I have traefik set up and running, but experiencing issues with https, (wildcard certificate). Im able to get a redirect from 80 to 443 but nothing will load. I donot see much information in the logs and they have been set to debug level
Checked the permissions for the cert and set logs to debug
0644 on crt and 0600 on key
Tarefik TOML
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/traefik/certs/server.crt"
keyFile = "/etc/traefik/certs/server.key"
Docker Compose
services:
reverse-proxy:
image: traefik # The official Traefik docker image
command: --api --docker # Enables the web UI and tells Traefik to listen to docker
ports:
- "80:80" # The HTTP port
- "8080:8080" # The Web UI (enabled by --api)
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
- /home/traefik/traefik.toml:/traefik.toml
- /home/traefik/certs:/etc/traefik/certs
networks:
- traefik-net
Sample NGINX server being run
nginx-docker:
image: nginx:latest
labels:
- "traefik.frontend.rule=Host:<hostname>.eogresources.com"
networks:
- traefik-net
Exposing 443 on traefik resolved my issue. Added additional port docker-compose file, change reflected below. Silly mistake. Also added the network in compose file
services:
reverse-proxy:
image: traefik # The official Traefik docker image
command: --api --docker # Enables the web UI and tells Traefik to listen to docker
ports:
- "80:80" # The HTTP port
- "8080:8080" # The Web UI (enabled by --api)
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
- /home/traefik/traefik.toml:/traefik.toml
- /home/traefik/certs:/etc/traefik/certs
networks:
- traefik-net
networks:
traefik-net:
driver: "overlay"
Related
I deployed an multicontainer application with Mautic behind a Traefik reverse proxy.
However, I am getting a "Gateway timeout".
The reverse proxy's configuration seems OK as other containers within the application work fine.
I also changed the mautic settings to the mautics domain name.
Any idea?
docker-compose.yml
version: '3.3'
services:
reverse-proxy:
image: traefik:v2.4
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./traefik:/etc/traefik
- /var/run/docker.sock:/var/run/docker.sock
mautic-app:
restart: always
image: mautic/mautic:v3
volumes:
- mautic_data:/var/www/html
environment:
- MAUTIC_DB_HOST=mautic-database
- MAUTIC_DB_USER=${MAUTIC_DB_USER}
- MAUTIC_DB_PASSWORD=${MAUTIC_DB_PASSWORD}
- MAUTIC_DB_NAME=mautic3
ports:
- 80
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.mautic.tls=true'
- 'traefik.http.routers.mautic.tls.domains[0].main=optin.${SITE}'
- 'traefik.http.routers.mautic.tls.certresolver=lets-encrypt'
- 'traefik.http.routers.mautic.rule=Host(`optin.${SITE}`)'
depends_on:
- mautic-database
networks:
- mautic-net
mautic-database:
image: powertic/percona-docker
restart: always
environment:
MYSQL_ROOT_PASSWORD: ${MAUTIC_DB_PASSWORD}
ports:
- 3306
volumes:
- database:/var/lib/mysql
command: --character-set-server=utf8mb4 --collation-server=utf8mb4_general_ci --sql-mode=""
networks:
- mautic-net
volumes:
database:
driver: local
mautic_data:
driver: local
networks:
mautic-net:
driver: bridge
traefik.toml
[log]
level = "DEBUG"
[providers]
[providers.docker]
exposedByDefault = false
[providers.file]
directory = "/etc/traefik/dynamic"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[certificatesResolvers.lets-encrypt.acme]
storage = "/etc/traefik/acme.json"
email = "jenslaufer#jenslaufer.com"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
force-https.toml
[http.routers]
[http.routers.force-https]
entryPoints = ["http"]
middlewares = ["force-https"]
rule = "HostRegexp(`{any:.+}`)"
service = "noop"
[http.middlewares]
[http.middlewares.force-https.redirectScheme]
scheme = "https"
[http.services]
[http.services.noop.loadBalancer]
Not sure if you're using Apache or PHP FPM behind the proxy.
