One traefik for multiple container

Forssux · September 1, 2023, 3:49pm

Hi There,

Very new to this but I was wondering if it's possible in my Proxmox server to use one Traefik for multiple containers. In essence to avoid installing in every container a Traefik instance

I think that at the very least the networks used in the different containers by docker should have the same IP ranges.

I have a Proxmox server:
105 LXC contains some docker container apps
107 LXC contains some docker container apps
109 LXC contains some docker container apps

109 contains portainer,traefik....Is it possible to connect to the apps from LXC 105 and LXC 107

bluepuma77 · September 1, 2023, 5:05pm

We run Traefik in front of 100 different services, with the help of Traefik Docker Configuration Discovery.

Check out the simple Traefik example.

Forssux · September 1, 2023, 5:39pm

Thank you for your quick answer.
I meant real containers from proxmox.
I'll adapt my question...

bluepuma77 · September 1, 2023, 9:23pm

I don’t think there is Traefik Configuration Discovery for LXC (Linux Containers). Either you change it to Docker or run a Docker Swarm inside for Configuration Discovery.

Alternatively you can declare routers and services manually in a dynamic config file, which you load via providers.file in static config.

asudave · September 10, 2023, 7:23am

If I understand @Forssux correctly, they are looking at the same situation that I am.
Basically, LXCs are similar to virtual machines, each of them have a different IP address.

I have 3 LXCs running with docker installed on each one. Within each docker service, there are several docker containers running that I want to reverse proxy. As a basic example:

LXC1: IP=192.168.0.1; Docker running with traefik and vaultwarden containers
LXC2: IP=192.168.0.2; Docker running with tautulli and overseer containers

What I want to do (and I think Forssux as well) is to have the traefik instance on LXC1 reverse proxy the containers on LXC2. Ideally, I'd like for that to happen through traefik configuration discovery.

I believe I had this set up at one time, but had to rebuild my setup and I cannot find my notes for the life of me. I'd really love not to have to set up traefik multiple times within my LAN.

bluepuma77 · September 10, 2023, 11:03am

To quote what I wrote this morning:

How do you enable inter LXC communication? Did you set up some kind of routing? Or some kind of port forwarding?

By default containers are all about isolation, so by default one Docker in LXC should not be able to talk to another Docker container in another LXC.

A Docker container can expose a port outside of the Docker container, but it’s still inside the LXC.

Forssux · September 10, 2023, 8:37pm

I didn't do anything special. The LXC is as standard as can be on my proxmox.

This is the config for LXC 103 Main

arch: amd64
cores: 4
features: nesting=1
hostname: traefik
lock: mounted
memory: 4096
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=86:C9:21:60:A7:FB,ip=192.168.1.100/24,type=veth
ostype: ubuntu
rootfs: Virtual:vm-103-disk-0,size=8G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 1003 1003 1
lxc.idmap: g 1003 1003 1
lxc.idmap: u 1004 101004 64532
lxc.idmap: g 1004 101004 64532
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

This is the config for My apps LXC

arch: amd64
cores: 12
features: keyctl=1,nesting=1
hostname: APPS
memory: 8192
mp0: /mnt/QData/QMedia/QAnimatie,mp=/mnt/QData/QMedia/QAnimatie
mp1: /mnt/QData/QMedia/QDocu,mp=/mnt/QData/QMedia/QDocu
mp2: /mnt/QData/NonMedia/QEveline,mp=/mnt/QData/NonMedia/QEveline
mp3: /mnt/QData/NonMedia/QFoto-not-published,mp=/mnt/QData/NonMedia/QFoto-not-published
net0: name=eth0,bridge=vmbr0,gw=192.168.1.1,hwaddr=C2:92:C0:26:9B:C0,ip=192.168.1.181/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: Virtual:vm-113-disk-0,size=32G
swap: 2048
unprivileged: 1
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 1003 1003 1
lxc.idmap: g 1003 1003 1
lxc.idmap: u 1004 101004 64532
lxc.idmap: g 1004 101004 64532
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

Here is my docker-compose.yml from 103


version: "3.9"

networks:
  t2_proxy:
    name: t2_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.90.0/24
  default:
    driver: bridge

  socket_proxy:
    name: socket_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.91.0/24

