[docker-compose.yml] traefik v1.7.18 to v2.0 migration worked out / need help

I had Traefik:latest set up in my docker-compose.yml file, but when updating my Docker images I got Traefik v2, which is of course not compatible with the old syntax.

Based on various sources (documentation, topics here and blog posts) I've noticed that there is not yet a 'complete' docker-compose.yml kind of migration done, or I couldn't find it.

In order for more people to learn, I've come up with this transformation of my v1 config to v2, but before I test it out I need an extra set of eyes to go over it.

This is my old, working v1.7.18 config:

  core-traefik:
    container_name: core-traefik
    image: traefik:v1.7.18
    restart: unless-stopped
    command: >
      --accessLog
      --acme
      --acme.email=docker@vdhoven.info
      --acme.storage="/acme/certs.json"
      --acme.entryPoint=https
      --acme.httpChallenge.entryPoint=http
      --acme.onhostrule=true
      --acme.acmelogging=true
      --api
      --constraints=tag==traefik-exposed
      --docker
      --docker.watch=true
      --docker.exposedbydefault=false
      --entrypoints='Name:http Address::80 Redirect.EntryPoint:https'
      --entrypoints='Name:https Address::443 TLS'
      --logLevel=INFO
      --insecureskipverify=true
    networks:
      - traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
      - core-traefik-acme:/acme
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:traefik.at.vdhoven.info
      - traefik.port=8080
      - traefik.tags=traefik-exposed
      - traefik.docker.network=traefik
      # Security
      - traefik.frontend.headers.SSLRedirect=true
      - traefik.frontend.headers.forceSTSHeader=true
      - traefik.frontend.headers.STSSeconds=315360000
      - traefik.frontend.headers.STSIncludeSubdomains=true
      - traefik.frontend.headers.STSPreload=true
      - traefik.frontend.headers.browserXSSFilter=true
      - traefik.frontend.headers.contentTypeNosniff=true
      - traefik.frontend.headers.frameDeny=true
      # Traefik forward auth
      - traefik.frontend.auth.forward.address=http://core-traefik-forward-auth:4181
      - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
      - traefik.frontend.auth.forward.trustForwardHeader=true
      # Traefik service that listens on HTTPS
      - traefik.webservice.frontend.entryPoints=https

I have no clue if I actually need all the 'security' headers, but they were advised by another blog when I initially set up the stuff. Here is my converted code, which does not yet use traefik-forward-auth:

  core-traefik:
    container_name: core-traefik
    image: traefik:v2.0.0
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --api
      - --certificatesresolvers.letsencrypt.acme.email=docker@domain.ext
      - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
      - --certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=web
    networks:
      - traefik
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
      - core-traefik-acme:/acme
    labels:
      # Enable traefik
      - traefik.enable=true
      - traefik.docker.network=traefik

      # Dashboard
      - traefik.http.routers.traefik.rule=Host('traefik.at.domain.ext')
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik.entrypoints=websecure

      # Forward auth setup
      - traefik.http.routers.traefik.middlewares=authtraefik
      - traefik.http.middlewares.authtraefik.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/ # user/password

      # global redirect to https
      - traefik.http.routers.http-catchall.rule=hostregexp('{host:.+}')
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

      # Security headers
      - traefik.http.middlewares.general.headers.SSLRedirect=true
      - traefik.http.middlewares.general.headers.forceSTSHeader=true
      - traefik.http.middlewares.general.headers.STSSeconds=315360000
      - traefik.http.middlewares.general.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.general.headers.STSPreload=true
      - traefik.http.middlewares.general.headers.browserXSSFilter=true
      - traefik.http.middlewares.general.headers.contentTypeNosniff=true
      - traefik.http.middlewares.general.headers.frameDeny=true

Questions I have regarding the above config:

  1. Is my assumption correct that all backticks (`) should actually be single quotes in the documentation (e.g. contents of Host(...) method?)
  2. Where is the 'websecure' coming from? Is that something Traefik internal? Couldn't find it in the docs.
  3. Do I need both the 'global redirect to https' and the 'middleware redirect'?
  4. Can I make the security headers global by appending them to traefik.http.routers.http-catchall.headers.X?

That would be it for now, then I can focus on adding thomseddon/traefik-forward-auth in the mix.

Sources used:

Is my assumption correct that all backticks (`) should actually be single quotes in the documentation (e.g. contents of Host(...) method?)

Those normally should be left as back-ticks. You can also use escaped double quotes. It all comes down to the fact that your strings might go through a few different parsers (docker-compose yaml, golang templates, etc.) and each adds its own quote parsing considerations. To alleviate this pain somewhat, the traefik team decided to use back-ticks that are used neither by yaml nor by golang, to make those lines a bit more portable between different configuration sources.

Where is the 'websecure' coming from? Is that something Traefik internal? Couldn't find it in the docs.

This is just the name of an entry point you define. It does not have to be called websecure; you can call it george if you like. Here is the doco link: Traefik EntryPoints Documentation - Traefik

Do I need both the 'global redirect to https' and the 'middleware redirect'?

It does not appear that global redirect to https exists in traefik 2. You will need to create a separate router(s) for that.

Can I make the security headers global by appending them to traefik.http.routers.http-catchall.headers.X?

I'm not sure about that. Again, http-catchall is just a name. I do not think there is a global facility in traefik with regard to routers. It looks like you need to refer to that middleware in each one where you need that functionality.

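A pre-deployment check for the points raised in the answers above, added here as an example (not code from the thread or from Traefik): it flags router rules written with single quotes, references to entry points, certificate resolvers or middlewares that are never defined, and middlewares (such as a security-headers one) that no router refers to. The sample flags and labels are constructed, and the check assumes everything is defined through CLI flags and labels on a single container, with names compared as written.

```python
import re

# Constructed sample modelled on the thread's v2 flags and labels (not the poster's file).
COMMAND = [
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json",
]
LABELS = [
    "traefik.http.routers.traefik.rule=Host('traefik.at.domain.ext')",
    "traefik.http.routers.traefik.entrypoints=websecure",
    "traefik.http.routers.traefik.tls.certresolver=leresolver",
    "traefik.http.routers.traefik.middlewares=authtraefik",
    "traefik.http.middlewares.authtraefik.basicauth.users=user:HASH_PLACEHOLDER",
    "traefik.http.middlewares.general.headers.frameDeny=true",
]

def names(items, prefix):
    """Collect the name segment that follows `prefix` in dotted keys."""
    return {i.split(".")[prefix.count(".")] for i in items if i.lower().startswith(prefix)}

def lint(command, labels):
    """Return sorted findings for quoting mistakes and references that point at nothing."""
    flags = [c.lstrip("-").lower() for c in command]
    entrypoints = names(flags, "entrypoints.")
    resolvers = names(flags, "certificatesresolvers.")
    defined = names(labels, "traefik.http.middlewares.")
    used, findings = set(), []
    for label in labels:
        key, _, value = label.partition("=")
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.(.+)$", key, re.I)
        if not m:
            continue
        router, option = m.group(1), m.group(2).lower()
        refs = [v.strip() for v in value.split(",")]
        if option == "rule" and re.search(r"\('[^']*'\)", value):
            findings.append(f"{router}: rule uses single quotes, expected backticks")
        elif option == "entrypoints":
            findings += [f"{router}: unknown entrypoint {r}" for r in refs if r.lower() not in entrypoints]
        elif option == "tls.certresolver" and value.lower() not in resolvers:
            findings.append(f"{router}: unknown certresolver {value}")
        elif option == "middlewares":
            used.update(refs)
            findings += [f"{router}: unknown middleware {r}" for r in refs if r not in defined]
    findings += [f"middleware {n} is defined but attached to no router" for n in defined - used]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint(COMMAND, LABELS)))
```

A headers or auth middleware reported as attached to no router is the case to look at first, since the protection it configures is silently not applied.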