Installation problem on docker compose

Hello everyone,
I am trying to install Traefik via Docker Compose on Docker Swarm, but I am experiencing the following problems:

  1. Enabling dashboard login and setting api.insecure=false, the dashboard doesn't show up.

  2. Enabling dashboard login and leaving api.insecure=true, the dashboard remains reachable without authentication.

  3. Setting the labels on the docker compose balanced services, the routing does not work and I do not see them as routers in the dashboard.

  4. Enabling TLS and putting the self-signed wildcard certificate in the configuration file, it always tells me "404 page not found" and in the logs I see the error "unknown certificate".

I leave the contents of my files below; can you tell me how to configure it so that I have the following?

  1. reach the dashboard via traefik.company.local
  2. have authentication on the dashboard
  3. balance the docker compose services using the correct labels and the self-signed certificate

Thank you very much

traefik.yml:

global:
  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

# (Optional) Log information
# ---
log:
  # Log level
  #
  # Optional
  # Default: "ERROR"
  #
  level: DEBUG

  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  filePath: /var/log/traefik/traefik.log
# (Optional) Accesslog
# ---
accesslog:
   format: common  # common, json, logfmt
   filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: true  # true by default
  insecure: true # Don't do this in production!
# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    #http:
    #  redirections:
    #    entryPoint:
    #      to: websecure
    #      scheme: https

  websecure:
    address: :443
# Configure your CertificateResolver here...
# ---
# certificatesResolvers:
#   staging:
#     acme:
#       email: your-email@example.com
#       storage: /etc/traefik/certs/acme.json
#       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
#       httpChallenge:
#         entryPoint: web
#
#   production:
#     acme:
#       email: your-email@example.com
#       storage: /etc/traefik/certs/acme.json
#       caServer: "https://acme-v02.api.letsencrypt.org/directory"
#       httpChallenge:
#         entryPoint: web

# (Optional) Overwrite Default Certificates
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/cert.pem
        keyFile: /etc/traefik/certs/cert-key.pem
# (Optional) Disable TLS version 1.0 and 1.1
  options:
    default:
      minVersion: VersionTLS12

providers:
  docker:
    swarmMode: true
    exposedByDefault: true
  file:
    #filename: /etc/traefik/middlewares.yml
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true
    
dynamicConfiguration:
  middlewares:
    # Include the middlewares.yml file
    - file:
        filename: /etc/traefik/middlewares.yml

docker-compose.yml:

version: '3.8'

services:
  traefik:
    image: traefik:v2.10
    container_name: Traefik
    restart: unless-stopped
    command:
      - "--providers.docker.network=Traefik" 
    ports:
      - 80:80
      - 443:443
      - 8080:8080  
    deploy:
      placement:
        constraints:
          - "node.labels.tipo == produzione"
    volumes:
      - /data/docker/appdata/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/docker/logs/traefik:/var/log/traefik
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      #- "traefik.http.routers.http-catchall.entrypoints=http"
      #- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      #- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      #- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      #- "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik.company.local`)"
      #- "traefik.http.services.traefik.loadbalancer.server.port=8080"
      #- "traefik.http.routers.traefik.tls=true" # Some people had 404s without this
      #- "traefik.http.routers.traefik.tls.domains[0].main=company.local"
      #- "traefik.http.routers.traefik.tls.domains[0].sans=*.company.local"
      #- "traefik.http.routers.traefik.middlewares=middlewares-basic-auth@file"
      #- "traefik.http.services.traefik-rtr.loadbalancer.server.port=8080"
      ## Services - API
      #- "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      #- "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file"
    networks:
      - Traefik

networks:
  Traefik:
    external: true

middlewares.yml:

http:
  middlewares:
    test-auth:
      basicAuth:
        users:
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"

You can’t use traefik.yml and command together, decide for one.

When using insecure=true all middlewares for Dashboard will be ignored.

There is a complete example for dashboard in the docs: Traefik Dashboard Documentation - Traefik be sure to select the Docker Swarm example.

api.insecure does a lot of things, it sets up an entrypoint, router and the dashboard all in one option. The way to set it up correctly is in the example at the aforementioned link.

All labels need to be nested under the deploy: label for traefik to recognise them. When running in Swarm you have both Service level labels and Container labels Traefik will only look at the Service labels.

Likely this is related to the Labels not being under deploy: the router is not defined hence the 404.

You are also mixing static and dynamic options in the same static file, you should split out the dynamic options and reference
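The layout the two replies above describe, as an added example written for this page (not the original poster's files and not a Traefik project example): api.insecure off, the dashboard served through a router on websecure with a basicAuth middleware, Swarm labels nested under deploy:, the dynamic TLS and middleware options moved out of traefik.yml into a directory read by the file provider, and the Docker network set in traefik.yml instead of command:. Three files are shown as three YAML documents separated by ---. The /etc/traefik/dynamic directory, the router name dashboard, the certificate paths and the 9999 dummy port are assumptions; the basicAuth entry is the test user hash from the thread's middlewares.yml.

```yaml
# traefik.yml  (static configuration only; the compose file has no `command:`)
api:
  dashboard: true
  insecure: false            # no :8080 entrypoint; the dashboard is reachable only via a router

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    swarmMode: true
    exposedByDefault: false  # only services carrying traefik.enable=true get routed
    network: Traefik         # overlay network Traefik uses to reach backends
  file:
    directory: /etc/traefik/dynamic   # assumed path; keep it separate from traefik.yml
    watch: true
---
# /etc/traefik/dynamic/tls.yml  (dynamic configuration: tls and middlewares live here)
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/cert.pem      # assumed path of the wildcard cert
        keyFile: /etc/traefik/certs/cert-key.pem
  options:
    default:
      minVersion: VersionTLS12
http:
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"   # hash from the thread (user test); replace it
---
# docker-compose.yml  (Swarm stack; labels sit under deploy: so the Swarm provider reads them)
version: "3.8"
services:
  traefik:
    image: traefik:v2.10
    ports:
      - "80:80"
      - "443:443"            # 8080 is not published at all
    volumes:
      - /data/docker/appdata/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/docker/logs/traefik:/var/log/traefik
    networks:
      - Traefik
    deploy:
      placement:
        constraints:
          - "node.labels.tipo == produzione"
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.dashboard.rule=Host(`traefik.company.local`)"
        - "traefik.http.routers.dashboard.entrypoints=websecure"
        - "traefik.http.routers.dashboard.tls=true"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.middlewares=dashboard-auth@file"
        # Swarm needs a server port even for api@internal; the value is never dialled
        - "traefik.http.services.dashboard.loadbalancer.server.port=9999"
networks:
  Traefik:
    external: true
```

The user list stays in the file-provider document on purpose: a `$` inside a compose label has to be written as `$$`, which is an easy way to ship a hash that never matches. Generate a real entry with `htpasswd -nB <user>` rather than reusing the test hash. With exposedByDefault: false, a backend that forgets traefik.enable=true simply does not appear in the dashboard, which is the safer failure mode than the posted config, where every Swarm service was exposed unless opted out.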

Thanks @bluepuma77,
could you please tell me what the best way is, and possibly how to configure traefik.yml? I would like the best solution with the least hassle, and dynamic.

My need is to:

  1. proxy services such as Portainer, MySQL and Apache on ports 80 and 443 with the wildcard certificate installed on the server.

  2. protect access to the dashboard

  3. make the dashboard reachable from the subdomain on 80 instead of 8080

  4. make the subdomain xyz.company.com point to another server, also on 443 and 8080

Thanks again

Some of your requirements you can find in the simple Traefik example. This will use individual certs (per router Host()s), no wildcard.

But a MySQL database does not run on the HTTP protocol, and I don't even know if it uses plain TLS, so better use a different port.
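What "use a different port" looks like in Traefik terms, as an added example (not from the thread or from the Traefik docs): MySQL is routed at the TCP layer on its own entrypoint instead of through web/websecure, because the MySQL wire protocol is not HTTP. The service name mysql, the image and the port 3306 are assumptions; the Traefik service is shown only as far as the new published port.

```yaml
# traefik.yml (static): a dedicated entrypoint for the MySQL wire protocol
entryPoints:
  mysql:
    address: ":3306"
---
# docker-compose.yml (Swarm stack)
# The database gets a tcp router, not an http one; the http routers/services
# used for the dashboard cannot carry MySQL traffic.
services:
  traefik:
    image: traefik:v2.10
    ports:
      - "80:80"
      - "443:443"
      - "3306:3306"          # published so clients can reach the new entrypoint
    networks:
      - Traefik
  mysql:
    image: mysql:8.0         # assumed image
    networks:
      - Traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.tcp.routers.mysql.entrypoints=mysql"
        # HostSNI(`*`) is required for a TCP router without TLS: a MySQL client
        # sends no SNI, so there is nothing else for the rule to match on.
        - "traefik.tcp.routers.mysql.rule=HostSNI(`*`)"
        - "traefik.tcp.routers.mysql.service=mysql"
        - "traefik.tcp.services.mysql.loadbalancer.server.port=3306"
networks:
  Traefik:
    external: true
```

Publishing 3306 through the Swarm ingress exposes the database on every node in the cluster, so restrict it with the host firewall or bind the entrypoint to an internal address (for example `address: "10.0.68.1:3306"`) if only internal clients need it. The wildcard certificate plays no part here: Traefik passes the TCP stream through unchanged, so any TLS is negotiated between the MySQL client and server themselves.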

Thanks @bluepuma77,
I was able to get it working by putting everything in the traefik.yml file without using docker compose.

The only thing I ask is whether you can help me reach an external service.

I have a NAS reachable on port 8080; I created the traefik-dynamic.yml file as follows, but I get bad gateway, as Traefik can't connect to the outside and only connects to its default network. How do I get it to balance external services to its network as well?

Thanks

traefik-dynamic.yml:

http:
  routers:
    qnap-nas:
      rule: "Host(`nas.mgmt.company.it`)"
      middlewares:
        - https-redirect
        - nas-secure-headers
      tls:
        domains:
          - main: "nas.mgmt.company.it"
            sans:
              - "*.company.it"
      service: qnap-nas
  services:
    qnap-nas:
      loadBalancer:
        servers:
          - url: "http://:10.0.68.99:8080"
        passHostHeader: true
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

    nas-secure-headers:
      headers:
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        referrerPolicy: "same-origin"
        customResponseHeaders:
          X-Robots-Tag: "none"

Looks good except for the invalid url:

✗ http://:10.0.68.99:8080
✓ http://10.0.68.99:8080

Hi @cakiwi,
I corrected the IP, but it still doesn't work; it tells me bad gateway.

If I do docker exec -it traefik sh and then telnet 10.0.68.99 8080 I reach it no problem, but when I look for the interface, I see this in the logs:

"level":"debug","msg":"'502 Bad Gateway' caused by: dial tcp: lookup :10.0.68.99: no such host","time":"2023-06-09T12:47:25Z"}

What can I do?

Thanks