########################### SECRETS
secrets:
  htpasswd:
    file: $DOCKERDIR/secrets/htpasswd
  cf_email:
    file: $DOCKERDIR/secrets/cf_email
  cf_api_key:
    file: $DOCKERDIR/secrets/cf_api_key
  cf_token:
    file: $DOCKERDIR/secrets/cf_token
  traefik_forward_auth:
    file: $DOCKERDIR/secrets/traefik_forward_auth
  mysql_root_password:
    file: $DOCKERDIR/secrets/mysql_root_password
  smtp_password:
    file: $DOCKERDIR/secrets/smtp_password
  guac_db_name:
    file: $DOCKERDIR/secrets/guac_db_name
  guac_mysql_user:
    file: $DOCKERDIR/secrets/guac_mysql_user
  guac_mysql_password:
    file: $DOCKERDIR/secrets/guac_mysql_password
  # Authentik Postgres
  authentik_postgresql_db:
    file: $DOCKERDIR/secrets/authentik_postgresql_db
  authentik_postgresql_user:
    file: $DOCKERDIR/secrets/authentik_postgresql_user
  authentik_postgresql_password:
    file: $DOCKERDIR/secrets/authentik_postgresql_password
  # Authentik
  authentik_secret_key:
    file: $DOCKERDIR/secrets/authentik_secret_key
  # GMail Auth Account
  NORDVPN_USER:
    file: $DOCKERDIR/secrets/NORDVPN_USER
  NORDVPN_PASSWD:
    file: $DOCKERDIR/secrets/NORDVPN_PASSWD
  #traefik_hub_agent_token:
  #  file: $DOCKERDIR/secrets/traefik_hub_agent_token

########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228

# Common environment values
x-environment: &default-tz-puid-pgid
  TZ: $TZ
  PUID: $PUID
  PGID: $PGID
  tty: true

# Keys common to some of the services in basic-services.txt
x-common-keys-core: &common-keys-core
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: always
  tty: true
  # profiles:
  # - core

# Keys common to some of the services in basic-services.txt
x-common-keys-monitoring: &common-keys-monitoring
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: always
  tty: true
  # profiles:
  # - monitoring

# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped
  tty: true
  # profiles:
  # - apps

# Keys common to some of the services in media-services.txt
x-common-keys-media: &common-keys-media
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: "no"
  tty: true
  # profiles:
  # - media

########################### SERVICES
services:
  ############################# FRONTENDS

  # Traefik 2 - Reverse Proxy
  # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
  # touch $DOCKERDIR/appdata/traefik2/acme/acme.json
  # chmod 600 $DOCKERDIR/appdata/traefik2/acme/acme.json
  # touch $DOCKERDIR/logs/cloudserver/traefik.log
  # touch $DOCKERDIR/logs/cloudserver/access.log

  traefik:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: traefik
    image: traefik:2.9
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --entryPoints.traefik.address=:8080
      # - --entryPoints.ping.address=:8081
      - --api=true
      # - --api.insecure=true
      - --api.dashboard=true
      #- --ping=true
      # - --serversTransport.insecureSkipVerify=true
      - --log.level=debug
      - --log.filePath=/logs/traefik.log
      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      # - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      # Automatically set Host rule for services
      # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      # - --entrypoints.https.http.middlewares=chain-oauth@file
      - --entrypoints.https.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME
      # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME2 # Pulls main cert for second domain
      # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME2 # Pulls wildcard cert for second domain
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
      # - --metrics.prometheus=true
      # - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.254 # You can specify a static IP
      socket_proxy:
    #healthcheck:
    #  test: ["CMD", "traefik", "healthcheck", "--ping"]
    #  interval: 5s
    #  retries: 3
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # - target: 8080 # insecure api wont work
      #   published: 8080
      #   protocol: tcp
      #   mode: host
    volumes:
      - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory
      # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must create this emtpy file and change permissions to 600
      - $DOCKERDIR/logs:/logs
    environment:
      - TZ=$TZ
      - CF_API_EMAIL_FILE=/run/secrets/cf_email
      - CF_API_KEY_FILE=/run/secrets/cf_api_key
      - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
      - DOMAINNAME # Passing the domain name to traefik container to be able to use the variable in rules. 
    secrets:
      - cf_email
      - cf_api_key
      - htpasswd
    labels:
      #- "autoheal=true"
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAINNAME2" # Pulls main cert for second domain
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAINNAME2" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Healthcheck/ping
      #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME`) && Path(`/ping`)"
      #- "traefik.http.routers.ping.tls=true"
      #- "traefik.http.routers.ping.service=ping@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" # For No Authentication
      #- "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-https-redirectscheme@file,middlewares-secure-headers@file,middlewares-basic-auth@file"
      #- "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file" # For Basic HTTP Authentication
      #- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file" # For Google OAuth
      #- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" # For Authelia Authentication

  # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
  socket-proxy:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: socket-proxy
    image: tecnativa/docker-socket-proxy
    networks:
      socket_proxy:
        ipv4_address: 192.168.91.254 # You can specify a static IP
    # privileged: true # true for VM. False for unprivileged LXC container.
    ports:
    # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
    # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
      - "2375:2375"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      # 0 to revoke access.
      # 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      ## Revoked by Default
      # Security critical
      - AUTH=0
      - SECRETS=0
      - POST=1 # Watchtower
      # Not always needed
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1 # Traefik, portainer, etc.
      - DISTRIBUTION=0
      - EXEC=0
      - IMAGES=1 # Portainer
      - INFO=1 # Portainer
      - NETWORKS=1 # Portainer
      - NODES=0
      - PLUGINS=0
      - SERVICES=1 # Portainer
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1 # Portainer
      - VOLUMES=1 # Portainer

  # Portainer - WebUI for Containers
  portainer:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: portainer
    image: portainer/portainer-ce:2.16.1
    # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security
    command: -H tcp://socket-proxy:2375
             --log-level DEBUG
    networks:
      t2_proxy:
      socket_proxy:
        ipv4_address: 192.168.91.5
    ports:
      #- "$PORTAINER_PORT:9000"
      - 9900:9900
   volumes:
      # - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved ecurity
      - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfe config locally
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
      - "traefik.http.routers.portainer-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file"
      #- "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
      #- "traefik.http.routers.portainer-rtr.middlewares=middlewares-basic-auth@file"
      #- "traefik.http.routers.portainer-rtr.middlewares=chain-basic-auth@file"
      #- "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file"
      #- "traefik.http.routers.portainer-rtr.middlewares=chain-authentik@file"
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"





  postgresql:
    image: postgres:12-alpine
    container_name: authentik_postgres
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      - t2_proxy
    volumes:
      - "$DOCKERDIR/appdata/authentik/postgresql/data:/var/lib/postgresql/data"
    environment:
      - POSTGRES_DB
      - POSTGRES_USER
      - POSTGRES_PASSWORD
    secrets:
      - authentik_postgresql_db
      - authentik_postgresql_user
      - authentik_postgresql_password
#      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
#      - POSTGRES_USER=${PG_USER:-authentik}
#      - POSTGRES_DB=${PG_DB:-authentik}
#    env_file:
#      - .env
  redis:
    image: docker.io/library/redis:alpine
    container_name: authentik_redis
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - t2_proxy
#    volumes:
#      - redis:/data

  authentik:
    container_name: authentik_server
    hostname: authentik_server
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: server
    networks:
      - t2_proxy
    environment:
      - AUTHENTIK_REDIS__HOST
      - AUTHENTIK_POSTGRESQL__HOST
      - AUTHENTIK_POSTGRESQL__NAME
      - AUTHENTIK_POSTGRESQL__USER
      - AUTHENTIK_POSTGRESQL__PASSWORD
      - AUTHENTIK_EMAIL__PASSWORD
      - AUTHENTIK_ERROR_REPORTING__ENABLED
      - AUTHENTIK_SECRET_KEY
      - AUTHENTIK_COOKIE_DOMAIN
      # - WORKERS
    volumes:
      - "$DOCKERDIR/appdata/authentik/media:/media"
      - "$DOCKERDIR/appdata/authentik/custom-templates:/templates"
      - "$DOCKERDIR/appdata/authentik/geoip/data:/geoip"
    secrets:
      - authentik_postgresql_db
      - authentik_postgresql_user
      - authentik_postgresql_password
      - smtp_password
      - authentik_secret_key
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
    labels:
          - "traefik.enable=true"
          ## HTTP Routers
          #- traefik.http.routers.authentik-rtr.rule: Host(`authentik.$DOMAINNAME`)
          - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.$DOMAINNAME`)|| HostRegexp(`{subdomain:[A-Za-z0-9]+}.$DOMAINNAME`) && PathPrefix(`/outpost.goauthentik.io/`)"
          #- "traefik.http.routers.authentik-rtr.rule:=Host(`authentik.$DOMAINNAME`)&& HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.$DOMAINNAME`) && PathPrefix(`/outpost.goauthentik.io/`)"
          - "traefik.http.routers.authentik-rtr.entrypoints=https"
          - "traefik.http.routers.authentik-rtr.priority=1"
          - "traefik.http.routers.authentik-rtr.tls=true"
          - "traefik.http.routers.authentik-rtr.tls.certresolver=dns-cloudflare"
          ## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)  

