Dear all!
I am trying to secure my nextcloud installation (docker on Ubuntu 18.04 on ESXi 6.7) with traefik & letsencrypt. However, when I try to access the NC instance via https, my browser either redirects to https://_/ (Vivaldi) or gives an error ("The plain HTTP request was sent to HTTPS port", curl / Firefox).
The dashboard works via https, as does another simple whoami container. Only nextcloud does not work as expected and I am losing my mind over what I could have done wrong. So far I mostly followed guides & tutorials (starting with the excellent one on Medium), modifying and adding where necessary. Maybe I have created an amalgam of several configurations, which leads to the current problems, but even restarting from scratch does not work anymore.
My config files:
docker-compose.yml
```yaml
version: '3'

services:
  traefik:
    image: traefik:v2.0.4
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik/acme.json:/acme.json
      - /root/traefik/traefik.yml:/traefik.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.net`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:pass"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.net`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"

  whoami:
    image: "containous/whoami"
    container_name: "simple-whoami"
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.domain.net`)"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.tls.certresolver=http"

  nextcloud:
    image: linuxserver/nextcloud
    container_name: "nextcloud"
    networks:
      - proxy
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Berlin
    volumes:
      - /home/dockeruser/nextcloud:/config
      - /home/dockeruser/nextcloud_data:/data
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.domain.net`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"

networks:
  proxy:
    external: true
```
traefik.yml
```yaml
api:
  dashboard: true

log:
  level: DEBUG

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  http:
    acme:
      email: email@domain.net
      storage: acme.json
      httpChallenge:
        entryPoint: http
```
Last part of docker-compose logs:
```
traefik | time="2019-11-07T12:30:39Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"],\"X-Forwarded-Host\":[\"nextcloud.domain.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"b3bbad79f113\"],\"X-Real-Ip\":[\"ip-address\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"nextcloud.domain.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"ip-address:36902\",\"RequestURI\":\"/\",\"TLS\":null}"
```
Any ideas?
In case you were wondering why the traefik directory is under /root - I first tried /opt/traefik but somehow it did not recognize the docker-compose.yml there. A simple cp to /root was sufficient to make it run.