moltra
April 16, 2024, 2:46pm
I have 2 files that work under 2.7.3, but if I upgrade my Traefik Docker container to 2.8.8 I get an error on both saying that the respective service was not found.
Thanks in advance.
```yaml
http:
  routers:
    jelly-rpi-rtr:
      # The {{env ...}} template is expanded by Traefik before the YAML is parsed
      rule: "Host(`jelly.{{env "DOMAINNAME_CLOUD_SERVER"}}`)"
      entryPoints:
        - http # port-80 entryPoint, while tls is enabled below
      middlewares:
        - chain-oauth
      # service names exactly one service, so it is a string, not a list
      service: jelly-rpi-svc
      tls:
        certResolver: dns-cloudflare
  services:
    jelly-rpi-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.0.116:8096" # or whatever your external host's IP:port is
```
```yaml
http:
  routers:
    ebook-rpi-rtr:
      # The {{env ...}} template is expanded by Traefik before the YAML is parsed
      rule: "Host(`ebook.{{env "DOMAINNAME_CLOUD_SERVER"}}`)"
      entryPoints:
        - https
      middlewares:
        - chain-oauth
      # service names exactly one service, so it is a string, not a list
      service: ebook-rpi-svc
      tls:
        certResolver: dns-cloudflare
  services:
    ebook-rpi-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.0.116:8080" # or whatever your external host's IP:port is
```
Here is the access log under 2.7.3:

```text
[15/Apr/2024:03:18:08 +0000] "GET /book-get-annotations/Books4Work/154-EPUB?1713151029724 HTTP/2.0" 404 30 "-" "-" 44570 "ebook-rpi-rtr@file" "http://192.168.0.116:8080 " 13ms
```

Here is the access log under 2.8.8:

```text
[16/Apr/2024:02:32:35 +0000] "GET /api/http/services/%E2%95%9124%E2%95%91ebook-rpi-svc@file HTTP/2.0" 404 60 "-" "-" 83 "traefik-rtr@docker" "-" 1ms
```
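An added check for this class of mistake (example code written for this page; it is not Traefik code and not from the original post). It takes the `http:` section of one or more rules files, as the file provider sees them together, and flags a router `service` that is not a single string, a reference to a service or middleware that no file defines, and a `tls` section on a router whose entryPoint is not a TLS entryPoint. The sample configs are constructed from the two posted files with `jelly.example.com` / `ebook.example.com` standing in for the real domain; the `chain-oauth` stand-in and the assumption that only `https` carries TLS are mine.

```python
"""Offline sanity checks for the http: section of Traefik v2 dynamic config.

Added example for this thread, not Traefik code. The chain-oauth stand-in and
the set of TLS entryPoints are assumptions.
"""
from __future__ import annotations

import copy
from typing import Any

Config = dict[str, Any]


def load_dynamic_config(path: str) -> Config:
    """Load one YAML rules file. Needs PyYAML. Traefik expands Go templates
    such as {{env "X"}} before parsing, so expand them first (or check a file
    that has none)."""
    import yaml  # lazy import: the checks below do not need PyYAML
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


def merge_configs(*cfgs: Config) -> Config:
    """Merge the http: sections of several files, the way one file-provider
    directory is seen by Traefik: a router in one file may reference a
    middleware defined in another file of the same provider without @file."""
    merged: Config = {"http": {"routers": {}, "services": {}, "middlewares": {}}}
    for cfg in cfgs:
        for section in ("routers", "services", "middlewares"):
            merged["http"][section].update((cfg.get("http") or {}).get(section) or {})
    return merged


def check_http_config(cfg: Config,
                      tls_entrypoints: frozenset[str] = frozenset({"https"})) -> list[str]:
    """Return human-readable findings; an empty list means nothing was found."""
    findings: list[str] = []
    http = cfg.get("http") or {}
    routers = http.get("routers") or {}
    services = http.get("services") or {}
    middlewares = http.get("middlewares") or {}

    for name, router in routers.items():
        svc = router.get("service")
        # 'service' names exactly one service. A YAML list (what the posted files
        # use) is not a string and does not resolve to the intended service.
        if not isinstance(svc, str):
            findings.append(f"{name}: 'service' must be a string, got {type(svc).__name__} {svc!r}")
        elif "@" not in svc and svc not in services:  # names with @ belong to another provider
            findings.append(f"{name}: service {svc!r} is not defined by this provider")

        for mw in router.get("middlewares") or []:
            if not isinstance(mw, str):
                findings.append(f"{name}: middleware entries must be strings, got {mw!r}")
            elif "@" not in mw and mw not in middlewares:
                findings.append(f"{name}: middleware {mw!r} is not defined by this provider")

        # A router with a tls section only matches TLS connections, so on an
        # entryPoint that serves plain HTTP its plain requests fall through to 404.
        if "tls" in router:
            for ep in router.get("entryPoints") or []:
                if ep not in tls_entrypoints:
                    findings.append(f"{name}: tls enabled but entryPoint {ep!r} is not a TLS entryPoint")
    return findings


def unwrap_single_service(cfg: Config) -> Config:
    """Copy of cfg where a one-element 'service' list becomes its element,
    which is the fix for the mistake flagged above."""
    fixed = copy.deepcopy(cfg)
    for router in ((fixed.get("http") or {}).get("routers") or {}).values():
        svc = router.get("service")
        if isinstance(svc, list) and len(svc) == 1 and isinstance(svc[0], str):
            router["service"] = svc[0]
    return fixed


# Constructed samples: the two posted files as parsed after template expansion
# (example.com stands in for the real domain), plus a stand-in for chain-oauth,
# which lives in a file the thread does not show.
POSTED_JELLY: Config = {"http": {
    "routers": {"jelly-rpi-rtr": {
        "rule": "Host(`jelly.example.com`)", "entryPoints": ["http"],
        "middlewares": ["chain-oauth"], "service": ["jelly-rpi-svc"],
        "tls": {"certResolver": "dns-cloudflare"}}},
    "services": {"jelly-rpi-svc": {"loadBalancer": {"servers": [{"url": "http://192.168.0.116:8096"}]}}}}}
POSTED_EBOOK: Config = {"http": {
    "routers": {"ebook-rpi-rtr": {
        "rule": "Host(`ebook.example.com`)", "entryPoints": ["https"],
        "middlewares": ["chain-oauth"], "service": ["ebook-rpi-svc"],
        "tls": {"certResolver": "dns-cloudflare"}}},
    "services": {"ebook-rpi-svc": {"loadBalancer": {"servers": [{"url": "http://192.168.0.116:8080"}]}}}}}
CHAIN_FILE: Config = {"http": {"middlewares": {"chain-oauth": {"chain": {"middlewares": ["oauth-auth"]}}}}}


if __name__ == "__main__":
    merged = merge_configs(POSTED_JELLY, POSTED_EBOOK, CHAIN_FILE)
    for line in check_http_config(merged):
        print("as posted:", line)
    for line in check_http_config(unwrap_single_service(merged)):
        print("after fix:", line)
```

Run against the two posted files it reports three findings: both routers have a list where a single service name belongs, and `jelly-rpi-rtr` enables `tls` on the `http` entryPoint. After `unwrap_single_service` only the entryPoint finding remains, which matches the question raised in the reply.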
Jelly uses the "http" entrypoint but enables TLS?

Why would you upgrade to an almost 2 year old version? Just last week another CVE was fixed.

Share your full Traefik static and dynamic config, and docker-compose.yml if used.
moltra
April 17, 2024, 2:04am
```yaml
version: "3.9"

########################### NETWORKS
# You may customize the network subnet (192.168.90.0/24) below as you please.
# Docker Compose version 3.5 or higher required to define networks this way.
networks:
  socket_proxy:
    name: socket_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.91.0/24 # the post had "/2", which is not a usable subnet
  # t2_proxy:
  #   name: t2_proxy
  #   driver: bridge
  #   ipam:
  #     config:
  #       - subnet: 192.168.90.0/24

########################### SECRETS
secrets:
  traefik_forward_auth:
    file: $DOCKERDIR/secrets/traefik_forward_auth

########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228

# Common environment values
x-environment: &default-tz-puid-pgid
  TZ: $TZ
  PUID: $PUID
  PGID: $PGID

# Keys common to some of the core services that we always want to automatically restart on failure
x-common-keys-core: &common-keys-core
  networks:
    # - t2_proxy
    - socket_proxy
  security_opt:
    - no-new-privileges:true
  restart: always

# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
  networks:
    # - t2_proxy
    - socket_proxy
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped

# Keys common to some of the services in media-services.txt
x-common-keys-media: &common-keys-media
  networks:
    # - t2_proxy
    - socket_proxy
  security_opt:
    - no-new-privileges:true
  restart: "no"

########################### SERVICES
services:
  # Traefik 2 - Reverse Proxy
  traefik:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: traefik
    image: traefik:2.8
    profiles: ["db_setup", "frontend"]
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entryPoints.postgres.address=:5432
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --entryPoints.traefik.address=:8080
      - --api=true
      # - --api.insecure=true
      - --api.dashboard=true
      # - --serversTransport.insecureSkipVerify=true
      - --log=true
      # - --log.filePath=/logs/cloudserver/traefik/traefik.log
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/logs/cloudserver/traefik/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      # - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - --providers.docker.endpoint=tcp://socket-proxy:2375 # Use this instead of the previous line if you have socket proxy.
      - --providers.docker.exposedByDefault=false
      - --entrypoints.https.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER
      # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME2 # Pulls main cert for second domain
      # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME2 # Pulls wildcard cert for second domain
      - --providers.docker.network=socket_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    networks:
      # t2_proxy:
      #   ipv4_address: 192.168.90.254 # You can specify a static IP
      - socket_proxy
      # - default
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - "5432:5432" #<<<<<<<<<<<<<<<< to access PostgreSQL
      # - "8080:8080"
      # - target: 8080 # insecure api wont work
      #   published: 8080
      #   protocol: tcp
      #   mode: host
    volumes:
      - $DOCKERDIR/appdata/traefik2/rules/cloudserver:/rules # file provider directory
      # - /var/run/docker.sock:/var/run/docker.sock:ro # If you use Docker Socket Proxy, comment this line out
      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must create this empty file and change permissions to 600
      - $DOCKERDIR/logs/cloudserver/traefik:/logs # for fail2ban or crowdsec
      - $DOCKERDIR/shared:/shared
    environment:
      - TZ=$TZ
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
      - DOMAINNAME_CLOUD_SERVER # Passing the domain name to the traefik container to be able to use the variable in rules.
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.docker.network=socket_proxy"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
      # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAINNAME2" # Pulls main cert for second domain
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAINNAME2" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Healthcheck/ping
      # - "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`) && Path(`/ping`)"
      # - "traefik.http.routers.ping.tls=true"
      # - "traefik.http.routers.ping.service=ping@internal"
      ## Middlewares
      # - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" # For No Authentication
      # - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file" # For Basic HTTP Authentication
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file" # For Google OAuth

  # Dozzle - Real-time Docker Log Viewer
  dozzle:
    image: amir20/dozzle:latest
    container_name: dozzle
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["db_setup", "frontend"]
    networks:
      # - t2_proxy
      - socket_proxy
    ports:
      - "8082:8080"
    environment:
      DOZZLE_LEVEL: info
      DOZZLE_TAILSIZE: 300
      DOZZLE_FILTER: "status=running"
      # DOZZLE_FILTER: "label=log_me" # limits logs displayed to containers with this label
      DOCKER_HOST: tcp://socket-proxy:2375
    # volumes:
    #   - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.dozzle-rtr.entrypoints=https"
      - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.dozzle-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
      - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"

  # Heimdall - Application Dashboard
  heimdall:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    image: lscr.io/linuxserver/heimdall
    container_name: heimdall
    # ports:
    #   - "$HEIMDALL_HTTP_PORT:80" # 80 used by Traefik
    #   - "$HEIMDALL_HTTPS_PORT:443" # 443 used by Traefik. Disabled because we will put Heimdall behind proxy.
    networks:
      - socket_proxy
    volumes:
      - $DOCKERDIR/appdata/heimdall:/config
    profiles: ["db_setup", "frontend"]
    environment:
      <<: *default-tz-puid-pgid
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.heimdall-rtr.entrypoints=https"
      - "traefik.http.routers.heimdall-rtr.rule=Host(`$DOMAINNAME_CLOUD_SERVER`,`www.$DOMAINNAME_CLOUD_SERVER`)"
      - "traefik.http.routers.heimdall-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.heimdall-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.heimdall-rtr.service=heimdall-svc"
      - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80"

  # Google OAuth - Single Sign On using OAuth 2.0
  oauth:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: oauth
    image: thomseddon/traefik-forward-auth:latest
    # image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi
    profiles: ["db_setup", "frontend"]
    environment:
      - CONFIG=/config
      - COOKIE_DOMAIN=$DOMAINNAME_CLOUD_SERVER
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.$DOMAINNAME_CLOUD_SERVER
      - URL_PATH=/_oauth
      - LOG_LEVEL=info
      - LOG_FORMAT=text
      - LIFETIME=2592000 # 30 days
      - DEFAULT_ACTION=auth
      - DEFAULT_PROVIDER=google
    secrets:
      - source: traefik_forward_auth
        target: /config
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.oauth-rtr.tls=true"
      - "traefik.http.routers.oauth-rtr.entrypoints=https"
      - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.oauth-rtr.service=oauth-svc"
      - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"

  it-tools:
    image: corentinth/it-tools
    container_name: it-tools
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["db_setup", "frontend"]
    networks:
      - socket_proxy
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.it-tools-rtr.entrypoints=https"
      - "traefik.http.routers.it-tools-rtr.rule=Host(`tools.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.it-tools-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.it-tools-rtr.service=it-tools-svc"
      - "traefik.http.services.it-tools-svc.loadbalancer.server.port=80"

  # Docker-GC - Automatic Docker Garbage Collection
  # Create docker-gc-exclude file
  dockergc:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: clockworksoul/docker-gc-cron:latest
    container_name: docker-gc
    profiles: ["frontend"]
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy and comment this line for improved security.
      - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude # Create empty file
    environment:
      CRON: "0 0 0 * * ?" # Everyday at midnight. Previously 0 0 * * *
      FORCE_IMAGE_REMOVAL: 1
      FORCE_CONTAINER_REMOVAL: 0
      GRACE_PERIOD_SECONDS: 604800
      DRY_RUN: 0
      CLEAN_UP_VOLUMES: 1
      TZ: $TZ
      DOCKER_HOST: tcp://socket-proxy:2375 # Use this if you have Socket Proxy enabled.

  # Docker Socket Proxy - Security Enhanced Proxy for Docker Socket
  socket-proxy:
    container_name: socket-proxy
    image: tecnativa/docker-socket-proxy
    profiles: ["db_setup", "frontend"]
    restart: always
    networks:
      socket_proxy:
        ipv4_address: $socket_proxy_ip # 192.168.91.254 You can specify a static IP
    # privileged: true # true for VM. False for unprivileged LXC container.
    ports:
      - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
      # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
      # - "2375:2375"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      # 0 to revoke access.
      # 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      ## Revoked by Default
      # Security critical
      - AUTH=0
      - SECRETS=0
      - POST=1 # Watchtower
      # Not always needed
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1 # Traefik, portainer, etc.
      - DISTRIBUTION=0
      - EXEC=0
      - IMAGES=1 # Portainer
      - INFO=1 # Portainer
      - NETWORKS=1 # Portainer
      - NODES=0
      - PLUGINS=0
      - SERVICES=1 # Portainer
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1 # Portainer
      - VOLUMES=1 # Portainer

  # Grafana - Graphical data visualization for InfluxDB data
  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["frontend"]
    networks:
      - socket_proxy
    ports:
      - "3000:3000"
    user: $PUID
    volumes:
      - $DOCKERDIR/appdata/grafana:/var/lib/grafana
    environment:
      GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel"
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.grafana-rtr.entrypoints=https"
      - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.grafana-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.grafana-rtr.service=grafana-svc"
      - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"

  portainer:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: portainer
    image: portainer/portainer-ee:latest
    profiles: ["db_setup", "frontend"]
    # command: -H unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
    command: -H tcp://socket-proxy:2375
    networks:
      - socket_proxy
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

  # WatchTower - Automatic Docker Container Updates
  watchtower:
    image: containrrr/watchtower
    profiles: ["db_setup", "frontend"]
    container_name: watchtower
    restart: unless-stopped
    networks:
      - socket_proxy
    depends_on:
      - socket-proxy
    environment:
      TZ: $TZ
      WATCHTOWER_CLEANUP: "true"
      WATCHTOWER_REMOVE_VOLUMES: "true"
      WATCHTOWER_INCLUDE_STOPPED: "true"
      WATCHTOWER_NO_STARTUP_MESSAGE: "false"
      WATCHTOWER_SCHEDULE: "00 30 12 * * *" # Everyday at 12:30
      # WATCHTOWER_NOTIFICATIONS: shoutrrr
      # WATCHTOWER_NOTIFICATION_URL: "telegram://$TGRAM_BOT_TOKEN@telegram?channels=$TGRAM_CHAT_ID"
      # WATCHTOWER_NOTIFICATIONS_LEVEL: info
      DOCKER_HOST: tcp://socket-proxy:2375
      DOCKER_API_VERSION: "1.40"

  # InfluxDB - Database for sensor data
  influxdb:
    image: influxdb:latest
    container_name: influxdb
    networks:
      socket_proxy:
        ipv4_address: $influxdb_ip
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    environment:
      - LOG-LEVEL=debug
    ports:
      - "8086:8086"
    volumes:
      - $DOCKERDIR/appdata/influxdb2/config:/etc/influxdb2
      - $DOCKERDIR/appdata/influxdb2/db:/var/lib/influxdb2
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.influxdb-rtr.entrypoints=https"
      - "traefik.http.routers.influxdb-rtr.rule=Host(`infl.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.influxdb-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.influxdb-rtr.service=influxdb-svc"
      - "traefik.http.services.influxdb-svc.loadbalancer.server.port=8086"

  # Glances - System Information
  glances:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: nicolargo/glances:latest-full
    container_name: glances
    profiles: ["db_setup", "frontend"]
    # privileged: true # Only for VM
    # network_mode: host
    networks:
      - socket_proxy
    ports:
      - "61208:61208"
    pid: host
    volumes:
      - $DOCKERDIR/appdata/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file
      - $USERDIR:/data/home:ro
      - /media/data:/data/data:ro
      # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
    environment:
      # GLANCES_OPT: "-C /glances/conf/glances.conf --export influxdb2 -q"
      # GLANCES_OPT: "--export influxdb"
      GLANCES_OPT: "-w"
      DOCKER_HOST: tcp://socket-proxy:2375
      TZ: $TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.glances-rtr.entrypoints=https"
      - "traefik.http.routers.glances-rtr.rule=Host(`glances.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.glances-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.glances-rtr.service=glances-svc"
      - "traefik.http.services.glances-svc.loadbalancer.server.port=61208"

  node-red:
    image: nodered/node-red:latest
    environment:
      - TZ=$TZ
      - CODER_HTTP_ADDRESS=0.0.0.0:1880 # list-form environment entries are KEY=VALUE
    ports:
      - "1880:1880"
    profiles: ["db_setup", "frontend"]
    container_name: nodered
    networks:
      - socket_proxy
    volumes:
      - $DOCKERDIR/appdata/node-red-data:/data
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.nodered-rtr.entrypoints=https"
      - "traefik.http.routers.nodered-rtr.rule=Host(`nodered.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.nodered-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.nodered-rtr.service=nodered-svc"
      - "traefik.http.services.nodered-svc.loadbalancer.server.port=1880"
```
I started following a tutorial online. I have not been keeping up with the changes.
If you want any other files, just let me know.
moltra
April 17, 2024, 3:54am
A little more testing: the problem is between 2.8.1 and 2.8.3.
I might be adding an R610 server with Docker containers soon, so updating to the most recent version will be great.
I have to admit that I don't understand your setup.
On one side you have a super complicated setup with templates, dedicated users and even a Docker socket proxy, so it seems you care about security.
Then you make the Docker socket proxy accessible to all services, instead of using a separate network.
You want to run a two-year-old version of Traefik, although there are bug fixes like every month and security fixes every couple of months.
This doesn't make sense to me. Sorry, I do care about making the Internet a safer place.
Regarding use of the Docker socket proxy, maybe check this recent discussion.
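The exposure the reply points at can be measured and fixed mechanically on the parsed Compose file. The following is an added example written for this page (not Traefik, Compose or the poster's code): `can_reach` lists every service that shares a network with the socket proxy, and `split_networks` moves application containers onto their own network while the containers that actually set `DOCKER_HOST` keep the proxy network. The sample is a constructed skeleton of the posted `docker-compose.yml` (service and network names only); which services stay on the proxy network and the `t2_proxy` name for the application network are assumptions.

```python
"""Which Compose services can reach the Docker socket proxy, and a network split.

Added example for this thread; not Traefik, Compose or the poster's code.
Service and network names mirror the posted docker-compose.yml; the split below
(which services stay on the socket-proxy network) is an assumption.
"""
from __future__ import annotations

import copy
from typing import Any

Compose = dict[str, Any]


def service_networks(service: dict[str, Any]) -> set[str]:
    """Networks a service joins. Compose accepts a list of names or a mapping of
    name -> options (ipv4_address etc.); no 'networks' key means 'default'."""
    nets = service.get("networks")
    if nets is None:
        return {"default"}
    return set(nets)  # keys of the mapping form, elements of the list form


def can_reach(compose: Compose, target: str) -> list[str]:
    """Services sharing at least one network with `target`. Every name returned
    can open TCP connections to the socket proxy on port 2375, so it holds
    whatever Docker API access the proxy's allow-list grants."""
    services = compose.get("services") or {}
    target_nets = service_networks(services[target])
    return sorted(name for name, svc in services.items()
                  if name != target and service_networks(svc) & target_nets)


def split_networks(compose: Compose, proxy_net: str, app_net: str,
                   proxy_side: set[str], both: set[str]) -> Compose:
    """Copy of `compose` where `proxy_side` services sit only on proxy_net,
    `both` services (the reverse proxy) sit on proxy_net and app_net, and every
    other service sits only on app_net. Per-network options are preserved."""
    hardened = copy.deepcopy(compose)
    hardened.setdefault("networks", {}).setdefault(
        app_net, {"name": app_net, "driver": "bridge"})
    for name, svc in hardened["services"].items():
        if name in both:
            wanted = {proxy_net, app_net}
        elif name in proxy_side:
            wanted = {proxy_net}
        else:
            wanted = {app_net}
        old = svc.get("networks")
        if isinstance(old, dict):  # keep options such as a static ipv4_address
            svc["networks"] = {n: old.get(n) or {} for n in sorted(wanted)}
        else:
            svc["networks"] = sorted(wanted)
    return hardened


# Constructed skeleton of the posted Compose file: only network membership
# matters here. Every service is on socket_proxy, as in the post.
POSTED_SHAPE: Compose = {
    "networks": {"socket_proxy": {"name": "socket_proxy", "driver": "bridge"}},
    "services": {
        "socket-proxy": {"networks": {"socket_proxy": {"ipv4_address": "192.168.91.254"}}},
        **{name: {"networks": ["socket_proxy"]} for name in (
            "traefik", "dozzle", "dockergc", "portainer", "watchtower", "glances",
            "heimdall", "oauth", "it-tools", "grafana", "influxdb", "node-red")},
    },
}
# The proxy plus the services that set DOCKER_HOST=tcp://socket-proxy:2375 in the post.
PROXY_SIDE = {"socket-proxy", "dozzle", "dockergc", "portainer", "watchtower", "glances"}


def harden_posted() -> Compose:
    """The posted shape with application containers moved to their own network;
    Traefik sits on both so it can still reach every backend."""
    return split_networks(POSTED_SHAPE, "socket_proxy", "t2_proxy", PROXY_SIDE, {"traefik"})


if __name__ == "__main__":
    print("as posted:", can_reach(POSTED_SHAPE, "socket-proxy"))
    print("after split:", can_reach(harden_posted(), "socket-proxy"))
```

As posted, all twelve other containers can reach the proxy; after the split only the six that need the Docker API can. Once Traefik sits on two networks, `--providers.docker.network=socket_proxy` no longer names the network it shares with the application containers, so that flag has to point at the application network (or each container carries its own `traefik.docker.network` label), and the Compose file's `socket_proxy` references in the `x-common-keys-*` anchors change accordingly.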