Docker traefik + portainer

Traefik Traefik v3 (latest)
1

Hello everyone, I am setting up the following tools:

  • cloudflare domain
  • docker
  • traefik
  • portainer ce

my cloudflare configuration is as follows:

DNS

type: A
name: domain-org 
content: my-ip-vps
proxy status: proxy
ttl: auto

type: cname
name: proxy (subdomain where I want to have atrafik + dashboard)
content: domain-org
proxy status: proxy
ttl: auto

type: cname
name: port (subdomain carrier) 
content: domain-org
proxy status: proxy
ttl: auto

This is my information on traefik

docker-compose:

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik
    ports:
      - 80:80
      - 443:443
      # - 443:443/tcp # Uncomment if you want HTTP3
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      - CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      - TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`proxy-domain-org`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`proxy-domain-org`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=domain-org"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.domain-org"
      - "traefik.http.routers.traefik-secure.service=api@internal"

secrets:
  cf_api_token:
    file: ./cf_api_token.txt

networks:
  traefik:
    external: true

this is my traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: myemail@gmail.com
      storage: acme.json
      caServer: https://acme-v02-api.letsencrypt-org/directory # prod (default)
      # caServer: https://acme-staging-v02-api.letsencrypt-org/directory # staging
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

At this point my traefik works perfectly, I can access the dashboard without problem

Now I share my portainer docker-compose.yaml

services:
  portainer:
    container_name: portainer_service
    image: portainer/portainer-ce:2.20.3-alpine
    command: -H unix:///var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./portainer_data:/data
    ports:
      - 9000:9000
      - 9443:9443
      - 8000:8000
    restart: unless-stopped    
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`port-domain-org`)"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.http.routers.portainer-secure.rule=Host(`port-domain-org`)"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=cloudflare"
      
  portainer-agent:
    container_name: portainer_agent
    image: portainer/agent:2.20.3-alpine
    ports:
      - 9001:9001
    environment:
      AGENT_CLUSTER_ADDR: tasks.portainer-agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - traefik
    restart: unless-stopped  
    labels:
      - "traefik.enable=false" # El agente de Portainer no necesita ser accesible desde Internet

networks:
  traefik:
    external: true

At this point I cannot access my portainer.

Can you give me some clarity, what am I doing wrong?