Hello,
I don't know much about the use and configuration of Traefik and I need help because I have searched a lot on the net but I can't find an answer to my problem.
Here it is:
I have a server on my local network on which I want to serve my Gitlab instance behind Traefik. I bought a domain name for my website, let's call it "foo.com". And I want gitlab to be accessible via HTTPS on the subdomain "gitlab.foo.com".
Gitlab is only accessible from my local network or once connected to my VPN and that's perfectly what I want.
To do so, in my DNS zone, I have a redirection from gitlab.foo.com to the local IP address of my server.
Also, as my server is not directly accessible via HTTP (local IP) I use DNS challenge for letsencrypt to generate my certificate, and I think this part is OK, I check my acme.json file and it seems to be OK.
I use Traefik via docker-compose and here is my configuration file (I replaced some parts with '###' for security reasons):
```yaml
version: '3.7'
networks:
  web:
    external: true
services:
  # The reverse proxy service (Traefik)
  traefik:
    image: traefik # The official Traefik docker image
    restart: always
    networks:
      - web
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      #- "###/traefik/traefik.toml:/traefik.toml"
      - "###/traefik/certs/acme.json:/acme.json"
      #- "###/traefik/conf.d:/etc/traefik/conf.d"
    container_name: traefik
    command:
      - "--global.sendAnonymousUsage"
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--api.insecure=true"
      - "--api=true"
      - "--api.dashboard=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--entrypoints.foo.address=:80"
      - "--entrypoints.foo_secure.address=:443"
      - "--entrypoints.foo.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.foo.http.redirections.entrypoint.to=foo_secure"
      - "--certificatesresolvers.foo_certs.acme.email=contact@foo.com"
      - "--certificatesresolvers.foo_certs.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.foo_certs.acme.storage=/acme.json"
      - "--certificatesresolvers.foo_certs.acme.dnschallenge=true"
      - "--certificatesresolvers.foo_certs.acme.dnschallenge.provider=ovh"
    environment:
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=##############"
      - "OVH_APPLICATION_SECRET=#################################"
      - "OVH_CONSUMER_KEY=###########################"
  # The GitLab container itself
  gitlab:
    image: 'gitlab/gitlab-ce:14.9.0-ce.0'
    restart: always
    hostname: 'gitlab.foo.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.foo.com'
        nginx['listen_https'] = false
        nginx['listen_port'] = 80
        # backup
        gitlab_rails['backup_archive_permissions'] = 0644 # See: https://docs.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions
        gitlab_rails['backup_keep_time'] = 1468800 # 17 days, we'll do a full backup every 5 days
        gitlab_rails['backup_upload_connection'] = {
          :provider => 'Local',
          :local_root => '###/backups'
        }
        gitlab_rails['backup_upload_remote_directory'] = 'gitlab_backups'
    volumes:
      - '###/gitlab/config:/etc/gitlab'
      - '###/gitlab/logs:/var/log/gitlab'
      - '###/gitlab/data:/var/opt/gitlab'
      - '###/backups:/mnt/backups'
    networks:
      - web
    ports:
      - "2222:22"
    labels:
      - "traefik.http.routers.gitlab-https.entrypoints=foo_secure"
      - "traefik.http.routers.gitlab-https.rule=Host(`gitlab.foo.com`)"
      - "traefik.http.routers.gitlab-https.tls=true"
      - "traefik.http.routers.gitlab-https.tls.certresolver=foo_certs"
  openvpn:
    image: "kylemanna/openvpn:latest"
    container_name: openvpn
    ports:
      - "1194:1194/udp"
    volumes:
      - "#############"
    cap_add:
      - NET_ADMIN
    restart: always
```
When I try to access gitlab.foo.com I get an error because Traefik serves the default certificate.
I'm sure I'm wrong in my configuration but I don't know where, because I'm far from being an expert!
Can anyone help me?
Thanks in advance and have a nice day!
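A small diagnostic that narrows down a "Traefik serves the default certificate" symptom like the one above, added here as an illustration and not part of the original post or of the Traefik project. It does two independent checks: it lists which domains each certificate resolver in `acme.json` actually holds a certificate for (so you can confirm the DNS challenge produced one for `gitlab.foo.com` under the resolver `foo_certs`), and it opens a TLS connection with a chosen SNI name and reports whether the presented certificate is Traefik's self-signed fallback. Assumptions: the Traefik v2 `acme.json` layout (resolver name as top-level key, a `Certificates` list with `domain.main` / `domain.sans`), that the fallback certificate carries the common name `TRAEFIK DEFAULT CERT` (the check searches the DER bytes for that string, a heuristic rather than a full X.509 parse), and a constructed sample `acme.json` embedded below with the certificate material omitted.

```python
import json
import socket
import ssl
import sys
from typing import Dict, List

# Constructed sample in the shape Traefik v2 writes to acme.json. The PEM
# blobs are replaced by placeholders; only the domain bookkeeping is real.
SAMPLE_ACME_JSON = """
{
  "foo_certs": {
    "Account": {"Email": "contact@foo.com"},
    "Certificates": [
      {
        "domain": {"main": "gitlab.foo.com", "sans": []},
        "certificate": "<base64 PEM omitted in this constructed sample>",
        "key": "<base64 PEM omitted in this constructed sample>",
        "Store": "default"
      }
    ]
  }
}
"""

# Common name Traefik puts on its generated self-signed fallback certificate
# (assumption; the DER encoding contains the CN bytes verbatim).
TRAEFIK_DEFAULT_CN = b"TRAEFIK DEFAULT CERT"


def acme_domains(acme_text: str) -> Dict[str, List[str]]:
    """Map each certificate resolver in acme.json to the domains it holds a cert for."""
    data = json.loads(acme_text)
    result: Dict[str, List[str]] = {}
    for resolver, body in data.items():
        names: List[str] = []
        for entry in body.get("Certificates") or []:
            dom = entry.get("domain", {})
            if dom.get("main"):
                names.append(dom["main"])
            names.extend(dom.get("sans") or [])
        result[resolver] = names
    return result


def acme_has_cert(acme_text: str, resolver: str, domain: str) -> bool:
    """True if `resolver` has obtained a certificate covering `domain`."""
    return domain in acme_domains(acme_text).get(resolver, [])


def classify_der(der: bytes) -> str:
    """Classify a DER-encoded leaf certificate as Traefik's fallback cert or something else."""
    if not der:
        return "no-certificate"
    return "traefik-default" if TRAEFIK_DEFAULT_CN in der else "other"


def probe_sni(host: str, port: int, server_name: str, timeout: float = 5.0) -> str:
    """Connect to host:port, send `server_name` as SNI, classify the cert presented.

    Verification is disabled on purpose: we want to see the certificate even
    when it is self-signed, which is exactly the failure being diagnosed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True) or b""
    return classify_der(der)


if __name__ == "__main__":
    # Usage: python check_traefik_cert.py [acme.json] [host] [sni]
    acme_text = SAMPLE_ACME_JSON
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            acme_text = fh.read()
    for resolver, names in acme_domains(acme_text).items():
        print(f"resolver {resolver}: {names or 'no certificates yet'}")
    if len(sys.argv) > 3:
        print(f"{sys.argv[3]} -> {probe_sni(sys.argv[2], 443, sys.argv[3])}")
```

If the resolver lists no certificate for the host, the problem is on the ACME/DNS-challenge side (check the DEBUG log for the resolver name); if the certificate is there but the SNI probe still reports `traefik-default`, the router is not matching the requested host name or is not bound to that resolver, so the labels and entrypoint names are the place to look.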