I there! Im having trouble running an application behind https. The certificate generates successfully with letsencrypt. Locally the app runs great in every route, /manager and /auth/admin. When adding the SSL layer, the only route working properly is the traefik dashboard at /dashboard. The other ones returns me 404 codes and logs shows me nothing, not even errors... I am not understanding the basics of traefik? I am missing something abvious? Sorry, this is my first time setting up a reverse proxy with SSL, apologies in advance for the troubles
I tried to modify this original version which only works locally: ragapp/deployments/multiple-ragapps/docker-compose.yml at main · ragapp/ragapp · GitHub
And my updated version is as the following:
services:
traefik:
image: "traefik:v3.1"
ports:
- "80:80"
- "443:443" # Add port 443 for HTTPS
labels:
- traefik.enable=true
- traefik.docker.network=ragapp-network
# Keycloak OpenID plugin configuration
- traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.KeycloakURL=https://intelligence.patagonian.com/auth
- traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.ClientID=ragapp
- traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.ClientSecret=jh4yDlJ5QsBSafVNaqqLxEG3vKcYyNgD
- traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.KeycloakRealm=ragapp
- traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.Scope=openid
# Admin authentication middleware
- traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.UserClaimName=X-Forwarded-Roles
- traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.UserHeaderName=roles
- traefik.http.middlewares.admin-auth.plugin.headauth.header.name=roles
- traefik.http.middlewares.admin-auth.plugin.headauth.allowed[0]=[admin-manager]
- traefik.http.middlewares.admin-auth.plugin.headauth.methods[0]=GET
- traefik.http.middlewares.admin-auth.plugin.headauth.methods[1]=POST
- traefik.http.middlewares.admin-auth.plugin.headauth.methods[2]=PUT
- traefik.http.middlewares.admin-auth.plugin.headauth.methods[3]=DELETE
# Uncomment the following lines if you want to use Basic Auth
# - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME:-admin}:${HASHED_PASSWORD:-$$apr1$$3gG256rA$$BomHrC/uMhL807k/t7Wd6/}
# Add Let's Encrypt and domain-specific configuration
- traefik.http.routers.traefik-https.rule=Host(`intelligence.patagonian.com`)
- traefik.http.routers.traefik-https.entrypoints=websecure
- traefik.http.routers.traefik-https.tls=true
- traefik.http.routers.traefik-https.tls.certresolver=myresolver
- traefik.http.routers.traefik-https.service=api@internal
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
# - ${STATE_DIR}/traefik/traefik.yml:/traefik_config.yml:ro
- ./letsencrypt:/letsencrypt # Mount for Let's Encrypt data
command:
#- --configFile=/traefik_config.yml
- --api.dashboard=true
- --log.level=DEBUG
- --accesslog=true
- --providers.docker.exposedByDefault=false
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entryPoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.asDefault=true
- --certificatesresolvers.myresolver.acme.httpchallenge=true
- --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
- --certificatesresolvers.myresolver.acme.email=benjamin.bascary@patagoniansys.com
- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
- --experimental.plugins.keycloakopenid.moduleName=github.com/Gwojda/keycloakopenid
- --experimental.plugins.keycloakopenid.version=v0.1.34
- --experimental.plugins.headauth.moduleName=github.com/poloyacero/headauth
- --experimental.plugins.headauth.version=v0.0.1
networks:
- ragapp-network
keycloak:
image: quay.io/keycloak/keycloak:25.0.2
command: start-dev --import-realm --hostname=https://intelligence.patagonian.com/auth
ports:
- "8080:8080"
labels:
- traefik.enable=true
- traefik.http.services.keycloak.loadbalancer.server.port=8080
- traefik.http.routers.keycloak.rule=PathPrefix(`/auth`)
- traefik.http.middlewares.keycloak-strip-path.stripprefix.prefixes=/auth
- traefik.http.routers.keycloak.middlewares=keycloak-strip-path
environment:
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=admin
volumes:
- ${STATE_DIR}/keycloak/example/:/opt/keycloak/data/
networks:
- ragapp-network
depends_on:
- traefik
manager:
image: ${MANAGER_IMAGE:-ragapp/manager:latest}
build: ../../src/manager
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${STATE_DIR}:/app/data
environment:
- BASE_URL=/manager
- RAGAPP_IMAGE=${RAGAPP_IMAGE:-ragapp/ragapp:latest}
- CHAT_REQUEST_LIMIT_THRESHOLD=20
- STATE_DIR=${STATE_DIR}
- STATE_DIR_LOCAL=/app/data
labels:
- traefik.enable=true
- traefik.http.services.app.loadbalancer.server.port=8000
- traefik.http.routers.admin-manager.rule=PathPrefix(`/manager`)
- traefik.http.middlewares.strip-manager-path.stripprefix.prefixes=/manager
- traefik.http.routers.admin-manager.middlewares=ragapp-keycloakopenid,admin-auth,strip-manager-path
networks:
- ragapp-network
depends_on:
- traefik
- keycloak
networks:
ragapp-network:
name: ragapp-network