I'm trying to get a traefik docker instance running on my raspberry pi 4 8gb. I have everything setup, but I can't get the let's encrypt certification working. (My name registrar is Porkbun)
Here's my docker-compose :
Version: '3.4'
services:
traefik:
image: 'traefik:2.3'
restart: 'unless-stopped'
ports:
- '80:80'
- '443:443'
volumes:
- '/var/run/docker/sock:/var/run/docker.sock'
- './config_files/traefik.toml:/traefik.toml'
- './config_files/traefik_dynamic.toml:/traefik_dynamic.toml'
- './config_files/acme.json:/acme.json'
networks:
- pi
whoami:
image: 'traefik/whoami'
restart: 'unless-stopped'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.whoami.rule=PathPrefix(`/whoami{regex:$$|/.*}`)'
- 'traefik.http.services.whoami.loadbalancer.server.port=80'
networks:
pi:
external: true
And here's my traefik.toml :
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "lets-encrypt"
[api]
dashboard = true
[certificatesResolvers.lets-encrypt.acme]
email = "lucien.astie#gmail.com"
storage = "acme.json"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
[providers.docker]
watch = true
network = "web"
exposedByDefault = false
[providers.file]
filename = "traefik_dynamic.toml"
Lastly my traefik_dynamic.toml :
[http.middlewares.simpleAuth.basicAuth]
users = [
"uberfluff:$apr1$qAWpnRq5$W94tcAy9JCKE6TN.Zy/Kp1"
]
[http.routers.api]
rule = "Host(`lulusworld.art`)"
entrypoints = ["web"]
middlewares = ["simpleAuth"]
service = "api#internal"
[http.routers.api.tls]
certResolver = "lets-encrypt"
But with all of this I get this error :
Unable to obtain ACME certificate for domains "lulusworld.art": unable to generate a certificate for the domains [lulusworld.art]: error: one or more domains had a problem:\n[lulusworld.art] acme: error: 400 :: urn:ietf:params:acme:error:dns :: no valid A records found for lulusworld.art; no valid AAAA records found for lulusworld.art, url: \n" routerName=api#file rule="Host(lulusworld.art)" providerName=lets-encrypt.acme
Here's what I did to try to fix this :
I made a A record (the record is working but not the SSL)
According to docs for wildcard certificate you need DNS challenge but I can't get porkbun working with DNS Challenge
If you have any idea how I could solve my problem it would be greatly appreciated.
I want to redirect the request to a non-dockerized webapp running in another host using traefik.
I am starting traefik with docker-compose with the following yml :
version: "3.3"
services:
reverse-proxy:
image: traefik:v2.4
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.file=true"
- "--providers.file.filename=/etc/traefik/rules.toml"
ports:
- "80:80"
- "8050:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- "./rules.toml:/etc/traefik/rules.toml"
labels:
- traefik.enable=false
And my rules.toml file is :
[entrypoints]
[entrypoints.http]
address = ":8080"
[providers]
[providers.file]
[http]
[http.routers]
[http.routers.auth-router]
rule = "Path(`/auth`)"
service = "auth"
entrypoint=["http"]
[http.services]
[http.services.auth.loadbalancer]
[[http.services.auth.loadbalancer.servers]]
url = "http://myhost.com:8080/auth"
Whenever user opens http://localhost:8080/auth, traefik should redirect them to http://myhost.com:8080/auth, that is my requirement. but I'm getting the following error during traefik startup
Cannot start the provider *file.Provider: field not found, node: entrypoint"
How can I resolve this issue.
The error makes it seem like it's a file provider issue, but I think it's just a type on your part -- should be entryPoints (uppercase P) in your rules.toml file
[entryPoints]
[entryPoints.http]
address = ":8080"
[providers]
[providers.file]
[http]
[http.routers]
[http.routers.auth-router]
rule = "Path(`/auth`)"
service = "auth"
entryPoints = ["http"]
[http.services]
[http.services.auth.loadbalancer]
[[http.services.auth.loadbalancer.servers]]
url = "http://myhost.com:8080/auth"
This probably a newbie question regarding traefik and the SSL configuration.
