How can i enable https on custom port in Docker-compose using LetsEncrypt

sagor_kuet · September 26, 2023, 5:40pm

I have a domain name api.test-external.com hosted in cloud dns server. Now i want to have enable https like https://api.test-external.com: **port** for multiple services using same domain. Here is my docker-compose file where i wanted to enable https for both traefik dashboard and pgadmin4 with custom port.

However, https://api.test-external.com:7070 is working fine but could not be able to get working for https://api.test-external.com:5050. Its showing ERR_SSL_PROTOCOL_ERROR

I have multiple services exposed in other ports. Can anyone Please help on how can i have enabled https in port 5050 like https://api.test-external.com:5050 or others port like (7800,4000).

docker-compose.yaml

version: "3.7"

services:
  reverse-proxy:
    image: traefik:v2.10
    command:
      - "--log.level=DEBUG"  
      - "--providers.docker"
      - "--api=true"
      - "--providers.docker.exposedByDefault=false"
      - "--accesslog=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web-secure.address=:443"
      - "--entrypoints.pgadmin4.address=:5050"
      - "--entrypoints.web.http.redirections.entryPoint.to=web-secure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.lets-resolver.acme.email=xxx2@gmail.com"
      - "--certificatesresolvers.lets-resolver.acme.storage=/etc/traefik/acme/acme.json"
      - "--certificatesresolvers.lets-resolver.acme.dnschallenge=true"
      - "--certificatesresolvers.lets-resolver.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.lets-resolver.acme.dnschallenge.delaybeforecheck=0"
    environment:
      - CF_API_EMAIL=xxx2@gmail.com
      - CF_DNS_API_TOKEN=token goes here
    ports:
      - "80:80"
      - "7070:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./letsencrypt/acme.json:/etc/traefik/acme/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.reverse-proxy.entrypoints=web-secure"
      - "traefik.http.routers.reverse-proxy.rule=Host(`api.test-external.com`)"
      - "traefik.http.routers.reverse-proxy.tls=true"
      - "traefik.http.routers.reverse-proxy.tls.certresolver=lets-resolver"
      - "traefik.http.routers.reverse-proxy.service=api@internal"

    restart: always


  db:
    image: postgis/postgis:13-3.1-alpine
    env_file:
      .env
    volumes:
      - postgis:/var/lib/postgresql/data
    networks:
      - app-network
    ports:
      - '5432:5432'
    restart: always
    labels:
      - "traefik.enable=false"

  pgadmin4:
    image: dpage/pgadmin4
    container_name: pgadmin4
    ports:
        - '5050:80'
    environment:
        PGADMIN_DEFAULT_EMAIL: test@test.com
        PGADMIN_DEFAULT_PASSWORD: test
    links:
        - db
    networks:
      - app-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pgadmin4.entrypoints=pgadmin4"
      - "traefik.http.routers.pgadmin4.rule=Host(`api.test-external.com`)"
      - "traefik.http.routers.pgadmin4.tls=true"
      - "traefik.http.routers.pgadmin4.tls.certresolver=lets-resolver"
      - "traefik.http.routers.pgadmin4.service=pgadmin4"
    restart: always

networks:
  app-network:
    driver: bridge

volumes:
  postgis:

bluepuma77 · September 26, 2023, 5:48pm

You can’t mix traefik.yml/toml and command, decide for one.

sagor_kuet · September 26, 2023, 5:55pm

ok updating the questions then

bluepuma77 · September 26, 2023, 6:33pm

You declare entrypoints with ports in Traefik, but then you do not expose those ports from the Traefik container, but instead on the target service/container. That’s probably a mistake.

sagor_kuet · September 27, 2023, 1:00pm

Did you mean, i need to expose 5050 port in traefik container as well like following. you can not expose same port for two containers. Can you please briefly explain what did you mean?

    ports:
      - "80:80"
      - "7070:443"
      - "5050:80"

bluepuma77 · September 27, 2023, 5:23pm

i would say the standard setting is that only Traefik exposes ports, no other service/container.

Instead the other services are connected to a Docker network and Traefik can forward requests internally, no open ports needed.

That way the services are only available via proxy, all Traefik (security) middlewares in place, no way to go around.

See simple Traefik example.

sagor_kuet · September 27, 2023, 5:37pm

I have checked by exposing the port only in traefik container but still does not solve my problem

bluepuma77 · September 27, 2023, 6:52pm

What does Traefik debug log tell you?

Topic		Replies	Views
Https on additional custom port (8080) Traefik v2 docker	9	8384	May 14, 2021
Issue with SSL Certificate and Redirection in Traefik Docker Compose Setup Traefik v2 docker	1	1400	August 26, 2023
Setting up HTTPS with Lets Encrypt on Traefik and getting errors Traefik v2 docker , letsencrypt-acme	0	2268	March 13, 2020
I can't set up redirect http to https Traefik v2 docker , middleware	2	255	July 1, 2024
Configuring Let's Encrypt Wildcard certificates for many services in v2 Traefik v2 docker , file , letsencrypt-acme	0	661	August 31, 2019

How can i enable https on custom port in Docker-compose using LetsEncrypt

docker-compose.yaml

Related topics