We Keep Coding

Getting "Gateway Timeout" for Mautic behind Traefik proxy

I deployed an multicontainer application with Mautic behind a Traefik reverse proxy.
However, I am getting a "Gateway timeout".
The reverse proxy's configuration seems OK as other containers within the application work fine.
I also changed the mautic settings to the mautics domain name.
Any idea?
docker-compose.yml
version: '3.3'
services:
reverse-proxy:
image: traefik:v2.4
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./traefik:/etc/traefik
- /var/run/docker.sock:/var/run/docker.sock
mautic-app:
restart: always
image: mautic/mautic:v3
volumes:
- mautic_data:/var/www/html
environment:
- MAUTIC_DB_HOST=mautic-database
- MAUTIC_DB_USER=${MAUTIC_DB_USER}
- MAUTIC_DB_PASSWORD=${MAUTIC_DB_PASSWORD}
- MAUTIC_DB_NAME=mautic3
ports:
- 80
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.mautic.tls=true'
- 'traefik.http.routers.mautic.tls.domains[0].main=optin.${SITE}'
- 'traefik.http.routers.mautic.tls.certresolver=lets-encrypt'
- 'traefik.http.routers.mautic.rule=Host(`optin.${SITE}`)'
depends_on:
- mautic-database
networks:
- mautic-net
mautic-database:
image: powertic/percona-docker
restart: always
environment:
MYSQL_ROOT_PASSWORD: ${MAUTIC_DB_PASSWORD}
ports:
- 3306
volumes:
- database:/var/lib/mysql
command: --character-set-server=utf8mb4 --collation-server=utf8mb4_general_ci --sql-mode=""
networks:
- mautic-net
volumes:
database:
driver: local
mautic_data:
driver: local
networks:
mautic-net:
driver: bridge
traefik.toml
[log]
level = "DEBUG"
[providers]
[providers.docker]
exposedByDefault = false
[providers.file]
directory = "/etc/traefik/dynamic"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[certificatesResolvers.lets-encrypt.acme]
storage = "/etc/traefik/acme.json"
email = "jenslaufer#jenslaufer.com"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
force-https.toml
[http.routers]
[http.routers.force-https]
entryPoints = ["http"]
middlewares = ["force-https"]
rule = "HostRegexp(`{any:.+}`)"
service = "noop"
[http.middlewares]
[http.middlewares.force-https.redirectScheme]
scheme = "https"
[http.services]
[http.services.noop.loadBalancer]

Not sure if you're using Apache or PHP FPM behind the proxy.
But... Traefik does not support fastCgi Proxy
We encountered this issue with Traefik and set up our mautic kubernetes with nginx-proxy for that reason.

If you have docker running in swam mode, containers will have multiple networks attached. Traefik needs pointing to which network to use.
You must set label traefik.docker.network on the backend service container.
labels:
traefik.docker.network: <traefik network>
Otherwise, you will be getting success sometimes but most of the time traefik will return Gateway Timeout

It's a "misconfiguration" in docker-compose:
Traefik and Maurice are in different networks.
Moving Traefik to the mautic-net network fixed the problem.

Traefik and Harbor

I have changed the docker-compose.yml after the default Conf-Generation. My Proxy configuration looks like:
( I had only touched the proxy part )
proxy:
image: goharbor/nginx-photon:v1.9.4
container_name: nginx
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
volumes:
- ./common/config/nginx:/etc/nginx:z
networks:
- harbor
- web
dns_search: .
expose:
- 8080
ports:
- 8081:8080 #only to test if its online
labels:
- "traefik.enable=true"
- "traefik.backend=harbor-backend"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:harbor.example.com"
- "traefik.frontend.entryPoints=https,http"
- "traefik.port=8080"
depends_on:
- registry
- core
- portal
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "proxy"
networks:
harbor:
external: false
web:
external: true
In my Harbor.yml i had leaved the http port to 80 and disabled https.
My Proxy configuration is the default one.
The Web UI works fine but when I try to login with the docker client i get this response:
root#h2791112:~# docker login registry.example.com
Username: admin
Password:
Error response from daemon: Get https://registry.example.com/v2/: unauthorized: authentication required
And that are the crendentials that work with the ui
did I miss a label ?

