Enable a secure dashboard using a PathPrefix

Hey folks!

I carefully followed and tested the post Traefik 2.0 & Docker 101. It's all good when I followed each section. Well done!

Question #1)

For the secured dashboard, this works:

    "traefik.http.routers.traefik.rule=Host(`dashboard.mydomain.club`)"

But does not work using PathPrefix.

    "traefik.http.routers.traefik.rule=Host(`mydomain.club`) && PathPrefix(`/dashboard`)"

I see "404 page not found". See my docker compose files on this gist. You will see how I use PathPrefix for my webapp.

Question #2)

static config - To enable the dashboard, the post indicates to add --api.

But on the other hand, the docs say to add --api.dashboard=true.

    command:
      …
      - --api
      …

Which one is true?

Thanks!

Hello,

  1. https://docs.traefik.io/v2.1/operations/dashboard/#dashboard-router-rule

    "traefik.http.routers.traefik.rule=Host(`mydomain.club`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))"

  2. https://docs.traefik.io/v2.1/operations/api/#dashboard

api.dashboard is true by default, so --api=true == --api=true --api.dashboard=true

Hi again,

  1. I updated my yaml but I get the same result ==> "404 page not found".
  • I did docker-compose -f compose-traefik.yml down && docker-compose -f compose-traefik.yml up -d
  • I confirm that basicauth prompt for my user/pass
  • I confirm that my two webapps are working
    • mydomain.club
    • mydomain.club/green
  2. Oh got it!

    version: "3.7"

    services:
      traefik:
        image: traefik:v2.1.2
        command: >
          --api
          --entryPoints.web.address=:80
          --entryPoints.websecure.address=:443
          --providers.docker.exposedByDefault=false
        ports:
          - 80:80
          - 443:443
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        labels:
          traefik.enable: true
          traefik.http.routers.traefik.rule: Host(`subdomain.localhost`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))
          traefik.http.routers.traefik.service: api@internal
          traefik.http.routers.traefik.entrypoints: web
          traefik.http.routers.traefik.middlewares: strip

          traefik.http.middlewares.strip.stripprefix.prefixes: /traefik

    $ curl subdomain.localhost/traefik/
    <a href="/traefik/dashboard/">Found</a>.

I think I found a bug :sweat_smile:

The "stripprefix example" you shared worked as expected over http://mydomain.club/traefik. Nice. Then I thought it was an issue with my TLS setup. After much trial and error, I thought « let's disable the basic auth ».

To my surprise, it worked over TLS as well. See my updated compose file.

So it looks like the basicauth middleware is in conflict with the stripprefix middleware.

There is no bug.

    $ curl -k https://subdomain.localhost/traefik/
    404 page not found

You forgot to define your entry point on the traefik router and on all routers:

    labels:
      #### set core configs
      - "traefik.enable=true"

      - "traefik.http.routers.traefik.rule=Host(`mydomain.club`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      
      #### stripprefix for dashboard
      - "traefik.http.routers.traefik.middlewares=mystrip"
      - "traefik.http.middlewares.mystrip.stripprefix.prefixes=/traefik"
      
      #### set TLS
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=leresolver"
      
      #### set a rule to redirect all http requests to https
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

Also remember that a label key (for example traefik.http.routers.traefik.middlewares) must be unique: it's a map.
So to use multiple middlewares:

    traefik.http.routers.traefik.middlewares=mystrip,myauth

Yes this is cleaner!

    traefik.http.routers.traefik.middlewares=mystrip,myauth

entrypoints

As we have a http-catchall router, we actually have two entrypoints ==> web + websecure

On my side, my two webapps and the dashboard work regardless of whether I use the label traefik.http.routers.traefik.entrypoints=websecure or not. So, I feel that the traefik.http.routers.http-catchall.entrypoints=web does its job in any case.

works good

    labels:
      #### set core configs
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`mydomain.club`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))"

      #### set traefik dashboard
      - "traefik.http.routers.traefik.service=api@internal"

      #### set middlewares: stripprefix for dashboard
      - "traefik.http.routers.traefik.middlewares=mystrip"
      - "traefik.http.middlewares.mystrip.stripprefix.prefixes=/traefik"

      #### set TLS
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=leresolver"

      #### set a rule to redirect all http requests to https
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

no bueno

But my glitch persists: when I use basic auth, the dashboard is not available.

    labels:
      #### set core configs
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`mydomain.club`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))"

      #### set traefik dashboard
      - "traefik.http.routers.traefik.service=api@internal"

      #### set middlewares: stripprefix for dashboard + BasicAuth
      - "traefik.http.routers.traefik.middlewares=mystrip,myauth"
      - "traefik.http.middlewares.mystrip.stripprefix.prefixes=/traefik"
      - "traefik.http.middlewares.myauth.basicauth.users=pascalandy:$$2y$$05$$W10189ezy/7skshywvcz9.nc8yR6M8GvFZmnKugkzsoIGQycJS8Y6"

      #### set TLS
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=leresolver"

      #### set a rule to redirect all http requests to https
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

I don't think it's related to the issue I have, but I redefine the "basicauth middleware" for each service (green + home). Would it be better to define only one and reuse it on all services?

Middleware names must be unique.

So, I recommend creating the middleware in only one place.

Good news!!! By regrouping the middlewares and re-using them across all my services, the basicauth issue is gone :star_struck: :innocent: :cowboy_hat_face: :sunglasses: :nerd_face:

lesson learned

I guess the lesson learned here is that you can break your middlewares when you redefine them across multiple compose files.

final result

Here are my updated compose files.

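The lesson from this thread, as an added example (not code from the posts or from the Traefik project): a small lint that scans the labels of several compose services for a middleware name defined in more than one place, and for routers that reference a middleware no scanned service defines. The per-service label sets, the `compress` middleware name and the `HASH_A`/`HASH_B` values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: labels per compose service, modelled on the thread's
# setup. HASH_A/HASH_B are placeholders; "compress" is a hypothetical name.
SERVICES = {
    "traefik": [
        "traefik.http.routers.traefik.middlewares=mystrip,myauth",
        "traefik.http.middlewares.mystrip.stripprefix.prefixes=/traefik",
        "traefik.http.middlewares.myauth.basicauth.users=admin:HASH_A",
    ],
    "home": [
        "traefik.http.routers.home.middlewares=myauth",
        "traefik.http.middlewares.myauth.basicauth.users=admin:HASH_B",
    ],
    "green": ["traefik.http.routers.green.middlewares=myauth,compress"],
}

MW_DEF = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.(.+?)=(.*)$")
MW_USE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.middlewares=(.*)$")

def lint(services):
    """Return (redefined, undefined) for a {service: [labels]} mapping."""
    defs = defaultdict(dict)  # middleware name -> {service: {option: value}}
    uses = defaultdict(set)   # router name -> middleware names it references
    for svc, labels in services.items():
        for label in labels:
            label = label.strip().strip('"')
            if m := MW_DEF.match(label):
                defs[m[1]].setdefault(svc, {})[m[2]] = m[3]
            elif m := MW_USE.match(label):
                uses[m[1]].update(n.strip() for n in m[2].split(",") if n.strip())
    # Names defined by more than one service, and whether the options differ.
    redefined = {}
    for name, by_svc in defs.items():
        if len(by_svc) > 1:
            opts = list(by_svc.values())
            redefined[name] = (sorted(by_svc), any(o != opts[0] for o in opts))
    # Routers referencing a middleware that no scanned service defines
    # (a "name@docker" reference is matched on "name").
    undefined = {}
    for router, names in uses.items():
        missing = sorted(n for n in names if n.split("@")[0] not in defs)
        if missing:
            undefined[router] = missing
    return redefined, undefined

if __name__ == "__main__":
    print(lint(SERVICES))
```

On the sample, `myauth` is reported as defined by both `home` and `traefik` with differing options, and the `green` router is reported as referencing the undefined `compress`.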