I'd like to use my own (self-signed, company, ...) certificates with traefik. I tried to follow the documentation, but I keep on getting the following message:
... level=debug msg="No default certificate, generating one"
My traefik.tomllooks like this:
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[log]
level = "DEBUG"
[api]
insecure = true
dashboard = true
[providers.docker]
exposedByDefault = false
[[tls]]
entryPoints = ["websecure"]
[[tls.certificate]]
certFile = "/certs/cert.crt"
keyFile = "/certs/cert.key"
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "/cert/cert.crt"
keyFile = "/cert/cert.key"
and my docker-compose.yml looks like this:
version: '3'
services:
reverse-proxy:
# The official v2 Traefik docker image
image: traefik:v2.2
ports:
# The HTTP port
- "80:80"
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock:ro
- $PWD/shared/traefik/etc/traefik.toml:/etc/traefik/traefik.toml
- $PWD/shared/traefik/ssl:/certs/
whoami:
# A container that exposes an API to show its IP address
image: containous/whoami
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.basic-auth-whoami.basicauth.users=***:***"
- "traefik.http.middlewares.strip-whoami.stripprefix.prefixes=/whoami"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.middlewares=basic-auth-whoami#docker,strip-whoami#docker"
- "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`) && Host(`<mydomain>`)"
- "traefik.http.services.whoami-poc-traefik.loadbalancer.server.port=80"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.redirs.entrypoints=web"
- "traefik.http.routers.redirs.middlewares=redirect-to-https"
- "traefik.http.routers.whoami.tls=true"
I am quite sure this is something trivial but I can't figure it out (both the toml syntax and traefik concepts being a too much to swallow at once).
I finally found out what was not working by following this blog
I had to:
Add file provider for dynamic configuration to my traefik.toml file:
[providers.file]
filename = "/tls-certs.toml"
Add a volume mapping to my docker-compose.yml file:
- $PWD/shared/traefik/etc/tls-certs.toml:/tls-certs.toml
Provide a tls-certs.toml file:
[[tls.certificates]] #first certificate
certFile = "/certs/cert.crt"
keyFile = "/certs/cert.key"
I am trying to serve a dockerized version of phantombot with traefik and let traefik handle the certificates for ssl.
Since phantombot uses a websocket, the websocket itself can only be accessed via wss when connecting externally but on the internal network it is listet as ws since phantombot runs in http mode.
I have tried to create an entrypoint at port 82 for wss which looks like this in the toml:
[entryPoints.panel]
adress = ":82"
[entryPoints.panel.tls]
[[entryPoints.panel.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
And the corresponding labels in the bot's docker-compose:
- traefik.panel.frontend.rule=Host:my.domain.com
- traefik.panel.frontend.entryPoints=panel
- traefik.panel.frontend.protocol=ws
- traefik.panel.port=82
Exposed ports on the container for the bot:
expose:
- 80
- 81
- 82
I have tried changing the protocols, making a catchall but nothing seems to work. Everytime I try to connect, I get an error-message in the browser stating that wss://my.domain.com:82/ is not answering and a HTTP(500): Broken Pipe in the bot's interface.
I am at my wits' end.
It would be nice if someone could help me :)
Edit: docker-compose of traefik
version: '3'
services:
traefik:
image: traefik:latest
container_name: traefik
ports:
- "80:80"
- "443:443"
- "8080:8080"
- "81:81"
- "82:82"
networks:
- web
volumes:
- ./traefik.toml:/etc/traefik/traefik.toml
- ./traefik.log:/etc/traefik/traefik.log
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/letsencrypt/live/my.domain.com/cert.pem:/cert.pem
- /etc/letsencrypt/live/my.domain.com/privkey.pem:/privkey.pem
labels:
- traefik.frontend.rule=Host:monitor.my.domain.com
- traefik.port=8080
- traefik.docker.network=web
- traefik.enable=true
- traefik.frontend.auth.basic.users=user:pass
networks:
web:
external: true
Traefik Toml:
# uncomment this line to get debug info with "docker logs":
#debug = true
defaultEntryPoints = ["https","http"]
[traefikLog]
filePath = "/etc/traefik/traefik.log"
format = "json"
# The syntax is somewhat esoteric so this is mostly copy-paste
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
[entryPoints.ytplayer]
adress = ":81"
[entryPoints.ytplayer.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
]
sniStrict = true
OSCPMustStaple = true
[[entryPoints.ytplayer.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
[entryPoints.panel]
adress = ":82"
[entryPoints.panel.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
]
sniStrict = true
OSCPMustStaple = true
[[entryPoints.panel.tls.certificates]]
certFile = "/cert.pem"
keyFile = "/privkey.pem"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "morellenoir.de"
watch = true
exposedbydefault = false
# enable web configuration backend.
[web]
# Web administration port, proxied in docker-compose.yml
address = ":8080"
#traefik configuration
defaultEntryPoints = ["https","http"]
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
I want to unconditionally forward all requests to a backend, but when I try to visit it, I keep getting 404. Here are my configs.
