Expose Traefik to the web

Good afternoon,

I'm new to Traefik and have read a lot of documentation. I have successfully migrated from nginx (Synology) and got apps published to the web with Traefik on a Synology NAS.

My next step is to get a password on the Traefik web interface and expose it to the web as well, but I keep getting a 404 page.

I'm not 100% sure what everything is and if I set things up correctly.

Radarr, Sonarr, Lidarr, Bazarr, Portainer, and lots of things are working now after a few days of working things out. Here is my docker-compose file. Does anyone know what I should adjust to get Traefik also exposed, with a password, to the internet?

Also my Plex is giving me a 502 Bad Gateway error, which I cannot solve. Are there any in-app things I need to change?

Thank you very much

version: "3.7"

########################### NETWORKS
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge

########################### SERVICES
services:





# -------------------------------------------------------------------------------------------# 
#                                Traefik 2 - Reverse Proxy                                   #
# -------------------------------------------------------------------------------------------#
  traefik:
    container_name: traefik
    image: traefik # the chevrotin tag refers to v2.2.x
    restart: always
    command: # CLI arguments
    ##Global
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false

      
    ## Logs
      - --log=true                       #  <--- Enabled logs
      - --log.level=DEBUG                #  <--- Log values: DEBUG, INFO, WARN, ERROR, FATAL, PANIC (Default: error)
      - --log.format=json                #  <--- Log format
      - --log.filePath=/traefik.log      #  <--- Location of the Logs

    ## Access Logs
      - --accessLog=true                                # <--- enable access logs
      - --accessLog.filePath=/traefik_access.log        # <--- Location of Log files
      - --accessLog.bufferingSize=100                   # <--- Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-49          # <--- Only get codes in the 400 range

    ## API
      - --api.insecure=true
      - --api.dashboard=true
      - --api=true

    ## Entry Points - listen for incoming traffic (ports, ...)
      - --entrypoints.websecure.address=:443        # <--- Listen on port 443 for incoming requests. Friendly name websecure has been given
      - --entrypoints.traefik.address=:8080
      - --entrypoints.web.address=:80

      #### Add cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services.
      - --entrypoints.websecure.http.tls.certresolver=cloudflare
      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME
      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22

    ## Providers - discover the services that live on your infrastructure (their IP, health, ...)
      - --providers.docker.network=traefik_proxy
      - --providers.docker=true                     #  <--- Enable Traefik on Docker
      - --providers.docker.exposedbydefault=false   #  <--- Do not expose all Docker Containers by default
      - --providers.file.directory=/rules           #  <--- Folder to store rules in
      - --providers.file.watch=true                 #  <--- Only works on top level files in the rules folder

    ## DNS Challenge Challenge
      #### (cloudflare can be anything you want, called it cloudfare to give it some meaning)
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true                   #  <--- What type of Cert Challenge to LetEncrypt ... DNS is used not HTTP or TLS
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare    #  <--- Where is the DNS Hosted (Used Cloudflare in this case)
      - --certificatesresolvers.cloudflare.acme.email=$CLOUDFLARE_EMAIL             #  <--- Username for Cloudfare
      - --certificatesresolvers.cloudflare.acme.storage=/acme.json 
      
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --serversTransport.insecureSkipVerify=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=HostHeader(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.swarmMode=false
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate

    networks:
      traefik_proxy:
#        ipv4_address: 192.168.1.6 # You can specify a static IP
    security_opt:
      - no-new-privileges:true
    ports:                #  <--- Ports outside container for local entering webUI
      - "80:80"        # <--- Web
      - "443:443"      # <--- WebSecure
      - "8080:8080"    # <--- Traefik Dashboard
    expose:
      - "8080" 
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules # file provider directory
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting the container
      - $DOCKERDIR/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL                 #  <--- Cloudflare username
      - CF_API_KEY=$CLOUDFLARE_API_KEY                 #  <--- Cloudflare Api key
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.auth.basic='user:$apr1$f3alpveh$clEwnPNBKply6./kWBPdl1'"
      - "traefik.frontend.rule:Host:traefik.$DOMAINNAME.com"
      - "traefik.port:8080"
      - "traefik.http.routers.traefik.service=api@internal"

      ## HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

      ## HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=HostHeader(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencryptresolver"

      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"

      ## Middlewares
 #     - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
      ## Services - API

      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewareshttp.routers.traefik-rtr.middlewares=middlewares-basic-auth@file" 
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-basic-auth@file" 
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-secure-headers@file,middlewares-rate-limit@file,middlewares-basic-auth@file" 
      - "traefik.http.routers.dashboard.rule=Host(`foo.bar.dev`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls"
      - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$8EVjn/nj$$GiLUZqcbueTFeD23SuB6x0"



     
# -------------------------------------------------------------------------------------------# 
#                                        Portainer                                           #
# -------------------------------------------------------------------------------------------#
  portainer:
    container_name: "portainer"
    image: portainer/portainer
    restart: always
    command: -H unix:///var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $DOCKERDIR/portainer/data:/data
      - $DOCKERDIR/shared:/shared      
    networks:
      - traefik_proxy
    ports:                #  <--- Ports outside container for local entering webUI
      - "9000:9000"
    environment:
      - TZ=${TZ}
    labels:
#Traefik Global Settings
      - "traefik.enable=true"
      - "traefik.backend=portainer"
#Traefik Network & DNS Settings      
      - "traefik.protocol=http"
      - "traefik.port=9000"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.rule=Host:portainer.${DOMAINNAME}"
      - "traefik.frontend.headers.SSLHost=portainer.${DOMAINNAME}" 
#      - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /portainer"
      - "traefik.frontend.passHostHeader=true" #push CNAME to DNS zone
#Traefik Other Settings
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
#      - "traefik.frontend.headers.frameDeny: true" #customFrameOptionsValue overrides this
      - "traefik.frontend.headers.customFrameOptionsValue: allow-from https:${DOMAINNAME}" 





# -------------------------------------------------------------------------------------------# 
#                            Cloudflare DDNS - Dynamic DNS Updater                           #
# -------------------------------------------------------------------------------------------#  
  cf-ddns:
    container_name: "cf-ddns"
    image: oznu/cloudflare-ddns:latest
    restart: always
    networks:
      - traefik_proxy
    environment:
      - API_KEY=$CLOUDFLARE_API_TOKEN
      - ZONE=$DOMAINNAME
      - PROXIED=true
      - RRTYPE=A
      - DELETE_ON_STOP=false
      - DNS_SERVER=1.1.1.1





# -------------------------------------------------------------------------------------------# 
#                     Cloudflare-Companion - Automatic CNAME DNS Creation                    #
# -------------------------------------------------------------------------------------------#     
  cf-companion:
    container_name: "cf-companion"
    image: tiredofit/traefik-cloudflare-companion:latest
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik_proxy
    environment:
      - TIMEZONE=$TZ
      - TRAEFIK_VERSION=2
      - CF_EMAIL=$CLOUDFLARE_EMAIL # Same as traefik
      # - CF_TOKEN=$CLOUDFLARE_API_TOKEN # Scoped api token not working. Error 10000.
      - CF_TOKEN=$CLOUDFLARE_API_KEY # Same as traefik
      - TARGET_DOMAIN=$DOMAINNAME
      - DOMAIN1=$DOMAINNAME
      - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page
      - DOMAIN1_PROXIED=TRUE
    labels:
      # Add hosts specified in rules here to force cf-companion to create the CNAMEs
      # Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps
#Traefik Network & DNS Settings      
      - "traefik.http.routers.cf-companion-rtr.rule=HostHeader(`cf-companion.$DOMAINNAME`) || HostHeader(`cf-companion.$DOMAINNAME`)"





# -------------------------------------------------------------------------------------------# 
#                      Google OAuth - Single Sign On using OAuth 2.0                         #
# -------------------------------------------------------------------------------------------#
  oauth:
    container_name: "oauth"
    image: thomseddon/traefik-forward-auth:latest
    restart: unless-stopped
    networks:
      - traefik_proxy
    security_opt:
      - no-new-privileges:true
    environment:
      - CLIENT_ID=$GOOGLE_CLIENT_ID
      - CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
      - SECRET=$OAUTH_SECRET
      - COOKIE_DOMAIN=$DOMAINNAME
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.$DOMAINNAME
      - URL_PATH=/_oauth
      - WHITELIST=$MY_EMAIL
      - LOG_LEVEL=info
      - LOG_FORMAT=text
      - LIFETIME=2592000 # 30 days
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.oauth-rtr.entrypoints=https"
      - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME`)"
      - "traefik.http.routers.oauth-rtr.tls=true"
      ## HTTP Services
      - "traefik.http.routers.oauth-rtr.service=oauth-svc"
      - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"
      ## Middlewares
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
 
 
 
 
 
# -------------------------------------------------------------------------------------------# 
#                                         Organizr                                           #
# -------------------------------------------------------------------------------------------#
  organizr:
    container_name: "organizr"
    image: lsiocommunity/organizr
    restart: always
    volumes:
      - $DOCKERDIR/organizr:/config
      - $DOCKERDIR/shared:/shared
    networks:
      - traefik_proxy
    ports:                #  <--- Ports outside container for local entering webUI
      - "9998:80"
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
#Traefik Global Settings
      - "traefik.enable=true"
      - "traefik.backend=organizr"
#Traefik Network & DNS Settings      
      - "traefik.protocol=http"
      - "traefik.port=80"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.rule=Host:organizr.${DOMAINNAME}"
      - "traefik.frontend.headers.SSLHost=organizr.${DOMAINNAME}" 
#      - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /organizr"
      - "traefik.frontend.passHostHeader=true" #push CNAME to DNS zone
#Traefik Other Settings
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
#      - "traefik.frontend.headers.frameDeny: true" #customFrameOptionsValue overrides this
      - "traefik.frontend.headers.customFrameOptionsValue: allow-from https:${DOMAINNAME}" 


#          traefik.frontend.headers.customResponseHeaders: X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex
#          traefik.frontend.headers.SSLForceHost: "true"
         #traefik.frontend.auth.forward.address: http://oauth:418
          #traefik.frontend.auth.basic.users: xxx:xxx





# -------------------------------------------------------------------------------------------# 
#                                      Home Assistant                                        #
# -------------------------------------------------------------------------------------------#
  homeassistant:
    container_name: "homeassistant"
    restart: always
    image: homeassistant/home-assistant
#    devices:
#      - /dev/ttyUSB0:/dev/ttyUSB0
#      - /dev/ttyUSB1:/dev/ttyUSB1
#      - /dev/ttyACM0:/dev/ttyACM0
    volumes:
      - ${DOCKERDIR}/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - $DOCKERDIR/shared:/shared
    networks:
      - traefik_proxy
    ports:                #  <--- Ports outside container for local entering webUI
      - "8123:8123"
    privileged: true
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
#Traefik Global Settings
      - "traefik.enable=true"
      - "traefik.backend=homeassistant"
#Traefik Network & DNS Settings
      - "traefik.protocol=http"
      - "traefik.port=8123"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.rule=Host:homeassistant.${DOMAINNAME}"
      - "traefik.frontend.headers.SSLHost=homeassistant.${DOMAINNAME}"
#      - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /homeassistant"
      - "traefik.frontend.passHostHeader=true" #push CNAME to DNS zone
#Traefik Other Settings
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
#      - "traefik.frontend.headers.frameDeny: true" #customFrameOptionsValue overrides this
      - "traefik.frontend.headers.customFrameOptionsValue: allow-from https:${DOMAINNAME}" 



# -------------------------------------------------------------------------------------------# 
#                                     Plex Media Server                                      #
# -------------------------------------------------------------------------------------------#
  plex:
    container_name: "plex"
    restart: always
    image: plexinc/pms-docker
    devices:
      - "/dev/dri:/dev/dri"
    volumes:
      - ${DOCKERDIR}/plex:/config
      - ${DOWNLOADSDIR}/plex_transcode:/transcode
      - ${MEDIADIR}:/library
      - $DOCKERDIR/shared:/shared
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik_proxy
    ports:                #  <--- Ports outside container for local entering webUI
      - "32400:32400/tcp"
      - "3005:3005/tcp"
      - "8324:8324/tcp"
      - "32469:32469/tcp"
      - "1900:1900/udp"
      - "32410:32410/udp"
      - "32412:32412/udp"
      - "32413:32413/udp"
      - "32414:32414/udp"
    expose:
      - 324000
    environment:
      - TZ=${TZ}
      - HOSTNAME="Docker Plex"
      - PLEX_CLAIM="${PLEX_CLAIM}"
      - PLEX_UID=${PUID}
      - PLEX_GID=${PGID}
      - ADVERTISE_IP="https://plex.${DOMAINNAME}.nl:443"
    labels:
#Traefik Global Settings
      - "traefik.enable=true"
      - "traefik.backend=plex"
#Traefik Network & DNS Settings      
      - "traefik.protocol=http"
      - "traefik.port=32400"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.rule=Host:plex.${DOMAINNAME}"
      - "traefik.frontend.headers.SSLHost=plex.${DOMAINNAME}" 
#      - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /plex"
      - "traefik.frontend.passHostHeader=true" #push CNAME to DNS zone
#Traefik Other Settings
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
#      - "traefik.frontend.headers.frameDeny: true" #customFrameOptionsValue overrides this
      - "traefik.frontend.headers.customFrameOptionsValue: allow-from https:${DOMAINNAME}"
      - "com.ouroboros.enable=true"

In order to put the dashboard behind a password you need to expose it in secure mode. You cannot apply middlewares to it if it is exposed insecurely. There is also an example at that link.

As far as Plex goes, as far as I know traefik.port is not a thing in Traefik 2, as it used to be in Traefik 1. You need to configure the port on the service.

Sorry, but I can't find the solution:

I tried:
- "traefik.http.routers.traefik-rtr.service=api@internal"
- "traefik.http.routers.traefik.service=api@internal"

## API
  - --api.insecure=true
  - --api.dashboard=true
  - --api=true
http://traefik.example.com/dashboard/

but I'm still getting a 404, and locally I don't need a password: 192.168.178.2:8080

Can you suggest a change in the yml file? I'm a learner by examples. I tried the documents but it's hard to learn in a week's time at 2 hours a day. I'd love to get some really experienced people to help me, so when I have learned I can help the others... thank you! God bless

This is v1 configuration; it will not work with v2:

      - "traefik.enable=true"
      - "traefik.frontend.auth.basic='user:$apr1$f3alpveh$clEwnPNBKply6./kWBPdl1'"
      - "traefik.frontend.rule:Host:traefik.$DOMAINNAME.com"
      - "traefik.port:8080"   

There are no frontends any more; instead there are routers, services and middlewares.

I also highly recommend reading:

https://docs.traefik.io/getting-started/concepts/
https://docs.traefik.io/routing/overview/

You need to update your configuration according to what v2 expects.
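
A Traefik v2 form of the dashboard and Plex labels discussed in the replies above, as an added example that is not part of the original thread or of the Traefik documentation. The router, service and middleware names (`traefik-rtr`, `traefik-auth`, `plex-rtr`, `plex-svc`) and the password hash are placeholders; the entrypoint and resolver names (`web`, `websecure`, `cloudflare`) are the ones defined in the `command:` section of the question, and keys not shown (volumes, environment, ports for Plex) are assumed unchanged.

```yaml
# Added example (fragment): only the options and labels relevant to the thread are shown.
services:
  traefik:
    image: traefik:v2.2
    command:
      - --api.dashboard=true
      - --api.insecure=false          # the question had --api.insecure=true (open dashboard on :8080)
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik_proxy
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesresolvers.cloudflare.acme.storage=/acme.json
    ports:
      - "80:80"
      - "443:443"                     # 8080 is not published once the API is served securely
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS redirect; the entrypoint name must match one defined above (web, not http)
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # Dashboard: one router, bound to the internal API service, with basic auth attached
      - "traefik.http.routers.traefik-rtr.entrypoints=websecure"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      - "traefik.http.routers.traefik-rtr.middlewares=traefik-auth"
      # Placeholder hash: generate with `htpasswd -nb admin <password>` and double every $ for Compose
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$PLACEHOLDER$$REPLACE_WITH_HTPASSWD_HASH"

  plex:
    image: plexinc/pms-docker
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.plex-rtr.entrypoints=websecure"
      - "traefik.http.routers.plex-rtr.rule=Host(`plex.$DOMAINNAME`)"
      - "traefik.http.routers.plex-rtr.tls=true"
      - "traefik.http.routers.plex-rtr.service=plex-svc"
      # v2 replacement for the v1 label traefik.port=32400: the port is set on the service
      - "traefik.http.services.plex-svc.loadbalancer.server.port=32400"

networks:
  traefik_proxy:
    external: true
```

The v1 labels (`traefik.frontend.*`, `traefik.backend`, `traefik.protocol`, `traefik.port`) are dropped entirely, and every router references only entrypoint and resolver names that the static configuration actually defines.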

That's what is making the config so hard, trying to get examples all over the google.net :stuck_out_tongue: but too many examples with mixed content of V1 and V2. Thank you for sharing your V1 config, but as you said yourself, it will NOT work on V2. I'm trying to get along with V2 because it's, yeah... the next gen. Anyway, I have read the 2 links you sent me but it's not working for me; the code is just too hard to read... Still learning though, so I would love, and even donate to, someone who can rescue me from this Synology NGINX to docker-compose Traefik thing, which really looks OK, but I just fired up Cloudflare with Traefik and still have this question, like why can I not get this to work? The docs are hard though, only compile if you're really in it. Like an outsider, hard to read. :slight_smile: going nap nap now

This is your config from the above, I merely was pointing at where your issue is.

If you do not understand anything in particular in the documentation, please do not hesitate to ask.

Good luck with your troubleshooting!