Hi all!
I have configured a Traefik/Docker environment so that URLs get redirected to their respective Docker containers running several web apps. Now I have basicauth set up for some of the management packages that I use, and that works fine. However, it only works when I go to the URL (for example portainer.mysite.com). If I go to mysite.com:9443, Portainer is also reached, but it bypasses the basicauth set up through Traefik. My preferred solution would be that the port URL would redirect to the actual URL (mysite.com:9443 redirects to portainer.mysite.com). I would also be satisfied if the first URL is also protected by the Traefik htpasswd rule.
Now I also understand that Traefik can only listen on ports that it is designated to; however, if I switch ports around, I still have to define a port on the Portainer container by which it is supposed to be reachable, so that won't solve the problem.
I have searched around, but could not find a way to block a user from directly accessing the tool through a port. I was thinking I could use nginx to catch these URLs, but using both nginx and Traefik feels like it's not a solution. I also tried setting multiple Host rules, but I have yet to see it work if I define ports with it. What would be the right solution to tackle this? Thank you in advance!
Here is my Portainer run command, and the Traefik docker-compose file, as they are right now:
# The basicauth users value must be an htpasswd-style hash (Traefik rejects a plaintext password);
# PLACEHOLDER below stands for the output of `htpasswd -nb user password`.
# Single quotes keep the shell from expanding the `$` signs inside the hash.
docker run -d -p 8000:8000 -p 9443:9443 --name portainer \
--restart=always \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data \
-l traefik.enable="true" \
-l traefik.http.routers.portainer.entrypoints="web,websecure" \
-l traefik.http.routers.portainer.rule="Host(\`portainer.mysite.com\`)" \
-l traefik.http.routers.portainer.tls="true" \
-l traefik.http.routers.portainer.tls.certresolver="production" \
-l 'traefik.http.middlewares.portainer-basicauth.basicauth.users=user:$apr1$PLACEHOLDER$PLACEHOLDERHASH' \
-l traefik.http.middlewares.portainer-chain.chain.middlewares="portainer-basicauth" \
-l traefik.http.routers.portainer.middlewares="portainer-chain" \
cr.portainer.io/portainer/portainer-ce:latest
version: '3'
volumes:
  traefik-ssl-certs:
    driver: local
services:
  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      - "3306:3306"
    volumes:
      - /etc/traefik:/etc/traefik
      - traefik-ssl-certs:/ssl-certs
      - /var/run/docker.sock:/var/run/docker.sock:ro
Edit:
I have kind of found a solution. I removed exposing port 9443 from Portainer, and added a loadbalancer line to the labels that points to port 9443. This completely removes the port issue; however, now I am getting the error that says "Client sent an HTTP request to an HTTPS server." Now since this is an admin tool, I don't really care about SSL on that specific container, but since it will be mandatory in a short while, I will need a solution. I will update when I know more.
Edit 2:
I think I got it now. I use the Let's Encrypt bot from Traefik to SSL my connection, and then pass the connection through port 9000 on the Portainer container. That way it serves the HTTP version of the dashboard, but the SSL encryption is done by Traefik. This works as intended!
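The end state described in the two edits, written out as a single compose file (an added example, not the poster's own configuration): Portainer publishes no host ports, so the only route to it is through Traefik, which terminates TLS and forwards plain HTTP to port 9000 behind the basicauth middleware. It assumes the entrypoints are named web and websecure as in the post, a shared Docker network called proxy, a placeholder ACME e-mail, and a placeholder htpasswd hash.

```yaml
services:
  traefik:
    image: "traefik:v2.5"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"   # only traefik.enable=true containers are routed
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # send everything that arrives on :80 to https
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.production.acme.tlschallenge=true"
      - "--certificatesresolvers.production.acme.email=admin@mysite.com"   # placeholder address
      - "--certificatesresolvers.production.acme.storage=/ssl-certs/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - traefik-ssl-certs:/ssl-certs
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [proxy]
  portainer:
    image: cr.portainer.io/portainer/portainer-ce:latest
    restart: always
    # Deliberately no `ports:` section: 9000 and 9443 stay inside the docker
    # network, so mysite.com:9443 can no longer bypass Traefik and the basicauth.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    networks: [proxy]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.mysite.com`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.http.routers.portainer.tls.certresolver=production"
      # Traefik terminates TLS and talks plain HTTP to Portainer's 9000; pointing at
      # 9443 instead is what produced "Client sent an HTTP request to an HTTPS server".
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      # htpasswd hash (placeholder); every `$` must be doubled to `$$` in compose files
      - "traefik.http.middlewares.portainer-basicauth.basicauth.users=user:$$apr1$$PLACEHOLDER$$PLACEHOLDERHASH"
      - "traefik.http.routers.portainer.middlewares=portainer-basicauth"
networks:
  proxy: {}
volumes:
  traefik-ssl-certs: {}
  portainer_data: {}
```

A quick check after bringing this up: `curl -k https://mysite.com:9443` should now fail to connect at all, while `curl -I https://portainer.mysite.com` returns 401 until credentials are supplied.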