My domain name jstock.co's DNS and SSL certificate are handled by Cloudflare.
I have the following traefik.toml
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
[web.auth.basic]
users = ["admin:xxx"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/app/cert.pem"
KeyFile = "/app/key.pem"
With the above setup, Traefik is able to route the following traffic to the correct Docker containers:
https://notification.jstock.co/info/
https://iex.jstock.co/info/
https://intrinio.jstock.co/info/
...
Now we have purchased another domain name, wenote.me. Its DNS and SSL certificate are also handled by Cloudflare.
I was wondering, is it possible to reuse the existing Traefik to handle traffic from wenote.me? If so, what should traefik.toml look like?
This is how it is being done.
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
[web.auth.basic]
users = ["admin:xxx"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/app/cert.pem"
KeyFile = "/app/key.pem"
[[entryPoints.https.tls.certificates]]
CertFile = "/app/wenote.me.cert.pem"
KeyFile = "/app/wenote.me.key.pem"
Related
I would like to create a traefik v2 config file which redirects http://localhost:80 traffic to http://otherhost.example.com:8080.
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.dashboard]
address = ":80"
[entryPoints.dashboard.redirect???]
scheme = "http"
port = "8080"
No Docker whatsoever.
Thanks,
Lorand.
That worked:
defaultEntryPoints = ["http"]
## Static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[providers]
[providers.file]
filename = "dynamic_conf.toml"
watch = true
And dynamic_conf.toml:
## Dynamic configuration
[http.routers]
[http.routers.Router-1]
# By default, routers listen to every entry points
rule = "Host(`localhost`)"
service = "my-service"
[http.services]
[http.services.my-service.loadBalancer]
passHostHeader = false
[[http.services.my-service.loadBalancer.servers]]
url = "http://example.com"
It had to be called with the full URL, like http://localhost/index.html.
I'd like to be able to use Traefik to forward traffic for a domain with subfolders to a Docker container on a different host. Also, I'd like to be able to use multiple separate domains.
I'm unable to find instructions or a guide to do that exactly. Can anyone give me pointers please?
This is what I have so far.
### traefik.toml
defaultEntryPoints = ["https","http"]
[api]
entryPoint = "traefik"
dashboard = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
]
[entryPoints.traefik]
address = ":8080"
[entryPoints.traefik.auth.basic]
users = ["admin:{SHA}123="]
[acme]
email = "123#123.com"
storage = "/etc/traefik/acme/acme.json"
onHostRule = false
acmeLogging = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
entryPoint = "https"
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.123.it"
[[acme.domains]]
main = "*.123.co.uk"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "{{ DOMAIN }}"
watch = true
exposedbydefault = false
[file]
[backends]
[backends.backend1]
[backends.backend1.servers.server1]
url = "http://192.168.0.1:8585/"
[backends.backend2]
[backends.backend2.servers.server2]
url = "http://192.168.0.1:8383/"
[frontends]
[frontends.frontend1]
backend = "backend1"
[frontends.frontend1.routes.graf]
rule = "Host:123.it"
[frontends.frontend2]
backend = "backend2"
[frontends.frontend2.routes.graf]
rule = "Host:123.co.uk; PathPrefix: /app"
According to https://github.com/containous/traefik/pull/2133, it should be possible to redirect selectively per frontend. Is this available in the File backend?
I tried adding the following, but it didn't work:
[frontends.foo.headers]
SSLRedirect = true
The option SSLRedirect = true always redirects to port 443.
If you want to redirect to an entry point without using port 443, use entryPoint = "https":
https://docs.traefik.io/user-guide/examples/#http-redirect-on-https
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "examples/traefik.crt"
keyFile = "examples/traefik.key"
https://docs.traefik.io/configuration/backends/file/
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
# ...
[entryPoints.https]
address = ":443"
# ...
[file]
[frontends]
[frontends.frontend1]
backend = "backend1"
[frontends.frontend1.redirect]
entryPoint = "https"
# ...
Our problem is that traffic from the https entrypoint is (probably) forwarded to the backend with the wrong port. Accessing the http entrypoint works as expected: the traffic is load-balanced between servers 1, 2 and 3. When using the https entrypoint, we get a 404 page not found. The TLS is all good, the connection is secure, but it looks like Traefik does not change the port for the backend server to :80.
We do Let's Encrypt via Traefik and this looks good.
Here's how we start Traefik:
docker run -d -p 443:443 -p 80:80 -v /home/pi/lbtest/traefik/traefik.toml:/traefik.toml -v /home/pi/lbtest/traefik/acme.json:/acme.json traefik
And this is our traefik.toml
debug = true
[file]
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[frontends]
[frontends.lbtest]
backend = "lbtest"
[frontends.lbtest.routes.route0]
rule = "Host:xxx.gotdns.ch"
[backends]
[backends.lbtest]
[backends.lbtest.servers.server1]
url = "http://192.168.178.81:80"
[backends.lbtest.servers.server2]
url = "http://192.168.178.49:80"
[backends.lbtest.servers.server3]
url= "http://192.168.178.64:80"
[acme]
email = "xxx#xxx.eu.com"
storageFile = "acme.json"
acmeLogging = true
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "xxx.gotdns.ch"
Why does http://xxx.gotdns.ch work (it load-balances between servers 1, 2 and 3) but not https://xxx.gotdns.ch? Any ideas?
It's a problem with the field defaultEntryPoints in your configuration:
debug = true
defaultEntryPoints = ["http", "https"] # <-- move the field here
[file]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[frontends]
[frontends.lbtest]
backend = "lbtest"
[frontends.lbtest.routes.route0]
rule = "Host:xxx.gotdns.ch"
[backends]
[backends.lbtest]
[backends.lbtest.servers.server1]
url = "http://192.168.178.81:80"
[backends.lbtest.servers.server2]
url = "http://192.168.178.49:80"
[backends.lbtest.servers.server3]
url= "http://192.168.178.64:80"
[acme]
email = "xxx#xxx.eu.com"
storageFile = "acme.json"
acmeLogging = true
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "xxx.gotdns.ch"
I recommend writing your configuration like this:
debug = true
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "xxx#xxx.eu.com"
storageFile = "acme.json"
acmeLogging = true
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "xxx.gotdns.ch"
[file]
[frontends]
[frontends.lbtest]
backend = "lbtest"
[frontends.lbtest.routes.route0]
rule = "Host:xxx.gotdns.ch"
[backends]
[backends.lbtest]
[backends.lbtest.servers.server1]
url = "http://192.168.178.81:80"
[backends.lbtest.servers.server2]
url = "http://192.168.178.49:80"
[backends.lbtest.servers.server3]
url= "http://192.168.178.64:80"
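The misplaced defaultEntryPoints in the thread above is easy to repeat, because TOML happily accepts the key under [file] and Traefik v1 simply never sees it, so the https entrypoint is not attached to any frontend and every HTTPS request 404s. The shell function below is an added example (not from the answer above and not from the Traefik project) that lints a v1 traefik.toml for exactly this class of mistake: global keys (defaultEntryPoints, debug, logLevel) that appear below a table header, and names listed in defaultEntryPoints that have no matching [entryPoints.<name>] table. It assumes a POSIX awk and a single static config file, given as the only argument.

```shell
#!/bin/sh
# Added example: lint a Traefik v1 traefik.toml for global keys that were
# written under a table header (the defaultEntryPoints-under-[file] mistake)
# and for defaultEntryPoints names without an [entryPoints.<name>] table.
# Not from the original answer or from Traefik; assumes POSIX awk.
# Usage: lint_traefik_v1 traefik.toml   -> exit 0 clean, 1 findings, 2 usage

lint_traefik_v1() {
    [ -r "$1" ] || { echo "usage: lint_traefik_v1 traefik.toml" >&2; return 2; }
    awk '
    # Full-line comments and blank lines carry nothing.
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    # A [table] or [[array.table]] header: every key after it belongs to
    # that table until the next header. "" means the top level.
    /^[ \t]*\[/ {
        t = $0
        sub(/^[ \t]*\[+/, "", t)
        sub(/\]+.*$/, "", t)
        table = t
        seen_table[t] = 1
        next
    }
    # key = value
    match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) {
        key = substr($0, RSTART, RLENGTH)
        gsub(/[ \t=]/, "", key)
        if ((key == "defaultEntryPoints" || key == "debug" || key == "logLevel") && table != "") {
            printf "MISPLACED: %s is set under [%s]; it is a global key and must appear before the first table header\n", key, table
            findings++
        }
        if (key == "defaultEntryPoints" && table == "") {
            # Collect the quoted names so END can check each has a table.
            v = $0
            sub(/^[^=]*=/, "", v)
            while (match(v, /"[^"]*"/)) {
                wanted[substr(v, RSTART + 1, RLENGTH - 2)] = 1
                v = substr(v, RSTART + RLENGTH)
            }
        }
        next
    }
    END {
        for (n in wanted) {
            k = "entryPoints." n
            if (!(k in seen_table)) {
                printf "MISSING: defaultEntryPoints lists \"%s\" but there is no [entryPoints.%s] table\n", n, n
                findings++
            }
        }
        exit (findings > 0)
    }
    ' "$1"
}
```

Run it against the first config from this thread and it reports defaultEntryPoints under [file]; against the recommended layout it exits 0. Table names are matched case-sensitively, as TOML itself does, so a header such as [entrypoints.https] is reported as missing for "https".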
In Traefik, is it possible to either:
A. Set up two different SSL entrypoints, such that I can enable TLS mutual authentication on one SNI (ClientCAFiles) and not on the other;
or
B. Use the same entrypoint (:443), but have the ClientCAFiles directive only apply to a specific URL?
I've tried something like this:
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
clientCAFiles = ["certs/clientca.crt"]
[[entryPoints.https.tls.certificates]]
certFile = "certs/server1.crt"
keyFile = "certs/server1.key"
[entrypoints.otherSSL]   # note: "entrypoints" here differs in case from "entryPoints" above; TOML table names are case-sensitive
address = ":8443"
[entryPoints.otherSSL.tls]
[[entryPoints.otherSSL.tls.certificates]]
certFile = "certs/server2.crt"
keyFile = "certs/server2.key"
but it doesn't work. I also tried like this:
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
clientCAFiles = ["certs/clientca.crt"]
certFile = "certs/server1.crt"
keyFile = "certs/server1.key"
[[entryPoints.https.tls.certificates]]
certFile = "certs/server2.crt"
keyFile = "certs/server2.key"
This also does not work.
This works:
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
clientCAFiles = ["certs/clientca.crt"]
[[entryPoints.https.tls.certificates]]
certFile = "certs/server1.crt"
keyFile = "certs/server1.key"
[[entryPoints.https.tls.certificates]]
certFile = "certs/server2.crt"
keyFile = "certs/server2.key"
but requires clientAuth for BOTH SNIs.
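For the two-certificate entrypoint in the jstock.co/wenote.me thread at the top of this page, and for the client-auth question just above, the check a practitioner wants is to see, per SNI name, which certificate Traefik actually serves and whether it asks for a client certificate. The shell functions below are an added example (not part of any post above and not Traefik's own tooling): probe_sni runs openssl s_client with -servername, and parse_sclient_report reduces the output to three key=value lines so it can also be run over captured output. It assumes an openssl binary whose s_client prints the OpenSSL 1.1.x strings "Acceptable client certificate CA names" and "No client certificate CA names sent"; the address 192.0.2.10 and the names server1.example / server2.example in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: per-SNI probe of a Traefik TLS entrypoint.
# Not from the original posts; assumes an openssl binary (1.1.x s_client
# output) and a reachable Traefik. Hosts in the usage lines are placeholders.

# parse_sclient_report: read `openssl s_client` output on stdin and print
#   served_subject=<subject of the leaf certificate>
#   client_auth_requested=yes|no|unknown
#   handshake=ok|failed|unknown
parse_sclient_report() {
    awk '
    # "subject=" is printed once under "Server certificate".
    /^subject=/ { subj = $0; sub(/^subject=[ \t]*/, "", subj) }
    # A CertificateRequest carrying CA names shows up as this header;
    # when the server does not ask, s_client prints the "No client" line.
    /Acceptable client certificate CA names/ { ca = "yes" }
    /No client certificate CA names sent/    { ca = "no" }
    # Alert lines come from stderr, which probe_sni merges into stdin.
    # "failed" is sticky: TLS 1.3 prints the report before the alert.
    /alert (handshake failure|certificate required|bad certificate|unknown ca)/ { hs = "failed" }
    /^Verify return code:/ { if (hs != "failed") hs = "ok" }
    END {
        printf "served_subject=%s\n",        (subj == "" ? "(none)"  : subj)
        printf "client_auth_requested=%s\n", (ca   == "" ? "unknown" : ca)
        printf "handshake=%s\n",             (hs   == "" ? "unknown" : hs)
    }'
}

# probe_sni HOST PORT SNI [CLIENT_CERT.pem [CLIENT_KEY.pem]]
# Connect to HOST:PORT, present SNI, and report. Pass a client cert/key
# pair to confirm the handshake completes once the CA requirement is met.
probe_sni() {
    host=$1; port=$2; sni=$3; cert=$4; key=$5
    set -- -connect "$host:$port" -servername "$sni"
    if [ -n "$cert" ]; then
        set -- "$@" -cert "$cert" -key "${key:-$cert}"
    fi
    # stdin closed so s_client exits after the handshake; stderr merged so
    # the alert lines reach the parser.
    openssl s_client "$@" </dev/null 2>&1 | parse_sclient_report
}

# Usage (placeholder host and names):
#   probe_sni 192.0.2.10 443 server1.example
#   probe_sni 192.0.2.10 443 server2.example
# With one :443 entrypoint carrying clientCAFiles, both runs report
# client_auth_requested=yes, which is the "BOTH SNIs" behaviour described above.
```

Point -connect at the origin host and keep only the SNI in -servername: when Cloudflare proxies the name (as in the jstock.co setup), resolving it normally would show you Cloudflare's edge certificate rather than the certificate Traefik selected. A served_subject that does not match the SNI you sent means Traefik fell back to its default certificate, i.e. the cert for that name was not loaded.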