I want to use Traefik as a reverse proxy inside swarm and pass SSL traffic to a specific container (wordpress:latest). The SSL certificate seems to work ok, but I am getting 404 page not found on https://fakepage.com (I'm using placeholder domain to avoid exposing private information).
Traffic through http works normally.
My docker-compose configuration for the docker stack I'm using.
version: "3.6"
services:
  traefik:
    image: traefik
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        constraints: [node.role == worker]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik_data:/tmp
    command:
      - "--docker"
      - "--docker.domain=fakepage.com"
      - "--logLevel=DEBUG"
      - "--api"
      - "--api.statistics"
      - "--entryPoints=Name:http Address::80"
      - "--entryPoints=Name:https Address::443 TLS"
      - "--docker.endpoint=unix:///var/run/docker.sock"
      - "--acme=true"
      - "--acme.entrypoint=https"
      - "--acme.httpchallenge"
      - "--acme.httpchallenge.entrypoint=http"
      - "--acme.domains=fakepage.com"
      - "--acme.email=admin@fakepage.com"
      - "--acme.storage=/tmp/acme.json"
  db:
    image: "mysql:5.7"
    environment:
      MYSQL_ROOT_PASSWORD: example
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
      MYSQL_DATABASE: wordpress
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        constraints: [node.role == worker]
    volumes:
      - db_data:/var/lib/mysql
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        constraints: [node.role == worker]
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
    volumes:
      - wp_data:/var/www/html
    labels:
      traefik.enable: "true"
      traefik.frontend.rule: "Host:fakepage.com"
volumes:
  db_data:
  wp_data:
  traefik_data:
The problem was that I was missing a segment flag under container.
traefik.frontend.entryPoints: "http,https"
I am trying to redirect from the specific port of the service to the domain name in traefik.
This is my config in yml file (swarm mode). Here I am trying to automatically redirect from https://portainer.com:8443 to https://portainer.com
I opened the port 8443 for traefik as well.
But when I am trying to do the redirection using: https://portainer.com/example to https://portainer.com it is working fine. How to make that work with ports?
version: '3.8'
services:
  reverse-proxy:
    image: traefik:latest
    ports:
      - 80:80
      - 443:443
      - 8443:8443
    env_file:
      - ./.env
    deploy:
      placement:
        constraints: [node.role == manager]
      update_config:
        failure_action: rollback
      labels:
        # Enable traefik for the specific service
        - "traefik.enable=true"
        # global redirect to https
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=http"
        - "traefik.http.routers.http-catchall.middlewares=https-redirect"
        - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
        # Make the Traefik use this domain in HTTPS
        - "traefik.http.routers.traefik-https.rule=Host(`traefik.com`)"
        # Allow the connections to the traefik api for the dashboard support
        - "traefik.http.routers.traefik-https.service=api@internal"
        - "traefik.http.services.traefik-svc.loadbalancer.server.port=9999"
        # Use the Let's encrypt resolver
        - "traefik.http.routers.traefik-https.tls=true"
        - "traefik.http.routers.traefik-https.tls.certresolver=le"
        # Use the traefik_net network that is declared below
        - "traefik.docker.network=traefik_net"
        # Use the auth for traefik dashboard
        - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_AUTH_USER_PASSWORD}"
        - "traefik.http.routers.traefik-https.middlewares=traefik-auth"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-public-certificates:/certificates
    command:
      - --providers.docker
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.le.acme.email=port@port.com
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=http
      - --accesslog
      - --log
      - --api
    networks:
      - traefik_net
  agent:
    image: portainer/agent:latest
    environment:
      # REQUIRED: Should be equal to the service name prefixed by "tasks." when
      # deployed inside an overlay network
      AGENT_CLUSTER_ADDR: tasks.agent
      # AGENT_PORT: 9001
      # LOG_LEVEL: debug
    env_file:
      - ./.env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [ node.platform.os == linux ]
  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    volumes:
      - portainer_data:/data
    networks:
      - traefik_net
      - agent_network
    env_file:
      - ./.env
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [ node.role == manager ]
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.portainer.service=portainer"
        - "traefik.http.routers.portainer.rule=Host(`portainer.com`)"
        - "traefik.http.routers.portainer.entrypoints=https"
        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
        - "traefik.http.routers.portainer.tls=true"
        - "traefik.http.routers.portainer.tls.certresolver=le"
        - "traefik.docker.network=traefik_net"
        - "traefik.http.middlewares.portainer-redirect.redirectregex.regex=^https?://portainer.com:8443"
        - "traefik.http.middlewares.portainer-redirect.redirectregex.replacement=https://portainer.com"
        - "traefik.http.middlewares.portainer-redirect.redirectregex.permanent=true"
        - "traefik.http.routers.portainer.middlewares=portainer-redirect"
Just need to add one more entrypoint and it will work:
version: '3.8'
services:
  reverse-proxy:
    image: traefik:latest
    ports:
      - 80:80
      - 443:443
      - 8443:8443
    env_file:
      - ./.env
    deploy:
      placement:
        constraints: [node.role == manager]
      update_config:
        failure_action: rollback
      labels:
        # Enable traefik for the specific service
        - "traefik.enable=true"
        # global redirect to https
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=http"
        - "traefik.http.routers.http-catchall.middlewares=https-redirect"
        - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
        # Make the Traefik use this domain in HTTPS
        - "traefik.http.routers.traefik-https.rule=Host(`traefik.com`)"
        # Allow the connections to the traefik api for the dashboard support
        - "traefik.http.routers.traefik-https.service=api@internal"
        - "traefik.http.services.traefik-svc.loadbalancer.server.port=9999"
        # Use the Let's encrypt resolver
        - "traefik.http.routers.traefik-https.tls=true"
        - "traefik.http.routers.traefik-https.tls.certresolver=le"
        # Use the traefik_net network that is declared below
        - "traefik.docker.network=traefik_net"
        # Use the auth for traefik dashboard
        - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_AUTH_USER_PASSWORD}"
        - "traefik.http.routers.traefik-https.middlewares=traefik-auth"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-public-certificates:/certificates
    command:
      - --providers.docker
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --entrypoints.https-new.address=:8443
      - --certificatesresolvers.le.acme.email=port@port.com
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=http
      - --accesslog
      - --log
      - --api
    networks:
      - traefik_net
  agent:
    image: portainer/agent:latest
    environment:
      # REQUIRED: Should be equal to the service name prefixed by "tasks." when
      # deployed inside an overlay network
      AGENT_CLUSTER_ADDR: tasks.agent
      # AGENT_PORT: 9001
      # LOG_LEVEL: debug
    env_file:
      - ./.env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [ node.platform.os == linux ]
  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    volumes:
      - portainer_data:/data
    networks:
      - traefik_net
      - agent_network
    env_file:
      - ./.env
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [ node.role == manager ]
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.portainer.service=portainer"
        - "traefik.http.routers.portainer.rule=Host(`portainer.com`)"
        - "traefik.http.routers.portainer.entrypoints=https,https-new"
        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
        - "traefik.http.routers.portainer.tls=true"
        - "traefik.http.routers.portainer.tls.certresolver=le"
        - "traefik.docker.network=traefik_net"
        - "traefik.http.middlewares.portainer-redirect.redirectregex.regex=^https?://portainer.com:8443"
        - "traefik.http.middlewares.portainer-redirect.redirectregex.replacement=https://portainer.com"
        - "traefik.http.middlewares.portainer-redirect.redirectregex.permanent=true"
        - "traefik.http.routers.portainer.middlewares=portainer-redirect"
I am new to Traefik but trying to migrate from jwilder/nginx-proxy and letsencrypt-companion to Traefik.
I have set up Traefik with this config file:
traefik.yml
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
api:
  dashboard: true
  insecure: true
certificatesResolvers:
  le:
    acme:
      email: username@gmail.com
      storage: acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web
providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false
docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik:v2.2
    restart: always
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /data/disk1/traefik/traefik.yml:/traefik.yml
      - /data/disk1/traefik/acme.json:/acme.json
    container_name: traefik
When starting one container on domain #1
docker-compose.yml
version: "3"
services:
  confluence:
    container_name: confluence
    image: atlassian/confluence-server:7.6.2
    volumes:
      - /data/disk1/atlassian/application-data/confluence:/var/atlassian/application-data/confluence
    ports:
      - "8090:8090"
    external_links:
      - postgres:postgres
    environment:
      - CATALINA_CONNECTOR_PROXYNAME=confluence.tld
      - CATALINA_CONNECTOR_PROXYPORT=443
      - CATALINA_CONNECTOR_SCHEME=https
      - CATALINA_CONNECTOR_SECURE=true
      - VIRTUAL_HOST=confluence.tld
      - VIRTUAL_NETWORK=web
      - VIRTUAL_PORT=8090
      - LETSENCRYPT_EMAIL=user@tld
      - LETSENCRYPT_HOST=confluence.tld
    labels:
      - traefik.enable=true
      - traefik.http.routers.confluence.rule=Host(`confluence.tld`)
      - traefik.http.routers.confluence.tls=true
      - traefik.http.routers.confluence.tls.certresolver=le
      - traefik.http.routers.confluence.service=confluence
      - traefik.http.services.confluence.loadbalancer.server.port=8090
    networks:
      - web
    restart: always
networks:
  web:
    external:
      name: web
It works perfect.
NOTE: I have kept the environment variables for jwilder/nginx-proxy for the time being
When launching another container with different tld I can't get that working.
E.g.
docker-compose.yml
version: "3"
services:
  confluence:
    container_name: myapp
    image: nginx:latest
    volumes:
      - /data/disk1/myapp/www/:/usr/share/nginx/html:ro
      - /data/disk1/myapp/conf/nginx.conf:/etc/nginx/nginx.conf:ro
    ports:
      - "9999:80"
    environment:
      - VIRTUAL_HOST=www.tld2,tld2
      - VIRTUAL_NETWORK=web
      - VIRTUAL_PORT=9999
      - LETSENCRYPT_EMAIL=user@tld2
      - LETSENCRYPT_HOST=www.tld2,tld2
    labels:
      - traefik.enable=true
      - traefik.http.routers.myapp.rule=Host(`tld2`) || Host(`www.tld2`)
      - traefik.http.routers.myapp.tls=true
      - traefik.http.routers.myapp.tls.certresolver=le
      - traefik.http.routers.myapp.service=tld2
      - traefik.http.services.myapp.loadbalancer.server.port=9999
    networks:
      - web
    restart: always
networks:
  web:
    external:
      name: web
It doesn't work but everything looks OK in Traefik dashboard.
Any ideas?
There is an error in the second docker-compose.yml:
You define the router named myapp to use a service named tld2:
traefik.http.routers.myapp.service=tld2
but your service is named myapp:
traefik.http.services.myapp.loadbalancer.server.port=9999
This should have generated an error in Traefik's log regarding an unresolvable service.
To fix this, configure your router myapp to use the service myapp:
traefik.http.routers.myapp.service=myapp
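The two fixes above (a published port with no entrypoint behind it, and a router that points at a service name that is never defined) can be caught before deploying. This is an added example, not code from the original posts; `lint` and the sample lists are illustrative, constructed from labels quoted on this page, and names are compared exactly as written.

```python
import re

# Key shapes as they appear in the compose files on this page.
ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(service|entrypoints)=(.*)$", re.I)
SERVICE_RE = re.compile(r"^traefik\.http\.services\.([^.]+)\.", re.I)
ENTRYPOINT_RE = re.compile(r"^--entrypoints\.([^.]+)\.address=:(\d+)", re.I)


def lint(command, published_ports, labels):
    """Return sorted findings for one Traefik v2 stack (illustrative helper)."""
    entrypoints = {}  # entrypoint name -> listening port
    for arg in command:
        m = ENTRYPOINT_RE.match(arg)
        if m:
            entrypoints[m.group(1)] = int(m.group(2))
    services = {m.group(1) for m in map(SERVICE_RE.match, labels) if m}
    findings = []
    for label in labels:
        m = ROUTER_RE.match(label)
        if not m:
            continue
        router, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if key == "service":
            # name@provider (e.g. api@internal) belongs to another provider: skip.
            if "@" not in value and value not in services:
                findings.append(f"router {router}: service '{value}' is not defined")
        else:
            for ep in (e.strip() for e in value.split(",")):
                if ep not in entrypoints:
                    findings.append(f"router {router}: entrypoint '{ep}' is not defined")
    # Assumption: published_ports holds the container-side port of each mapping.
    # The implicit entrypoint created by --api.insecure is not modelled here.
    for port in published_ports:
        if port not in entrypoints.values():
            findings.append(f"published port {port} has no entrypoint behind it")
    return sorted(findings)


# Constructed sample: labels from the Portainer and myapp questions, merged.
COMMAND = ["--entrypoints.http.address=:80", "--entrypoints.https.address=:443"]
PORTS = [80, 443, 8443]
LABELS = [
    "traefik.http.routers.portainer.service=portainer",
    "traefik.http.routers.portainer.entrypoints=https",
    "traefik.http.services.portainer.loadbalancer.server.port=9000",
    "traefik.http.routers.traefik-https.service=api@internal",
    "traefik.http.routers.myapp.service=tld2",
    "traefik.http.services.myapp.loadbalancer.server.port=9999",
]
# The same stack with both answers applied.
FIXED_COMMAND = COMMAND + ["--entrypoints.https-new.address=:8443"]
FIXED_LABELS = [l.replace("entrypoints=https", "entrypoints=https,https-new")
                 .replace("service=tld2", "service=myapp") for l in LABELS]

if __name__ == "__main__":
    for finding in lint(COMMAND, PORTS, LABELS):
        print(finding)
```
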
I am trying to use Traefik 2 with 2 endpoints
toto.xxx/tata
toto.xxx/titi
But any endpoints work.
My docker-compose is
version: "3.7"
services:
  traefik:
    image: traefik:v2.2
    restart: unless-stopped
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    ports:
      - 80:80
      - 444:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${TRAEFIK_ACME}/acme.json:/etc/traefik/acme.json
      - ${TRAEFIK_CONFIG}/traefik.yaml:/etc/traefik/traefik.yaml:ro
      - ${TRAEFIK_LOG}:/etc/traefik/traefik_log
    labels:
      # General
      - "traefik.enable=true"
      # Traefik internal rules
      - "traefik.http.routers.traefik.service=api@internal"
      # hostname
      - "traefik.http.routers.traefik.rule=Host(`ubuntu.local`) && PathPrefix(`/traefik`)"
      # Authentication
      # - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD"
      # - "traefik.http.routers.traefik.middlewares=traefik-auth"
      # HTTPS
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      # Internal port
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      # Prefixes
      - "traefik.http.middlewares.prefix-traefik.stripprefix.prefixes=/traefik"
      - "traefik.http.middlewares.traefik.stripprefix.forceslash=true"
      - "traefik.http.routers.traefik.middlewares=prefix-traefik@docker"
Does anyone have any ideas?
Thanks
I don't see from the snippet you shared how you tried to configure Traefik with these endpoints. Can you add more info?
In case you are trying to proxy traffic to other services behind the proxy, you need to set labels on these services with the needed router rules. Below is an example of doing this
proxy:
  image: traefik:v2.2
  command:
    - '--log.level=DEBUG'
    - '--providers.docker=true'
    - '--entryPoints.web.address=:80'
    - '--providers.providersThrottleDuration=2s'
    - '--providers.docker.watch=true'
    - '--providers.docker.swarmMode=true'
    - '--providers.docker.swarmModeRefreshSeconds=15s'
    - '--providers.docker.exposedbydefault=false'
    - '--providers.docker.defaultRule=Host("lvh.me")'
    - '--accessLog.bufferingSize=0'
    - '--api=true'
    - '--api.dashboard=true'
    - '--api.insecure=true'
    - '--ping.entryPoint=web'
    - '--providers.redis.endpoints=redis:6379'
    - '--providers.redis.rootkey=traefik'
  volumes:
    - '/var/run/docker.sock:/var/run/docker.sock:ro'
  ports:
    - '80:80'
    - '8080:8080'
  deploy:
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
  networks:
    - traefik
mailcatcher:
  image: sj26/mailcatcher
  deploy:
    labels:
      - traefik.enable=true
      - traefik.tags=public
      - traefik.http.services.mailcatcher.loadbalancer.server.port=1080
      - traefik.http.routers.mailcatcher.rule=Host(`lvh.me`) && PathPrefix(`/mailcatcher`)
      - traefik.http.routers.mailcatcher.service=mailcatcher
      - traefik.http.routers.mailcatcher.entrypoints=web
      - traefik.docker.network=traefik
  logging:
    driver: json-file
    options:
      'max-size': '10m'
      'max-file': '5'
  networks:
    - traefik
I'm starting up Traefik version 2.1.4 with the following configuration:
defaultEntryPoints:
  - http
entryPoints:
  hole-1:
    address: ':663'
frontends:
  hole-frontend-1:
    backend: hole-backend-1
    entrypoints:
      - hole-1
backends:
  hole-backend-1:
    servers:
      hole-server-1:
        url: 'http://11.23.24.1:3000'
        weight: 10
When I hit the http://11.23.24.1:663 I'm hit with the Traefik page 404 pages not found. When I go to http://11.23.24.1:3000 in the browser, it works, it displays the page.
I can't seem to figure out how to set up a reverse proxy in Traefik to point http://11.23.24.1:663 to http://11.23.24.1:3000.
I tried this, but I get the error
2020/02/18 11:39:43 command traefik.exe error: no valid configuration found in file: C:\config\traefik.yaml
http:
  routers:
    hole-router-1:
      rule: "Host(`11.23.24.1`) && PathPrefix(`/`)"
      service: hole-service
  services:
    hole-service:
      loadBalancer:
        servers:
          - url: http://11.23.24.1:3000
C:\config\traefik\traefik.yaml:
entryPoints:
  hole-1:
    address: ":661"
providers:
  file:
    filename: C:\config\traefik\dynamic.yaml
C:\config\traefik\dynamic.yaml:
http:
  routers:
    hole-router-1:
      rule: "Path(`/`)"
      entryPoints:
        - hole-1
      service: hole-service
  services:
    hole-service:
      loadBalancer:
        servers:
          - url: http://10.23.24.10:3000
I started Traefik with: traefik.exe --configFile=C:/config/traefik/traefik.yaml
Traefik 2.1 does not support frontends and backends any more.
This repository provides some examples to deploy Traefik 2.1 https://github.com/wshihadeh/traefik_v2
Example to do it with Docker:
version: '3.7'
networks:
  traefik:
    external: true
volumes:
  db_data:
services:
  proxy:
    image: traefik:v2.1
    command:
      - '--providers.docker=true'
      - '--entryPoints.http.address=:80'
      - '--providers.providersThrottleDuration=2s'
      - '--providers.docker.watch=true'
      - '--providers.docker.exposedbydefault=false'
      - '--providers.docker.defaultRule=Host("local.me")'
      - '--accessLog.bufferingSize=0'
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    ports:
      - '663:80'
    deploy:
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 120s
      update_config:
        delay: 10s
        order: start-first
        parallelism: 1
      rollback_config:
        parallelism: 0
        order: stop-first
    logging:
      driver: json-file
      options:
        'max-size': '10m'
        'max-file': '5'
    networks:
      - traefik
  hole-backend:
    image: hole-backend:demo-v1
    command: 'web'
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.services.hole.loadbalancer.server.port=8080
        - traefik.http.routers.hole.rule=Host(`hole.local.me`)
        # the router must reference the service defined above (hole)
        - traefik.http.routers.hole.service=hole
        # the entrypoint name must match the one declared on the proxy (http)
        - traefik.http.routers.hole.entrypoints=http
        - traefik.docker.network=traefik
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 120s
      update_config:
        delay: 10s
        order: start-first
        parallelism: 1
      rollback_config:
        parallelism: 0
        order: stop-first
    logging:
      driver: json-file
      options:
        'max-size': '10m'
        'max-file': '5'
    networks:
      - traefik
I would like to use Traefik in a swarm cluster. Following this guide https://docs.traefik.io/user-guide/swarm-mode/#deploy-traefik I've written this stack file:
traefik:
  image: traefik:alpine
  deploy:
    placement:
      constraints:
        - node.role == manager
  command: --api --docker --docker.watch --docker.swarmMode
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
  ports:
    - "80:80"
    - "8080:8080"
  labels:
    - "traefik.enable=false"
backend:
  image: registry.example.com/backend
  labels:
    - "traefik.backend=backend"
    - "traefik.backend.buffering.maxRequestBodyBytes=2147483648"
    - "traefik.backend.loadbalancer.sticky=true"
    - "traefik.frontend.rule=Host:backend.localhost"
    - "traefik.frontend.passHostHeader=true"
    - "traefik.port=80"
api:
  image: registry.example.com/api
  labels:
    - "traefik.backend=api"
    - "traefik.backend.buffering.maxRequestBodyBytes=2147483648"
    - "traefik.backend.loadbalancer.sticky=true"
    - "traefik.frontend.rule=Host:api.localhost"
    - "traefik.frontend.passHostHeader=true"
    - "traefik.port=80"
Traefik starts but nothing is configured; I cannot understand where the error is.
You forgot the network part from the example.
You are missing both the network-related labels and the networks themselves:
    deploy:
      labels:
        - "traefik.docker.network=traefik-network" # for both api and backend
    ...
    networks:
      - "traefik-network" # for traefik, api and backend
...
networks:
  traefik-network: {} # you can also make it external
EDIT:
Also, on swarm, the labels should be set under the "deploy" section of your service, and not on the service itself.