But... Traefik does not support fastCgi Proxy
We encountered this issue with Traefik and set up our mautic kubernetes with nginx-proxy for that reason.
If you have docker running in swam mode, containers will have multiple networks attached. Traefik needs pointing to which network to use.
You must set label traefik.docker.network on the backend service container.
labels:
traefik.docker.network: <traefik network>
Otherwise, you will be getting success sometimes but most of the time traefik will return Gateway Timeout
It's a "misconfiguration" in docker-compose:
Traefik and Maurice are in different networks.
Moving Traefik to the mautic-net network fixed the problem.
I am coming from this. I am new in web-servers. I am setting up a server (example.de) serving several dockerized applications. One of them (app3) is running on behind an Apache server (port 80 inside the container mapped to 8484). I want to use a NGINX docker container to redirect the url example.de/app3 to example.de:8484. Other two applications will be also redirected to example.de/app?.
When I request the url example.de:8484 it works fine. However, when I use example.de/app3 only the "It works" webpage appears.
The docker-compose file is something similar to:
version: '3'
services:
app3:
build:
context: app3
container_name: app3
app3_apache:
build:
context: app3/apache
container_name: app3_apache
ports:
- "8484:80"
volumes:
- vol_app3:/vol/app3
depends_on:
- app3
links:
- app3
nginx-proxy:
container_name: nginx
build:
context: nginx/
ports:
- "80:80"
depends_on:
- app3_apache
links:
- app3_apache
volumes:
- vol_nginx:/etc/nginx/conf.d
volumes:
vol_app3:
driver_opts:
type: none
device: /vol/app3
o: bind
vol_nginx:
driver_opts:
type: none
device: /vol/nginx
o: bind
NGINX default.conf file looks like:
server {
listen 80;
listen [::]:80;
server_name example.de;
location /app3 {
proxy_pass http://app3_apache:80;
}
}
Additional information:
It creates and run the containers. The webpage in the APACHE container is served in the NGINX container using the xxx.xxx.xxx.xxx:80 but not app3_apache:80 <h1>Bad Request (400)</h1>.
I can reach the app3_apache container from the NGINX container:
traceroute app3_apache
traceroute to app3_apache (xxx.xxx.xxx.xxx), 30 hops max, 60 byte packets
1 app3_apache.server_default (xxx.xxx.xxx.xxx) 0.351 ms 0.054 ms 0.035 ms
You should create a docker network to link the container.
You can check docs here: https://docs.docker.com/network/bridge/
After you create the network, you will have to change configuration for nginx proxy_pass to point out the internal IP of the web server application.
As for example I setup this network configuration to connect 3 containers with fixed IP addresses.
version: '2'
services:
zabbix-server4:
container_name: zabbix-server4
image: zabbix/zabbix-server-mysql:alpine-4.0.5
networks:
zbx_net:
aliases:
- zabbix-server4
ipv4_address: 172.16.238.5
zabbix-web4:
container_name: zabbix-web4
image: zabbix/zabbix-web-nginx-mysql:alpine-4.0.5
ports:
- 127.0.0.1:11011:80
links:
- zabbix-server4
environment:
- ZBX_SERVER_HOST=172.16.238.5
networks:
zbx_net:
aliases:
- zabbix-web4
ipv4_address: 172.16.238.10
zabbix-agent4:
container_name: zabbix-agent4
image: zabbix/zabbix-agent:alpine-4.0.5
links:
- zabbix-server4
environment:
- ZBX_SERVER_HOST=172.16.238.5
networks:
zbx_net:
aliases:
- zabbix-agent4
ipv4_address: 172.16.238.15
networks:
zbx_net:
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
ipam:
driver: default
config:
- subnet: 172.16.238.0/24
gateway: 172.16.238.1
In your case, you could set a new network and assign new network's IPs to both the nginx and web container, then in nginx proxy_pass configuration you should put web server's IP.
