 443:443 -p 80:80 -v /home/pi/lbtest/traefik/traefik.toml:/traefik.toml -v /home/pi/lbtest/traefik/acme.json:/acme.json traefik
And this is our traefik.toml
# As posted: the lbtest frontend answers on :80 but returns 404 on :443.
debug = true
# Enables the file provider; with no filename set it reads the [frontends]
# and [backends] tables of this same file.
[file]
# BUG: this key comes after the [file] header, so TOML stores it as
# file.defaultEntryPoints. The top-level defaultEntryPoints stays unset and
# Traefik falls back to its built-in default of ["http"], so the lbtest
# frontend is never attached to the https entrypoint - hence the 404 on
# :443. Move it above the first table header.
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
# Empty: the certificate comes from ACME below.
[entryPoints.https.tls]
[frontends]
[frontends.lbtest]
backend = "lbtest"
[frontends.lbtest.routes.route0]
rule = "Host:xxx.gotdns.ch"
[backends]
[backends.lbtest]
# Plain-HTTP backends on the LAN; round-robin across the three.
[backends.lbtest.servers.server1]
url = "http://192.168.178.81:80"
[backends.lbtest.servers.server2]
url = "http://192.168.178.49:80"
[backends.lbtest.servers.server3]
url= "http://192.168.178.64:80"
[acme]
email = "xxx#xxx.eu.com"
# acme.json holds the account key and issued private keys: mode 0600,
# owned by the user Traefik runs as. `storageFile` is the older key name;
# newer v1 releases call it `storage`.
storageFile = "acme.json"
acmeLogging = true
entryPoint = "https"
# Request a certificate for every Host rule in the frontends.
onHostRule = true
[acme.httpChallenge]
# HTTP-01 needs port 80 reachable from the internet.
entryPoint = "http"
[[acme.domains]]
main = "xxx.gotdns.ch"
Why does http://xxx.gotdns.ch work - it loadbalances between server 1 2 3 - but not for https://xxx.gotdns.ch. Any ideas?
The problem is where `defaultEntryPoints` sits in your configuration. It comes after the `[file]` header, so TOML makes it `file.defaultEntryPoints` rather than a top-level key; Traefik then falls back to its built-in default of `["http"]`, so your frontend is attached only to the http entrypoint — which is exactly why :80 works and :443 returns 404. Move it above the first table header:
debug = true
# Moved here: top-level keys must precede the first table header. In TOML
# every key after `[file]` belongs to the file table, which is where this
# one was hiding before.
defaultEntryPoints = ["http", "https"] # <-- move the field here
[file]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[frontends]
[frontends.lbtest]
backend = "lbtest"
[frontends.lbtest.routes.route0]
rule = "Host:xxx.gotdns.ch"
[backends]
[backends.lbtest]
[backends.lbtest.servers.server1]
url = "http://192.168.178.81:80"
[backends.lbtest.servers.server2]
url = "http://192.168.178.49:80"
[backends.lbtest.servers.server3]
url= "http://192.168.178.64:80"
[acme]
email = "xxx#xxx.eu.com"
# acme.json holds the account key and issued private keys: keep it at mode
# 0600, owned by the user Traefik runs as.
storageFile = "acme.json"
acmeLogging = true
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "xxx.gotdns.ch"
I recommend writing the configuration like this instead — global keys first, then entrypoints and ACME, and the file-provider tables last, so nothing else can slip under `[file]` by accident:
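# Traefik v1: plain HTTP on :80, TLS on :443 with a Let's Encrypt
# certificate obtained through the HTTP-01 challenge, one frontend
# load-balanced over three backends. Global keys come first and the
# file-provider tables last, so no global key can land under [file].

# debug = true also exposes /debug/vars and /debug/pprof on the API
# entrypoint (if one is configured); turn it off once routing works.
debug = true
# Frontends without their own entryPoints list are attached to both.
defaultEntryPoints = ["http", "https"]

[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Floor the protocol version; Traefik v1 otherwise inherits Go's default
# minimum (TLS 1.0 in older Go releases). The certificate itself comes from
# ACME, so nothing else is needed in this table.
minVersion = "VersionTLS12"

[acme]
email = "xxx#xxx.eu.com"
# acme.json holds the ACME account key and the issued private keys: keep it
# at mode 0600, owned by the user Traefik runs as (v1 refuses a more open
# file). `storageFile` is the older key name; newer v1 releases use `storage`.
storageFile = "acme.json"
acmeLogging = true
entryPoint = "https"
# Request a certificate for every Host rule in the frontends.
onHostRule = true
[acme.httpChallenge]
# HTTP-01 needs port 80 reachable from the internet for the token check.
entryPoint = "http"
[[acme.domains]]
main = "xxx.gotdns.ch"

# Enables the file provider; with no filename set it reads the [frontends]
# and [backends] tables of this same file.
[file]
[frontends]
[frontends.lbtest]
backend = "lbtest"
[frontends.lbtest.routes.route0]
rule = "Host:xxx.gotdns.ch"
[backends]
[backends.lbtest]
# Plain-HTTP backends on the LAN; round-robin across the three.
[backends.lbtest.servers.server1]
url = "http://192.168.178.81:80"
[backends.lbtest.servers.server2]
url = "http://192.168.178.49:80"
[backends.lbtest.servers.server3]
url = "http://192.168.178.64:80"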

Traefik using SSL/Multiple SNI with mixed authentication

In Traefik, is it possible to either:
A. Set up two different TLS entrypoints, so that TLS mutual authentication (`clientCAFiles`) is required on one and not on the other;
or
B. Use the same entrypoint (:443), but have the ClientCAFiles directive only apply to a specific URL
I've tried something like this:
# Attempt A: two TLS entrypoints, client-certificate auth only on :443.
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Client certificates must chain to this CA. The requirement applies to
# every connection on this entrypoint, whichever server certificate SNI
# selects.
clientCAFiles = ["certs/clientca.crt"]
[[entryPoints.https.tls.certificates]]
certFile = "certs/server1.crt"
keyFile = "certs/server1.key"
# BUG: TOML keys are case-sensitive, so this lowercase header opens a new
# top-level table `entrypoints` instead of adding to `entryPoints` above.
# The two headers that follow (correctly cased) then create
# entryPoints.otherSSL with a tls table but no address - the same "no
# listener" shape as the first question on this page - unless the decoder
# happens to merge the tables case-insensitively. Spell it
# [entryPoints.otherSSL].
[entrypoints.otherSSL]
address = ":8443"
[entryPoints.otherSSL.tls]
[[entryPoints.otherSSL.tls.certificates]]
certFile = "certs/server2.crt"
keyFile = "certs/server2.key"
but that doesn't work (note the lowercase `[entrypoints.otherSSL]` header — TOML keys are case-sensitive, so it does not extend the `[entryPoints]` table). I also tried this:
# Attempt B: clientCAFiles placed inside one certificate entry.
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
# Not a per-certificate option: a certificate entry only has certFile and
# keyFile, so this key is most likely dropped by the decoder and no
# client-certificate check is configured at all. clientCAFiles belongs
# directly under [entryPoints.https.tls].
clientCAFiles = ["certs/clientca.crt"]
certFile = "certs/server1.crt"
keyFile = "certs/server1.key"
[[entryPoints.https.tls.certificates]]
certFile = "certs/server2.crt"
keyFile = "certs/server2.key"
This does not work either: `clientCAFiles` is an entrypoint-level TLS option, not a per-certificate one.
This works:
# What works: client-certificate auth configured on the entrypoint, both
# server certificates selected by SNI. Verification is a property of the
# TLS listener, so it is enforced for every SNI on :443 - the question's
# option B (per host/URL) is not expressible here; option A needs a second,
# correctly cased entrypoint without clientCAFiles.
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
clientCAFiles = ["certs/clientca.crt"]
[[entryPoints.https.tls.certificates]]
certFile = "certs/server1.crt"
keyFile = "certs/server1.key"
[[entryPoints.https.tls.certificates]]
certFile = "certs/server2.crt"
keyFile = "certs/server2.key"
but it requires client authentication for BOTH SNIs, because `clientCAFiles` applies to the whole entrypoint.