This worked for me: https://github.com/goharbor/harbor/issues/3114#issuecomment-432962664
Follow the steps

SSL passthrough with Traefik

I need to send the SSL connections directly to the backend, not decrypt at my Traefik. The backend needs to receive https requests.
I tried the traefik.frontend.passTLSCert=true option but getting "404 page not found" error when I access my web app and also get this error on Traefik container
traefik | time="2018-09-16T10:47:41Z" level=error msg="Failed to create TLSClientConfig: no TLS provided"
traefik | time="2018-09-16T10:47:41Z" level=error msg="Failed to create RoundTripper for frontend frontend-Host-dev-mydomain-com-0: no TLS provided"
traefik | time="2018-09-16T10:47:41Z" level=error msg="Skipping frontend frontend-Host-dev-mydomain-com-0..."
Could you suggest any solution? Thank you.
I'm using Traefik version 1.6.6.
Here is my docker-compose.yml for the app container.
version: '3'
services:
app:
image: webdevops/php-nginx-dev:7.2
networks:
- proxy
volumes:
- ./:/app
- ../traefik/ssl/*.mydomain.com.crt:/opt/docker/etc/nginx/ssl/server.crt
- ../traefik/ssl/*.mydomain.com.key:/opt/docker/etc/nginx/ssl/server.key
environment:
- WEB_DOCUMENT_ROOT=/app
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:dev.mydomain.com
- traefik.docker.network=proxy
- traefik.port=443
networks:
proxy:
external: true
The docker-compose.yml of my Traefik container.
version: "3"
services:
traefik:
image: traefik
container_name: traefik
command:
- --api
- --docker
- --docker.exposedbydefault=false
restart: always
ports:
- 80:80
- 443:443
networks:
- proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./ssl:/sslcert
networks:
proxy:
external: true
Finally, my traefik.toml file.
debug = true
logLevel = "ERROR"
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/sslcert/*.mydomain.com.crt"
keyFile = "/sslcert/*.mydomain.com.key"
[retry]

Traefik now has TCP support in its new 2.0 version - which is still in alpha at this time (Apr 2019).
See PR https://github.com/containous/traefik/pull/4587
and the release notes of v2.0.0-alpha1 at https://github.com/containous/traefik/releases/tag/v2.0.0-alpha1 showing this TCP support PR being included
Hence once 2.0 is released (probably within 2-3 months), HTTPS passthrough will become possible.

Answer for traefik 1.0 (outdated)
passTLSCert forwards the TLS Client certificate to the backend, that is, a client that sends a certificate in the TLS handshake to prove it's identity.
Traefik is an HTTP reverse proxy. To establish the SSL connection directly with the backend, you need to reverse proxy TCP and not HTTP, and traefik doesn't (yet ?) support tcp (but there are issues for that on github).
Traefik won't fit your usecase, there are different alternatives, envoy is one of them.

The new passthrough for TCP routers is already available: https://docs.traefik.io/routing/routers/#passthrough

