Hi @bluepuma77 ,
I tried again today, but to no avail. My current configuration is:
All web apps have the following labels in the docker-compose.yml:
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.portainer.entrypoints=web"
  - "traefik.http.routers.portainer.rule=Host(`portainer.company.it`)"
  - "traefik.http.services.portainer.loadbalancer.server.port=9000"
```
Also I have a web app called FleetDM which is used to manage all the company PCs; they connect from outside through the API, and its web interface is reachable internally.
Since that application has its own certificate in addition to the one on the firewall, in order to use this application behind Traefik I had to insert the labels as follows, after several tests:
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.tcp.routers.fleetdm.rule=HostSNI(`*`)"
  - "traefik.tcp.routers.fleetdm.entrypoints=websecure"
  - "traefik.tcp.services.fleetdm.loadbalancer.server.port=8080"
```
Only in this way does it work; other TCP router settings don't work, and when I put HostSNI(`fleetdm.company.it`) I get the error: "invalid rule: "HostSNI(`fleetdm.company.it`)", has HostSNI matcher, but no TLS on router".
I tried to disable the redirect from 80 to 443 on the pfSense firewall, in order to manage it on Traefik and be able to have applications on 80 and applications on 443. It did not work: when Traefik does the redirect, it does it on the public IP instead of doing it internally, so Traefik behaves as in photo 1 instead of as in photo 2 (required result).
incorrect proxy behavior:
desired behaviour:
Also I have a traefik-dynamic.yml file that contains the router that redirects to the NAS; if I try to add more routers inside it, it sends me to a 404 page not found for all applications, including the Traefik GUI.
```yaml
http:
  routers:
    qnap-nas:
      rule: "Host(`nas.company.it`)"
      entryPoints:
        - web
        # - websecure
      #tls: {}
      service: qnap-nas
  services:
    qnap-nas:
      loadBalancer:
        servers:
          - url: "http://10.0.68.99:8080"
        passHostHeader: true
```
So my problem lies in the fact that I can't handle applications with HTTPS traffic, only HTTP traffic.
Can you help me achieve what is specified below?
I have several unreachable applications because of misconfigured labels.
I want to have the following application scenarios:
scenario 1)
client => pfsense => https(443) => traefik => https(443) => web app
scenario 2)
client => pfsense => https(443) => traefik => http(80) => web app
scenario 3)
client => pfsense => http(80) => traefik => http(80) => web app
Should I go ahead with labels or dynamic files?
My Traefik static conf:
```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: false # true by default

# (Optional) Log information
# ---
log:
  # Log level
  #
  # Optional
  # Default: "ERROR"
  #
  level: DEBUG
  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  format: json
  filePath: /var/log/traefik/traefik.log

# (Optional) Accesslog
# ---
accesslog:
  format: json # common, json, logfmt
  filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: true # true by default
  insecure: false # Don't do this in production!

# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    #http:
    #  redirections:
    #    entryPoint:
    #      to: websecure
  websecure:
    address: :443
  #mysql:
  #  address: :3306

# Configure your CertificateResolver here...
# ---
#certificatesResolvers:
#  staging:
#    acme:
#      email: webmaster@example.it
#      storage: /etc/traefik/certs/acme.json
#      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
#      httpChallenge:
#        entryPoint: web
#  production:
#    acme:
#      email: webmaster@example.it
#      storage: /etc/traefik/certs/acme.json
#      caServer: "https://acme-v02.api.letsencrypt.org/directory"
#      httpChallenge:
#        entryPoint: web

# (Optional) Overwrite Default Certificates
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/cert.pem
        keyFile: /etc/traefik/certs/cert-key.pem
        # caFile: /etc/traefik/certs/ca.pem
  # (Optional) Disable TLS version 1.0 and 1.1
  # options:
  #   default:
  #     minVersion: VersionTLS12
  #     cipherSuites:
  #       - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  #       - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  #       - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  #       - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  #       - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

providers:
  docker:
    exposedByDefault: false
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true

# Dynamic Configuration
http:
  routers:
    dashboard:
      rule: Host(`rproxy.company.it`) #&& (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
      entryPoints:
        - web
      #tls:
      #  options: default
      middlewares:
        - auth
  middlewares:
    auth:
      basicAuth:
        usersFile: "/etc/traefik/.htpasswd"
```
I have my own certificate.
Thanks very much.
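The three scenarios from the post, plus the FleetDM case with its own backend certificate, written out as one Traefik dynamic-configuration file. This is an added example, not the original poster's file and not Traefik project code. It assumes the `web` and `websecure` entry points and the default certificate from the static config above; the FleetDM backend address `10.0.68.50`, the `app2.company.it` host name with backend `10.0.68.60`, and the CA file path `/etc/traefik/certs/fleetdm-ca.pem` are constructed placeholders.

```yaml
# traefik-dynamic.yml (added example; addresses and CA path are assumptions)
http:
  routers:
    # Scenario 1: client => pfSense => https(443) => Traefik => https(443) => web app
    # TLS is terminated on Traefik (tls: {} picks the default certificate from
    # tls.stores) and re-encrypted towards a backend that presents its own certificate.
    fleetdm-ui:
      rule: "Host(`fleetdm.company.it`)"
      entryPoints:
        - websecure
      tls: {}
      service: fleetdm-ui

    # Scenario 2: client => pfSense => https(443) => Traefik => http(80) => web app
    app2:
      rule: "Host(`app2.company.it`)"   # constructed host name
      entryPoints:
        - websecure
      tls: {}
      service: app2

    # Scenario 3: client => pfSense => http(80) => Traefik => http(80) => web app
    qnap-nas:
      rule: "Host(`nas.company.it`)"
      entryPoints:
        - web
      service: qnap-nas

  services:
    fleetdm-ui:
      loadBalancer:
        serversTransport: fleetdm-backend    # verify the backend's own certificate
        servers:
          - url: "https://10.0.68.50:8080"   # constructed address
    app2:
      loadBalancer:
        servers:
          - url: "http://10.0.68.60:80"      # constructed address
    qnap-nas:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://10.0.68.99:8080"

  serversTransports:
    fleetdm-backend:
      # Trust the CA that issued the backend certificate rather than turning
      # verification off; Traefik then still checks the backend's identity.
      rootCAs:
        - /etc/traefik/certs/fleetdm-ca.pem  # assumed path
      # insecureSkipVerify: true             # last resort: accepts any backend certificate

# Alternative for the same FleetDM host: do not terminate TLS on Traefik, pass the
# TLS stream straight through so clients and agents see FleetDM's own certificate.
# A non-wildcard HostSNI requires tls on the router (this is the "has HostSNI
# matcher, but no TLS on router" error); passthrough satisfies that without
# Traefik decrypting. Enable either this TCP router or the fleetdm-ui HTTP router,
# not both: TCP routers on a shared entry point are matched before HTTP routers.
#tcp:
#  routers:
#    fleetdm-passthrough:
#      rule: "HostSNI(`fleetdm.company.it`)"
#      entryPoints:
#        - websecure
#      tls:
#        passthrough: true
#      service: fleetdm-passthrough
#  services:
#    fleetdm-passthrough:
#      loadBalancer:
#        servers:
#          - address: "10.0.68.50:8080"       # constructed address
```

Two points are worth checking against the post's current labels. First, `HostSNI(`*`)` on `websecure` without `tls` is a catch-all raw TCP router and will claim every connection on port 443 ahead of the HTTP routers, which matches the symptom that other routers stop working; a named `HostSNI` with `tls.passthrough` only claims that SNI. Second, keeping `rootCAs` instead of `insecureSkipVerify` preserves certificate verification between Traefik and the backend, so a wrong or impersonated backend is refused rather than silently proxied.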