My configuration files are as such,
docker-compose.yml
services:
traefik:
image: traefik:3.1.0
container_name: traefik
command:
- --providers.docker=true
- --providers.docker.network=proxy
- --providers.docker.exposedbydefault=false
- --providers.file.watch=true
- --providers.file.filename=/domus/cx_traefik/fileConfig.yml
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entryPoints.web.http.redirections.entrypoint.scheme=https
- --api.dashboard=true
- --api.insecure=true
- --entrypoints.websecure.http.middlewares=security-headers@file,rate-limit@file
- --entrypoints.websecure.http.tls.certresolver=myresolver
- --entrypoints.websecure.http.tls.domains[0].main=[domain.com](http://domain.com)
- --entrypoints.websecure.http.tls.domains[0].sans=traefik.domain.com
- --entrypoints.websecure.http.tls.domains[0].sans=auth.domain.com
- --entrypoints.websecure.http.tls.domains[0].sans=pve-git.domain.com
- --entrypoints.websecure.http.tls.domains[0].sans=proxmox.domain.com
- --certificatesresolvers.myresolver.acme.email=alerts@domain.com
- --certificatesresolvers.myresolver.acme.tlschallenge=true
- --certificatesresolvers.myresolver.acme.storage=/domus/cx_traefik/acme.json
- --log.level=INFO
- --accesslog=true
- --accesslog.filepath=/logs/traefik.log
- --accesslog.format=json
- --accesslog.bufferingsize=0
- --accesslog.filters.statuscodes=400-599
- --accesslog.fields.headers.defaultmode=drop
- --serversTransport.insecureSkipVerify=true
labels:
- traefik.enable=true
- traefik.http.routers.api.rule=Host(`traefik-api.domain.com`)
- traefik.http.routers.api.service=api@internal
- traefik.http.routers.api.middlewares=local-ipwhitelist@file,basic-auth@file
- traefik.http.routers.traefik.middlewares=admin
- traefik.http.routers.traefik.entrypoints=websecure
- traefik.http.middlewares.admin.basicauth.users=admin:password
- traefik.http.routers.dashboard.rule=Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
- traefik.http.routers.dashboard.service=api@internal
# - traefik.http.services.proxmox.loadbalancer.serverstransport=pve-transport
ports:
- 80:80
- 443:443
- 8080:8080
- 3128:3128
networks:
- proxy
environment:
- TZ=America/Chicago
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/domus/cx_traefik
- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/logs
- /domus/cx_traefik:/domus/cx_traefik
- /run/secrets/basic_auth_credentials:/run/secrets/basic_auth_credentials:ro
- /domus/cx_traefik/traefik.yml:/domus/cx_traefik/traefik.yml
- /domus/cx_traefik/acme.json:/domus/cx_traefik/acme.json
- /domus/cx_traefik/fileConfig.yml:/domus/cx_traefik/fileConfig.yml
restart: always
extra_hosts:
- host.docker.internal:172.17.0.1
whoami:
image: traefik/whoami:v1.10.2
networks:
- proxy
labels:
- traefik.enable=true
- traefik.http.routers.mywhoami.rule=Host(`whoami.domain.com`) || Host(`www.whoami.domain.com`)
- traefik.http.services.mywhoami.loadbalancer.server.port=80
- traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
- traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
- traefik.http.routers.mywhoami.middlewares=mywwwredirect
networks:
proxy:
external: true
dynamic fileConfig.yml
# Traefik 3.x fileConfig Dynamic Configuration (YAML)
# Updated 2024-June-25
################################################################
# Transports
################################################################
serversTransports:
insecureSkipVerify: true
pve-transport:
insecureSkipVerify: true
gitlab:
insecureSkipVerify: true
################################################################
# HTTP Middlewares
################################################################
http:
middlewares:
basic-auth:
basicAuth:
usersFile: "/run/secrets/basic_auth_credentials"
realm: "Traefik 2 Basic Auth"
rate-limit:
rateLimit:
average: 100
burst: 50
local-ipwhitelist:
ipAllowList:
sourceRange:
- "192.168.0.0/24"
- "10.0.0.0/24"
- "172.16.0.0/16"
redirect-to-https:
redirectScheme:
scheme: https
security-headers:
headers:
frameDeny: true
contentTypeNosniff: true
browserXssFilter: true
################################################################
# Routers
################################################################
routers:
gitlab:
rule: "Host(`pve-git.domain.com`)"
entryPoints:
- websecure
service: gitlab
tls:
certResolver: myresolver
traefik:
rule: "Host(`traefik.domain.com`)"
entryPoints:
- websecure
service: traefik-web
tls:
certResolver: myresolver
pve:
rule: "Host(`proxmox.domain.com`)"
entryPoints:
- websecure
service: proxmox
tls:
certResolver: myresolver
vault:
rule: "Host(`vault.svc.domain.com`)"
service: vault
tls:
certResolver: myresolver
consul:
rule: "Host(`consul.svc.domain.com`)"
service: consul
tls:
certResolver: myresolver
api:
rule: "Host(`traefik-api.domain.com`)"
entryPoints:
- websecure
service: api@internal
tls:
certResolver: myresolver
whoami-https:
rule: "Host(`whoami.domain.com`)"
entryPoints:
- websecure
service: whoami
tls:
certResolver: myresolver
mywhoami:
rule: "Host(`whoami.domain.com`) || Host(`www.whoami.domain.com`)"
