Access Traefik's UI via localhost

Hello,

I want to use a Traefik reverse proxy in my home server setup.
For that I want to have the administration UI, but I do not want to expose it to the internet because of security concerns.

I want to access it via an SSH tunnel to my home server.
For that I have the following setup, but it does not work. After tunneling via SSH to my server and visiting localhost:8080, I don't see the panel.

Traefik's docker-compose.yml:

services:
    traefik:
        image: traefik:latest
        container_name: "traefik"
        command:
            - "--api.dashboard=true"
            - "--providers.docker=true"
            - "--providers.docker.exposedByDefault=false"
            - "--providers.docker.network=proxy-tier"
            - "--entrypoints.web.address=:80"
            - "--entrypoints.websecure.address=:443"
            - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
            - "--certificatesresolvers.myresolver.acme.email=dev@mydomain.de"
            - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        ports:
            - "80:80"
            - "443:443"
            - "8080:8080"
        volumes:
            - "./letsencrypt:/letsencrypt"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.api-local.rule=Host(`localhost`)"
            - "traefik.http.routers.api-local.entrypoints=web,websecure"
            - "traefik.http.routers.api-local.service=api@internal"
            # - "traefik.enable=true"
            # - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.de`)"
            # - "traefik.http.routers.traefik.entrypoints=websecure"
            # - "traefik.http.routers.traefik.service=api@internal"
            # - "traefik.http.routers.traefik.tls.certresolver=myresolver"
            # - "traefik.http.routers.traefik.middlewares=traefik-auth"
        networks:
            - proxy-tier
            - default

networks:
    proxy-tier:
        name: proxy-tier
        external: true

After tunneling to my server via:
ssh -L localhost:8080:localhost:8080 myuser@myserver

And with curl localhost:8080 I receive:

user@MacBook-Pro ~ % curl http://localhost:8080
curl: (52) Empty reply from server
user@MacBook-Pro ~ % curl https://localhost:8080
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8080
user@MacBook-Pro ~ %

Does anybody have a hint how I could achieve my goal?


will result empty, it’s probably sending a redirect in headers.

Use curl http://localhost:8080/dashboard/ instead.

After some reading sessions of the documentation I think I have to set api.insecure=true for my purpose.

But I changed my intention a little bit. So I added a new entrypoint on port 5000 and I used that entrypoint instead of web and websecure.
Now I can tunnel port 5000 to localhost:5000 and access the local UI.
But myresolver always tries to request a signed certificate for localhost from Let's Encrypt.
That is a little bit odd. Is there a solution to have automatic SSL certificate generation which does not contact an external signing service?

services:
    traefik:
        image: traefik:latest
        container_name: "traefik"
        command:
            - "--api.dashboard=true"
            - "--providers.docker=true"
            - "--providers.docker.exposedByDefault=false"
            - "--providers.docker.network=proxy-tier"
            - "--entrypoints.web.address=:80"
            - "--entrypoints.websecure.address=:443"
            - "--entrypoints.local.address=:5000"
            - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
            - "--certificatesresolvers.myresolver.acme.email=dev@mydomain.de"
            - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        ports:
            - "80:80"
            - "443:443"
            - "5000:5000"
        volumes:
            - "./letsencrypt:/letsencrypt"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.api-local.rule=Host(`localhost`)"
            - "traefik.http.routers.api-local.entrypoints=local"
            - "traefik.http.routers.api-local.service=api@internal"
            - "traefik.http.routers.api-local.tls.certresolver=myresolver"
            - "traefik.http.routers.api-local.middlewares=api-local-auth"
            - "traefik.http.middlewares.api-local-auth.basicauth.users=..."
        networks:
            - proxy-tier
            - default

networks:
    proxy-tier:
        name: proxy-tier
        external: true

A Traefik certresolver will always connect to an external certificate provider; for this to work, a real top-level domain has to be used.

If you just set tls: {} (YAML) or tls=true (labels), then Traefik will create a custom TLS cert for you. But the browser/client will not trust it, so a warning will be shown first.

Can you name the whole property path please? I don't find anything if I'm looking for "tls: {}" or "tls=true" in the search engine of the documentation.

Edit: It's: - "traefik.http.routers.<router-name>.tls=true"
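
A hardened variant of the second compose file above, as an added example that is not part of the original thread: it assumes the dashboard should be reachable only through the SSH tunnel, so the published port is bound to the host loopback, and it uses the tls=true label from the replies in place of the certresolver. All names are reused from the thread, and the basicauth.users value stays elided as posted.

```yaml
# Added example (not from the thread); names reused from the posts above.
services:
    traefik:
        image: traefik:latest
        container_name: "traefik"
        command:
            - "--api.dashboard=true"
            - "--providers.docker=true"
            - "--providers.docker.exposedByDefault=false"
            - "--providers.docker.network=proxy-tier"
            - "--entrypoints.web.address=:80"
            - "--entrypoints.websecure.address=:443"
            - "--entrypoints.local.address=:5000"
            # The ACME resolver stays available for routers with real domain names.
            - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
            - "--certificatesresolvers.myresolver.acme.email=dev@mydomain.de"
            - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        ports:
            - "80:80"
            - "443:443"
            # Weak (as posted): "5000:5000" publishes on every host interface.
            # Hardened: publish on the host loopback only; the SSH tunnel
            # terminates on the server and connects to localhost:5000 there.
            - "127.0.0.1:5000:5000"
        volumes:
            - "./letsencrypt:/letsencrypt"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.api-local.rule=Host(`localhost`)"
            - "traefik.http.routers.api-local.entrypoints=local"
            - "traefik.http.routers.api-local.service=api@internal"
            # tls=true with no certresolver label: per the reply above, Traefik
            # serves a certificate it creates itself, with no ACME request for localhost.
            - "traefik.http.routers.api-local.tls=true"
            - "traefik.http.routers.api-local.middlewares=api-local-auth"
            # Value elided in the thread; supply your own user:hash entry.
            - "traefik.http.middlewares.api-local-auth.basicauth.users=..."
        networks:
            - proxy-tier
            - default

networks:
    proxy-tier:
        name: proxy-tier
        external: true
```

Open the tunnel with ssh -L localhost:5000:localhost:5000 myuser@myserver and browse to https://localhost:5000/dashboard/, accepting the certificate warning. Containers attached to proxy-tier or default can still reach port 5000 over the Docker network, so the basic-auth middleware is kept.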