# This comes from the Authentik Website
#  worker:
#    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.8.1}
#    restart: unless-stopped
#    command: worker
#    environment:
#      AUTHENTIK_REDIS__HOST: redis
#      AUTHENTIK_POSTGRESQL__HOST: postgresql
#      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
#      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
#      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.

  authentik-worker:
    container_name: authentik_worker
    hostname: authentik_worker
    image:  ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: worker
    networks:
      - t2_proxy
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $DOCKERDIR/appdata/authentik/media:/media
      - $DOCKERDIR/appdata/authentik/templates:/templates
      - $DOCKERDIR/appdata/authentik/geoip/data:/geoip
    environment:
      - AUTHENTIK_REDIS__HOST
      - AUTHENTIK_POSTGRESQL__HOST
      - AUTHENTIK_POSTGRESQL__NAME
      - AUTHENTIK_POSTGRESQL__USER
      - AUTHENTIK_POSTGRESQL__PASSWORD
      - AUTHENTIK_EMAIL__PASSWORD
      - AUTHENTIK_ERROR_REPORTING__ENABLED
      - AUTHENTIK_SECRET_KEY
      - AUTHENTIK_COOKIE_DOMAIN
    secrets:
      - authentik_postgresql_db
      - authentik_postgresql_user
      - authentik_postgresql_password
      - smtp_password
      - authentik_secret_key
    #env_file:
    #  - .env

#volumes:
#  database:
#    driver: local
#  redis:
#    driver: local
  geoipupdate:
    image: maxmindinc/geoipupdate:latest
    container_name: geoipupdate
    restart: unless-stopped
    volumes:
      - "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP"
    environment:
      - GEOIPUPDATE_EDITION_IDS
      - GEOIPUPDATE_FREQUENCY
      - GEOIPUPDATE_ACCOUNT_ID
      - GEOIPUPDATE_LICENSE_KEY

This is my docker compose from LXC 113

version: "3.9"


networks:
  t2_proxy:
    name: t2_proxy
    driver: bridge
    ipam:
      config:
       - subnet: 192.168.90.0/24

  default:
    driver: bridge

  socket-apps-proxy:
    name: socket-apps-proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.91.0/24

########################## SECRETS
secrets:

  cf_email:
    file: $DOCKERDIR/secrets/cf_email
  cf_api_key:
    file: $DOCKERDIR/secrets/cf_api_key
  cf_token:
    file: $DOCKERDIR/secrets/cf_token
  htpasswd:
    file: $DOCKERDIR/secrets/htpasswd
  traefik_forward_auth:
    file: $DOCKERDIR/secrets/traefik_forward_auth
  mysql_root_password:
    file: $DOCKERDIR/secrets/mysql_root_password
  guac_db_name:
    file: $DOCKERDIR/secrets/guac_db_name
  guac_mysql_user:
    file: $DOCKERDIR/secrets/guac_mysql_user
  guac_mysql_password:
    file: $DOCKERDIR/secrets/guac_mysql_password
  # Authentik Postgres
  authentik_postgresql_db:
    file: $DOCKERDIR/secrets/authentik_postgresql_db
  authentik_postgresql_user:
    file: $DOCKERDIR/secrets/authentik_postgresql_user
  authentik_postgresql_password:
    file: $DOCKERDIR/secrets/authentik_postgresql_password
  # Authentik
  authentik_secret_key:
    file: $DOCKERDIR/secrets/authentik_secret_key
  # GMail Auth Account
  smtp_password:
    file: $DOCKERDIR/secrets/smtp_password
  NORDVPN_USER:
    file: $DOCKERDIR/secrets/NORDVPN_USER
  NORDVPN_PASSWD:
    file: $DOCKERDIR/secrets/NORDVPN_PASSWD
  #traefik_hub_agent_token:
  #  file: $DOCKERDIR/secrets/traefik_hub_agent_token

