Dashboard not running on https with wildcard AlphaSSL

Hi all. Thank you first for this great forum, it really helped a lot in setting up everything traefik related.

Problem is docker dashboard is not visible / 404 page not found

Everything else works fine, redirect to https works, all docker containers work, all subdomains work, wildcard AlphaSSL works (all thanks to the info on this forum).

Kindly shed some light on what might be wrong. Thanks!

version: "3"
services:
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--log.filePath=/logs/traefik.log"
      - "--accesslog=true"
      - "--accesslog.filepath=/logs/access.log"
      - "--api.insecure=false"
      - "--providers.docker=true"
      - "--api.dashboard=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--providers.file.directory=/configuration/"
      - "--providers.file.watch=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./config/:/configuration/"
      - "./volumes/:/logs/"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`db.${DOMAIN}`) && (PathPrefix(`/db`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD}"

  app:
    container_name: app
    image: [removed but works fine on all subdomain services, no matter what image I use]
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.${DOMAIN}`)"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls=true"

You want to access Traefik at DB subdomain? :wink:

This seems wrong:

You need /api and /dashboard; access it with https://host/dashboard/. See "Dashboard Dynamic Configuration Examples" in the docs.

Hello @bluepuma77 thanks for trying to help out :smiley:

The only difference between the "Dashboard Dynamic Configuration Examples" - Docker example and the code below is that I added the two commented lines. Subdomain usage like traefik.domain is also according to the docs you pointed to.

Commenting the 2 lines of code doesn't have any impact on the 404 result since in the logs traefik records that it defaulted to websecure because it didn't find any entrypoints for dashboard:
time="2023-06-29T12:29:46Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web websecure]" routerName=dashboard

Perhaps it is important to mention that the auth middleware works when accessing https://traefik.domain.com/dashboard: login credentials are handled, and if they are correct the 404 is displayed.

Any other suggestions?

      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.service=api@internal"
      # - "traefik.http.routers.dashboard.entrypoints=websecure"
      # - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD}"

Original did not enable the API for the dashboard to get data:

Don’t use latest, decide for v2.10 or v3, which is currently in beta.

Here is a simple Traefik example that works.

Many thanks to @bluepuma77 for helping out. Below is the final working solution for making traefik work with wildcard AlphaSSL and https traefik dashboard.

The main reason it didn't work is that my initial setup used labels like "traefik.http.routers.api ..." twice, for different services: once for the Traefik API and once for the hosted app's REST API. The solution was basically to keep .api for Traefik's API and, for my hosted app's API, to replace api with .restApi.

version: "3"
services:
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    env_file: .env
    command:
      - "--log.level=DEBUG"
      - "--log.filePath=/logs/traefik.log"
      - "--accesslog=true"
      - "--accesslog.filepath=/logs/access.log"
      - "--api.insecure=false"
      - "--providers.docker=true"
      - "--api.dashboard=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      # add plain old configuration files (--providers.file) to the configuration/ directory 
      - "--providers.file.directory=/configuration/"
      # automatically reload changes with --providers.file.watch=true
      - "--providers.file.watch=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./config/:/configuration/"
      - "./volumes/:/logs/"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD}"

  app:
    container_name: app
    image: [your docker image]
    env_file: .env
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.${DOMAIN}`)"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls=true"

And for the AlphaSSL certificate, adding the following certificates.yml to /config/ does the trick:

# Dynamic configuration
# in configuration/certificates.yaml
tls:
  certificates:
    # first certificate
    - certFile: ./yourcertname.crt
      keyFile: ./yourcertname.key

That’s doubled. You only need one router for API and dashboard. You can simply use .rule=Host(`traefik.example.com`). The target service is the same.

@bluepuma77 you are right. Thanks for pointing that out. Just tested the below version and it works! :+1:

I suppose, if you would agree, the reason why the dashboard wasn't visible in the first place is that I mistakenly also used the label "traefik.http.routers.api ..." for one of the other docker services, namely the hosted app's REST API, not Traefik's API. The dashboard started working when the .api of the api service was renamed to .restApi and Traefik's .api remained .api.

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD}"

As you don't have a dashboard router anymore, you can remove the assignment

@bluepuma77 Cool, just took it out and the dashboard and authentication for the dashboard still works. So basically "traefik.http.routers.api.middlewares=auth" does the job and dashboard.middlewares is not needed anymore.

The docs you pointed to state the following about enabling Traefik's API in production:

Enabling the API in production is not recommended, because it will expose all configuration elements, including sensitive data. In production, it should be at least secured by authentication and authorizations.

If so, wouldn't it be better to totally disable the traefik api and dashboard? Is "at least secured" with the username and password enough? The reverse proxy still functions without the api ...

The API is only used for the Dashboard. You can use middlewares (password, restrict to IPs, etc.) to secure it or disable it completely.

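The root cause found in this thread (two services claiming the router name "api"), the leftover dashboard.middlewares label, and the advice to keep api@internal behind a middleware can all be checked before deploying. The following is an added example, not code from the thread or from the Traefik project: a small label linter whose `SAMPLE` data, finding names and `lint` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread: two services both use the router
# name "api", and a leftover label still references a "dashboard" router.
SAMPLE = {
    "traefik": [
        "traefik.enable=true",
        "traefik.http.routers.api.rule=Host(`traefik.example.com`)",
        "traefik.http.routers.api.service=api@internal",
        "traefik.http.routers.api.middlewares=auth",
        "traefik.http.routers.dashboard.middlewares=auth",
        "traefik.http.middlewares.auth.basicauth.users=admin:<htpasswd-hash>",
    ],
    "backend": [
        "traefik.enable=true",
        "traefik.http.routers.api.rule=Host(`app.example.com`) && PathPrefix(`/api`)",
        "traefik.http.routers.api.entrypoints=websecure",
    ],
}

ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.=]+)\.([^=]+)=(.*)$")

def lint(services):
    """Return sorted (kind, router, services) findings for {service: [labels]}."""
    routers = defaultdict(dict)  # router name -> {service: {option: value}}
    for svc, labels in services.items():
        for label in labels:
            m = ROUTER_LABEL.match(label)
            if m:
                name, option, value = m.groups()
                routers[name].setdefault(svc, {})[option.lower()] = value
    findings = []
    for name, by_svc in routers.items():
        owners = ",".join(sorted(by_svc))
        if len(by_svc) > 1:  # same router name claimed by different services
            findings.append(("collision", name, owners))
        if not any("rule" in opts for opts in by_svc.values()):
            findings.append(("no-rule", name, owners))  # e.g. leftover middleware label
        for svc, opts in by_svc.items():
            # Dashboard/API router exposed without any middleware in front of it
            if opts.get("service") == "api@internal" and not opts.get("middlewares"):
                findings.append(("unauthenticated-api", name, svc))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```

Renaming the backend's router to restApi and dropping the dashboard.middlewares label, as done in the thread, leaves the sample with no findings.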