I am considering replacing Apache for Traefik for my web project (Kestrel / .Net Core). After reading the documentation, a few things remain unclear to me regarding Traefik:
1/ Does Traefik automatically handle the LetsEncrypt certificate renewal or does it need to be done manually or via an external script? From the doc it's said that this is performed when adding a new host or restart, but what happens after 3 months of Traefik running without any restart/new host added?
2/ When a Docker backend becomes unreachable, how is it possible to serve a custom static HTML page? I can see how to set specific error page from the documentation, but not how to redirect trafic to it when a given backend becomes unavailable.
3/ When a Docker backend needs to be updated, is there some steps that need to be performed on Traefik prior to performing the Docker stop/restart?
4/ It seems I can't get to have 2 docker backend running at the same time, see the configuration file below, if I uncomment the 2nd backend (api.mydomain.io), then the 1st one becomes not available anymore. Am I missing something here?
version: '3'
services:
reverse-proxy:
image: traefik # The official Traefik docker image
command: --docker # Enables the web UI and tells Træfik to listen to docker
ports:
- "80:80" # The HTTP port
- "443:443" # The HTTPS port
- "8080:8080" # The Web UI (enabled by --api)
networks:
- proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- $PWD/traefik.toml:/etc/traefik/traefik.toml
- $PWD/acme.json:/acme.json
- /root/mydomain_prod/cert/:/certs/
- /root/mydomain_prod/503.html:/503.html
container_name: traefik-reverse-proxy
##############################
# Front - www.mydomain.io
##############################
mydomain-front:
image: mydomain-front
labels:
- traefik.enable=true
- traefik.backend=mydomain-front
- traefik.frontend.rule=Host:traefik.mydomain.io
- traefik.port=8084
networks:
- internal
- proxy
container_name: mydomain-front
##############################
# API - api.mydomain.io
# Note: If I uncomment this one, then www.mydomain.io won't work anymore
##############################
#mydomain-api:
# image: mydomain-api
# labels:
# - traefik.enable=true
# - traefik.backend=mydomain-api
# - traefik.frontend.rule=Host:api.mydomain.io
# - traefik.port=8082
# networks:
# - internal
# - proxy
# container_name: mydomain-api
Many thanks,
Flo
1/ Traefik can handle the LetsEncrypt certificate renewal. Just remember to create a Volume to store the acme.json file. When the certificate expires, Traefik will do the renewal without asking.
2/ I don’t know if it’s possible. If you find a solution, share it.
3/ When you need to update a Docker, just update it. Traefik will be trigger from that change and update is own configuration.
4/ You can have to backend running at the same time. Below you can see a docker-compose.yml configuration :
version: '3'
services:
two-backend-service:
restart: always
image: ……..
labels:
- traefik.enable=true
- traefik.service1.frontend.rule=Host:service1.exemple.com
- traefik.service1.frontend.passHostHeader=true
- traefik.service1.port=8082
- traefik.Service2.backend=service2
- traefik.Service2.frontend.rule=Host:service2.exemple.com
- traefik.Service2.frontend.passHostHeader=true
- traefik.Service2.port=8081
traefik:
build:
context: ./traefik
dockerfile: Dockerfile
restart: always
ports:
- 80:80
- 443:443
labels:
- traefik.enable=false
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- traefik_letsencrypt:/etc/traefik/acme/
volumes:
traefik_letsencrypt:
driver: local
Related
I currently have a Traefik setup with one nodejs service running locally in a docker container with a docker-compose.yml file like so:
container_name: nestjs-server
build:
context: ./
dockerfile: Dockerfile
networks:
- traefik-global-proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.nestjs-server.rule=Host(`mydomain.com`) || Host(`www.mydomain.com`)"
- "traefik.http.routers.nestjs-server.entrypoints=websecure"
- "traefik.http.routers.nestjs-server.tls.certresolver=letsencrypt"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
I am running on a 1vCPU / 2GB cloud instance. Now I would like to add a second node app instance on another VM. I have seen it is possible to add server instances to the load balancer like so:
services:
my-service:
loadBalancer:
servers:
- url: "http://<private-ip-server-1>:<private-port-server-1>/"
- url: "http://<private-ip-server-2>:<private-port-server-2>/"
But I am not sure how to load balance between instances on another service alongside local docker instances. I have read that it is not possible to mix the label based config with the file config, so I assume I'd need to do something like:
my-service:
loadBalancer:
servers:
- url: "http://<private-ip-server-1>:<private-port-server-1>/"
- port: "<local-port-server-2>"
Is this possible? What is the correct way to accomplish this, other than having everything run on the same machine within docker?
