I have been following the instructions available here on setting up Docker and Traefik 2 for a home media server: https://www.smarthomebeginner.com/traefik-2-docker-tutorial/
So far, the media services are working well together. SSL is currently self-signed, since Let's Encrypt doesn't update when the Traefik container is rerun, but that's not a big deal. What is a big deal is that some of the subdomains return a "404 file not found" when I try to reach the application by its domain name. Using the host's IP address and port works fine, but I need the domain to work for things like Plex so that other Plex apps can connect to this server.
Below are the Traefik and Plex sections of my docker-compose.yml, along with a section for a container that is working properly:
Traefik Section:
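# Traefik 2 - Reverse Proxy
# This is the `traefik:` entry of the compose `services:` map; it must sit
# indented under `services:` when pasted back into docker-compose.yml.
traefik:
  container_name: traefik
  image: traefik:2.2.1
  restart: unless-stopped
  command: # CLI arguments
    - --global.checkNewVersion=true
    - --global.sendAnonymousUsage=true
    - --entryPoints.http.address=:80
    - --entryPoints.https.address=:443
    # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
    # Must stay on one line: a wrapped value becomes two list items, i.e. two CLI arguments.
    - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
    # - --entryPoints.traefik.address=:8080
    - --api=true
    # - --api.insecure=true # serves the API/dashboard on :8080 with no auth; leave off on an internet-facing host
    # - --serversTransport.insecureSkipVerify=true
    - --log=true
    # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC.
    # DEBUG is useful while chasing the 404s (it logs how routers and services
    # are assembled from the container labels); drop back to INFO or ERROR afterwards.
    - --log.level=DEBUG
    - --accessLog=true
    - --accessLog.filePath=/traefik.log
    - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
    # Only 4xx responses are written to /traefik.log, so the failing domain
    # requests should appear there together with the router Traefik selected (or none).
    - --accessLog.filters.statusCodes=400-499
    - --providers.docker=true
    - --providers.docker.endpoint=unix:///var/run/docker.sock
    - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
    - --providers.docker.exposedByDefault=false
    - --providers.docker.network=t2_proxy
    - --providers.docker.swarmMode=false
    - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
    # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
    - --providers.file.watch=true # Only works on top level files in the rules folder
    # LetsEncrypt Staging Server - uncomment when testing. Keep this whole comment
    # on one line: as pasted, the wrapped tail `- uncomment when testing` was a
    # separate list item and would have been handed to Traefik as a CLI argument.
    # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
    - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
    - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
  networks:
    t2_proxy:
      ipv4_address: 192.168.2.254
  security_opt:
    - no-new-privileges:true
  ports:
    - target: 80
      published: 80
      protocol: tcp
      mode: host
    - target: 443
      published: 443
      protocol: tcp
      mode: host
    # - target: 8080
    #   published: 8080
    #   protocol: tcp
    #   mode: host
  volumes:
    - $DOCKERDIR/traefik2/rules:/rules
    # `:ro` only makes the bind mount read-only; Traefik can still drive the
    # full Docker API through the socket. A Docker socket proxy that exposes
    # only the read-only endpoints Traefik needs is the usual mitigation.
    - /var/run/docker.sock:/var/run/docker.sock:ro
    # acme.json holds the private keys of every issued certificate; keep it
    # mode 600 on the host (Traefik refuses a more permissive file).
    - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
    - $DOCKERDIR/traefik2/traefik.log:/traefik.log
    - $DOCKERDIR/shared:/shared
  environment:
    CF_API_EMAIL: "$CLOUDFLARE_EMAIL"
    # Global API key = full Cloudflare account access. A zone-scoped API token
    # (CF_DNS_API_TOKEN) limits what a leak of this container's environment can do.
    CF_API_KEY: "$CLOUDFLARE_API_KEY"
  labels:
    - "traefik.enable=true"
    # HTTP-to-HTTPS Redirect
    - "traefik.http.routers.http-catchall.entrypoints=http"
    - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
    - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
    - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    # Not referenced by any router in the sections shown; kept in case a
    # container outside this excerpt uses test-redirectscheme@docker.
    - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
    # HTTP Routers
    - "traefik.http.routers.traefik-rtr.entrypoints=https"
    - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
    - "traefik.http.routers.traefik-rtr.tls=true"
    - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
    - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
    - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
    # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
    # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
    ## Services - API
    - "traefik.http.routers.traefik-rtr.service=api@internal"
    ## Middlewares
    # The dashboard/API stays behind chain-oauth@file; do not swap in
    # chain-no-auth@file while debugging the other services.
    - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"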
Plex Section:
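# Plex - Media Server
# `plexms:` entry of the compose `services:` map; indent it under `services:`
# when pasting back into docker-compose.yml.
plexms:
  image: plexinc/pms-docker:public
  container_name: plexms
  restart: unless-stopped
  depends_on:
    - "traefik"
  networks:
    t2_proxy:
      ipv4_address: 192.168.2.20
  # devices:
  #   - /dev/dri:/dev/dri # for hardware transcoding
  security_opt:
    - no-new-privileges:true
  # Every port below is published directly on the host, so these paths bypass
  # Traefik and any middleware chain entirely; 32400 is the same port the
  # plexms-svc service proxies to.
  ports:
    - "32400:32400/tcp"
    - "32400:32400/udp"
    - "3005:3005/tcp"
    - "8324:8324/tcp"
    - "32469:32469/tcp"
    - "1900:1900/udp"
    - "32410:32410/udp"
    - "32412:32412/udp"
    - "32413:32413/udp"
    - "32414:32414/udp"
    - "33400:33400/tcp"
  volumes:
    - $DOCKERDIR/plexms:/config
    - $USERDIR/Downloads:/Downloads
    - /mnt/user/anime:/anime
    - /mnt/user/tv:/tv
    - /mnt/user/movies:/movies
    - /dev/shm:/transcode # Offload transcoding to RAM if you have enough RAM
    # - $USERDIR/Downloads/plex_tmp:/transcode
  environment:
    TZ: "$TZ"
    HOSTNAME: "plex"
    # Claim token is a short-lived secret; keep it in .env, never inline here.
    PLEX_CLAIM: "$PLEX_CLAIM"
    PLEX_UID: "$PUID"
    PLEX_GID: "$PGID"
    # Was `https://plex.domain.name:443/` - a placeholder that matched neither
    # the Host rule below nor `hostname`. Presumably this is the URL Plex hands
    # to remote clients, so it must resolve to this server - confirm.
    ADVERTISE_IP: "https://plex.$DOMAINNAME:443/"
  # Should agree with the Host rule below (plex.$DOMAINNAME).
  hostname: plex.tamarik.space
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.plexms-rtr.entrypoints=https"
    - "traefik.http.routers.plexms-rtr.rule=Host(`plex.$DOMAINNAME`)"
    - "traefik.http.routers.plexms-rtr.tls=true"
    ## Middlewares
    # Was `portainer-rtr` (copy-paste leftover): that label defined a stray
    # router on this container and left plexms-rtr with no middleware chain at
    # all. If a Portainer container also defines portainer-rtr, Traefik sees two
    # conflicting definitions - check the DEBUG log for that router name.
    - "traefik.http.routers.plexms-rtr.middlewares=chain-no-auth@file"
    #- "traefik.http.routers.plexms-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.plexms-rtr.service=plexms-svc"
    - "traefik.http.services.plexms-svc.loadbalancer.server.port=32400"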
Working Application (Sonarr):
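# Sonarr - TV Shows management
# Set url_base in sonarr settings if using PathPrefix
# `sonarr:` entry of the compose `services:` map; indent it under `services:`
# when pasting back into docker-compose.yml.
sonarr:
  # image: aront/sonarr #for mp4_automator support
  image: linuxserver/sonarr
  container_name: sonarr
  restart: unless-stopped
  depends_on:
    - "traefik"
  networks:
    t2_proxy:
      ipv4_address: 192.168.2.12
  security_opt:
    - no-new-privileges:true
  # Published straight to the host: Sonarr is reachable on :8989 without
  # Traefik or the oauth chain from anything that can reach the host.
  ports:
    - "8989:8989"
  volumes:
    - $DOCKERDIR/sonarr:/config
    - /mnt/user/torrents:/downloads
    - /mnt/user/tv:/media
    - /etc/localtime:/etc/localtime:ro
    # - "$DOCKERDIR/shared/mp4_automator:/config_mp4_automator:rw"
  environment:
    PUID: "$PUID"
    PGID: "$PGID"
    TZ: "$TZ"
  labels:
    - "traefik.enable=true"
    ## HTTP Routers Auth Bypass
    # The API key lives in a container label: anyone who can `docker inspect`
    # this container, or read the router rule in the Traefik dashboard, can read
    # it. The rule has no Host() clause, so it matches that header/query on any
    # hostname this Traefik terminates; Host(`sonarr.$DOMAINNAME`) && (...) would narrow it.
    - "traefik.http.routers.sonarr-rtr-bypass.entrypoints=https"
    - "traefik.http.routers.sonarr-rtr-bypass.rule=Headers(`X-Api-Key`, `$SONARR_API_KEY`) || Query(`apikey`, `$SONARR_API_KEY`)"
    - "traefik.http.routers.sonarr-rtr-bypass.priority=100"
    # Added: every other router in this file opts into TLS per router, and as
    # far as I can tell a router on the https entrypoint without `tls` only sees
    # plaintext requests, so the bypass router was unlikely to fire over HTTPS.
    # Verify in the dashboard that sonarr-rtr-bypass now shows TLS enabled.
    - "traefik.http.routers.sonarr-rtr-bypass.tls=true"
    ## HTTP Routers Auth
    - "traefik.http.routers.sonarr-rtr.entrypoints=https"
    - "traefik.http.routers.sonarr-rtr.rule=Host(`sonarr.$DOMAINNAME`)"
    - "traefik.http.routers.sonarr-rtr.tls=true"
    - "traefik.http.routers.sonarr-rtr.priority=99"
    ## Middlewares
    - "traefik.http.routers.sonarr-rtr-bypass.middlewares=chain-no-auth@file"
    - "traefik.http.routers.sonarr-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.sonarr-rtr.service=sonarr-svc"
    - "traefik.http.routers.sonarr-rtr-bypass.service=sonarr-svc"
    - "traefik.http.services.sonarr-svc.loadbalancer.server.port=8989"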
Thanks for any assistance you can provide!