Can not access Dashboard via traefik.Mydomain.com

Magnet · May 27, 2023, 12:25am

Can not access Dashboard via traefik.Mydomain.com
Cloudflare Invalid SSL

version: "3.3"

services:

  traefik:
    image: "traefik:v2.10"
    container_name: "traefik"

    labels:
      - "traefik.http.middlewares.test-auth.basicauth.users=user1:$$2b$$05$$e6VrNv.t8F4C5CAeztQNkeO9Y5CjzTgCZKcWdF3CBmy/tZs20mkpS,user2:$$2b$$05$$e6VrNv.t8F4C5CAeztQNkeO9Y5CjzTgCZKcWdF3CBmy/tZs20mkpS"
      - "traefik.http.routers.api.rule=Host(`traefik.Mydomain.com`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.routers.api.entrypoints=websecure"

    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@MyDomain.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - CLOUDFLARE_EMAIL=MyEmail@gmail.com
      - CLOUDFLARE_DNS_API_TOKEN=MyToken
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  web1:
    image: nginx:latest
    container_name: "web1"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.web1.rule=Host(`web1.MyDomain.com`)"
      - "traefik.http.routers.web1.entrypoints=websecure"
      - "traefik.http.routers.web1.tls.certresolver=myresolver"
    volumes:
      -  ./index1.html:/var/www/websites/index.html
      -  ./default.conf:/etc/nginx/conf.d/default.conf

bluepuma77 · May 27, 2023, 12:28pm

Did you read my comment in your other post?

Also enable Traefik debug log to see what’s happening.

Magnet · May 27, 2023, 7:40pm

Thanks for the reply.

docker logs traefik | grep traefik.MyDomain.com
time="2023-05-27T19:23:00Z" level=debug msg="Adding certificate for domain(s) traefik.MyDomain.com"

https://traefik.wwwmri.com/
404 page not found

I do not have a static config file. Do I need one?

bluepuma77 · May 27, 2023, 7:56pm

Static config can be traefik.yml file or command in docker-compose.yml.

Magnet · May 27, 2023, 8:52pm

Thanks for the Static vs Dynamic clarification.

I am still lost your git hub has all sorts of other things in it that is not in the documentation and Is making me more confused.

You are also using mydashboard where I am using api... I am lost here

Magnet · May 27, 2023, 9:20pm

I really do not get why web1.Mydomain.com works
MyIP:8080 works for the dashboard
Yet traefik.Mydomain.com does not and is so difficult to configure.

bluepuma77 · May 28, 2023, 5:46am

Yes, Traefik is not plug&play.

You need to enable Traefik dashboard, either in secure or insecure mode (which uses port 8080), read the doc.

To understand Traefik, it is recommended to read the whole documentation, at least start at the beginning to understand the concepts (static/dynamic, entrypoints, providers, routers/services, TLS).

Then you will understand that api and mydashboard are just names, they can differ per setup, but need to be consistent throughout your setup.

Magnet · May 28, 2023, 10:32pm

When the dashboard is not functional via domain name what concept are we talking about here?
I can only assume poor documentation as to the examples are not working.

bluepuma77 · May 29, 2023, 8:02pm

As stated before, please read the Dashboard doc.

Dashboard is not enabled and when you use it with insecure, then the dashboard will be "hardcoded" to port 8080. Labels won’t change that. And the middleware assignment is wrong.

Magnet:

labels:
      - "traefik.http.middlewares.test-auth.basicauth.users=user1:$2b$05$e6VrNv.t8F4C5CAeztQNkeO9Y5CjzTgCZKcWdF3CBmy/tZs20mkpS,user2:$2b$05$e6VrNv.t8F4C5CAeztQNkeO9Y5CjzTgCZKcWdF3CBmy/tZs20mkpS"
      - "traefik.http.routers.api.rule=Host(`traefik.Mydomain.com`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.routers.api.entrypoints=websecure"

Magnet · May 29, 2023, 10:01pm

Thanks for the reply
Per documentation:

Insecure Mode

This mode is not recommended because it does not allow the use of security features.

To enable the "insecure mode", use the following options from Traefik's API:
File (YAML)

api:
  dashboard: true
  insecure: true

File (TOML)
CLI

You can now access the dashboard on the port 8080 of the Traefik instance, at the following URL: http://<Traefik IP>:8080/dashboard/ (trailing slash is mandatory).

My code already works with
http://:8080/dashboard/

I have no idea where I am supposed to insert the api: or why?

api:
  dashboard: true
  insecure: true`

I would like to access the dashboard @ https://traefik.Mydomain.com which is not what they are not showing.

Ultimately I would like to access the dashboard @ https://traefik.MyDomain.com

Which is the same way that I access web1.MyDomain.com, web2.MyDomain.com and whoami.Mydomain.com

The doc does not seem to mention the middleware. Sounds like yet another rabbit hole?

Some security would be good too.
This is getting really crazy

bluepuma77 · May 30, 2023, 9:22am

The insecure mode is a hack to quickly check dashboard on port 8080, just disable it, remove the line.

Magnet · May 30, 2023, 10:34pm

I got it.
This was not in any of the dashboard docs
I needed to add an additional label:

     - "traefik.http.routers.traefik.tls.certresolver=myresolver"