########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228

# Common environment values
x-environment: &default-tz-puid-pgid
  TZ: $TZ
  PUID: $PUID
  PGID: $PGID
  tty: true

# Keys common to some of the services in basic-services.txt
x-common-keys-core: &common-keys-core
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: always
  tty: true
  # profiles:
  # - core

# Keys common to some of the services in basic-services.txt
x-common-keys-monitoring: &common-keys-monitoring
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: always
  tty: true
  # profiles:
  # - monitoring

# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped
  tty: true
  # profiles:
  # - apps

# Keys common to some of the services in media-services.txt
x-common-keys-media: &common-keys-media
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: "no"
  tty: true
  # profiles:
  # - media

########################### SERVICES
services:

  Docker-socket-apps-proxy:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: socket-apps-proxy
    image: tecnativa/docker-socket-proxy
    networks:
      socket-apps-proxy:
        ipv4_address: 192.168.91.254 # You can specify a static IP
    # privileged: true # true for VM. False for unprivileged LXC container.
    ports:
    # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use th>
    # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
      - "2375:2375"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      # 0 to revoke access.
      # 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      ## Revoked by Default
      # Security critical
      - AUTH=0
      - SECRETS=0
      - POST=1 # Watchtower
      # Not always needed
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1 # Traefik, portainer, etc.
      - DISTRIBUTION=0
      - EXEC=0
      - IMAGES=1 # Portainer
      - INFO=1 # Portainer
      - NETWORKS=1 # Portainer
      - NODES=0
      - PLUGINS=0
      - SERVICES=1 # Portainer
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1 # Portainer
      - VOLUMES=1 # Portainer

  portainerapps:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: portainerapps
    image: portainer/portainer-ce:2.16.1
    # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security
    command: -H tcp://socket-apps-proxy:2375
    #         --log-level DEBUG
    #command: -H unix///var/run/docker.sock:/var/run/docker.sock

    networks:
      t2_proxy:
        ipv4_address: 192.168.90.15
      socket-apps-proxy:
        ipv4_address: 192.168.91.15
    ports:
      #- "$PORTAINERAPPS_PORT:9990"
      - "127.0.0.1:9990:9990"
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers Auth Bypass#  
      - "traefik.http.routers.portainerapps-rtr-bypass.entrypoints=https"
      #- "traefik.http.routers.prowlarr-rtr-bypass.rule=Host(`sonarr.$DOMAINNAME`) && (Headers(`X-Api-Key`, `$SONARR_API_KEY`) || Query(`apikey`,>
      #- "traefik.http.routers.prowlarr-rtr-bypass.rule=Headers(`traefik-auth-bypass-key`, `$TRAEFIK_AUTH_BYPASS_KEY`)" # Bypass Auth for LunaSea on iOS
      - "traefik.http.routers.portainerapps-rtr-bypass.priority=100"
      ## HTTP Routers
      - "traefik.http.routers.portainerapps-rtr.entrypoints=https"
      - "traefik.http.routers.portainerapps-rtr.rule=Host(`portainerapps.$DOMAINNAME`)"
      - "traefik.http.routers.portainerapps-rtr.priority=99"
      #- "traefik.http.routers.portainerapps-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.portainerapps-rtr.middlewares=chain-no-auth@file"
      #- "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
      #- "traefik.http.routers.portainer-rtr.middlewares=middlewares-basic-auth@file"
      #- "traefik.http.routers.portainer-rtr.middlewares=chain-basic-auth@file"
      #- "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file"
      #- "traefik.http.routers.portainerapps-rtr.middlewares=chain-authentik@file"
      ## HTTP Services
      - "traefik.http.routers.portainerapps-rtr.service=portainerapps-svc"
      - "traefik.http.services.portainerapps-svc.loadbalancer.server.port=9990"
      - "traefik.http.routers.portainerapps-rtr-bypass.service=portainerapps-svc"

