Container with https internal connection

Having issues with plex going through traefik.

If I set plex custom domain to http://plex.domain.tld:80, https://plex.domain.tld:443 and use a tool to convert acme.json to crt and key, then put them in plex's path, the remote connection checker will fail, but I will be able to access my plex server outside of my network.

I started a thread on plex's forums but have not made any traction.

  traefik:
    image: traefik:latest
    restart: always
    env_file:
     - "./.env"
    container_name: "traefik"
    command:
        - --configFile=/static.yaml 
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
      - "./traefik/static.yaml:/static.yaml"
      - "./traefik/dynamic.yaml:/etc/traefik/dynamic.yaml"
    environment:
      - "CF_API_EMAIL:$CLOUDFLARE_EMAIL"
      - "CF_API_KEY:$CLOUDFLARE_API_KEY"
      - "TZ:$TZ"
      - "PUID:$PUID"
      - "PGID:$PGID"
    labels:
      - "traefik.enable=true"
 
      # Redirect to https Middleware
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
      # Security headers middleware
      - "traefik.http.middlewares.security-headers.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.security-headers.headers.stsPreload=true"
      - "traefik.http.middlewares.security-headers.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true"
 
      # Rules and middlewares association with entrypoints
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)" # Catches all requests
      - "traefik.http.routers.http-catchall.entrypoints=web" # Http middleware for web (http) entrypoint (see static.yaml file)
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https,security-headers" # Add redirect and security middlewares
      - "traefik.http.routers.https-catchall.rule=hostregexp(`{host:.+}`)" # Catches all requests
      - "traefik.http.routers.https-catchall.entrypoints=websecure" # Http middleware for websecure (https) entrypoint (see static.yaml file)
      - "traefik.http.routers.https-catchall.middlewares=security-headers" # Add security middleware
      # fix for internal containers that require snakeoil ssl
      - "serversTransport.insecureSkipVerify=true"
 
      # Secure Dashboard
      - "traefik.http.routers.traefik-dash.service=api@internal"
      - "traefik.http.routers.traefik-dash.middlewares=admin"
      - "traefik.http.routers.traefik-dash.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-dash.entrypoints=websecure"
      - "traefik.http.routers.traefik-dash.tls=true"
      - "traefik.http.routers.traefik-dash.tls.certresolver=resolver"
      - "traefik.http.routers.traefik-dash.middlewares=security-headers"
      - "traefik.http.routers.traefik-dash.tls.options=default"

Dynamic.yaml

tls:
  options:
    default:
      minVersion: VersionTLS12 # Minimum TLS 1.2
      sniStrict: true # Only browsers with SNI support
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

static.yaml

entryPoints:
  web:
    address: :80
  websecure:
    address: :443
providers:
  docker: # Enables docker to be a provider from its labels
    exposedByDefault: false # Not expose by default docker containers
  file: # Reads all files located in /etc/traefik/*
    watch: true
    directory: "/etc/traefik/"
certificatesResolvers: # Certs handler/resolver
  resolver:
    acme:
      email: mytotallyrealemail@domain.tld
      storage: "/letsencrypt/acme.json"
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
api: # Enables traefik ui dashboard and api
  insecure: true
  dashboard: true

And my plex docker container configuration

  plex:
    container_name: plex
    restart: always
    env_file:
     - "./.env"
    image: ghcr.io/linuxserver/plex:latest
    privileged: True
    devices:
      - "/dev/dri/:/dev/dri/"
    volumes:
      - "./plex:/config"
      - "./plex/transcode:/transcode"
      - "$RAIDBOSS:/data"
    environment:
      - "TZ:$TZ"
      - "PUID:$PUID"
      - "PGID:$PGID"
      - "UMASK_SET:002"
      - "VERSION:docker"
      - "PLEX_CLAIM:claim-idd_5EgwcdbyD5s7Ems9"
      - ADVERTISE_IP=https://plex.$DOMAINNAME:443
    labels:
      - "gpus=all"
      - "traefik.enable=true"
      - "traefik.http.routers.plex.rule=Host(`plex.$DOMAINNAME`)"
      - "traefik.http.routers.plex.entrypoints=websecure"
      - "traefik.http.routers.plex.tls=true"
      - "traefik.http.routers.plex.tls.certresolver=resolver"
      - "traefik.http.routers.plex.middlewares=security-headers"
      - "traefik.http.routers.plex.tls.options=default"
      - "traefik.http.services.plex.loadbalancer.server.port=32400"
    networks:
      - yeetmaster


Anyone?
It works outside of the reverse proxy

Bump, please I can't get nextcloud to work

Plex or NextCloud?

As you see in your Plex community thread, the remote access indicator does not appear to work behind a reverse proxy.

same thing, both want https connections internally

Add a scheme label to your services label.

traefik.http.services.myservice.loadbalancer.server.scheme=https

If using self-signed/your own certificates then you may also need to set up a Servers Transport using certificates or insecureSkipVerify
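
The advice above as a configuration sketch, added here as an example and not taken from any post in this thread: the Plex service is switched to an HTTPS backend and bound to its own servers transport that verifies the backend certificate, with the skip-verify variant shown beside it for comparison. The transport names, the `serverName` value and the CA file path are assumptions, and the per-service `serversTransport` option needs Traefik v2.4 or later.

```yaml
# --- docker-compose.yml: labels on the plex service ---------------------
labels:
  - "traefik.http.services.plex.loadbalancer.server.port=32400"
  # Speak TLS to the container instead of plain HTTP.
  - "traefik.http.services.plex.loadbalancer.server.scheme=https"
  # Bind this one service to a named transport defined in the file provider
  # ("plex-backend" is an assumed name).
  - "traefik.http.services.plex.loadbalancer.serversTransport=plex-backend@file"

# --- dynamic.yaml (loaded by the file provider) -------------------------
http:
  serversTransports:
    # Weak variant: accepts any certificate the backend presents.
    # Scoped to the services that reference it, unlike the global
    # static option serversTransport.insecureSkipVerify.
    plex-backend-insecure:
      insecureSkipVerify: true

    # Verified variant: Traefik connects to the container by IP, so tell it
    # which name the backend certificate must carry.
    plex-backend:
      serverName: "plex.domain.tld"    # assumed: name in the cert installed in Plex
      # Only needed when the backend cert is issued by a private CA or is
      # self-signed; a publicly trusted cert verifies without this list.
      rootCAs:
        - "/certs/internal-ca.pem"     # assumed path, must be mounted into the traefik container
```

`serversTransport.insecureSkipVerify` is a static-configuration option, so writing it as a container label, as in the compose file at the top of the thread, does not enable it.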

Hi!

Can you tell me if you solved it @robertallbright?

Thanks