E.g:
version: '3'
services:
app3:
build:
context: app3
container_name: app3
app3_apache:
build:
context: app3/apache
container_name: app3_apache
ports:
- "8484:80"
volumes:
- vol_app3:/vol/app3
depends_on:
- app3
links:
- app3
networks:
my_net:
aliases:
- zabbix-agent4
ipv4_address: 172.16.11.10
nginx-proxy:
container_name: nginx
build:
context: nginx/
ports:
- "80:80"
depends_on:
- app3_apache
links:
- app3_apache
volumes:
- vol_nginx:/etc/nginx/conf.d
networks:
my_net:
aliases:
- zabbix-agent4
ipv4_address: 172.16.11.20
volumes:
vol_app3:
driver_opts:
type: none
device: /vol/app3
o: bind
vol_nginx:
driver_opts:
type: none
device: /vol/nginx
o: bind
networks:
my_net:
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
ipam:
driver: default
config:
- subnet: 172.16.11.0/24
gateway: 172.16.11.1
And proxy pass should be sety to
location /app3 {
proxy_pass http://172.16.11.10:80;
}
To prevent having this trouble, I run nginx on host, not in a container, then I split traffic in containers using same approach.
Having nginx installed in the host machine allow me to avoid this kind of configuration overhead.
Question 1
https://docs.traefik.io/configuration/entrypoints/#default-certificate seems to indicate that if I do not specify any certFile or keyFile, a self-signed certificate will be generated by Traefik, and used instead.
There can only be one defaultCertificate set per entrypoint. Use a single set of square brackets [ ], instead of the two needed for normal certificates. If no default certificate is provided, a self-signed certificate will be generated by Traefik, and used instead.
However, when I try this and enter https://localhost/whoami I get an SSL error by Chrome (ERR_SSL_PROTOCOL_ERROR). Logs also show level=error msg="failed to load X509 key pair: tls: failed to find any PEM data in certificate input". Have I misunderstood the configuration in that documentation?
This is the code I have to test this.
test.yml
version: '3.6'
services:
traefik:
image: traefik
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik/traefik.toml:/etc/traefik/traefik.toml
deploy:
placement:
constraints:
- node.role == manager
labels:
- "traefik.port=8080"
- "traefik.frontend.rule=PathPrefixStrip:/traefik"
networks:
- traefiknet
whoami:
image: emilevauge/whoami
deploy:
labels:
- "traefik.port=80"
- "traefik.frontend.rule=PathPrefixStrip:/whoami"
networks:
- traefiknet
networks:
traefiknet:
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[api]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.tls.defaultCertificate]
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
swarmMode = true
network = "test_traefiknet"
Start with:
docker stack deploy -c test.yml test
Question 2
Note that I also tested to do like it reads on this page: https://docs.traefik.io/configuration/entrypoints/#static-certificates
If an empty TLS configuration is provided, default self-signed certificates are generated.
However, that also did not work. My question is however, what is the difference between this configuration and the configuration shown in question 1 in the toml file?
I found out the answer. I needed to remove [entryPoints.https.tls.defaultCertificate]. Unfortunately I did not find the documentation very clear in this regard.
I need to send the SSL connections directly to the backend, not decrypt at my Traefik. The backend needs to receive https requests.
I tried the traefik.frontend.passTLSCert=true option but getting "404 page not found" error when I access my web app and also get this error on Traefik container
traefik | time="2018-09-16T10:47:41Z" level=error msg="Failed to create TLSClientConfig: no TLS provided"
traefik | time="2018-09-16T10:47:41Z" level=error msg="Failed to create RoundTripper for frontend frontend-Host-dev-mydomain-com-0: no TLS provided"
traefik | time="2018-09-16T10:47:41Z" level=error msg="Skipping frontend frontend-Host-dev-mydomain-com-0..."
Could you suggest any solution? Thank you.
I'm using Traefik version 1.6.6.