I have a problem with Traefik. All my services are OK, Traefik does his job, retrieves the certificates of Lets Encrypt, makes Load blancing between my different applications.
My problem is that I can't access the Dashboard, it asks me a login/password, yet I informed it in the docker-compose.
version: "3.7"
services:
traefik:
image: traefik:chevrotin
command:
--entrypoints.http.address=:80
--entrypoints.https.address=:443
--providers.docker=true
--api=true
--certificatesresolvers.letsencrypt.acme.httpchallenge=true
--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http
--certificatesresolvers.letsencrypt.acme.email=mymail#mail.com
--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
labels:
- traefik.enable=true
# Redirect all HTTP traffic to HTTPS
- traefik.http.routers.to-https.rule=Host(`traefik.mydomain.com`)
- traefik.http.routers.to-https.entrypoints=http
- traefik.http.routers.to-https.middlewares=to-https
- traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)
- traefik.http.routers.traefik.entrypoints=http
- traefik.http.routers.traefik.middlewares=auth
- traefik.http.routers.traefik.service=api#internal
- traefik.http.routers.traefik.tls=true
- traefik.http.routers.traefik.tls.certresolver=letsencrypt
- traefik.http.middlewares.to-https.redirectscheme.scheme=https
- traefik.http.middlewares.auth.basicauth.users=MyLogin:MyPassword
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /docker/letsencrypt:/letsencrypt
if you have a idea. Thanks
I find. I'm not encoded my password.
I use this website : https://www.web2generators.com/apache-tools/htpasswd-generator
to encoded my password.
"traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj
Note: all dollar signs in the hash need to be doubled for escaping
I am having some trouble accessing my phpmyadmin through traefik2 reverse proxy! all the other apps I am using in my docker-compose are working correctly through traefik. Its as simple as setting the labels up, specififying which domain to use, and then going to that through a browser. Right now I am able to access phpmyadmin through the local ip and port, but unable to through my domain. I just get a 404 not found error. This is my phpmyadmin docker-compose setup.
phpmyadmin:
image: phpmyadmin/phpmyadmin:latest
depends_on:
- mariadb
container_name: phpmyadmin
restart: unless-stopped
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
# volumes:
# - $USERDIR/docker/phpmyadmin/config.user.inc.php:/etc/phpmyadmin/config.user.inc.php
environment:
- PMA_PORT=$DB_PORT
- PMA_HOST=$MYSQL_HOST
# - PMA_ABSOLUTE_URI=$ABSOLUTE_URI
# - PMA_ARBITRARY=1
- MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD
ports:
- $PHPMYADMIN_PORT:80
labels:
- "traefik.enable=true"
# - "traefik.backend=phpmyadmin"
## HTTP Routers
- "traefik.http.routers.phpmyadmin-rtr.entrypoints=https"
- "traefik.http.routers.phpmyadmin-rtr.rule=Host(`phpmyadmin.$DOMAINNAME`)"
## Middlewares
- "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-oauth#file"
## HTTP Services
- "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
- "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"
I am also getting a very similar error with my php/apache container that I can access locally but not through traefik. All the other containers have been a simple swap of the labels, rename them and boom, they are accessible ! what am I doing wrong? I tried adding PMA_ABSOLUTE_URI=$ABSOLUTE_URI and I can't figure out how to enable ssl in phpmyadmin in docker.
and it still doesnt work but phpmyadmin says:
There is a mismatch between HTTPS indicated on the server and client. This can lead to a non working phpMyAdmin or a security risk. Please fix your server configuration to indicate HTTPS properly.
And also for my apache server it is setup like this, with a similar problem where it can be accessed from localhost but not traefik!
apache:
build:
context: $USERDIR/docker/apache
dockerfile: Dockerfile
container_name: apache
volumes:
- $USERDIR/WEBSITE:/var/www/html/
ports:
- 6546:80
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.apache-rtr.entrypoints=https"
# - "traefik.http.routers.tautulli-rtr.rule=Host(`web.$DOMAINNAME`)"
- "traefik.http.routers.apache-rtr.rule=Host(`$SECONDDOMAINNAME`)"
## Middlewares
- "traefik.http.routers.apache-rtr.middlewares=chain-no-auth#file"
## HTTP Services
- "traefik.http.routers.apache-rtr.service=apache-svc"
- "traefik.http.services.apache-svc.loadbalancer.server.port=80"
sorry if this is alot, I am very new to docker, and really trying to figure this out! If i posted this in the wrong spot or something, let me know!
and if you need anymore information, please also let me know!
