Api and Dashboard docker labels

Beardo · December 23, 2019, 9:49pm

So I finally got a working docker compose file where I can access services via my specified domain name. When I spun up a whoami container, that worked fairly easy like plug and play. Getting the dashboard access outside of the insecure version was a little less so. Here is the configuration that I am using now where I got my dashboard fully up. I created individual routers for the dashboard and api. I feel like I am just needlessly splitting it up like this and wondering if this is a simpler label structure to get the api and dashboard up.

traefik:
    image: traefik:v2.1
    command:
      - --log.level=${LOG_LEVEL}
      #- --log.filePath=/traefik/logs/traefik.log
      #- --log.format=json
      - --accesslog=true
      - --accesslog.filePath=/traefik/logs/access.log
      - --accesslog.bufferingSize=256
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.watch=true
      - --providers.docker.network=traefik_public
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.email=${CF_API_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/traefik/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=[1.1.1.1:53, 1.0.0.1:53]
      - --api.insecure=true
      - --api.dashboard=true
    container_name: traefikv2
    restart: unless-stopped
    networks:
      - traefik_public
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme/acme.json:/traefik/letsencrypt/acme.json
      #- ./logs/traefik.log:/traefik/logs/traefik.log
      - ./logs/access.log:/traefik/logs/access.log
    environment:
      CLOUDFLARE_EMAIL: ${CF_API_EMAIL}
      CLOUDFLARE_API_KEY: ${CF_API_TOKEN}
      TZ: ${TIME_ZONE}
    labels:
      traefik.enable: true
      traefik.http.routers.traefik-dashboard.rule: Host(`traefik.${DOMAIN}`)
      traefik.http.routers.traefik-dashboard.entryPoints: websecure
      traefik.http.routers.traefik-dashboard.tls: true
      traefik.http.routers.traefik-dashboard.tls.certresolver: letsencrypt
      traefik.http.routers.traefik-dashboard.tls.domains[0].main: "${DOMAIN}"
      traefik.http.routers.traefik-dashboard.tls.domains[0].sans: "*.${DOMAIN}"
      traefik.http.routers.traefik-dashboard.service: dashboard@internal
      traefik.http.routers.traefik-api.rule: Host(`traefik.${DOMAIN}`) && PathPrefix(`/api`)
      traefik.http.routers.traefik-api.entryPoints: websecure
      traefik.http.routers.traefik-api.tls: true
      traefik.http.routers.traefik-api.tls.certresolver: letsencrypt
      traefik.http.routers.traefik-api.tls.domains[0].main: "${DOMAIN}"
      traefik.http.routers.traefik-api.tls.domains[0].sans: "*.${DOMAIN}"
      traefik.http.routers.traefik-api.service: api@internal
      # redirect all http to https
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https@docker
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https

Beardo · December 23, 2019, 11:17pm

Took another look at the docs and got the simpler solution with auth cherry on top.

traefik:
    image: traefik:v2.1
    command:
      - --log.level=${LOG_LEVEL}
      #- --log.filePath=/traefik/logs/traefik.log
      #- --log.format=json
      - --accesslog=true
      - --accesslog.filePath=/traefik/logs/access.log
      - --accesslog.bufferingSize=256
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.watch=true
      - --providers.docker.network=traefik_public
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.email=${CF_API_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/traefik/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=[1.1.1.1:53, 1.0.0.1:53]
      - --api.dashboard=true
    container_name: traefikv2
    restart: unless-stopped
    networks:
      - traefik_public
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme/acme.json:/traefik/letsencrypt/acme.json
      #- ./logs/traefik.log:/traefik/logs/traefik.log
      - ./logs/access.log:/traefik/logs/access.log
    environment:
      CLOUDFLARE_EMAIL: ${CF_API_EMAIL}
      CLOUDFLARE_API_KEY: ${CF_API_TOKEN}
      TZ: ${TIME_ZONE}
    labels:
      #dashboard
      traefik.enable: true
      traefik.http.routers.traefik-api.rule: Host(`traefik.${DOMAIN}`)
      traefik.http.routers.traefik-api.entryPoints: websecure
      traefik.http.routers.traefik-api.tls: true
      traefik.http.routers.traefik-api.tls.certresolver: letsencrypt
      traefik.http.routers.traefik-api.tls.domains[0].main: "${DOMAIN}"
      traefik.http.routers.traefik-api.tls.domains[0].sans: "*.${DOMAIN}"
      traefik.http.routers.traefik-api.service: api@internal
      traefik.http.routers.traefik-api.middlewares: dashboardauth@docker
      # redirect all http to https
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https@docker
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
      #basic auth
      traefik.http.middlewares.dashboardauth.basicauth.users: "user:$$"

Topic		Replies	Views
Working example of traefikv2 setup with whoami and secure dashboard Traefik v2 docker	2	2424	August 13, 2021
Does this docker-compose allow access to the traefik dashboard? If so, on which url? Traefik v2 docker , dashboard-api , letsencrypt-acme	2	2220	April 16, 2023
Secure Dashboard HTTPS 404 Traefik v3 (latest) docker , dashboard-api , letsencrypt-acme	3	48	October 21, 2024
Unable to Access the Dashboard from my Domain Traefik v2 docker	12	642	June 22, 2023
Dashboard via router and domain don't work (always return 404) Traefik v2 docker , dashboard-api	0	365	February 10, 2022

Api and Dashboard docker labels

Related topics