LE/Proxy Traefik Dashboard

Hi there,

I am attempting to set up a basic Traefik on docker via docker-compose to proxy just its own dashboard. But I continually get a 404 error. My reading suggests that a rule is not matching. I have not yet added an auth middleware as I am still just working through this.

I am just having the worst brain crunch on this and thought a second set of eyes might help.

Admittedly I have been reading through many docs and articles to troubleshoot, and some of my compose file may need to be simplified.

Versions

❯ docker version
Client: Docker Engine - Community
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        f0df350
 Built:             Wed Jun  2 12:00:45 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:58:56 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.6
  GitCommit:        d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version:          1.0.0-rc95
  GitCommit:        b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
❯ cat -p /etc/lsb-release
DISTRIB_ID=Pop
DISTRIB_RELEASE=21.04
DISTRIB_CODENAME=hirsute
DISTRIB_DESCRIPTION="Pop!_OS 21.04"
image: traefik:latest

docker-compose.yml

version: "3.3"
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    networks:
      - proxy
    command:
      #- "--log.level=debug"
    #   - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.network=proxy"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    #   - --entrypoints.web.http.redirections.entryPoint.to=websecure
    #   - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - "--certificatesresolvers.godaddy.acme.dnschallenge=true"
      - "--certificatesresolvers.godaddy.acme.dnschallenge.provider=godaddy"
      - "--certificatesresolvers.godaddy.acme.email=me@domain.com"
      - "--certificatesresolvers.godaddy.acme.storage=/letsencrypt/acme.json"
    env_file:
        - .env
    ports:
      - "80:80"
      - "443:443"
    labels:
        # Proxy own dashboard
        # Core Config
        - "traefik.enable=true"

        - "traefik.http.routers.dashboard.rule: Host(`traefik.${DOMAIN}`) && (PathPrefix(`/traefik`) || (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.entrypoints=websecure"

        # Stripprefix for dashboard
        - "traefik.http.routers.dashboard.middlewares=strip"
        - "traefik.http.middlewares.strip.stripprefix.prefixes=/traefik"

        # TLS
        - "traefik.http.routers.dashboard.tls=true"
        - "traefik.http.routers.dashboard.tls.certresolver=leresolver"

        # - traefik.port=8080
        - "traefik.docker.network=proxy"
    volumes:
      - "$PWD/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

networks:
  proxy:
    external: true

Thank you for the input.

I am just updating, I think I got it working. My previous config was a mess from troubleshooting. I had mismatched labels, etc.

Right now I have:

version: "3.3"

networks:
  proxy:
    external: true

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - "$PWD/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    command:
      #- "--log.level=debug"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--api.debug=true"
      - "--providers.docker=true"
      - "--providers.docker.network=proxy"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.defaultRule=Host(`{{ normalize .Name }}.${DOMAIN}`)"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge=false"
      - "--certificatesresolvers.le.acme.tlschallenge=false"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=godaddy"
      - "--certificatesresolvers.le.acme.email=${LE_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    env_file:
        - .env
    labels:
        # Core Config
        - "traefik.enable=true"
        - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
        # TLS
        - "traefik.http.routers.dashboard.tls=true"
        - "traefik.http.routers.dashboard.tls.certresolver=le"

        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.services.dashboard.loadbalancer.server.port=8080"

        - "traefik.http.routers.dashboard.tls.domains[0].main=${DOMAIN}"
        - "traefik.http.routers.dashboard.tls.domains[0].SANS=*.${DOMAIN}"
        - "traefik.docker.network=proxy"

If anyone has any suggestions on things to improve, I am open!
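A small linter for the kinds of mismatch visible in the two compose files above, added here as an example (it is not part of the original posts and not Traefik's own code). It flags labels that are not in `key=value` form, unbalanced parentheses in a rule, a `certresolver` name that no command flag defines, a rule that mixes `&&` and `||` without grouping (`&&` binds first, so ``PathPrefix(`/dashboard`)`` is matched on any Host), `--api.insecure=true`, and an `api@internal` router with no auth middleware. The names `lint`, `toplevel_ops` and `AUTH` and the abridged sample input are assumptions of this example.

```python
import re

AUTH = ("basicauth", "digestauth", "forwardauth")  # authenticating middlewares

def toplevel_ops(rule):
    """Return the operators that sit outside any parentheses in a rule."""
    depth, ops = 0, set()
    for i, ch in enumerate(rule):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and rule[i:i + 2] in ("&&", "||"):
            ops.add(rule[i:i + 2])
    return ops

def lint(command, labels):
    """Return findings for one Traefik service's CLI flags and docker labels."""
    out, kv = [], {}
    resolvers = set(re.findall(r"--certificatesresolvers\.([^.]+)\.", " ".join(command)))
    if "--api.insecure=true" in command:
        out.append("api.insecure: dashboard served on :8080 with no authentication")
    for label in labels:
        key, sep, value = re.match(r"([^=:]*)(=|:\s*|$)(.*)", label).groups()
        if sep != "=":
            out.append("label is not key=value: " + label[:36])
        kv[key] = value
    for key, value in kv.items():
        m = re.fullmatch(r"traefik\.http\.routers\.([^.]+)\.(.+)", key)
        router, opt = m.groups() if m else (None, None)
        if opt == "rule" and value.count("(") != value.count(")"):
            out.append(f"{router}: unbalanced parentheses in rule")
        elif opt == "rule" and toplevel_ops(value) == {"&&", "||"}:
            out.append(f"{router}: '&&' and '||' mixed without grouping")
        elif opt == "tls.certresolver" and value not in resolvers:
            out.append(f"{router}: certresolver '{value}' is not defined")
        elif opt == "service" and value == "api@internal":
            mws = kv.get(f"traefik.http.routers.{router}.middlewares", "").split(",")
            if not any(f"traefik.http.middlewares.{n}.{a}." in k
                       for n in mws for a in AUTH for k in kv):
                out.append(f"{router}: api@internal has no auth middleware")
    return out

# Sample input abridged from the second compose file in this thread.
COMMAND = ["--api.insecure=true", "--certificatesresolvers.le.acme.dnschallenge=true"]
LABELS = [
    "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`)",
    "traefik.http.routers.dashboard.tls.certresolver=le",
    "traefik.http.routers.dashboard.service=api@internal",
]
print("\n".join(lint(COMMAND, LABELS)))
```

Grouping the alternatives as ``Host(`traefik.${DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))`` and attaching an auth middleware to the router clears the two rule-level findings for this input.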

Hm, still working through this:

traefik    | time="2021-06-23T02:29:51Z" level=error msg="Unable to obtain ACME certificate for domains \"traefik.DOM.com\": unable to generate a certificate for the domains [traefik.DOM.com]: error: one or more domains had a problem:\n[traefik.DOM.com] [traefik.DOM.com] acme: error presenting token: godaddy: failed to get zone: unexpected response code 'SERVFAIL' for _acme-challenge.traefik.DOM.com.\n" providerName=le.acme routerName=dashboard@docker rule="Host(`traefik.DOM.com`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`)"

(Still searching)

ok, so I am 99.9999% sure this is the GoDaddy provider. I tested the same config with the Cloudflare provider, and it worked without issue.