Try adding in the label - "traefik.http.routers.phpmyadmin-rtr.tls=true"
This fixed the issue for me
I have traefik running in my docker swarm, doing https proxying for a couple of websites, this part is working fine.
The problem is that I have one container that only publishes a WSS (mosquitto), for my home automation setup, and I can't get it to work.
In my automation stack yml file I have the following stanza for mosquitto, from what I have read on various pages, I just need to specify HTTPS as a protocol, as it also covers WSS
mqtt:
deploy:
restart_policy:
condition: any
delay: 5s
max_attempts: 3
window: 120s
placement:
constraints:
- node.labels.mysensors==yes
replicas: 1
labels:
- traefik.frontend.rule=Host:mqtt.mydomain.com
- traefik.port=9001
- traefik.docker.network=traefik-public
- traefik.enable=true
- traefik.redirectorservice.frontend.entryPoints=http
- traefik.redirectorservice.frontend.redirect.entryPoint=https
- traefik.frontend.whiteList.sourceRange=192.168.0.0/16
- traefik.tags=traefik-public
- traefik.webservice.frontend.entryPoints=https
ports:
- 1883:1883
networks:
- homeautomation
- traefik-public
volumes:
- /opt/mosquitto:/mosquitto
image: "eclipse-mosquitto:1.4.12"
In my Traefik dashboard, I only see the other (https) service backends exposed, and not this WSS one.. Wonder what I am missing in my configuration.
Add in labels:
- traefik.backend.loadbalancer.stickiness: "true"
This will allow to support wss connections
I'm having a hard time trying to configure one redis container for all my applications using traefik. This is my configuration:
1 - Docker compose for Traefik and Redis:
version: '2'
services:
proxy:
container_name: traefik
image: traefik:1.3.6-alpine
command: --docker
ports:
- 80:80
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
networks:
- proxy
labels:
- traefik.frontend.rule=Host:monitor.company.dev
- traefik.port=8080
redis:
container_name: main_redis
image: redis:3.2
restart: always
volumes:
- ./data/redis:/data
networks:
- proxy
labels:
- traefik.backend=main-redis
- traefik.default.protocol=http
- traefik.frontend.rule=Host:main-redis.company.dev
- traefik.docker.network=proxy
- traefik.port=6379
networks:
proxy:
external: true
2 - Docker compose for my PHP Application.
version: '2'
services:
...
php:
container_name: myapp_php
build: ./docker/php # php:7.1-fpm base image
networks:
- internal
- proxy
labels:
- traefik.enable=false
- traefik.docker.network=proxy
expose:
- 9000
networks:
proxy:
external: true
internal:
external: false
I tried to connect my php application to main-redis.company.dev on both ports 6379 and 80 but I get a Redis::connect(): connect() failed: Connection refused message.
I also changed these stuff in my redis.conf:
Commented the line with bind 127.0.0.1
And changed protected-mode to no
My docker containers are staying in the same network, so I think it should work. Anyone knows why am I having this problem?
2022 UPDATE to #djeeg answer
For some time now you can use TCP mode for your routers. To do that you need to define the labels with TCP instead of HTTP
labels:
- "traefik.enable=true"
- "traefik.tcp.routers.redis.rule=HostSNI(`redis.example.com`)"
- "traefik.tcp.routers.redis.entrypoints=redis" //6379 entrypoint
- "traefik.tcp.routers.redis.tls.certresolver=myresolver" //let's encrypt resolver
- "traefik.tcp.routers.redis.service=redis"
- "traefik.tcp.services.redis.loadbalancer.server.port=6379"
once you got that working in order to connect assuming you are using TSL you will get error Error: Protocol error, got "H" as reply type byte.
To prevent this you need to do things.
Allow for tls connection in the connection string
Setup SNI for your DNS name or provide public certificate file via cert pr cacert
redis-cli -u redis://redis.example.com:6379 --tls --sni redis.example.com
First off, remove the traefik labels from your redis service definition, traefik is currently (Nov 2017) a HTTP proxy, so you can't expose the endpoint like that
See here:
https://github.com/containous/traefik/issues/10
https://github.com/containous/traefik/issues/1611
Then to connect the php service to the redis service, that looks like you are trying to do that within the same docker instance (rather than externally)
Instead of main-redis.company.dev:6379, it should be like on of these:
redis:6379
main_redis:6379
%PROJECT_NAME%_redis:6379
depending upon how you are deploying the container