I've recently switched from Caddy to Traefik v2 and have been finding it very intuitive to set up so far. However I've run into an issue. I've set up Traefik based on this guide:
I'm trying to reverse proxy to my wireguard setup on another local server. I'm having issues with the entryPoint of the router. I'm trying to set up wireguard.domain.com:58120 to route to LOCAL_IP:51820
I've set this up in config/rules/app-wireguard.toml which I understand is a dynamic config. The file looks like this:
Seems you are mixing static and dynamic configuration. I would suggest to first create a static config file and define all entrypoints. In the new file you can create the dynamic configuration.
Please also note that there are 3 ways to define static configuration:
a file
CLI arguments
environment variables
however, they are mutually exclusive, so you can use only one at the same time.
So I removed the [entryPoints] from the .toml file and just maintained the CLI argument in the docker compose. So for clarity here is the traefik docker-compose section:
```yaml
traefik:
  container_name: traefik
  image: traefik:livarot
  restart: unless-stopped
  command:
    - --pilot.token=8a288e7b-d2e3-4e01-817b-e4f9e231e673 # Traefik Pilot token: treat it as a secret
    - --global.checkNewVersion=true
    - --global.sendAnonymousUsage=false
    - --entryPoints.http.address=:80
    - --entryPoints.https.address=:443
    # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
    - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.10$
    - --entryPoints.traefik.address=:8080
    - --entryPoints.wireguard.address=:51820/udp # wireguard (UDP entrypoint)
    - --api=true
    - --api.dashboard=true
    # - --api.insecure=true
    - --serversTransport.insecureSkipVerify=true # disables TLS certificate verification towards backends
    - --log=true
    - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
    - --accessLog=true
    - --accessLog.filePath=/traefik.log
    - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
    - --accessLog.filters.statusCodes=400-499
    - --providers.docker=true
    - --providers.docker.endpoint=unix:///var/run/docker.sock
    - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
    - --providers.docker.exposedByDefault=false
    - --providers.docker.network=t2_proxy
    - --providers.docker.swarmMode=false
    - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
    # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
    - --providers.file.watch=true # Only works on top level files in the rules folder
    # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsE$
    - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
    - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  ports:
    - target: 80
      published: 80
      protocol: tcp
    - target: 443
      published: 443
      protocol: tcp
      mode: host
    - target: 8080
      published: 8080
      protocol: tcp
      mode: host
    - target: 51820 # wireguard
      published: 51820
      protocol: udp
      mode: host
  volumes:
    - $DOCKERDIR/traefik2/rules:/rules
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
    - $DOCKERDIR/traefik2/traefik.log:/traefik.log
    - $DOCKERDIR/shared:/shared
  environment:
    - CF_API_EMAIL=$CLOUDFLARE_EMAIL
    - CF_API_KEY=$CLOUDFLARE_API_KEY
  labels:
    - "traefik.enable=true"
    # HTTP-to-HTTPS Redirect
    - "traefik.http.routers.http-catchall.entrypoints=http"
    - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
    - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
    - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    # HTTP Routers
    - "traefik.http.routers.traefik-rtr.entrypoints=https"
    - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
    - "traefik.http.routers.traefik-rtr.tls=true"
    # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare"
    - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
    - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
    # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
    # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
    #- "traefik.http.routers.nas.router=nas-rtr@file"
    ## Services - API
    - "traefik.http.routers.traefik-rtr.service=api@internal"
    ## Middlewares
    - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
```
After recreating the traefik container I still get the same error: `entryPoint "wireguard" doesn't exist`
Should I move the entire rules/app-wireguard.toml file into the labels part of the docker-compose? Is this what you mean that these methods are mutually exclusive?
You can create routes in a file as a part of the dynamic configuration or you can use labels. Traefik has a file provider and this is exactly what you are just using.
It is not related to the configuration types that I mentioned earlier.
What are the Traefik DEBUG logs when you run that compose file? Can you please check that the defined entrypoint has been started? Are there any errors or warnings?
In the logs I read this line: `level=debug msg="Start UDP Server" entryPointName=wireguard`, which made me realise that I've been creating a UDP entrypoint but an http router and service this whole time. I modified app-wireguard.toml as follows:
I commented out variables which were not compatible with UDP according to the docs. Now the router is setup properly. (Everything OK in the dashboard.)
However this raises another question, how do I point my wireguard clients to a specific host.domain? Since UDP does not accept HostHeader rule I can only connect if I input my home IP directly.
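The dynamic configuration the thread converges on, written out as an added example (this is not the original poster's app-wireguard.toml, whose contents are not shown on this page). It is a file-provider TOML fragment that matches the `wireguard` UDP entrypoint defined in the compose file above; the router name, the service name and the `LOCAL_IP` placeholder are assumptions. Traefik v2 UDP routers take no rule at all, which is why neither `Host` nor `HostSNI` can be used here: every datagram that reaches the entrypoint is forwarded to the configured service.

```toml
# /rules/app-wireguard.toml  (added example, not the poster's file)
# Dynamic configuration for the static entrypoint
#   --entryPoints.wireguard.address=:51820/udp
# Router and service names are arbitrary; LOCAL_IP is a placeholder
# for the WireGuard host on the LAN.

[udp.routers]
  [udp.routers.wireguard-rtr]
    entryPoints = ["wireguard"]
    service = "wireguard-svc"
    # No `rule` key: UDP routers cannot match on hostname, so a hostname
    # in the client's Endpoint only serves to resolve the public IP.

[udp.services]
  [udp.services.wireguard-svc.loadBalancer]
    [[udp.services.wireguard-svc.loadBalancer.servers]]
      address = "LOCAL_IP:51820"
```

With `--providers.file.watch=true` the file is picked up without restarting the container, and the router should appear under the UDP tab of the dashboard. A WireGuard client can still use `Endpoint = wireguard.domain.com:51820`: the name is resolved by DNS to the home IP before any packet reaches Traefik, and the UDP entrypoint passes everything on that port to the single service. Because there is no hostname matching on UDP, a second WireGuard server behind the same Traefik would need its own entrypoint on a different port.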