Kaaedan
September 9, 2020, 5:40am
1
Hey !
I'm trying to set up traefik on my vps with the help of docker-compose but I can't fix my issue.
Here is my docker-compose.yml
version: "3.8"
services:
  proxy:
    image: traefik:v2.1
    command:
      - --api
      - --providers.docker
      - --providers.docker.exposedbydefault=false
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`dashboard.domain.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=user:password"
networks:
  web:
    external: true
The problem is that the authentication does not work when I'm going to dashboard.example.com. I tried the exact same configuration just with example.com as the domain and it does work; it asks for the authentication when I'm just trying to go to example.com.
If someone could help me with that I would be grateful.
Kaaedan
September 9, 2020, 2:10pm
3
Hey! Here is my traefik.toml file!
[global]
  sendAnonymousUsage = false
[log]
  level = "INFO"
  format = "common"
[providers]
  [providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    watch = true
    exposedByDefault = true
    swarmMode = false
  [providers.file]
    filename = "/opt/traefik/traefik_dynamic.toml"
    watch = true
[api]
  dashboard = true
  debug = false
  insecure = false
[entryPoints]
  [entryPoints.insecure]
    address = ":80"
  [entryPoints.secure]
    address = ":443"
[certificatesResolvers]
  [certificatesResolvers.letsencrypt]
    [certificatesResolvers.letsencrypt.acme]
      email = "email@example.com"
      caServer = "https://acme-v02.api.letsencrypt.org/directory"
      storage = "acme.json"
      keyType = "EC384"
      [certificatesResolvers.letsencrypt.acme.httpChallenge]
        entryPoint = "web"
Kaaedan
September 9, 2020, 3:16pm
4
I managed to make it work, but the thing is that Let's Encrypt does not work.
I changed my docker-compose to this one https://github.com/containous/blog-posts/blob/master/2019_09_10-101_docker/docker-compose-08.yml from Idez.
I got no errors but still can't use https.
Kaaedan
September 9, 2020, 10:41pm
6
Yes, I've done it in the command-line arguments; it's all good concerning the subdomain. The thing is that Let's Encrypt isn't working the way it should.
zespri
September 9, 2020, 10:43pm
7
Post your updated configuration then if you fixed it since your initial posts.
Kaaedan
September 9, 2020, 10:44pm
8
I've posted the link to the doc; anyway, I'll just copy-paste it here:
version: "3.3"
services:
  traefik:
    image: "traefik:v2.0.1"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --api
      - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.leresolver.acme.email=your@email.com
      - --certificatesresolvers.leresolver.acme.storage=/acme.json
      - --certificatesresolvers.leresolver.acme.tlschallenge=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"
    labels:
      # Dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.docker.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=leresolver"
      - "traefik.http.routers.traefik.middlewares=authtraefik"
      - "traefik.http.middlewares.authtraefik.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/" # user/password
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
zespri
September 9, 2020, 10:52pm
9
What's not working? Enable debug logging and examine logs.
Kaaedan
September 9, 2020, 11:04pm
10
The browser always says that this site is dangerous and not secured.
I just added:
  - --log.filePath=/opt/traefik/traefik.log
  - --log.level=DEBUG
in the command line, but nothing appears. Do I set it up the wrong way?
I just tried to use whoami.example.com and here are the results in the dashboard:
The TLS does appear but is not working.
Kaaedan
September 9, 2020, 11:05pm
11
In case you ask for the docker-compose.yml for the whoami:
my-app:
  image: containous/whoami:v1.3.0
  labels:
    - "traefik.http.routers.my-app.rule=Host(`whoami.example.com`)"
    - "traefik.http.routers.my-app.middlewares=auth"
    - "traefik.http.routers.my-app.entrypoints=websecure"
    - "traefik.http.routers.my-app.tls=true"
    - "traefik.http.routers.my-app.tls.certresolver=leresolver"
    - "traefik.http.middlewares.auth.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/" # user/password
zespri
September 9, 2020, 11:08pm
12
The log would be inside the container if you chose to write it to file.
Examine the cert. If it's a staging Let's Encrypt cert as per your configuration, then the security warning is normal.
Kaaedan
September 9, 2020, 11:22pm
13
Nothing inside the container.
Here is the content of acme.json:
{
  "leresolver": {
    "Account": {
      "Email": "your@email.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:your@email.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/96253089"
      },
      "PrivateKey": "PrivateKey",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "traefik.example.com"
        },
        "certificate": "*certificate*",
        "key": "*key*",
        "Store": "default"
      },
      {
        "domain": {
          "main": "whoami.example.com"
        },
        "certificate": "*certificate*",
        "key": "*key*",
        "Store": "default"
      }
    ]
  }
}
The URI returns an error though, but I can't fix it.
zespri
September 10, 2020, 4:41am
14
Could you please post the commands you used to verify it and the output of these commands. Also it would be interesting to find out if /opt/traefik exists and if the user traefik runs under has permission to write to /opt/traefik/traefik.log.
In general I'd recommend starting by omitting log.filePath altogether and simply inspecting the container log.
Also I would advise examining the certificate. If it's a staging Let's Encrypt cert as per your configuration, then the security warning is normal. You can tell if it's a staging cert by looking at the issuer field.
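As an added check, not code from this thread or from Traefik itself: a small Python linter over raw docker-compose text that flags the three things this thread trips over. It reports a basicauth entry whose password is not an htpasswd-style hash (Traefik expects hashed passwords), a "$" that is not doubled for docker-compose interpolation, and a caserver pointing at the Let's Encrypt staging CA, which is exactly why a browser shows the warning discussed above. The sample lines are constructed from the labels quoted in the thread; the "admin" entry and the accepted-prefix list are my assumptions.

```python
# Constructed sample built from the labels quoted in this thread (post 1 and post 8),
# exactly as they sit in the raw YAML before docker-compose expands "$$" to "$".
# The "admin" entry is a hypothetical line added to show the unescaped-"$" case.
SAMPLE_COMPOSE = """
      - "traefik.http.middlewares.auth.basicauth.users=user:password"
      - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - "traefik.http.middlewares.authtraefik.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/"
      - "traefik.http.middlewares.bad.basicauth.users=admin:$apr1$abc$xyz"
"""

# Password formats the basicauth middleware accepts (assumed list): htpasswd MD5 (apr1),
# SHA1 and bcrypt. Anything else is treated as plaintext or an unknown scheme.
HASH_PREFIXES = ("$apr1$", "{SHA}", "$2a$", "$2b$", "$2y$")
STAGING_MARK = "acme-staging"


def lint_compose(text: str) -> list:
    """Return a list of findings for Traefik labels and CLI flags in raw compose text."""
    findings = []
    for raw in text.splitlines():
        # Drop the YAML list dash, the "--" of CLI flags and surrounding quotes.
        line = raw.strip().lstrip("- ").strip('"')
        if ".basicauth.users=" in line:
            for entry in line.split("=", 1)[1].split(","):
                user, _, secret = entry.partition(":")
                # docker-compose interpolates "$NAME", so a literal "$" must be written "$$".
                if "$" in secret.replace("$$", ""):
                    findings.append(f"{user}: unescaped '$' in compose file (write '$$')")
                # Judge the value Traefik will actually see, i.e. after "$$" becomes "$".
                if not secret.replace("$$", "$").startswith(HASH_PREFIXES):
                    findings.append(f"{user}: password is not an htpasswd hash")
        elif ".acme.caserver=" in line and STAGING_MARK in line:
            findings.append("caserver is the Let's Encrypt staging CA; browsers will not trust its certificates")
    return findings


if __name__ == "__main__":
    for finding in lint_compose(SAMPLE_COMPOSE):
        print(finding)
```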
Kaaedan
September 10, 2020, 5:25am
15
I just used docker-compose logs. I'm new to docker-compose / traefik; maybe I don't know how to check logs properly.
Well, after checking, traefik.log does not even exist; I don't think it has the permission to write.
How am I supposed to find the issuer field? I don't see any.
And I have a warning, right, but the https does not work. The thing is that users won't get on my websites if they have the "Your Connection is Not Private" message.
jnovack
September 11, 2020, 3:31pm
17
I don't think so.. The traefik binary is the only thing that's IN the container, and without an OS, nothing can mkdir /opt/traefik.
You are probably better off making log.filePath=/traefik.log, at least we know the root directory exists.
But, normally, logs written by Traefik are sent to STDOUT, so as long as you do not have any weird logging overrides in docker, a simple docker-compose logs should work just fine.
zespri
September 11, 2020, 9:36pm
18
@jnovack are you talking about traefik v1? This is a traefik v2 topic. All traefik v2 containers come with an OS.
Surely traefik can do it itself if programmed to, and has permissions, but I do not think it is.
jnovack:
But, normally, logs written by Traefik are sent to STDOUT, so as long as you do not have any weird logging overrides in docker, a simple docker-compose logs should work just fine.
Yep, I already explained that above.
jnovack
September 14, 2020, 3:18pm
19
Yep, I stand corrected. Haven't checked since, so I just assumed it didn't have it. #mybad.
brian
September 17, 2020, 6:40am
20
@Kaaedan Could you try using the DNS challenge to see if that works, as this works slightly better with subdomains. I made some examples here: https://github.com/56kcloud/traefik-training/tree/master/04-HTTPS-TLS