Hi everyone, I'm posting to this forum because I cannot figure out why traefik is not seeing my specified middlewares/middleware chains.
I'm following the smarthomebeginner guide as most people do. I previously had this working before my hard drive failed. Now my second attempt isn't as successful.
The main issue is that my traefik container is producing the error:
middleware "chain-authelia@file" does not exist
I have also tried changing the middleware to another one I have specified in my middlewares-chains.yml such and I still end up getting
middleware "chain-no-auth@file does not exist or
middleware "chain-basic-auth@file" does not exist
I expected that maybe my container is not able to access the directory.
So I ran docker exec traefik ls rules, I was able to clearly see both configuration files (middlewares.yml and middlewares-chains.yml).
The directory is defined in my docker-compose traefik container as
- $USERDIR/docker/traefik2/rules:/rules (Please see full compose file below for more details)
I know its bad practice, but I have changed the permissions of the traefik directory recursively to 777. But if the docker exec displayed the rules before, it wasn't necessary in my opinion. I don't know what specific permissions the traefik folder is meant to have by default (I just don't know what to try haha)
I have run all my files through a YAML Validator and have had no issues with any of them.
I am assuming the source of the error lies somewhere in my labels, I've included below my docker-compose, an authelia container which is an example of some of my containers config, and both my middlewares.yml and middlewares-chains.yml.
Thanks for in advance for any help!
Traefik2 file tree:
└── traefik2
├── acme
│ └── acme.json
├── rules
│ ├── middlewares-chains.yml
│ └── middlewares.yml
└── traefik.log
My docker-compose.yml:
traefik:
container_name: traefik
depends_on:
- watchtower
image: traefik:latest
restart: unless-stopped
command:
# CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443 # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
- --entryPoints.traefik.address=:8282
- --api=true
- --api.insecure=true
# - --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
- --providers.docker.exposedByDefault=false
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
# - --pilot.token=f763d34c-681d-40b5-bfbd-3d66798372c7
networks:
- t2_proxy
- external_network
security_opt:
- no-new-privileges:true
ports:
- "80:80"
- "443:443"
- "8282:8282"
- "19132:19132/udp"
volumes:
- $USERDIR/docker/traefik2/rules:/rules
- /var/run/docker.sock:/var/run/docker.sock:ro
- $USERDIR/docker/traefik2/acme/acme.json:/acme.json
- $USERDIR/docker/traefik2/traefik.log:/traefik.log
- $USERDIR/docker/shared:/shared
environment:
- CF_API_EMAIL=$CLOUDFLARE_EMAIL
- CF_API_KEY=$CLOUDFLARE_API_KEY
labels:
- "traefik.enable=true"
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.http-catchall.middlewares.redirectscheme.scheme=https"
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
- "traefik.http.routers.traefik-rtr.tls=true"
#- "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
- "traefik.http.routers.traefik-rtr.service=api@internal"
- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
Example additional container with same issue
authelia:
container_name: authelia
depends_on:
- traefik
image: authelia/authelia:latest
#image: authelia/authelia:4.21.0
restart: always
networks:
- t2_proxy
# depends_on:
# - mariadb
# - redis
volumes:
- ${DOCKERDIR}/authelia:/config
environment:
- TZ=$TZ
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.authelia-rtr.entrypoints=https"
- "traefik.http.routers.authelia-rtr.tls=true"
- "traefik.http.routers.authelia-rtr.rule=Host(`auth.$DOMAINNAME`)"
## Middlewares
- "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file"
## HTTP Services
- "traefik.http.routers.authelia-rtr.service=authelia-svc"
- "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
My middlewares.yml:
---
http:
middlewares:
basic-auth:
basicAuth:
usersFile: "/shared/.htpasswd"
realm: "Traefik 2 Basic Auth"
rate-limit:
rateLimit:
average: 100
burst: 50
https-redirectscheme:
redirectScheme:
scheme: https
permanent: true
compress:
compress: {}
secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
#customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_CLOUD_SERVER"}}"
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "{{env "DOMAINNAME_CLOUD_SERVER"}}"
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://auth.<removed-domain>"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Group"
My middlewares-chains.yml
http:
middlewares:
chain-authelia:
chain:
middlewares:
- "rate-limit"
- "secure-headers"
- "authelia"
- "https-redirectscheme"
- "compress"
chain-no-auth:
chain:
middlewares:
- "rate-limit"
- "secure-headers"
- "https-redirectscheme"
- "compress"
chain-basic-auth:
chain:
middlewares:
- "rate-limit"
- "secure-headers"
- "basic-auth"
- "https-redirectscheme"
- "compress"