How to expose two HTTPS ports? - traefik

I am considering switching to traefik to control my docker containers and everything looks great so far. One thing I could not find in the docs is how to expose several HTTPS ports.
The documentation mentions that the exposed port is defined as:
[entryPoints]
  [entryPoints.https]
  address = ":443"
What should I put there to tell traefik that I would like to listen for HTTPS traffic on 443 and 50443?

Just define another entrypoint following the same scheme but name it differently, e.g. [entrypoints.verysecure]. Remember that every TLS entrypoint needs a cert/key configuration.
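As an added example (not part of the original thread), this is what the answer describes in the Traefik v1 TOML syntax used in the question: a second TLS entrypoint on port 50443 next to the one on 443. The name verysecure comes from the answer; the certificate and key paths are placeholders.

```toml
# Added example, Traefik v1 static configuration (traefik.toml).
# Certificate and key paths are placeholders; substitute your own files.

# Frontends that do not set their own entryPoints are served on both listeners.
defaultEntryPoints = ["https", "verysecure"]

[entryPoints]
  # Standard HTTPS listener.
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/traefik/certs/example.crt"   # placeholder path
      keyFile  = "/etc/traefik/certs/example.key"   # placeholder path

  # Second HTTPS listener: same scheme, different name and port.
  [entryPoints.verysecure]
  address = ":50443"
    [entryPoints.verysecure.tls]
      [[entryPoints.verysecure.tls.certificates]]
      certFile = "/etc/traefik/certs/example.crt"   # placeholder path
      keyFile  = "/etc/traefik/certs/example.key"   # placeholder path
```

An entrypoint whose tls table has no certificates (and no ACME configuration) is served with Traefik's self-signed default certificate. When Traefik runs in a container, port 50443 also has to be published alongside 443.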

Related

HTTPS redirect traefik v2

I'm trying to set up traefik v2 on a development server we have.
The setup:
Docker serving dozens of nginx containers acting as a frontend for different projects. Every nginx container has a unique domain linked to it. Nginx is running on port 80. Every project has a separate docker-compose (traefik also has a separate docker-compose).
What I'm trying to accomplish:
Proxy all of the containers to traefik and add new ones on the go (new services are stopped/started all the time). Make traefik automatically redirect to HTTPS and contact the appropriate nginx container based on the hostname in order to serve the website.
Question: Is this even possible to do? I've been trying to figure it out for the past day or so but I can't get everything to work. Either the redirect doesn't work or if it does it returns 404.
Managed to find a guide that covers this:
https://chriswiegman.com/2019/10/serving-your-docker-apps-with-https-and-traefik-2/
To extend what the guide pointed to, the magic sauce is in LABELS. It can be broken down to this:
# Setup HTTP
# tells traefik that any HTTP connection needs to be redirected to HTTPS
- "traefik.http.middlewares.mysite-https.redirectscheme.scheme=https"
# 'web' (or any name) can be defined by traefik entrypoints. Web is port 80.
- "traefik.http.routers.mysite-http.entrypoints=web"
# tells traefik to route incoming connections for 'mysitesdomain.com' to this service
- "traefik.http.routers.mysite-http.rule=Host(`mysitesdomain.com`)"
# Maps the above 'middleware' called 'mysite-https' (defined by the docker provider)
- "traefik.http.routers.mysite-http.middlewares=mysite-https@docker"
# Setup HTTPS
- "traefik.http.routers.mysite.entrypoints=web-secure"
- "traefik.http.routers.mysite.rule=Host(`mysitesdomain.com`)"
- "traefik.http.routers.mysite.tls=true"
- "traefik.http.routers.mysite.tls.certresolver=default"
What seems to be missing is the loadbalancer definition.
- "traefik.http.services.replica_service.loadbalancer.server.port=80" # "80" is the container's incoming port.

Magento 2: Too many redirects behind traefik reverse-proxy

In front of my web servers and Docker applications I'm running Traefik to handle load balancing and reverse-proxy. In this specific case Magento 2 is running on another host in the same private network as the Traefik host.
Traefik: 192.168.1.30
Magento: 192.168.1.224
Traffic is coming into the firewall on port 80/443 and forwarded to Traefik which forwards the request based on the domain name (in this case exampleshop.com).
My Traefik configuration looks like this:
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[backends]
  [backends.backend-exampleshop]
    [backends.backend-exampleshop.servers.server1]
    url = "http://192.168.1.224:80"
    passHostHeader = true
[frontends]
  [frontends.exampleshop]
  backend = "backend-exampleshop"
    [frontends.exampleshop.routes.hostname]
    rule = "Host:exampleshop.com"
For regular websites the above configuration always worked as expected (a working HTTPS connection with a valid Let's Encrypt cert), but in this Magento 2 case it results in:
ERR_TOO_MANY_REDIRECTS
Therefore I'm unable to reach either my homepage or my admin page. Looking at the database records, I've configured both my unsecure and secure URL as https://exampleshop.com to avoid redirect errors.
Apache is listening fine on port 80, and when contacted directly (by changing my hosts file) the page gets displayed just fine over HTTP.
What am I missing here?
Commenting out the code below solved this case, OR
enable ACME on your Traefik and switch SSL mode on Cloudflare to Full (if enabled):
[entryPoints.http.redirect]
entryPoint = "https"
I suppose that 192.168.1.224 is the IP (local) where Traefik is installed.
entryPoints.http : address = ":80" == address = "0.0.0.0:80"
https://exampleshop.com
entryPoints.https (because https == port 443)
frontends.example1 (because rule = "Host:exampleshop.com")
backend-example1: server = "http://192.168.1.224:80"
entryPoints.http because :80 == http://192.168.1.224:80
redirection to entryPoints.https
etc
Try to change the port of your local application.
Actually, the config was completely valid, but Cloudflare's crypto/SSL settings were set to Flexible instead of Full, causing a loop.
I run into this as well, but I've found I have to add this:
ingress.kubernetes.io/ssl-proxy-headers: "X-Forwarded-Proto: https"
in our Kubernetes ingress manifests, and it fixes it.

Unable to redirect from http to https behind AWS load balancer

I'm running traefik on an AWS instance with a rancher back-end. I am terminating SSL at the AWS load balancer, and am communicating on port 80 with the instance, which forwards the :80 traffic to the traefik container.
So the Load balancer currently has:
https:443 ==> http:80
http:80 ==> http:80
That means, if you type https://example.com, you get SSL, and if you type http://example.com, you just get an ordinary http connection.
The desire is to have an auto redirect via http 302 -- it would redirect http://example.com to https://example.com.
So far what I've unsuccessfully tried is the following:
AWS Load balancer
-----------------
https:443 => http:80
http:80 => http:81
traefik.toml
------------
[entryPoints]
  [entryPoints.http]
  address = ":81"
    [entryPoints.http.redirect]
    regex = "^http://example.com/(.*)"
    replacement = "https://example.com/$1"
    address = ":80"
docker-compose.yml
------------------
API-Proxy:
  container_name: api-proxy
  image: traefik
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock"
    - "$PWD/traefik.toml:/etc/traefik/traefik.toml"
  command: "--web --rancher --docker.domain=rancher.localhost --logLevel=DEBUG"
  cpu_shares: 128
  restart: always
  ports:
    - 80:80/tcp
    - 81:81/tcp
    - 8100:8080/tcp
When I try accessing via port 80, there's a timeout. Traefik logs don't seem to be helpful.
Is this a silly approach? Or is it better to terminate SSL at the traefik container using Let's Encrypt?
Try something like this in your Traefik config. Then forward both ports 443 and 80 on the LB to port 80 on Traefik.
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    regex = "^http://(.*)"
    replacement = "https://$1"
I do this in Kubernetes on AWS currently. It's a little fiddly to get just right, but it is totally possible.
First you need to make sure that your ELB is listening for HTTP (not HTTPS) on port 80 and for HTTPS on port 443. If you have the ELB listening for HTTPS on port 80, you'll get very strange behavior by clients. Check that first. Note: this is the default behavior if you have deployed Traefik using Helm.
Use aws elb describe-load-balancers to print out all of your ELBs. You'll have to find the ELB in there (I don't know how to tell you which one it is) and look in the LoadBalancerDescriptions[].ListenerDescriptions[].Listener.Protocol and InstanceProtocol to make sure that they are HTTPS and HTTP, respectively.
Second, this is all you need in your config.toml:
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    regex = "^http://(.*)"
    replacement = "https://$1"
  [entryPoints.httpn]
  address = ":8880"
  compress = true
Explanation:
Listen on port 80
Set up a permanent redirect for any traffic on port 80 to port 8880
Listen on port 8880 with HTTP and enable gzip compression
The ELB should have port 80 mapped to port 80 and port 443 mapped to port 8880. Now all HTTP traffic will be automatically redirected (use curl -v -L http://example.com to test) to HTTPS and terminated at the ELB and forwarded as HTTP to Traefik.
I am still looking for a good way to specify the protocols for the ELB listeners on deploy but I haven't come up with a good solution other than manually changing them via the AWS console after I deploy Traefik.

How to enable HTTPS for Zabbix

How to make Zabbix accessible using HTTPS? - Ubuntu Apache!
Currently Zabbix is accessible on the intranet via http://192.160.1.1/zabbix, and I would like to set it up so that it is accessed like https://192.160.1.1/zabbix
Thanks
I managed to arrange SSL on my Zabbix site by having a named vhost (mytest.site.com) with any docroot (/var/www/mytest.site.com/public_html). Zabbix hooks into any /zabbix URL, so it doesn't really matter which one. It is important that you have a valid DNS name resolving to your vhost. Then use Let's Encrypt to create an SSL certificate for that vhost and have it forward traffic to port 80 to port 443 (see https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04 for installation details).

https (apache + ssl) is only available from localhost, how to configure to visit it by domain name?

apache + ssl is configured using xampp on windows server 2003. http content has no problem by domain name, but https content can only be visited from localhost. "netstat -a" shows
Proto Local Address Remote Address State
...
TCP hostname:https hostname:0 Listening
...
How to config to enable https via domain name?
Found the reason. Another program took port 443, so Apache HTTPS failed. Use "netstat -a -o -n" to get the details.
I'm assuming you can already access apache using this domain name.
Take a look in your ports.conf, usually found at
/etc/apache2/ports.conf
It should contain a line like:
NameVirtualHost *:443
and also
Listen 8443 https