docker-compose.yml
version: '3.3'
services:
load-balancer:
image: traefik:1.5-alpine
ports:
- 8080:80
volumes:
- ./traefik:/etc/traefik
server1:
build: server1
ports:
- 8081:80
traefik.toml
defaultEntryPoints = ["http"]
debug = true
logLevel = "DEBUG"
[accessLog]
[entryPoints.http]
address = ":80"
[frontends.dummy]
backend = "dummy"
entrypoints = ["http"]
[frontends.dummy.routes.all]
rule = "PathPrefix:/"
[backends.dummy.servers.server1]
url = "http://server1:80"
I can access server1 with no problem from localhost:8081 and http://server1 from inside the load-balancer container. But localhost:8080 keeps returning 404
The debug log
load-balancer_1 | time="2017-12-15T12:56:09Z" level=info msg="Using TOML configuration file /etc/traefik/traefik.toml"
load-balancer_1 | time="2017-12-15T12:56:09Z" level=info msg="Traefik version v1.5.0-rc2 built on 2017-12-06_03:07:42PM"
load-balancer_1 | time="2017-12-15T12:56:09Z" level=info msg="
load-balancer_1 | Stats collection is disabled.
load-balancer_1 | Help us improve Traefik by turning this feature on :)
load-balancer_1 | More details on: https://docs.traefik.io/basic/#collected-data
load-balancer_1 | "
load-balancer_1 | time="2017-12-15T12:56:09Z" level=debug msg="Global configuration loaded {"LifeCycle":{"RequestAcceptGraceTimeout":0,"GraceTimeOut":0},"GraceTimeOut":0,"Debug":true,"CheckNewVersion":true,"SendAnonymousUsage":false,"AccessLogsFile":"","AccessLog":{"format":"common"},"TraefikLogsFile":"","TraefikLog":null,"LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":null,"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}}},"Cluster":null,"Constraints":[],"ACME":null,"DefaultEntryPoints":["http"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":0,"InsecureSkipVerify":false,"RootCAs":null,"Retry":null,"HealthCheck":{"Interval":30000000000},"RespondingTimeouts":null,"ForwardingTimeouts":null,"Web":null,"Docker":null,"File":null,"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null,"ServiceFabric":null,"Rest":null,"API":null,"Metrics":null,"Ping":null}"
load-balancer_1 | time="2017-12-15T12:56:09Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc42060ea60} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
load-balancer_1 | time="2017-12-15T12:56:09Z" level=info msg="Starting server on :80"
load-balancer_1 | 172.21.0.1 - - [15/Dec/2017:12:56:17 +0000] "GET / HTTP/1.1" - - - "curl/7.54.0" 1 - - 0ms
The last access log is from the command
curl localhost:8080
and it returned
404 page not found
I don't want to use the docker backend, just want to let traefik do the conventional round-robin from the container. I wonder if it's possible?
okay, after joining slack, Machael Matul pointed out you will need
[file] declared somewhere after entry points
[file]
and for backend to work, it has to be before routes declaration on frontend.
example:
[frontends]
[frontends.frontend1]
backend = "buffalo"
[frontends.frontend1.routes.web]
rule = "Host:xyz.com"
entrypoints = ["http","https"]
example of complete:
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
[accessLog]
[web]
address = ":8080"
[web.auth.basic]
users = ["admin:md5hashedpassword"]
[acme]
email = "info#xyz.com"
storage = "/acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[file]
watch = true
[backends]
[backends.buffalo]
[backends.buffalo.loadbalancer.stickiness]
[backends.buffalo.servers.server1]
url = "http://node1:3000"
[backends.buffalo.servers.server2]
url = "http://node2:3000"
[backends.backendNginx]
[backends.backendNginx.loadbalancer.stickiness]
[backends.backendNginx.servers.server1]
url = "http://nginx1:8080"
[backends.backendNginx.servers.server2]
url = "http://nginx2:8080"
[backends.ai6forum]
[backends.ai6forum.loadbalancer.stickiness]
[backends.ai6forum.servers.server1]
url = "http://10.140.0.9:80"
[frontends]
[frontends.frontend1]
backend = "buffalo"
[frontends.frontend1.routes.web]
rule = "Host:xyz.com"
entrypoints = ["http","https"]
passHostHeader = true
passTLSCert = true
priority = 10
[frontends.nginx]
backend = "backendNginx"
[frontends.nginx.routes.web]