Here is my docker-compose.yml for the app container.
version: '3'
services:
app:
image: webdevops/php-nginx-dev:7.2
networks:
- proxy
volumes:
- ./:/app
- ../traefik/ssl/*.mydomain.com.crt:/opt/docker/etc/nginx/ssl/server.crt
- ../traefik/ssl/*.mydomain.com.key:/opt/docker/etc/nginx/ssl/server.key
environment:
- WEB_DOCUMENT_ROOT=/app
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:dev.mydomain.com
- traefik.docker.network=proxy
- traefik.port=443
networks:
proxy:
external: true
The docker-compose.yml of my Traefik container.
version: "3"
services:
traefik:
image: traefik
container_name: traefik
command:
- --api
- --docker
- --docker.exposedbydefault=false
restart: always
ports:
- 80:80
- 443:443
networks:
- proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./ssl:/sslcert
networks:
proxy:
external: true
Finally, my traefik.toml file.
debug = true
logLevel = "ERROR"
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/sslcert/*.mydomain.com.crt"
keyFile = "/sslcert/*.mydomain.com.key"
[retry]
Traefik now has TCP support in its new 2.0 version - which is still in alpha at this time (Apr 2019).
See PR https://github.com/containous/traefik/pull/4587
and the release notes of v2.0.0-alpha1 at https://github.com/containous/traefik/releases/tag/v2.0.0-alpha1 showing this TCP support PR being included
Hence once 2.0 is released (probably within 2-3 months), HTTPS passthrough will become possible.
Answer for traefik 1.0 (outdated)
passTLSCert forwards the TLS Client certificate to the backend, that is, a client that sends a certificate in the TLS handshake to prove it's identity.
Traefik is an HTTP reverse proxy. To establish the SSL connection directly with the backend, you need to reverse proxy TCP and not HTTP, and traefik doesn't (yet ?) support tcp (but there are issues for that on github).
Traefik won't fit your usecase, there are different alternatives, envoy is one of them.
The new passthrough for TCP routers is already available: https://docs.traefik.io/routing/routers/#passthrough
I want to use multiple docker-compose projects with Traefik as reverse proxy. After following the documentation I've created two docker-compose files; one for Traefik and one for an example project which has 2 "whoami" containers.
This works great for the backends, but it seems that Traefik creates one frontend per running container. So instead of 1 frontend for the 2 whoami containers, I got two frontends defined: "frontend-Host-whoami-localhost-0" and "frontend-Host-whoami-localhost-1".
Traefik will create more frontends if I scale up the whoami service (by either duplicating their definition in the docker-compose.yaml file, or with docker-compose scale whoami=10).
I just want one frontend for the "Host:whoami.localhost" rule, which points to one backend with multiple running containers attached to it. How can I do this?
traefik.toml:
defaultEntryPoints = ["http"]
[web]
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "localhost"
docker-compose.yaml (for traefik):
version: "2"
services:
traefik:
container_name: traefik
image: traefik
networks:
- webgateway
ports:
- "80:80"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
labels:
traefik.backend: web
traefik.frontend.rule: Host:monitor.localhost
networks:
webgateway:
driver: bridge
whoami/docker-compose.yaml:
version: "2"
services:
whoami:
image: emilevauge/whoami
networks:
- webgateway
labels:
traefik.backend: whoami
traefik.frontend.rule: Host:whoami.localhost
whoami_2:
image: emilevauge/whoami
networks:
- webgateway
labels:
traefik.backend: whoami
traefik.frontend.rule: Host:whoami.localhost
networks:
webgateway:
external:
name: traefikdocker_webgateway
I suppose you want that:
http://example.com/
|-> app1 who serve http://example.com/foo
|-> app2 who serve http://example.com/bar
To do that you must use another matcher (like PathPrefix by example):
traefik.frontend.rule: Host:http://example.com/; PathPrefix:/foo
|-> app1 who serve http://example.com/foo
traefik.frontend.rule: Host:http://example.com/; PathPrefix:/bar
|-> app2 who serve http://example.com/bar
If you just want to scale, you only need one service in your composefile:
traefik.frontend.rule: Host:http://example.com/
|-> 10 x app (docker-compose scale app=10)