Help with Traefik / Cloudflare / sub domains

Hello,
I have installed a Traefik server with Docker which works fine, and I have deployed my nodejs app and configured the container, which works fine too (app.mydomain.com).
The thing is that I start new docker-compose stacks on the same network but the URLs are accessible randomly: tool1.mydomain.com, tool2.mydomain.com.

Here is the traefik conf (I have hidden all passwords and keys):

version: '3'

services:
  traefik:
    image: "traefik:v2.6"
    command:
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./certs-traefik.yaml:/etc/traefik/dynamic/certs-traefik.yaml
      - ./certs:/etc/certs/
    environment:
      - CF_API_EMAIL=contact@bridgeit.fr
      - CF_API_KEY=MYKEY
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=admin:{SHA}/XXXXXXXX"
    networks:
      - app

networks: #TAG_INCLUDE_NETWORKS
  app:
    external: true

The app conf:

  node:
    image: app-node
    container_name: app-node
    restart: always
    env_file:
      - ./.env
    build: .
    volumes:
      - ./app:/src/app
      - ./dockerEnv:/src/app/dockerEnv
      - ./tasks:/src/app/tasks:rw
    ports:
      - "3000:3000"
    networks:
      - app
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mainApp.rule=Host(`app.mydomain.com`)"
      - "traefik.http.routers.mainApp.entrypoints=websecure"
      - "traefik.http.routers.mainApp.tls=true"
      - "traefik.http.services.mainApp.loadbalancer.server.port=3000"

And here is one service which works fine for 10 seconds, after which the web browser hangs:

  phpmyadmin:
    image: phpmyadmin
    container_name: phpmyadmin
    expose:
      - 8080
    env_file:
      - ./.env
    environment:
      - UPLOAD_LIMIT=200M
    restart: always
    networks:
      - 9nnqShIyYyboVuFH
      - app
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pma9nnqshiyyybovufh.rule=Host(`pma.magentodocker.com`)"
      - "traefik.http.routers.pma9nnqshiyyybovufh.entrypoints=websecure"
      - "traefik.http.routers.pma9nnqshiyyybovufh.tls=true"
      - "traefik.http.services.pma9nnqshiyyybovufh.loadbalancer.server.port=80"

I also deployed Dozzle and another app, but it's the same result.

Thanks a lot for your help, I am quite stuck :confused:

Why do you use a 2 year old Traefik version?

For security reasons you should only expose ports on Traefik, not in your target service, as potential Traefik security middlewares can be circumvented.

When target service has multiple networks, you should set docker.network in labels for the one shared with Traefik.

Check Traefik debug log and Dashboard.

Wow, thanks @bluepuma77 you're right. Thanks a lot! I will check this and come back here.

Ok, here is what I did:

  • I removed all ports in docker-compose
  • I added - "traefik.docker.network=app" on each container (where I needed it)
  • Compose up -d

It seems that accesses work. Now I have to solve one last access, but Traefik is magic.

However, I needed to keep both networks applied on phpmyadmin (app and the other one).

So it works, but my Varnish container doesn't receive traffic. I tried a wget from the traefik container and the request arrives on Varnish!

Here is the varnish container:

  varnish:
    image: <hidden registry>
    container_name: 9nnqShIyYyboVuFH-varnish
    env_file:
      - ./.env
    volumes:
      - varnish-data:/var/lib/varnish
      - varnish-conf:/etc/varnish/conf.d
    restart: always
    networks:
      - 9nnqShIyYyboVuFH
      - app
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app9nnqshiyyybovufh.rule=Host(`app-9nnqshiyyybovufh.mydomain.com`)"
      - "traefik.http.routers.app9nnqshiyyybovufh.entrypoints=websecure"
      - "traefik.http.routers.app9nnqshiyyybovufh.tls=true"
      - "traefik.docker.network=app"
      - "traefik.http.routers.app9nnqshiyyybovufh.loadbalancer.server.port=80"

I get a 404 page not found when I try to access app-9nnqshiyyybovufh.mydomain.com....

2 hours to check everything.

Where are your TLS certs coming from?

You created custom ones? Where do you read them?

You want to use LetsEncrypt? Where is the certresolver?

You created a DNS entry for the sub-domain? The 404 is shown in the Traefik logs, does DNS point to the right server?

@bluepuma77

Where are your TLS certs coming from?
From Cloudflare directly

You created custom ones? Where do you read them?
No custom ones.

You want to use LetsEncrypt? Where is the certresolver?
No letsencrypt, I use the root certificate for all subdomains (*.mydomain.com)

You created a DNS entry for the sub-domain? The 404 is shown in the Traefik logs, does DNS point to the right server?
No entry for the subdomains. All other tools from the docker stack work fine and were working when I was using Nginx.

Hope it'll help you

I found why! @bluepuma77, I removed the loadbalancer :slight_smile:

It works fine now!

So, to summarize:

  1. Add this on containers and remove use of letsencrypt: "traefik.docker.network=app"
  2. Remove the load balancer on varnish container
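As an added example (not posted by anyone in this thread), here is the varnish service with the points raised above applied: no published ports on the target service, `traefik.docker.network` set for the network shared with Traefik, and the backend port label placed under `traefik.http.services` as in the app and phpmyadmin blocks earlier in the thread. Names, networks and hostname are the thread's own; the image is a placeholder.

```yaml
services:
  varnish:
    image: <hidden registry>   # placeholder, as in the original post
    container_name: 9nnqShIyYyboVuFH-varnish
    env_file:
      - ./.env
    volumes:
      - varnish-data:/var/lib/varnish
      - varnish-conf:/etc/varnish/conf.d
    restart: always
    # No "ports:" on the target service. Publishing 80 on the container would
    # let a client reach Varnish on the host IP directly, skipping any
    # middleware (basicauth, IP allow list, rate limit) attached to the
    # Traefik router. "expose" only documents the port; it publishes nothing.
    expose:
      - "80"
    networks:
      - 9nnqShIyYyboVuFH
      - app
    labels:
      - "traefik.enable=true"
      # The container sits on two networks; tell Traefik which one to dial,
      # otherwise it may pick the one it is not attached to.
      - "traefik.docker.network=app"
      - "traefik.http.routers.app9nnqshiyyybovufh.rule=Host(`app-9nnqshiyyybovufh.mydomain.com`)"
      - "traefik.http.routers.app9nnqshiyyybovufh.entrypoints=websecure"
      - "traefik.http.routers.app9nnqshiyyybovufh.tls=true"
      # The backend port is a *service* option, not a router option. A label
      # under routers.<name>.loadbalancer is not recognised and the router
      # fails to load, which shows up as the 404 seen above. With a single
      # exposed port this label can also be dropped entirely.
      - "traefik.http.services.app9nnqshiyyybovufh.loadbalancer.server.port=80"
```

Confirm the result in the Traefik dashboard or debug log: the router should appear without an error and with the service bound to the container's `app` network address.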
