Cannot access dashboard on Secure mode with HTTPS

Hi community,
I am trying to deploy flowise.ai on a Free Tier OCI compute instance with an Ubuntu image. I discovered Traefik to be a good option for a reverse proxy. I am using a custom domain, flowise.[redacted].[redacted], and to make it accessible over HTTPS I am using Let's Encrypt with the HTTP challenge method. So far I have no issues with the flowise service at this URL:

https://flowise.[redacted].[redacted]

But when I go to /traefik, there's no 404 error, just a blank page. The logs don't show anything.

This is my compose file:

services:
    traefik:
      image: "traefik:v2.11"
      container_name: "traefik"
      restart: always
      command:
        #- "--log.level=DEBUG"
        #- '--api=true'
        - '--api.dashboard=true'
          #- '--providers.docker.endpoint=unix:///var/run/docker.sock'
        - "--api.insecure=false"
        - "--providers.docker=true"
        - '--providers.docker.network=traefik-public'
        - "--providers.docker.exposedbydefault=false"
        - "--entrypoints.web.address=:80"
        - --entrypoints.web.http.redirections.entrypoint.to=websecure
        - --entrypoints.web.http.redirections.entrypoint.scheme=https
        - "--entrypoints.websecure.address=:443"
        - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
        - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
          #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
        - "--certificatesresolvers.myresolver.acme.email=myemail@example.com"
        - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      labels:
          - traefik.docker.network=traefik-public
          - traefik.constraint-label=traefik-public
            ## HTTP Catchall for redirecting HTTP -> HTTPS
          - 'traefik.http.routers.http-catchall.rule=PathPrefix(`/`)'
          - 'traefik.http.routers.http-catchall.entrypoints=web'
          - 'traefik.http.routers.http-catchall.middlewares=redirect-to-https'
          - 'traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https'
            ## Traefik Dashboard
          - "traefik.http.routers.dashboard.rule=Host(`${DOMAIN}`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
          - 'traefik.http.routers.dashboard.entrypoints=websecure'
          - 'traefik.http.routers.dashboard.tls.certresolver=myresolver'
          - 'traefik.http.routers.dashboard.service=api@internal'
          - 'traefik.http.services.api@internal.loadbalancer.server.port=8080' # Required in swarms, https://doc.traefik.io/traefik/v2.0/routing/providers/docker/#services
            # - 'traefik.http.routers.traefik.middlewares=traefik-auth'
            # - 'traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$8EVjn/nj$$GiLUZqcbueTFeD23SuB6x0' # username: admin, password: admin
          - 'traefik.http.routers.dashboard.middlewares=strip'
          - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
      ports:
        - "80:80"
        - "443:443"
        - "8080:8080"
      networks:
        - traefik-public
      volumes:
        - "./letsencrypt:/letsencrypt"
        - "/var/run/docker.sock:/var/run/docker.sock:ro"

    flowise:
        image: flowiseai/flowise
        restart: always
        environment:
          - ...
        ports:
            - '${PORT}:${PORT}'
        networks:
            - traefik-public
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.flowise.rule=Host(`${DOMAIN}`)"
            - "traefik.http.routers.flowise.entrypoints=websecure"
            - "traefik.docker.network=traefik-public"
            - "traefik.constraint-label=traefik-public"
            - "traefik.http.routers.flowise.tls.certresolver=myresolver"
            - 'traefik.http.routers.flowise.service=webapp'
            - "traefik.http.services.webapp.loadbalancer.server.port=${PORT}" 
        volumes:
            - "~/.flowise:/root/.flowise"
        command: /bin/sh -c "sleep 3; flowise start"

networks:
  traefik-public: 

And the .env file:

PORT=3000
DATABASE_PATH=/root/.flowise
APIKEY_PATH=/root/.flowise
SECRETKEY_PATH=/root/.flowise
LOG_PATH=/root/.flowise/logs
BLOB_STORAGE_PATH=/root/.flowise/storage

CORS_ORIGINS="['http://your.domain.com', 'http://localhost' ]"
# IFRAME_ORIGINS="*"

# NUMBER_OF_PROXIES= 1
DOMAIN="your.domain.com"

FLOWISE_USERNAME=
FLOWISE_PASSWORD=
# FLOWISE_SECRETKEY_OVERWRITE=myencryptionkey
# FLOWISE_FILE_SIZE_LIMIT=50mb
DEBUG=true
# LOG_LEVEL=debug (error | warn | info | verbose | debug)
LOG_LEVEL=verbose
# TOOL_FUNCTION_BUILTIN_DEP=crypto,fs
# TOOL_FUNCTION_EXTERNAL_DEP=moment,lodash

# LANGCHAIN_TRACING_V2=true
# LANGCHAIN_ENDPOINT=https://api.smith.langchain.com
# LANGCHAIN_API_KEY=your_api_key
# LANGCHAIN_PROJECT=your_project

# DISABLE_FLOWISE_TELEMETRY=true

What I wanted to achieve?

I need to access the Traefik Dashboard by using this route:

https://flowise.[redacted].[redacted]/traefik/dashboard

Additional Info:

  • The environment variables for flowise container can be configured with .env.template
  • I followed this guide to set up my Traefik service with /traefik as the dashboard route

I am a newbie using Traefik for the first time. Any help is much appreciated!
Thank you.

You can’t. Traefik dashboard is fixed to /dashboard and uses /api.

You could change the path to target service by middleware, but the first html page will return scripts and links with the fixed paths, so this won’t work.

It’s best practice to use a sub-domain for GUI web apps, if you can’t set some kind of "base path".

Hi @bluepuma77, I apologize for the delayed response.

You are absolutely correct regarding the endpoints. Utilizing a custom path prefix like /traefik within the same hostname wouldn't function as expected.

To address this, I've implemented a successful workaround by establishing an A record within my Cloudflare DNS. This record directs traffic for the subdomain traefik.flowise to the public IP address of your Oracle instance, configured as "DNS Only" to avoid proxying. Here's the configuration for reference:

A  flowise          <Oracle Instance Public IP>  Proxied
A  traefik.flowise  <Oracle Instance Public IP>  DNS Only

This configuration enables secure access to the Traefik dashboard using HTTPS with custom-generated certificates obtained from Let's Encrypt. You can access the dashboard at the following URL:

https://traefik.flowise.[redacted].[redacted]

I've included my docker-compose file that accomplishes this configuration, for future reference in this thread.

services:
  traefik:
    image: traefik:v2.11
    environment:
      - CLOUDFLARE_EMAIL=${CF_EMAIL}
      - CLOUDFLARE_DNS_API_TOKEN=${CF_API_TOKEN}
    ports:
      #- 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./letsencrypt:/letsencrypt
      #- /var/log:/var/log
    command:
      - --api.dashboard=true
      - --log.level=INFO
      #- --log.filepath=/var/log/traefik.log
      - --accesslog=true
      #- --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.myresolver.acme.email=<your_email>
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.${DOMAIN}`) # <-- this was the change
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=

  flowise:
    image: flowiseai/flowise
    restart: always
    environment:
        - ... # same as before define in .env
    ports:
        - '${PORT}:${PORT}'
    networks:
        - proxy
    labels:
        - "traefik.enable=true"
        - "traefik.http.routers.flowise.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.flowise.entrypoints=websecure"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.flowise.tls.certresolver=myresolver"
        - 'traefik.http.routers.flowise.service=webapp'
        - "traefik.http.services.webapp.loadbalancer.server.port=${PORT}" 
    volumes:
        - "~/.flowise:/root/.flowise"
    command: /bin/sh -c "flowise start"

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
    name: letsencrypt

Note that it’s best practice not to use ports on target services.

You usually don’t want them accessible outside of the Docker network, that way security middlewares could be circumvented.

Inside a Docker network all ports are accessible, anyway.
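
The point made in the last reply, as an added example that is not part of the thread: a Python check that flags services whose Traefik backend port is also published on the host, where it can be reached without passing through Traefik's middlewares. It assumes the Compose file has already been parsed into a dict (for instance from the JSON printed by `docker compose config --format json`); the function names and `SAMPLE` are constructed for illustration.

```python
import re

# Label that tells Traefik which container port to forward to.
LB_PORT = re.compile(r"^traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port$")
LOOPBACK = ("127.0.0.1", "::1", "localhost")

def labels_of(service):
    """Compose labels come as a mapping or as a list of "key=value" strings."""
    raw = service.get("labels") or {}
    if isinstance(raw, dict):
        return {str(k): str(v) for k, v in raw.items()}
    return dict(s.split("=", 1) if "=" in s else (s, "") for s in raw)

def published(service):
    """Yield (host_ip, container_port) for every host-published port."""
    for p in service.get("ports") or []:
        if isinstance(p, dict):  # long syntax, as printed by `docker compose config`
            yield p.get("host_ip", "0.0.0.0"), str(p["target"])
        else:  # short syntax [[IP:]HOST:]CONTAINER[/proto]; IPv4 host IPs only
            parts = str(p).split("/")[0].split(":")
            yield (parts[0] if len(parts) == 3 else "0.0.0.0"), parts[-1]

def audit(compose):
    """Return (service, port) pairs where the Traefik backend port is also on the host."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        labels = labels_of(svc)
        if labels.get("traefik.enable", "").lower() != "true":
            continue
        backends = {v for k, v in labels.items() if LB_PORT.match(k)}
        findings += [(name, port) for ip, port in published(svc)
                     if port in backends and ip not in LOOPBACK]
    return findings

# Constructed sample: the thread's final Compose file with ${PORT} resolved to 3000.
SAMPLE = {"services": {
    "traefik": {"ports": ["443:443"], "labels": [
        "traefik.enable=true",
        "traefik.http.routers.mydashboard.service=api@internal"]},
    "flowise": {"ports": ["3000:3000"], "labels": [
        "traefik.enable=true",
        "traefik.http.services.webapp.loadbalancer.server.port=3000"]},
}}

if __name__ == "__main__":
    for name, port in audit(SAMPLE):
        print(f"{name}: backend port {port} is published on the host, bypassing Traefik")
```

Removing the `ports:` entry from the flowise service clears the finding; Traefik still reaches port 3000 over the shared Docker network.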