entryPoints:
- web
- websecure
service: whoami
tls:
certResolver: myresolver
awx:
rule: "Host(`awx.svc.domain.com`)"
entryPoints:
- websecure
service: awx
tls:
certResolver: myresolver
pve-k3s-pri:
rule: "Host(`pve-k3s-pri.mg.domain.com`)"
entryPoints:
- websecure
service: pve-k3s-pri
tls:
certResolver: myresolver
minio:
rule: "Host(`minio.svc.domain.com`)"
entryPoints:
- websecure
service: minio
tls:
certResolver: myresolver
truenas:
rule: "Host(`truenas.domain.com`)"
entryPoints:
- websecure
service: truenas
tls:
certResolver: myresolver
nvr:
rule: "Host(`nvr.domain.com`)"
entryPoints:
- websecure
service: nvr
tls:
certResolver: myresolver
dsm:
rule: "Host(`dsm.domain.com`)"
entryPoints:
- websecure
service: dsm
tls:
certResolver: myresolver
authentik-http:
entryPoints:
- web
rule: "Host(`authentik.domain.com`)"
service: authentik
middlewares:
- redirect-to-https
tls:
certResolver: myresolver
authentik-https:
entryPoints:
- websecure
rule: "Host(`authentik.domain.com`)"
service: authentik
tls:
certResolver: myresolver
auth-http:
entryPoints:
- web
rule: "Host(`auth.domain.com`)"
service: auth
middlewares:
- redirect-to-https
tls:
certResolver: myresolver
auth-https:
entryPoints:
- websecure
rule: "Host(`auth.domain.com`)"
service: auth
tls:
certResolver: myresolver
pve-k3s-pri-https:
entryPoints:
- websecure
rule: "Host(`pve-k3s-pri.mg.domain.com`)"
service: pve-k3s-pri
tls:
certResolver: myresolver
traefik-web:
entryPoints:
- websecure
rule: "Host(`traefik.svc.domain.com`)"
service: traefik
tls:
certResolver: myresolver
################################################################
# Services
################################################################
services:
gitlab:
loadBalancer:
servers:
- url: "http://10.0.0.40:80"
proxmox:
loadBalancer:
passHostHeader: true
servers:
- url: "https://10.0.0.5:8006"
# serversTransport: pve-transport
vault:
loadBalancer:
servers:
- url: "https://10.0.0.174:8200"
consul:
loadBalancer:
servers:
- url: "https://10.0.0.174:8500"
whoami:
loadBalancer:
servers:
- url: "http://whoami:80"
awx:
loadBalancer:
servers:
- url: "http://10.0.0.226:30280"
pve-k3s-pri:
loadBalancer:
servers:
- url: "https://10.0.0.226:6443"
traefik-web:
loadBalancer:
servers:
- url: "https://10.0.0.14:8080"
traefik:
loadBalancer:
servers:
- url: "https://10.0.0.14:8080"
minio:
loadBalancer:
servers:
- url: "https://10.0.0.9:9002"
truenas:
loadBalancer:
servers:
- url: "https://10.0.0.9"
nvr:
loadBalancer:
passHostHeader: true
servers:
- url: "https://10.0.0.24:5001"
dsm:
loadBalancer:
passHostHeader: true
servers:
- url: "https://10.0.0.25:5001"
authentik:
loadBalancer:
servers:
- url: "http://authentik:9000"
auth:
loadBalancer:
servers:
- url: "http://auth:9000"
auth-http:
loadBalancer:
servers:
- url: "http://auth:9000"
auth-https:
loadBalancer:
servers:
- url: "https://auth:9000"
log:
level: DEBUG
################################################################
# Metrics
################################################################
metrics:
prometheus:
entryPoint: metrics
addEntryPointsLabels: true
addServicesLabels: true
addRoutersLabels: true
root@traefik:/domus/cx_traefik#
traefik.yml
# Traefik 3.x (YAML)
# Updated 2024-June-25
################################################################
# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
################################################################
global:
checkNewVersion: false
sendAnonymousUsage: false
################################################################
# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
################################################################
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
spice:
address: ":3128"
spice-tls:
address: ":61000"
################################################################
# API and Dashboard
################################################################
api:
dashboard: true
insecure: false
################################################################
# Providers - https://doc.traefik.io/traefik/providers/docker/
################################################################
providers:
docker:
exposedByDefault: true
file:
filename: "/domus/cx_traefik/middlewares"
network: traefik
################################################################
# Let's Encrypt (ACME)
################################################################
certificatesResolvers:
myresolver:
acme:
email: loser@domain.com
storage: acme.json
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
tlsChallenge: {}
Why are secure connections not being allowed to the SPICE console, the Web IDE and other places, or simply, what is the resolution to this problem? How do I fix this and allow connections to the https url instead of having to continue to use the IP address when I want to access these areas?
I've also noticed I have to often times reload my dsm and nvr (also a Synology DVA series) several times before they will actually load.
Thank you.