  prowlarr:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: ghcr.io/linuxserver/prowlarr:latest
    container_name: prowlarr
    networks:
      t2_proxy:
      socket-apps-proxy:
        ipv4_address: 192.168.91.60
#    networks:
#      t2_proxy:
#        ipv4_address: 192.168.90.160
    ports:
      - "$PROWLARR_PORT:9696"
    volumes:
      - $DOCKERDIR/appdata/prowlarr:/config
      - "/etc/localtime:/etc/localtime:ro"
  #  depends_on:
  #    gluetun:
  #      condition: service_healthy
    environment:
      <<: *default-tz-puid-pgid
    labels:
      - "traefik.enable=true"
      ## HTTP Routers Auth Bypass#  
      - "traefik.http.routers.prowlarr-rtr-bypass.entrypoints=https"
      #- "traefik.http.routers.prowlarr-rtr-bypass.rule=Host(`sonarr.$DOMAINNAME`) && (Headers(`X-Api-Key`, `$SONARR_API_KEY`) || Query(`apikey`,>
      #- "traefik.http.routers.prowlarr-rtr-bypass.rule=Headers(`traefik-auth-bypass-key`, `$TRAEFIK_AUTH_BYPASS_KEY`)" # Bypass Auth for LunaSea on iOS
      - "traefik.http.routers.prowlarr-rtr-bypass.priority=100"
      ## HTTP Routers Auth
      - "traefik.http.routers.prowlarr-rtr.entrypoints=https"
      - "traefik.http.routers.prowlarr-rtr.rule=Host(`prowlarr.$DOMAINNAME`)"
      - "traefik.http.routers.prowlarr-rtr.priority=99"
      ## Middlewares
      #- "traefik.http.routers.portainerapps-rtr.middlewares=chain-no-auth@file"
      - "traefik.http.routers.prowlarr-rtr.middlewares=chain-authentik@file"

      ## HTTP Services
      - "traefik.http.routers.prowlarr-rtr.service=prowlarr-svc"
      - "traefik.http.services.prowlarr-svc.loadbalancer.server.port=9696"
      - "traefik.http.routers.prowlarr-rtr-bypass.service=prowlarr-svc"

    restart: unless-stopped

Forssux · September 17, 2023, 7:51am

It seems a slight error in the portainerapps yml file made it not accesibble in http mode..
now http://192.168.1.181:9900 opens portainerapps

version: "3.9"
networks:
  t2_proxy:
    name: t2_proxy
    driver: bridge
    ipam:
      config:
       - subnet: 192.168.90.0/24

  default:
    driver: bridge

  socket-apps-proxy:  #this is another IP range that the main socket_proxy
    name: socket-apps-proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.101.0/24

  portainerapps:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: portainerapps
    image: portainer/portainer-ce:2.16.1
    # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security
    command: -H tcp://socket-proxy:2375
             --log-level DEBUG
    networks:
      t2_proxy:
      socket-apps-proxy:
        ipv4_address: 192.168.101.5
    ports:
      #- "$portainerapps_PORT:9000"
      - 9900:9000
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/portainerapps/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainerapps-rtr.entrypoints=https"
      - "traefik.http.routers.portainerapps-rtr.rule=Host(`portainerapps.$DOMAINNAME`)"
      - "traefik.http.routers.portainerapps-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.portainerapps-rtr.middlewares=chain-no-auth@file"
      #- "traefik.http.routers.portainerapps-rtr.middlewares=chain-oauth@file"
      #- "traefik.http.routers.portainerapps-rtr.middlewares=middlewares-basic-auth@file"
      #- "traefik.http.routers.portainerapps-rtr.middlewares=chain-basic-auth@file"
      #- "traefik.http.routers.portainerapps-rtr.middlewares=chain-authelia@file"
      #- "traefik.http.routers.portainerapps-rtr.middlewares=chain-authentik@file"
      ## HTTP Services
      - "traefik.http.routers.portainerapps-rtr.service=portainerapps-svc"
      - "traefik.http.services.portainerapps-svc.loadbalancer.server.port=9000"

system · September 20, 2023, 7:52am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Traefik in linux container LXC finding docker services in another LXC, Or 1 traefik multiple LXC Traefik v2 docker	3	2425	September 12, 2023
Traefik routing to other LAN IP Traefik v2 docker	9	8004	November 28, 2023
Traefik in a docker(Easypanel) on Proxmox Traefik v2 docker	0	1079	November 21, 2023
Single Traefik instance + Multiple Docker instances Traefik v2 docker	1	1550	August 21, 2020
Traefik proxy multiple networks, application single Traefik v3 (latest) docker	1	2333	April 23, 2024

One traefik for multiple container

Related topics