Deploying Traefik with LetsEncrypt and multiple Docker backend

I am considering replacing Apache for Traefik for my web project (Kestrel / .Net Core). After reading the documentation, a few things remain unclear to me regarding Traefik:
1/ Does Traefik automatically handle the LetsEncrypt certificate renewal or does it need to be done manually or via an external script? From the doc it's said that this is performed when adding a new host or restart, but what happens after 3 months of Traefik running without any restart/new host added?
2/ When a Docker backend becomes unreachable, how is it possible to serve a custom static HTML page? I can see how to set specific error page from the documentation, but not how to redirect trafic to it when a given backend becomes unavailable.
3/ When a Docker backend needs to be updated, is there some steps that need to be performed on Traefik prior to performing the Docker stop/restart?
4/ It seems I can't get to have 2 docker backend running at the same time, see the configuration file below, if I uncomment the 2nd backend (api.mydomain.io), then the 1st one becomes not available anymore. Am I missing something here?
version: '3'
services:
reverse-proxy:
image: traefik # The official Traefik docker image
command: --docker # Enables the web UI and tells Træfik to listen to docker
ports:
- "80:80" # The HTTP port
- "443:443" # The HTTPS port
- "8080:8080" # The Web UI (enabled by --api)
networks:
- proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- $PWD/traefik.toml:/etc/traefik/traefik.toml
- $PWD/acme.json:/acme.json
- /root/mydomain_prod/cert/:/certs/
- /root/mydomain_prod/503.html:/503.html
container_name: traefik-reverse-proxy
##############################
# Front - www.mydomain.io
##############################
mydomain-front:
image: mydomain-front
labels:
- traefik.enable=true
- traefik.backend=mydomain-front
- traefik.frontend.rule=Host:traefik.mydomain.io
- traefik.port=8084
networks:
- internal
- proxy
container_name: mydomain-front
##############################
# API - api.mydomain.io
# Note: If I uncomment this one, then www.mydomain.io won't work anymore
##############################
#mydomain-api:
# image: mydomain-api
# labels:
# - traefik.enable=true
# - traefik.backend=mydomain-api
# - traefik.frontend.rule=Host:api.mydomain.io
# - traefik.port=8082
# networks:
# - internal
# - proxy
# container_name: mydomain-api
Many thanks,
Flo

1/ Traefik can handle the LetsEncrypt certificate renewal. Just remember to create a Volume to store the acme.json file. When the certificate expires, Traefik will do the renewal without asking.
2/ I don’t know if it’s possible. If you find a solution, share it.
3/ When you need to update a Docker, just update it. Traefik will be trigger from that change and update is own configuration.
4/ You can have to backend running at the same time. Below you can see a docker-compose.yml configuration :
version: '3'
services:
two-backend-service:
restart: always
image: ……..
labels:
- traefik.enable=true
- traefik.service1.frontend.rule=Host:service1.exemple.com
- traefik.service1.frontend.passHostHeader=true
- traefik.service1.port=8082
- traefik.Service2.backend=service2
- traefik.Service2.frontend.rule=Host:service2.exemple.com
- traefik.Service2.frontend.passHostHeader=true
- traefik.Service2.port=8081
traefik:
build:
context: ./traefik
dockerfile: Dockerfile
restart: always
ports:
- 80:80
- 443:443
labels:
- traefik.enable=false
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- traefik_letsencrypt:/etc/traefik/acme/
volumes:
traefik_letsencrypt:
driver: local

grpc issue with Drone Agent - Drone IO 0.8

I am running Drone Server and Drone Agent on the same instance, i am trying to connect with the private ip of the instance.
If I curl the ip with port, I get a proper html page.
But in Drone Agent logs I get this continuously
drone-agent_1 | INFO: 2017/10/03 14:02:37 transport: http2Client.notifyError got notified that the client transport was broken unexpected EOF.
Since it would be on the same instance, it should work, and drone server should be configured for grpc as well.
2 Docker compose file, one for agent and one for server
version: '2'
services:
drone-agent:
image: drone/agent:0.8
command: agent
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- DRONE_SERVER=172.30.1.169:9456
- DRONE_SECRET=secret
Docker Compose Server
version: '2'
services:
drone-server:
image: drone/drone:0.8
ports:
- 9456:8000
- 8502:9000
volumes:
- /var/lib/drone:/var/lib/drone/
restart: always
environment:
- DRONE_OPEN=false
- DRONE_HOST=https://subdomain.somehost.com:9876/
- DRONE_BITBUCKET=true
- DRONE_BITBUCKET_CLIENT=secretc
- DRONE_BITBUCKET_SECRET=secretb
- DRONE_SECRET=secret
- DRONE_ADMIN=user1

In your example you expose the drone server GRPC endpoint at 8502:9000 but you provide the agent with port 9456. Providing the agent with the correct port should resolve this issue for you.
-DRONE_SERVER=172.30.1.169:9456
+DRONE_SERVER=172.30.1.169:8502