Hi there,
I'm trying to access cockpit through traefik v2.3.2.
The whole setup is running on a VPS.
Traefik is running in docker-compose, using the traefik network.
I have multiple docker containers running flawlessly together with traefik.
Cockpit is running outside docker on localhost:9090
If i open the firewall to 9090, i can access cockpit with serverIP:9090
I would like to route cockpit through traefik to access via subdomain and handle https for me.
So my plan is to block 9090 with ufw and have traefik route to cockpit.
My problem is accessing a non-docker service on the same host.
My dynamic config gets picked up, and the router gets created, but the routing doesn't go through.
Depending on what i try i get errors 404, 502 or 504
- Using
network_mode: host
prevents me from using the traefik network. - I cannot bind the traefik container on 9090 because the cockpit service is using that already
ufw config
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere # ssh
[ 2] 80 ALLOW IN Anywhere # http
[ 3] 443 ALLOW IN Anywhere # https
traefik docker-compose.yml
version: "3.3"
networks:
traefik:
external: true
services:
traefik:
image: traefik:v2.3.2
restart: unless-stopped
container_name: ${TRAEFIK_GUI_SUBDOMAIN}
env_file:
- .env
ports:
- 80:80
- 443:443
# Binding port 9090 does not work because cockpit is occupying that port
#- 9090:9090
# Trying network mode host stops me from using the traefik network
# network_mode: host
# using extra hosts also does not solve my problem
# extra_hosts:
#- "dockerhost:PUBLIC_SERVER_IP" # i would be surprised if that worked
volumes:
- ./data/acme.json:/acme.json # <== for certs
- /var/run/docker.sock:/var/run/docker.sock # <== for docker access
- ./config/traefik.yml:/etc/traefik/traefik.yml # static config file
- ./config/rules:/etc/traefik/rules # dynamic config folder
- ./config/users:/etc/traefik/users # users file
networks:
- traefik
labels:
# API / Dashboard
- traefik.enable=true
- traefik.http.routers.traefik.service=api@internal
- traefik.http.routers.traefik.entrypoints=websecure
- traefik.http.routers.traefik.rule=Host(`${TRAEFIK_GUI_SUBDOMAIN}.${DOMAIN}`)
- traefik.http.routers.traefik.middlewares=simple_auth@file # enable auth
traefik.yml
log:
level: ERROR #INFO #INFO #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
api:
insecure: false
debug: false
dashboard: true
global:
sendAnonymousUsage: true
certificatesResolvers:
cloudflare:
acme:
storage: /acme.json
email: MY_EMAIL
dnschallenge:
provider: cloudflare
resolvers: 1.1.1.1:53,1.0.0.1:53
# caserver: https://acme-staging-v02.api.letsencrypt.org/directory # Staging Server
entryPoints:
web:
address: :80
websecure:
address: :443
http:
tls:
certresolver: cloudflare
providers:
docker:
exposedbydefault: false
network: traefik
endpoint: unix:///var/run/docker.sock
file:
directory: /etc/traefik/rules/
watch: true
Inside /etc/traefik/rules i have:
auth.yml (works)
http:
middlewares:
simple_auth:
basicauth:
headerField: X-WebAuth-User
usersFile: /etc/traefik/users
http-redirect.yml (works)
http:
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
permanent: true
# dummy service for https redirect, the URL will be never called
services:
noop:
loadBalancer:
servers:
- url: "http://192.168.0.1"
routers:
http-catchall:
rule: "hostregexp(`{host:[a-z-.]+}`)"
entrypoints:
- web
middlewares:
- redirect-to-https
service: noop
cockpit.yml (works, but the routing doesn't)
http:
routers:
cockpit:
rule: "Host(`{{ env "COCKPIT_SUBDOMAIN" }}.{{ env "DOMAIN" }}`)"
entryPoints:
- websecure
middlewares:
- simple_auth
service: cockpit
# tls:
# certResolver: cloudflare
services:
cockpit:
loadBalancer:
# healthCheck shows always good, but that's a problem for another time
healthCheck:
interval: "5s"
timeout: "3s"
servers:
# These are all the different urls i tried to route
# - url: "http://host.docker.internal:9090"
# - url: "http://172.17.0.1:9090"
# - url: "http://localhost:9090"
# - url: "http://SERVERS_PUBLIC_IP:9090" # no surprise here
# - url: "https://dockerhost:9090" # together with extra_hosts => dockerhost:PUBLIC_SERVER_IP on the traefik container, also didn't expect this to work
# - url: "http://host.docker.internal:9090"
# - url: "http://172.17.0.1:9090"
- url: "http://172.18.0.1:9090" # this is the ip from traefik network, but also no success
I also set the config for cockpit to allow reverse proxying
[WebService]
Origins = http://cockpit.mydomain.com ws://cockpit.mydomain.com https://cockpit.mydomain.com wss://cockpit.mydomain.com
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted=true
I'm pretty new to traefik and tried this now for a few days with no success. Can you give me any pointers on how i can get that working?