Hey everyone,
earlier I had a config with the following:
- Docker
- Default domain (let’s call it `s.example.com`)
- Opt-in container exposure
- HTTPS redirect
- Let’s Encrypt

If I wanted to make a container available, I’d just use the `traefik.enable=true` label and boom the container was available at `container_name.s.example.com`. Awesome stuff!
```toml
# Traefik 1.7 traefik.toml
checkNewVersion = true
sendAnonymousUsage = true
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = "1.2.3.4:80"
    [entryPoints.http.redirect]
    entryPoint = "https"
    permanent = true
  [entryPoints.https]
  address = "1.2.3.4:443"
    [entryPoints.https.tls]
    sniStrict = true
    minVersion = "VersionTLS12"

[acme]
email = "traefik@example.com"
storage = "/etc/traefik/acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"

[docker]
endpoint = "tcp://localhost:2375"
domain = "s.example.com"
exposedByDefault = false
```
I’m currently trying to somehow replicate this config on Traefik 2.0 and to be honest, I’m horrified. I have to put at least three labels on a container (+1 because of a bug?):
- `traefik.enable=true` – That’s ok.
- `traefik.http.routers.whoami-https.entryPoints=https` – Because otherwise it would uselessly bind to the HTTP entry point, too. Not okay.
- `traefik.http.routers.whoami-https.tls=true` – Because I want HTTPS. Why do I even have to specify this? This should be the default in 2019.
- `traefik.http.routers.whoami-https.tls.certResolver=default` – Contrary to the documentation, it will not use the ACME resolver (called `default`) otherwise. Probably a bug, also required in the file config. Not okay.
This has to be a joke. In Traefik 1.7, it was even possible to specify the entire template used by the Docker provider to bring a container to the network. I didn’t need it, because the provider already had all the required options. Now I have to repeat every configuration option on every container? I have to use workarounds in the config to create a universal HTTP → HTTPS redirect? I need two files, which by the way is not even remotely clear from reading the documentation?
```toml
# Traefik 2.0 traefik.toml
[global]
checkNewVersion = true
sendAnonymousUsage = true

[entryPoints]
  [entryPoints.http]
  address = "1.2.3.4:80"
  [entryPoints.https]
  address = "1.2.3.4:443"

[providers]
  [providers.file]
  filename = "/etc/traefik/dynamic.toml"
  [providers.docker]
  endpoint = "tcp://localhost:2375"
  exposedByDefault = false
  defaultRule = "Host(`{{ normalize .Name }}.s.example.com`)"

[tls.options]
  [tls.options.default]
  minVersion = "VersionTLS12"
  sniStrict = true

[certificatesResolvers]
  [certificatesResolvers.default]
    [certificatesResolvers.default.acme]
    email = "traefik@example.com"
    storage = "/etc/traefik/acme.json"
      [certificatesResolvers.default.acme.httpChallenge]
      entryPoint = "http"
```
+
```toml
# Traefik 2.0 dynamic.toml
[http.routers]
  [http.routers.redirect-http]
  entryPoints = ["http"]
  rule = "HostRegexp(`{subdomain:.+\\.s\\.example\\.com}`)"
  service = "dummy@file"
  middlewares = ["http-to-https"]

[http.middlewares]
  [http.middlewares.http-to-https.redirectScheme]
  scheme = "https"
  permanent = true

[http.services]
  [http.services.dummy.LoadBalancer]
    [[http.services.dummy.LoadBalancer.servers]]
    url = ""
```
Will there be a remedy for all this verbosity in the future or will I simply have to stay on Traefik 1.7 forever? I fully understand that the old concepts had serious limitations. I even made a feature request to decouple ACME from the entry points. But now these limitations are replaced by a new set of even more ridiculous limitations + spammy container labels.
I’m sad!
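
Added example, not part of the original post and not Traefik's own code: with four labels needed per container, a missing one can leave a router on the plain HTTP entry point or without a certificate, so this sketch audits one container's labels for the combination listed above. The function name `audit_router_labels`, the `(auto)` key and the sample label sets are assumptions made for illustration; the entry point name `https` and resolver name `default` come from the post's config.

```python
import re

# Matches traefik.http.routers.<router>.<option>; keys are compared lower-cased.
ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")


def audit_router_labels(labels, https_entrypoint="https", resolver="default"):
    """Return {router: [findings]} for one container's Docker labels."""
    labels = {k.lower(): v.strip() for k, v in labels.items()}
    if labels.get("traefik.enable", "").lower() != "true":
        return {}  # exposedByDefault = false: container is not published at all

    routers = {}
    for key, value in labels.items():
        m = ROUTER_LABEL.match(key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value

    if not routers:
        return {"(auto)": ["enabled without router labels: the generated router "
                           "has no entry point restriction and no TLS"]}

    findings = {}
    for name, opts in routers.items():
        issues = []
        eps = [e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()]
        if not eps:
            issues.append("no entryPoints: router also binds to the HTTP entry point")
        elif any(e != https_entrypoint for e in eps):
            issues.append("bound to an entry point other than " + https_entrypoint)
        # Assumption: TLS counts as on if tls=true or a cert resolver is set.
        if opts.get("tls", "").lower() != "true" and "tls.certresolver" not in opts:
            issues.append("TLS not enabled")
        if opts.get("tls.certresolver") != resolver:
            issues.append("certResolver is not " + resolver)
        if issues:
            findings[name] = issues
    return findings


# Constructed sample label sets, modelled on the whoami-https router in the post.
COMPLETE = {
    "traefik.enable": "true",
    "traefik.http.routers.whoami-https.entryPoints": "https",
    "traefik.http.routers.whoami-https.tls": "true",
    "traefik.http.routers.whoami-https.tls.certResolver": "default",
}
ENABLE_ONLY = {"traefik.enable": "true"}
NO_ENTRYPOINT = {k: v for k, v in COMPLETE.items() if not k.endswith("entryPoints")}
```

Fed with the `Config.Labels` map from `docker inspect` for each container, an empty result means the router has all four settings from the list above.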