NEWBIE question: how to setup secure endpoint correctly?

Hello, I'm trying to run a basic example with traefik and the whoami service.
I have:

  • Registered domain name with CNAME record "whoami"
  • defined 2 endpoints: "http" on port 80 and "https" on port 443.

The "https" endpoint received TLS certificate OK.
However, when I'm accessing "whoami" over the https endpoint, I'm getting a "404" response.

curl https://whoami.*****.com
404 page not found

and access log shows:

172.71.99.76 - - [21/Oct/2024:09:33:55 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 6 "-" "-" 0ms

And when I'm accessing "whoami" over the http endpoint, I'm getting a "200" response.

Here is my configuration:

services:
  whoami:
    container_name: whoami
    image: traefik/whoami
    depends_on:
      - traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=http 
      - traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`) && Path(`/http`)
      #
      - traefik.http.routers.whoami-secure.entrypoints=https
      - traefik.http.routers.whoami-secure.rule=Host(`whoami.${DOMAIN}`)
      - traefik.http.routers.whoami-secure.tls.certresolver=letsEncrypt
      - traefik.http.routers.whoami-secure.tls=true

  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    command:
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.traefik.address=:8080"
      - "--certificatesresolvers.letsEncrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsEncrypt.acme.email=janis.petke@mail.com"
      - "--certificatesresolvers.letsEncrypt.acme.storage=acme.json"
      - "--log.level=debug"
      - "--log.filepath=/data/stdout.log"
      - "--log.format=common"
      - "--accessLog.filePath=/data/access.log"
      - "--accessLog.filters.statusCodes=200,300-302,400-404,500-505"
      - "--accessLog.filters.retryAttempts=true"
      - "--accessLog.filters.minDuration=10ms"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "/opt/appdata/traefik/acme.json:/acme.json"
      - "/opt/appdata/traefik/logs/stdout.log:/data/stdout.log:rw"
      - "/opt/appdata/traefik/logs/access.log:/data/access.log:rw"

Try to remove the line, as it is normally used to enable custom loaded TLS certs:

Compare to simple Traefik example.

Removed that line:

    labels:
      - traefik.enable=true
      #
      - traefik.http.routers.whoami.entrypoints=http 
      - traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`) && Path(`/http`)
      #
      - traefik.http.routers.whoami-secure.entrypoints=https
      - traefik.http.routers.whoami-secure.rule=Host(`whoami.${DOMAIN}`)
      - traefik.http.routers.whoami-secure.tls.certresolver=letsEncrypt
      #- traefik.http.routers.whoami-secure.tls=true

The TLS certificate is still picked up, but still no effect on accessing "whoami" over the "https" endpoint: 404

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Or just start with the example.

Hi, I'm not using any config files for traefik - I have set
them in the "command" section.
The only file I'm using is acme.json with permissions 600.
.env:

DOMAIN=exalple.domain.com

docker-compose.yaml:

services:
  whoami:
    container_name: whoami
    image: traefik/whoami
    depends_on:
      - traefik
    labels:
      - traefik.enable=true
      #
      - traefik.http.routers.whoami.entrypoints=http 
      - traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`) && Path(`/http`)
      #
      - traefik.http.routers.whoami-secure.entrypoints=https
      - traefik.http.routers.whoami-secure.rule=Host(`whoami.${DOMAIN}`)
      - traefik.http.routers.whoami-secure.tls.certresolver=letsEncrypt

  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    command:
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.traefik.address=:8080"
      - "--certificatesresolvers.letsEncrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsEncrypt.acme.email=janis.petke@mail.com"
      - "--certificatesresolvers.letsEncrypt.acme.storage=acme.json"
      - "--certificatesresolvers.letsEncrypt.acme.httpChallenge.entryPoint=http"
      - "--log.level=debug"
      - "--log.filepath=/data/stdout.log"
      - "--log.format=common"
      - "--accessLog.filePath=/data/access.log"
      - "--accessLog.filters.statusCodes=200,300-302,400-404,500-505"
      - "--accessLog.filters.retryAttempts=true"
      - "--accessLog.filters.minDuration=10ms"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "/opt/appdata/traefik/acme.json:/acme.json"
      - "/opt/appdata/traefik/logs/stdout.log:/data/stdout.log:rw"
      - "/opt/appdata/traefik/logs/access.log:/data/access.log:rw"

  code-server:
    image: lscr.io/linuxserver/code-server:latest
    container_name: code-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Helsinki
      #- PASSWORD=password #optional
      #- HASHED_PASSWORD= #optional
      #- SUDO_PASSWORD=pasword #optional
      #- SUDO_PASSWORD_HASH= #optional
      #- PROXY_DOMAIN=code-server.my.domain #optional
      - DEFAULT_WORKSPACE=/config/workspace #optional
    volumes:
      - /opt/appdata/code-server/config:/config
      - /opt/appdata:/link-to-appdata
    ports:
      - 8443:8443
    restart: unless-stopped

Make sure to set an absolute path to persist the file:

Don't expose ports: of target services, as that might circumvent Traefik security middlewares.

There seems to be two challenges, decide for one:

What does Traefik debug log tell you?

Hi,
Done as you recommended:

      - "--certificatesresolvers.letsEncrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsEncrypt.acme.email=janis.petke@mail.com"
      - "--certificatesresolvers.letsEncrypt.acme.storage=/acme.json"

Still no effect.

I see nothing special in traefik log: PasteBin

Not sure what is happening. It seems whoami-secure is recognized, but no server is created, as opposed to the other services.

UPDATE: The log mentions stripprefix, which is not in your config, so something is off.

Hi,

I have tried the solution given in this thread.

But looking at the access logs I have found that all requests were forwarded to the HTTP endpoint.

172.71.102.165 - - [22/Oct/2024:19:03:31 +0000] "GET / HTTP/1.1" 200 789 "-" "-" 7 "whoami@docker" "http://172.20.0.5:80" 0ms

When the dashboard has 2 entrypoints:

  • https-whoami@docker
  • whoami@docker

I also have modified the whoami container configuration like so:

  whoami:
    container_name: whoami
    image: traefik/whoami
    depends_on:
      - traefik
    networks:
      - traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)
      - traefik.http.routers.whoami.tls=true

So in dashboard the config looks like:

But still getting 404.

Check with docker inspect if the templating with ${DOMAIN} has worked.

Please explain how, as this is beyond my knowledge yet.
Which container?
What to look for?

Check that the whoami container has labels with the correct domain, so the variable was correctly substituted.

I have cut the labels section from the docker inspect whoami output:

            "Labels": {
                "com.docker.compose.config-hash": "71f647e0566aead0eb93ad96ac34f5b1f6eef6d6f729ec29909fd7635d9ac225",
                "com.docker.compose.container-number": "1",
                "com.docker.compose.depends_on": "traefik:service_started:false",
                "com.docker.compose.image": "sha256:aeef15490f2bf3144bff9167ee46eb7d9f8f072ab2c16c563bc45b0eeae3d707",
                "com.docker.compose.oneoff": "False",
                "com.docker.compose.project": "appdata",
                "com.docker.compose.project.config_files": "/opt/appdata/docker-compose.yaml",
                "com.docker.compose.project.working_dir": "/opt/appdata",
                "com.docker.compose.service": "whoami",
                "com.docker.compose.version": "2.29.7",
                "org.opencontainers.image.created": "2024-08-22T08:05:56Z",
                "org.opencontainers.image.description": "Tiny Go webserver that prints OS information and HTTP request to output",
                "org.opencontainers.image.documentation": "https://github.com/traefik/whoami",
                "org.opencontainers.image.revision": "dec1ed84e37648285d4ddfae911344483c77906b",
                "org.opencontainers.image.source": "https://github.com/traefik/whoami",
                "org.opencontainers.image.title": "whoami",
                "org.opencontainers.image.url": "https://github.com/traefik/whoami",
                "org.opencontainers.image.version": "1.10.3",
                "traefik.enable": "true",
                "traefik.http.routers.whoami.rule": "Host(`whoami.*******.com`)"
            }
        },

There is only one line containing ${DOMAIN}, and it is correct.

Full dump here.

I have made some progress with the issue. The problem was not in the traefik / whoami service configuration, but on the DNS provider side.

I have found a way to call the whoami service with the insecure switch:

curl -k -H Host:whoami.*******.com https://192.168.1.21
curl -k -H Host:whoami.*******.com http://192.168.1.21

and both entrypoints responded fine:

192.168.1.11 - - [25/Oct/2024:19:11:44 +0000] "GET / HTTP/1.1" 200 369 "-" "-" 32 "whoami@docker" "http://172.20.0.4:80" 0ms
192.168.1.11 - - [25/Oct/2024:19:12:01 +0000] "GET / HTTP/2.0" 200 371 "-" "-" 33 "https-whoami@docker" "http://172.20.0.4:80" 0ms

So this proves that the traefik and whoami configuration is correct.

My problem appears to be in the Cloudflare SSL/TLS encryption scheme. It was "Flexible", and it has to be set to "Full" in order to use the https entrypoint in traefik.

Issue is closed.
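The diagnostic the thread arrives at (check which Traefik router actually served each request) can be automated over the access log. The following is an added example, not code from the thread or from Traefik: it parses Traefik's "common" access-log format, using the four log lines quoted above as constructed sample input, and buckets requests into "no router matched", "served by a plain-HTTP router" and "served by a TLS router". The set of TLS router names is an assumption supplied by the operator; a CDN in "Flexible" mode shows up as https traffic landing entirely in the plain-router bucket.

```python
import re
from collections import Counter

# Traefik "common" access-log layout: CLF fields, then Traefik's own trailing fields:
# client - user [time] "method path proto" status size "referer" "ua" count "router" "server" durationms
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" \d+ '
    r'"(?P<router>[^"]*)" "(?P<server>[^"]*)" (?P<ms>\d+)ms$'
)

# Constructed sample: the four access-log lines quoted in this thread.
SAMPLE_LOG = """\
172.71.99.76 - - [21/Oct/2024:09:33:55 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 6 "-" "-" 0ms
172.71.102.165 - - [22/Oct/2024:19:03:31 +0000] "GET / HTTP/1.1" 200 789 "-" "-" 7 "whoami@docker" "http://172.20.0.5:80" 0ms
192.168.1.11 - - [25/Oct/2024:19:11:44 +0000] "GET / HTTP/1.1" 200 369 "-" "-" 32 "whoami@docker" "http://172.20.0.4:80" 0ms
192.168.1.11 - - [25/Oct/2024:19:12:01 +0000] "GET / HTTP/2.0" 200 371 "-" "-" 33 "https-whoami@docker" "http://172.20.0.4:80" 0ms
"""

def parse_line(line):
    """Return the fields we care about as a dict, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields

def classify(entry, tls_routers):
    """Bucket one request by which router (if any) Traefik matched."""
    if entry["router"] == "-":
        return "no_router"      # nothing matched on that entrypoint: Traefik's own 404
    if entry["router"] in tls_routers:
        return "tls_router"     # TLS terminated at Traefik, as intended
    return "plain_router"       # reached the :80 router; "Flexible" CDN mode lands here

def summarize(log_text, tls_routers):
    """Count requests per bucket; unparsable lines are counted separately, not dropped silently."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        counts["unparsed" if entry is None else classify(entry, tls_routers)] += 1
    return counts

if __name__ == "__main__":
    # tls_routers is an assumed operator-supplied set; "https-whoami@docker" is the name from the thread.
    print(summarize(SAMPLE_LOG, {"https-whoami@docker"}))
```

If every request from the CDN's address ranges ends up in plain_router while browsers are using https, the TLS session is being terminated at the CDN and re-sent to the origin in clear text, which is what the "Flexible" setting does.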