Basically I am trying to set up traefik as a proxy on my Unraid box for all of my services (Plex, Ombi, etc.).
The issue I am having seems to have to do with the SSL certs being registered, but that is only a guess. I am posting as much of my config as possible, as well as the error when starting everything up.
Here is my docker-compose.yml:

```yaml
---
version: '3'
services:
  traefik:
    image: traefik:v1.7.12
    # YAML folds these two lines into one string; a trailing backslash here
    # would be passed on to traefik as a literal argument, so it is left out.
    command: --web --docker --docker.watch --docker.domain=${DOMAIN}
      --docker.exposedbydefault=false --acme.domains=${DOMAIN}
    container_name: traefik
    hostname: traefik
    networks:
      br0:
        ipv4_address: 192.168.1.253
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${CONFIG}/traefik/acme.json:/acme.json
      - ${CONFIG}/traefik/traefik.log:/traefik.log
      - ${CONFIG}/traefik/access.log:/access.log
      - ${CONFIG}/traefik/traefik.toml:/etc/traefik/traefik.toml
      - ${CONFIG}/traefik/.htpasswd:/etc/traefik/.htpasswd:ro
    environment:
      - DO_AUTH_TOKEN=???
    labels:
      traefik.enable: "true"
      traefik.frontend.rule: "Host:monitor.${DOMAIN}"
      traefik.port: "8080"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped
  ouroboros:
    image: pyouroboros/ouroboros
    container_name: ouroboros
    networks:
      - br0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - PGID
      - PUID
      - TZ
      - CLEANUP=true
      - INTERVAL=86400 # 24hrs
      - SELF_UPDATE=true
      - LABELS_ONLY=true
    restart: unless-stopped
  plex:
    image: linuxserver/plex
    container_name: plex
    hostname: plex
    networks:
      br0:
        ipv4_address: 192.168.1.252
    volumes:
      - ${CONFIG}/plex:/config
      - ${DATA}/TV:/media/tv
      - ${DATA}/Movies:/media/movies
      - ${DATA}/Music:/media/music
      - ${DATA}/Anime:/media/anime
    environment:
      - PGID
      - PUID
      - TZ
      - VERSION=latest
    labels:
      traefik.enable: "true"
      traefik.port: "32400"
      traefik.frontend.rule: "Host:plex.${DOMAIN}"
      com.ouroboros.enable: "true"
    restart: unless-stopped
  plexpy:
    image: linuxserver/tautulli:latest
    container_name: tautulli
    hostname: tautulli
    networks:
      br0:
        ipv4_address: 192.168.1.251
    volumes:
      - ${CONFIG}/plexpy:/config
      - ${CONFIG}/plex/Library/Application Support/Plex Media Server/Logs:/logs:ro
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "8181"
      traefik.frontend.rule: "Host:tautulli.${DOMAIN}"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped
  heimdall:
    image: linuxserver/heimdall:latest
    container_name: heimdall
    hostname: heimdall
    networks:
      br0:
        ipv4_address: 192.168.1.250
    volumes:
      - ${ENVIRONMENT}/heimdall/.env:/var/www/localhost/heimdall/.env
      - ${CONFIG}/heimdall:/config
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "80"
      traefik.frontend.rule: "Host:${DOMAIN}"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped
  ombi:
    image: linuxserver/ombi
    container_name: ombi
    hostname: ombi
    networks:
      br0:
        ipv4_address: 192.168.1.249
    volumes:
      - ${CONFIG}/ombi:/config
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "3579"
      traefik.frontend.rule: "Host:ombi.${DOMAIN}"
      com.ouroboros.enable: "true"
    restart: unless-stopped
networks:
  br0:
    external: true
```
Now you may have noticed that I have put all of the containers on the br0 network. This is a macvlan network provided by Unraid, and it is needed to give the traefik proxy its own IP (which I want because I am not interested in exposing Unraid's webUI). In order for traefik to be able to see the other containers they also need to be on it, and because it is a macvlan they all need an IP (which I don't actually mind; it can be quite useful).
Next up comes my traefik.toml:

```toml
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]

[traefikLog]
  filePath = "traefik.log"
  format = "json"

[accessLog]
  filePath = "access.log"
  format = "json"

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

[retry]

[acme]
  email = "myemail@gmail.com"
  storage = "acme.json"
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  entryPoint = "https"
  [acme.dnsChallenge]
    provider = "digitalocean"
    delayBeforeCheck = 0
  [[acme.domains]]
    main = "*.mydomain.nz"
    sans = ["mydomain.nz"]
```
Now when I run this I get the following in my traefik.log:

```
{"level":"info","msg":"Server configuration reloaded on :443","time":"2019-08-21T05:35:43Z"}
{"level":"info","msg":"Server configuration reloaded on :8080","time":"2019-08-21T05:35:43Z"}
{"level":"info","msg":"Server configuration reloaded on :80","time":"2019-08-21T05:35:43Z"}
{"level":"debug","msg":"Using DNS Challenge provider: digitalocean","time":"2019-08-21T05:35:43Z"}
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"mydomain.nz\" : unable to generate a certificate for the domains [mydomain.nz]: acme: Error -\u003e One or more domains had a problem:\n[mydomain.nz] time limit exceeded: last error: NS ns3.digitalocean.com. did not return the expected TXT record [fqdn: mydomain.nz., value: G0VSP3QFvYJzKeAdUS40iCM_wlcz0T5MJhPgveZCDag]: \n","time":"2019-08-21T05:36:48Z"}
```
I have also tried this with a timeout of 90, as well as using Cloudflare as my DNS service (originally I thought the issue was Cloudflare, but as it turns out I get a similar error (timeout on TXT record) with Digital Ocean).
Basically, if I try to access any of the sites through HTTPS they fail and I get a DNS rebind warning from pfSense.
I am totally new to this and have been at this one for a few weeks, so hopefully the issue is obvious to someone.
I am modelling my code off this repo, but as you can see he is not using the macvlan and has instead opted to move the ports for the Unraid web interface. I would like to avoid this if I can, and I have put so much work into getting this working at this point that I just really want to see if I can get it to work.
Cheers.
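The error above is traefik's ACME client (lego) reporting that one of the zone's authoritative nameservers never served the challenge TXT record before the timeout. The following is an added example, not code from the post or from traefik, assuming Python 3 and (only for the real lookup) the dnspython package: it parses that log line and repeats the same check, querying each authoritative server directly so you see which one lags instead of trusting the LAN resolver's view.

```python
import json
import re
import socket
# Matches the "[fqdn: X, value: Y]" fragment that lego (traefik's ACME client)
# logs when an authoritative nameserver did not answer with the challenge TXT.
_ERR_RE = re.compile(r"NS (?P<ns>\S+) did not return the expected TXT record "
                     r"\[fqdn: (?P<fqdn>[^,]+), value: (?P<value>[^\]]+)\]")

def parse_acme_dns_error(log_line):
    """(nameserver, fqdn, expected TXT value) from a traefik JSON log line, else None."""
    try:
        entry = json.loads(log_line)
    except ValueError:
        return None
    m = _ERR_RE.search(entry.get("msg", "")) if entry.get("level") == "error" else None
    return (m.group("ns"), m.group("fqdn"), m.group("value")) if m else None

def query_txt_dnspython(ns_host, fqdn):
    """Real lookup (assumes dnspython 2.x): ask the authoritative server directly,
    bypassing the LAN resolver (pfSense) and any local overrides it applies."""
    import dns.resolver  # assumed dependency; lazy so the stub run below needs no extra package
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [socket.gethostbyname(ns_host.rstrip("."))]
    return [b"".join(r.strings).decode() for r in resolver.resolve(fqdn, "TXT")]

def check_propagation(fqdn, expected, nameservers, query_txt):
    """Nameservers that do not (yet) serve the expected value; a failed lookup counts as missing."""
    missing = []
    for ns in nameservers:
        try:
            values = query_txt(ns, fqdn)
        except Exception:  # NXDOMAIN, timeout, unreachable server ...
            values = []
        if expected not in values:
            missing.append(ns)
    return missing

def diagnose(log_line, nameservers, query_txt=query_txt_dnspython):
    parsed = parse_acme_dns_error(log_line)
    if parsed is None:
        return None
    _, fqdn, expected = parsed
    return check_propagation(fqdn, expected, nameservers, query_txt)

# Constructed sample: the error line from the post, and a stub "zone" in which
# only two of the three DigitalOcean nameservers have the record so far.
SAMPLE_LOG = r'''{"level":"error","msg":"Unable to obtain ACME certificate for domains \"mydomain.nz\" : unable to generate a certificate for the domains [mydomain.nz]: acme: Error -\u003e One or more domains had a problem:\n[mydomain.nz] time limit exceeded: last error: NS ns3.digitalocean.com. did not return the expected TXT record [fqdn: mydomain.nz., value: G0VSP3QFvYJzKeAdUS40iCM_wlcz0T5MJhPgveZCDag]: \n","time":"2019-08-21T05:36:48Z"}'''
CHALLENGE = "G0VSP3QFvYJzKeAdUS40iCM_wlcz0T5MJhPgveZCDag"
STUB_ZONE = {"ns1.digitalocean.com.": [CHALLENGE], "ns2.digitalocean.com.": [CHALLENGE], "ns3.digitalocean.com.": []}
# diagnose(SAMPLE_LOG, list(STUB_ZONE), lambda ns, fqdn: STUB_ZONE[ns]) -> ['ns3.digitalocean.com.']
```

Against the real zone, call `diagnose(line, ["ns1.digitalocean.com.", "ns2.digitalocean.com.", "ns3.digitalocean.com."])` while traefik is mid-challenge; if a server keeps showing up as missing, raising `delayBeforeCheck` only helps if the record eventually appears there.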