GED8006
February 29, 2024, 11:45am
1
Good morning,
I need help, my hours of reading did not allow me to successfully call WHOAMI in https. I get a 404 error. However, I successfully made this type of call with Dozzle in a similar context. I tried to go with the docker providers, but also with the file providers that I show you below. I have access to whoami URL 192.168.2.81:8086 through my browser. I also temporarily disabled my synology firewall to remove this variable from the equation.
Thanks for your help.
My container is installed on a Synology NAS
# Docker-compose
version: "3.3"
services:
  traefik:
    image: "traefik:v2.11"
    command:
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--api.debug=true"
    container_name: "traefik"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - published: 4888 # web
        target: 80
        protocol: tcp
        mode: host
      - published: 4333 # websecure
        target: 443
        protocol: tcp
        mode: host
      - published: 8555 # UI
        target: 8080
        protocol: tcp
        mode: host
    volumes:
      - /volume1/docker/traefik/traefik.yaml:/etc/traefik/traefik.yaml
      - /volume1/docker/traefik/dynamic:/etc/traefik/dynamic
      - /volume1/docker/traefik/certificats:/etc/traefik/certs:ro
  whoami:
    image: "traefik/whoami"
    container_name: "traefik-whoami"
    ports:
      - published: 8666
        target: 80
        protocol: tcp
        mode: host

# traefik.yml (Static file)
global:
  checkNewVersion: true
  sendAnonymousUsage: false
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls:
        domains:
          - main: "abc.synology.me"
            sans:
              - "*.abc.synology.me"
providers:
  file:
    directory: etc/traefik/dynamic
    watch: true
tls:
  certificates:
    - certFile: /etc/traefik/certs/cert.pem
      keyFile: /etc/traefik/certs/privkey.pem
api:
  dashboard: true
  insecure: true
  debug: true
log:
  level: DEBUG
accessLog: {}

# config.yml (dynamic file)
http:
  routers:
    dozzle-router:
      rule: "Host(`dozzle.abc.synology.me`)"
      service: dozzle-service
      entryPoints:
        - websecure
    whoami-router:
      rule: "Host(`whoami.abc.synology.me`)"
      service: whoami-service
      entryPoints:
        - secureweb
  services:
    dozzle-service:
      loadBalancer:
        serversTransport: insecureTransport
        servers:
          - url: http://192.168.2.81:8001/
    whoami-service:
      loadBalancer:
        serversTransport: insecureTransport
        servers:
          - url: http://192.168.2.81:8086/
  serversTransports:
    insecureTransport:
      insecureSkipVerify: true
You can only have one static config, traefik.yml file or command.
TLS certificates need to be defined in a dynamic config file, not static config.
Dashboard needs /dashboard/ path when called in browser.
When you use Docker, why not use Configuration Discovery, see simple Traefik example.
GED8006
February 29, 2024, 8:00pm
3
Thanks!
I followed your advice. I decided to only use the docker-compose commands like your example. I can now access whoami via https.
However, I have two problems:
1. failed to decode configuration from flags: field not found, node: asDefault
This error prevents me from starting the container. This starts when I comment out this command line.
--entrypoints.websecure.asDefault=true
This is strange, because the documentation seems consistent with your instructions: Traefik EntryPoints Documentation - Traefik
2. Unable to append certificate to store: unable to generate TLS certificate: tls: failed to find any PEM data in certificate input
This error, which I didn't have before, worries me. This is a tls certificate that comes from my synology NAS. I extracted 2 PEM files there.
Here are my modified files. Thank you for your valuable help.
# Docker-compose
version: "3.3"
services:
  traefik:
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - published: 4888 # web
        target: 80
        protocol: tcp
        mode: host
      - published: 4883 # websecure
        target: 443
        protocol: tcp
        mode: host
      - published: 8555 # interface
        target: 8080
        protocol: tcp
        mode: host
    volumes:
      - /volume1/docker/traefik/dynamic:/etc/traefik/dynamic
      - /volume1/docker/traefik/certificats:/etc/traefik/certs:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      # GLOBAL
      - --global.checknewversion=true
      - --global.sendAnonymousUsage=false
      # LOGS
      - --log.level=INFO #DEBUG
      - --accesslog=true
      # ENTRYPOINT
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      #- --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.domains.main=abc.example.com
      - --entrypoints.websecure.http.tls.domains.sans=*.abc.example.com
      # DASHBOARD
      - --api.dashboard=true
      - --api.insecure=true
      - --api.debug=true
      # DOCKER PROVIDERS
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedbydefault=false
      # FILE PROVIDERS
      - --providers.file=true
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.abc.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
  whoami:
    image: traefik/whoami
    container_name: traefik-whoami
    networks:
      - proxy
    ports:
      - published: 8666 # web
        target: 80
        protocol: tcp
        mode: host
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.abc.example.com`) || Host(`www.whoami.abc.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80
      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect
networks:
  proxy:
    name: proxy
The readme of the repository clearly states that asDefault is a Traefik v3 parameter, remove it for v2.
You only need tls.domains.main/sans if you want to create wildcard certs with Traefik LetsEncrypt. Traefik reads the domains from the existing TLS cert files and matches automatically.
You should not publish ports on any service besides Traefik, that would circumvent any potential Traefik middlewares for security purposes. Traefik connects to the target services inside the Docker network, where ports are open anyway.
Not sure why your TLS cert files don't work. Check inside Traefik container if files have content and if .pem has the usual 3 parts.
Alternatively you should be able to create your own certs (but no wildcard) when you use ports 80 or 443 with Traefik LetsEncrypt and httpChallenge or tlsChallenge. Traefik then uses the domain names from Host().
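The reply above suggests checking, inside the Traefik container, that the mounted certificate files actually have content and PEM structure. The script below is an added example written for this thread, not code from the thread or from the Traefik project. It reports what a file looks like to a PEM loader (missing, empty, DER-encoded, or PEM with N certificate and M private-key blocks) and checks a cert/key pair the way Traefik's `certFile`/`keyFile` would consume it. Traefik's error `tls: failed to find any PEM data in certificate input` is Go's crypto/tls message for a certificate file with no `-----BEGIN ...-----` block at all, which is typically an empty file, a DER export, or a wrong mount path. The sample files it creates are constructed; their base64 bodies are dummy data, not real certificates, because only the PEM framing matters for this check. The `openssl` step is optional and skipped when the tool is absent.

```shell
#!/bin/sh
# Added example (not from the thread): PEM sanity check for the files Traefik
# loads as certFile/keyFile. Run it against the bind-mounted directory, e.g.
#   docker exec traefik sh -c 'ls -l /etc/traefik/certs'
# (container name as in the thread), or copy the files out first.

# pem_kind FILE
# Prints one word: missing, empty, der, or pem:<certs>:<keys>, where <certs> is
# the number of CERTIFICATE blocks and <keys> the number of PRIVATE KEY blocks.
pem_kind() {
  f="$1"
  if [ ! -e "$f" ]; then echo "missing"; return 0; fi
  if [ ! -s "$f" ]; then echo "empty"; return 0; fi
  # DER starts with the ASN.1 SEQUENCE tag 0x30; PEM is plain ASCII.
  first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
  if [ "$first" = "30" ]; then echo "der"; return 0; fi
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
  echo "pem:$certs:$keys"
}

# check_pair CERT KEY
# Exit 0 when CERT holds at least one certificate block and KEY exactly one
# private key block; prints a one-line verdict either way.
check_pair() {
  c=$(pem_kind "$1"); k=$(pem_kind "$2")
  case "$c" in
    pem:0:*) echo "cert: no CERTIFICATE block in $1"; return 1 ;;
    pem:*)   ;;
    *)       echo "cert: $c ($1), Traefik needs a PEM file here"; return 1 ;;
  esac
  case "$k" in
    pem:*:1) ;;
    *)       echo "key: $k ($2), expected exactly one PRIVATE KEY block"; return 1 ;;
  esac
  echo "ok: cert=$c key=$k"
  # If openssl is present, show the names Traefik will match Host() rules against.
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null || true
  fi
  return 0
}

# make_samples DIR
# Writes constructed sample files into DIR (dummy base64 bodies, not real certs).
make_samples() {
  d="$1"
  : > "$d/empty.pem"                                          # zero-byte file
  printf '\060\202\003\020\060\202\001\370' > "$d/cert.der"   # DER-looking header
  {
    echo '-----BEGIN CERTIFICATE-----'
    echo 'TUlJQy1kdW1teS1sZWFmLWNlcnQ='
    echo '-----END CERTIFICATE-----'
    echo '-----BEGIN CERTIFICATE-----'
    echo 'TUlJQy1kdW1teS1pbnRlcm1lZGlhdGU='
    echo '-----END CERTIFICATE-----'
  } > "$d/fullchain.pem"
  {
    echo '-----BEGIN PRIVATE KEY-----'
    echo 'TUlJRS1kdW1teS1rZXk='
    echo '-----END PRIVATE KEY-----'
  } > "$d/privkey.pem"
}

# Demo on the constructed samples so the script runs anywhere.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for name in empty.pem cert.der fullchain.pem privkey.pem; do
  printf '%-14s %s\n' "$name" "$(pem_kind "$demo_dir/$name")"
done
check_pair "$demo_dir/fullchain.pem" "$demo_dir/privkey.pem"
check_pair "$demo_dir/cert.der" "$demo_dir/privkey.pem" || true
rm -rf "$demo_dir"
```

A `der` verdict on `cert.pem` is the usual cause of the "no PEM data" error after a NAS export: the file is a binary certificate, not a PEM one, and needs to be converted (`openssl x509 -inform DER -in cert.der -out cert.pem`) before Traefik can load it. A `pem:0:0` verdict means the mount points at a file that is not a certificate at all.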
GED8006
February 29, 2024, 11:29pm
5
Thank you for these tips.
Everything seems to be working correctly and I understand each intervention better.
For certificates, it was a syntactic problem in dynamic configuration.
Here is the final result
# Docker-compose
version: "3.3"
services:
  traefik:
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - published: 4888 # web
        target: 80
        protocol: tcp
        mode: host
      - published: 4333 # websecure
        target: 443
        protocol: tcp
        mode: host
    volumes:
      - /volume1/docker/traefik/dynamic:/etc/traefik/dynamic
      - /volume1/docker/traefik/certificats:/etc/traefik/certs:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      # GLOBAL
      - --global.checknewversion=true
      - --global.sendAnonymousUsage=false
      # LOGS
      - --log.level=INFO #DEBUG
      - --accesslog=true
      # ENTRYPOINT
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      # DASHBOARD
      - --api.dashboard=true
      - --api.insecure=true
      - --api.debug=true
      # DOCKER PROVIDERS
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedbydefault=false
      # FILE PROVIDERS
      - --providers.file=true
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.abc.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
  whoami:
    image: traefik/whoami
    container_name: traefik-whoami
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.abc.example.com`) || Host(`www.whoami.abc.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80
      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect
networks:
  proxy:
    name: proxy

# Dynamic config
tls:
  certificates:
    - certFile: /etc/traefik/certs/cert.pem
      keyFile: /etc/traefik/certs/privkey.pem
      stores:
        - default