All subdirectories return 404

Traefik Traefik v2
1

First, thank you in advance for taking a look. I think I have a very basic mistake somewhere, but I have searched for hours with no result. I am trying to run a proof of concept to expose a container behind a traefik 2.4 reverse proxy at a subdirectory. My DDNS does not allow for subdomains, so I am stuck with subdirectories until I can prove this works.

My problem is every container I stand up is dynamically picked up by traefik and shows up in the dashboard, but the subdirectory gives a 404 error. I have even used PathPrefix with a regex to prevent the ending / error.

Here is my configuration.

Traefik's docker-compose:

version: '3'

services:
        traefik:
                image: traefik:v2.4
                container_name: traefik
                restart: unless-stopped
                security_opt:
                        - no-new-privileges:true
                networks:
                        - t2_proxy
                ports:
                        - 80:80
                        - 443:443
                volumes:
                        - /etc/localtime:/etc/localtime:ro
                        - /var/run/docker.sock:/var/run/docker.sock:ro
                        - ./data/traefik.yml:/traefik.yml:ro
                        - ./data/acme.json:/acme.json
                        - ./data/log:/var/log

                labels:
                        - "traefik.enable=true"
                        - "traefik.http.routers.traefik.entrypoints=http"
                        - "traefik.http.routers.traefik.rule=Host(`domain.host.com`)"
                        - "traefik.http.middlewares.traefik-auth.basicauth.users=user:password"
                        - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
                        - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
                        - "traefik.http.routers.traefik-secure.entrypoints=https"
                        - "traefik.http.routers.traefik-secure.rule=Host(`domain.host.com`)"
                        - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
                        - "traefik.http.routers.traefik-secure.tls=true"
                        - "traefik.http.routers.traefik-secure.tls.certresolver=http"
                        - "traefik.http.routers.traefik-secure.service=api@internal"

        fail2ban:
                image: crazymax/fail2ban:latest
                container_name: fail2ban
                network_mode: "host"
                cap_add:
                        - NET_ADMIN
                        - NET_RAW
                volumes:
                        #                        - /var/log:/var/log:ro
                        - ./fail2ban/data:/data
                        - ./data/log:/var/log:ro
networks:
        t2_proxy:
                external: true

Here is my traefik.yml configuration file:

api:
        dashboard: true

entryPoints:
        http:
                address: ":80"
        https:
                address: ":443"

providers:
        docker:
                endpoint: "unix:///var/run/docker.sock"
                exposedByDefault: false

certificatesResolvers:
        http:
                acme:
                        email: email@email.com
                        storage: acme.json
                        httpChallenge:
                                entrypoint: http

log:
        filePath: "/var/log/traefik.log"
        level: DEBUG
accessLog:
        filePath: "var/log/access.log"
        filters:
                statusCodes:
                        - "400-499"
                retryAttempts: true

Here is the first proof-of-concept container I'm trying to expose. It's just portainer in a separate docker-compose:

version: '3'

services:
        portainer:
                image: portainer/portainer-ce:latest
                container_name: portainer
                restart: unless-stopped
                security_opt:
                        - no-new-privileges:true
                networks:
                        - t2_proxy
                ports:
                        - "9000:9000"
                volumes:
                        - /etc/localtime:/etc/localtime:ro
                        - /var/run/docker.sock:/var/run/docker.sock:ro
                        - ./data:/data
                labels:
                        - "traefik.enable=true"

                          #web routers
                        - "traefik.http.routers.portainer.entrypoints=http"
                        - "traefik.http.routers.portainer.rule=Host(`domain.host.com`) && PathPrefix(`/portainer`)"
                          #- "traefik.http.routers.portainer.rule=Host(`domain.host.com`) && PathPrefix(`/portainer{regex:$|/.*}`)"
                          #- "traefik.http.routers.portainer.rule=Path(`/portainer`)"
                          #- "traefik.http.routers.portainer.rule=PathPrefix(`/portainer{regex:$|/.*}`)"

                          #middlewares
                          #- "traefik.http.routers.portainer.middlewares=portainer-stripprefix"
                          #- "traefik.http.middlewares.portainer-stripprefix.stripprefix.prefixes=/portainer"
                        - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
                        - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"

                          #web secure rpiters
                        - "traefik.http.routers.portainer-secure.entrypoints=https"
                        - "traefik.http.routers.portainer-secure.rule=Host(`domain.host.com`) && PathPrefix(`/portainer`)"
                          #- "traefik.http.routers.portainer-secure.rule=Host(`domain.host.com`) && PathPrefix(`/portainer{regex:$|/.*}`)"
                          #- "traefik.http.routers.portainer-secure.rule=Path(`/portainer`)"
                          #- "traefik.http.routers.portainer-secure.rule=PathPrefix(`/portainer{regex:$|/.*}`)"
                          #- "traefik.http.routers.portainer-secure.middlewares=chain-basic-auth@users"
                        - "traefik.http.routers.portainer-secure.tls=true"
                        - "traefik.http.routers.portainer-secure.tls.certresolver=http"
                        - "traefik.http.routers.portainer-secure.service=portainer"
                        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
                        - "traefik.docker.network=t2_proxy"
networks:
        t2_proxy:
                external: true

Please let me know if I should post any other details. I sense I am missing a very obvious bit of configuration, as this is my first time using Traefik. Thanks again for any help!

2

Hello @transistor,

Thanks for your interest in Traefik!

As the forwarded request contains the /portainer path a 404 Not Found error is returned by Portainer because it does not exist.

To remove the /portainer path from the forwarded request you can use the strip prefix middleware. The following labels have to be added to the portainer container:

- "traefik.http.routers.portainer-secure.middlewares=portainer-stripprefix"
- "traefik.http.middlewares.portainer-stripprefix.stripprefix.prefixes=/portainer"

With those labels, the 404 error is fixed but the portainer UI is not loading properly.

That's because the UI requests don't contain the portainer path (which is required to match the router rule). It seems that it's currently not possible to configure portainer to add this prefix: [FEAT] Add path prefix to web UI · Issue #3901 · portainer/portainer · GitHub

IMO the only solution is to use a dedicated domain in the router rule.

3

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.