Maintenance-free Docker config, how

Hey everyone,

earlier I had a config with the following:

  • Docker
  • Default domain (let’s call it s.example.com)
  • Opt-in container exposure
  • HTTPS redirect
  • Let’s Encrypt

If I wanted to make a container available, I’d just use the traefik.enable=true label and boom the container was available at container_name.s.example.com. Awesome stuff!

# Traefik 1.7 traefik.toml
checkNewVersion = true
sendAnonymousUsage = true
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
    address = "1.2.3.4:80"
    # global, permanent HTTP -> HTTPS redirect for every frontend
    [entryPoints.http.redirect]
      entryPoint = "https"
      permanent = true

  [entryPoints.https]
    address = "1.2.3.4:443"
    [entryPoints.https.tls]
      sniStrict = true            # no default certificate for clients that send no SNI
      minVersion = "VersionTLS12"

[acme]
  email = "traefik@example.com"
  storage = "/etc/traefik/acme.json"
  entryPoint = "https"
  onHostRule = true               # request a certificate for every Host rule as it appears
  [acme.httpChallenge]
    entryPoint = "http"           # HTTP-01 challenge is answered on the plain HTTP entry point

[docker]
  endpoint = "tcp://localhost:2375"   # unauthenticated Docker API over plain TCP on localhost
  domain = "s.example.com"            # containers become <container_name>.s.example.com
  exposedByDefault = false            # opt-in: only containers with traefik.enable=true

I’m currently trying to somehow replicate this config on Traefik 2.0 and to be honest, I’m horrified. I have to put at least three labels on a container (+1 because of a bug?):

  • traefik.enable=true – That’s ok.
  • traefik.http.routers.whoami-https.entryPoints=https – Because otherwise it would uselessly bind to the HTTP entry point, too. Not okay.
  • traefik.http.routers.whoami-https.tls=true – Because I want HTTPS. Why do I even have to specify this? This should be the default in 2019.
  • traefik.http.routers.whoami-https.tls.certResolver=default – Contrary to the documentation, it will not use the ACME resolver (called default) otherwise. Probably a bug, also required in the file config. Not okay.

This has to be a joke. In Traefik 1.7, it was even possible to specify the entire template used by the Docker provider to bring a container to the network. I didn’t need it, because the provider already had all the required options. Now I have to repeat every configuration option on every container? I have to use workarounds in the config to create a universal HTTP → HTTPS redirect? I need two files, which by the way is not even remotely clear from reading the documentation?

# Traefik 2.0 traefik.toml (static configuration)
[global]
  checkNewVersion = true
  sendAnonymousUsage = true

[entryPoints]
  [entryPoints.http]
    address = "1.2.3.4:80"      # no redirect option on the entry point in 2.0
  [entryPoints.https]
    address = "1.2.3.4:443"

[providers]
  [providers.file]
    filename = "/etc/traefik/dynamic.toml"   # second file, holds the redirect router

  [providers.docker]
    endpoint = "tcp://localhost:2375"
    exposedByDefault = false
    # replaces the 1.7 "domain" option: the router rule is derived from the container name
    defaultRule = "Host(`{{ normalize .Name }}.s.example.com`)"

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    sniStrict = true

[certificatesResolvers]
  [certificatesResolvers.default]       # the resolver name every container has to reference
    [certificatesResolvers.default.acme]
      email = "traefik@example.com"
      storage = "/etc/traefik/acme.json"
      [certificatesResolvers.default.acme.httpChallenge]
        entryPoint = "http"

# Traefik 2.0 dynamic.toml (dynamic configuration, loaded by providers.file)
[http.routers]
  # catch-all router on the plain HTTP entry point: every *.s.example.com host is redirected
  [http.routers.redirect-http]
    entryPoints = ["http"]
    rule = "HostRegexp(`{subdomain:.+\\.s\\.example\\.com}`)"
    service = "dummy@file"
    middlewares = ["http-to-https"]

[http.middlewares]
  [http.middlewares.http-to-https.redirectScheme]
    scheme = "https"
    permanent = true

[http.services]
  # a router must reference a service; this placeholder is never reached because the
  # redirect middleware answers first
  [http.services.dummy.LoadBalancer]
    [[http.services.dummy.LoadBalancer.servers]]
      url = ""

Will there be a remedy for all this verbosity in the future or will I simply have to stay on Traefik 1.7 forever? I fully understand that the old concepts had serious limitations. I even made a feature request to decouple ACME from the entry points. But now these limitations are replaced by a new set of even more ridiculous limitations + spammy container labels.

I’m sad! :slightly_frowning_face:

I'm not really bothered by it. Every container can have its own configuration, and if it happens that all of yours have the same..., well, repeating three more lines per container is not a big strain. I mean, what are the practical downsides (apart from hurt aesthetic taste)? I see none.

Entrypoint has to be defined, because if you have multiple, how else is Traefik supposed to know which one to use? I think if you have a single one, it will be able to pick it up without more config, but since most of the time you need both http and https, that would not cut it.

TLS without further configuration would use an autogenerated cert. This is NOT what I'd want by default. http is a much more sensible default.

certResolver - you refer to the documentation, but you do not specify which piece; I think you misread it. People have already complained about hitting the rate limit with LE when they misconfigure; well, if it would pick up the default it would be even easier to misconfigure and hit the rate limit, so I'd vote against this change.

Just want to supply a different user perspective. Many thanks!

EDIT: The above is not to say that the changes you are suggesting are not welcome; everything that makes life easier for someone is good. It's just that I would not be surprised if the Traefik team could not fit those in sooner than some much more critical and impactful changes.

Because I don’t orchestrate my containers in any way, having to make sure all these labels are there is quite annoying. It’s simply extra work that I don’t want. And didn’t have to do earlier! We could have defaults without sacrificing any flexibility in per-container configuration.

The Routers documentation says the following on TLS:

[screenshot of the TLS info box from the Routers documentation]

The info box is incorrect. If there isn’t already a certificate for the host in question, the Traefik default certificate will be used, not ACME. That’s why this is very likely a bug. Or maybe the documentation is wrong.

I don’t see any problem with the Let’s Encrypt rate limits. Certificates are requested on-demand, once, and renewed as required. Unless you have a lot of different domains coming online all at once, you won’t hit any rate limits. I’m not sure what to misconfigure to break this.

Hello,

I fixed the wrong doc https://github.com/containous/traefik/pull/5837

But also note:

https://docs.traefik.io/https/acme/

Alright, cool. :+1:

Still, I think defaults should be possible.

There’s another problem (maybe 2) with the way it currently works:

  • I have to know how the certificate resolver is called
  • I (may) have to make sure my router names don’t conflict with other containers

That’s fine for me because I manage everything. If multiple people are involved, things get more complicated.
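As an added example (not part of this thread and not Traefik code): a small Python checker that applies the per-container label requirements listed in the first post (`traefik.enable`, an `entryPoints` label naming the HTTPS entry point, `tls`, and `tls.certResolver` pointing at the resolver) to a set of container label maps, and also reports router names that more than one container defines, which is the conflict mentioned in the last post. The container names, their labels, and the function names are constructed for the example; the resolver and entry point names default to the ones used in the thread.

```python
# Added example: audit Traefik 2.x Docker labels for the requirements discussed in the thread.
# Hypothetical checker written for this thread, not part of Traefik.
import re
from typing import Dict, List, Set

# traefik.http.routers.<router>.<option...>
ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")


def _enabled(labels: Dict[str, str]) -> bool:
    # exposedByDefault=false: only containers that opt in are routed at all
    return labels.get("traefik.enable", "false").strip().lower() == "true"


def _routers(labels: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group router labels by router name; option keys are compared case-insensitively."""
    routers: Dict[str, Dict[str, str]] = {}
    for key, value in labels.items():
        m = ROUTER_LABEL.match(key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2).lower()] = value
    return routers


def audit_container(labels: Dict[str, str], resolver: str = "default",
                    https_entrypoint: str = "https") -> List[str]:
    """Return findings for one container, following the label list from the first post."""
    findings: List[str] = []
    if not _enabled(labels):
        return findings  # not exposed, nothing to check
    routers = _routers(labels)
    if not routers:
        # defaultRule still creates a router, but it has no TLS and binds to every entry point
        findings.append("enabled without any router labels: defaultRule router has no TLS")
        return findings
    for name, opts in routers.items():
        eps = [e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()]
        if https_entrypoint not in eps:
            findings.append(f"router {name}: entryPoints {eps} does not include {https_entrypoint!r}")
        extra = [e for e in eps if e != https_entrypoint]
        if extra:
            findings.append(f"router {name}: also bound to non-TLS entry points {extra}")
        if opts.get("tls", "false").strip().lower() != "true":
            findings.append(f"router {name}: tls is not enabled")
        if opts.get("tls.certresolver") != resolver:
            findings.append(f"router {name}: tls.certResolver is not {resolver!r}")
    return findings


def audit_fleet(containers: Dict[str, Dict[str, str]], **kw) -> Dict[str, List[str]]:
    """Audit every container and flag router names defined by more than one of them."""
    report = {cname: audit_container(labels, **kw) for cname, labels in containers.items()}
    owners: Dict[str, Set[str]] = {}
    for cname, labels in containers.items():
        if _enabled(labels):
            for router in _routers(labels):
                owners.setdefault(router, set()).add(cname)
    for router, cnames in owners.items():
        if len(cnames) > 1:
            for cname in cnames:
                others = sorted(cnames - {cname})
                report[cname].append(f"router {router!r} is also defined by {others}")
    return report


# Constructed sample: four containers as the Docker provider would report their labels.
SAMPLE_CONTAINERS = {
    "whoami": {  # fully labelled, as in the first post
        "traefik.enable": "true",
        "traefik.http.routers.whoami-https.entryPoints": "https",
        "traefik.http.routers.whoami-https.tls": "true",
        "traefik.http.routers.whoami-https.tls.certResolver": "default",
    },
    "blog": {  # copied the router name, bound to both entry points, no TLS labels
        "traefik.enable": "true",
        "traefik.http.routers.whoami-https.entryPoints": "http,https",
    },
    "legacy": {"traefik.enable": "true"},  # only opted in, relies on defaultRule
    "db": {},  # never exposed
}

if __name__ == "__main__":
    for cname, findings in audit_fleet(SAMPLE_CONTAINERS).items():
        print(cname, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The checker works on plain label dictionaries, so the same functions can be fed the `Labels` map from `docker inspect` output; the collision check is the part that matters once several people add containers independently, since two containers sharing a router name end up fighting over one router definition.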