I'm trying to figure out why traefik serve default ssl certificate for tcp even tls.passthrough is configured.
docker-compose.yaml:
version: "3"
services:
mariadb:
image: mariadb:10
restart: always
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "yes"
MYSQL_USER: ${DB_USERNAME}
MYSQL_PASSWORD: ${DB_PASSWORD}
MYSQL_DATABASE: ${DB_DATABASE}
volumes:
- "mariadb-data:/var/lib/mysql"
networks:
- seat-network
logging:
driver: "json-file"
options:
max-size: "10Mb"
max-file: "5"
deploy:
resources:
limits:
cpus: '1'
memory: 512M
reservations:
cpus: '0.5'
memory: 150M
redis:
image: redis:5-alpine
restart: always
networks:
- seat-network
logging:
driver: "json-file"
options:
max-size: "10Mb"
max-file: "5"
deploy:
resources:
limits:
cpus: '1.0'
memory: 256M
reservations:
cpus: '0.1'
memory: 50M
traefik:
image: "traefik:v2.9"
restart: always
command:
- --log.level=DEBUG
- --api=true
- --api.dashboard=true
- --providers.docker
- --providers.docker.exposedByDefault=false
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
- --entryPoints.websecure.address=:443
- --entrypoints.websecure.http.tls=true
# Mumble entrypoint
- --entryPoints.mumbletcp.address=:64738
- --entryPoints.mumbleudp.address=:64738/udp
# ACME
- --certificatesresolvers.primary.acme.email=${TRAEFIK_ACME_EMAIL}
- --certificatesresolvers.primary.acme.storage=acme.json
- --certificatesresolvers.primary.acme.httpchallenge.entrypoint=web
ports:
- ${TRAEFIK_HTTP_PORT}:80
- ${TRAEFIK_HTTPS_PORT}:443
- 64738:64738
- 64738:64738/udp
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./acme/acme.json:/acme.json
labels:
- "traefik.enable=true"
#- "traefik.http.routers.api.rule=Host(`traefik.${TRAEFIK_DOMAIN}`)"
#- "traefik.http.routers.api.service=api@internal"
#- "traefik.http.routers.api.entrypoints=websecure"
- "traefik.http.routers.dashboard.entrypoints=websecure"
- "traefik.http.routers.dashboard.rule=Host(`traefik.${TRAEFIK_DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=user:$$2y$$10$$9uhdfyubKRCy09ezQgeCguKfvgwI3yu0RdPxBPYYILGQkHhnGhvfe"
# Uncomment to enable HTTPS via ACME
- "traefik.http.routers.api.tls.certResolver=primary"
networks:
- seat-network
logging:
driver: "json-file"
options:
max-size: "10Mb"
max-file: "5"
deploy:
resources:
limits:
cpus: '0.50'
memory: 96M
reservations:
cpus: '0.25'
memory: 32M
seat-web:
image: eveseat/seat:4
restart: always
command: web
# volumes:
# - ./packages:/var/www/seat/packages:ro # development only
env_file:
- .env
labels:
- "traefik.enable=true"
- "traefik.http.routers.seat-web.rule=Host(`${SEAT_SUBDOMAIN}.${TRAEFIK_DOMAIN}`)"
- "traefik.http.routers.seat-web.entrypoints=websecure"
# Uncomment to enable HTTPS via ACME
- "traefik.http.routers.seat-web.tls.certResolver=primary"
depends_on:
- mariadb
- redis
networks:
- seat-network
logging:
driver: "json-file"
options:
max-size: "10Mb"
max-file: "5"
deploy:
replicas: 1
resources:
limits:
cpus: '0.50'
memory: 192M
reservations:
cpus: '0.1'
memory: 90M
seat-worker:
image: eveseat/seat:4
restart: always
command: worker
# volumes:
# - ./packages:/var/www/seat/packages:ro # development only
env_file:
- .env
depends_on:
- seat-web # so that we can get db migrations done
- mariadb
- redis
networks:
- seat-network
logging:
driver: "json-file"
options:
max-size: "10Mb"
max-file: "5"
deploy:
replicas: 2
resources:
limits:
cpus: '1'
memory: 512M
reservations:
cpus: '0.5'
memory: 256M
seat-cron:
image: eveseat/seat:4
restart: always
command: cron
# volumes:
# - ./packages:/var/www/seat/packages:ro # development only
env_file:
- .env
depends_on:
- seat-web # so that we can get db migrations done
- mariadb
- redis
networks:
- seat-network
logging:
driver: "json-file"
options:
max-size: "10Mb"
max-file: "5"
deploy:
resources:
limits:
cpus: '0.50'
memory: 192M
reservations:
cpus: '0.1'
memory: 16M
mumble-agent:
image: alliancewaw/seat-mumble-register
restart: unless-stopped
depends_on:
- traefik
- mumble-server
networks:
- seat-network
volumes:
- ./mumble-agent:/app/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.mumble-agent.rule=Host(`mumble-agent.${TRAEFIK_DOMAIN}`)"
- "traefik.http.routers.mumble-agent.entrypoints=websecure"
# Uncomment to enable HTTPS via ACME
- "traefik.http.routers.mumble-agent.tls.certResolver=primary"
mumble-server:
image: mumblevoip/mumble-server:latest
restart: on-failure
depends_on:
- traefik
volumes:
- ./mumble/data:/data
- ./mumble/ssl:/ssl
- ./mumble/secrets:/run/secrets
networks:
- seat-network
labels:
- "traefik.enable=true"
#- "traefik.tags=service"
- "traefik.tcp.routers.mumble-server.entrypoints=mumbletcp"
- "traefic.tcp.routers.mumble-server.rule=HostSNI(mumble.${TRAEFIK_DOMAIN})"
- "traefik.tcp.routers.mumble-server.tls.passthrough=true"
- "traefik.tcp.services.mumble-server.loadbalancer.server.port=64738"
- "traefic.udp.routers.mumble-server.entrypoints=mumbleudp"
- "traefik.upd.services.mumble-server.loadbalancer.server.port=64738"
environment:
MUMBLE_SUPERUSER_PASSWORD: ${MUMBLE_SUPERUSER_PASSWORD}
MUMBLE_CONFIG_BANDWIDTH: 72000
MUMBLE_CONFIG_SERVER_PASSWORD: ${MUMBLE_SERVER_PASSWORD}
MUMBLE_CONFIG_HOST: "0.0.0.0"
MUMBLE_CONFIG_ICE: "tcp -h 0.0.0.0 -p 6502"
MUMBLE_CONFIG_ICE_SECRET_READ: ${MUMBLE_CONFIG_ICE_SECRET_READ}
MUMBLE_CONFIG_ICE_SECRET_WRITE: ${MUMBLE_CONFIG_ICE_SECRET_WRITE}
MUMBLE_VERBOSE: true
expose:
- 6502
- 64738
- 64738/udp
volumes:
mariadb-data:
networks:
seat-network:
traefik logs:
level=debug msg="Serving default certificate for request: \"mumble.your.site\""
Folks do you have any idea why I get default cert even if I configured TLS passthrough.