Hello friends!
I had a previously perfectly working Traefik (v2.0.0) setup. Today I got myself a new router (Ubiquiti Dream Machine) and in the process forced an IP change (I have a static IP) from my ISP. I updated my DNS at Cloudflare with the new static IP, and when I ping my DNS name it resolves to my current IP.
I have set up the correct port forwarding in my router:
(Old rules in dd-wrt)
to
I had not touched my Traefik files at all when I first tried to log in, and it timed out. I have since changed my config to use the ACME staging server with Cloudflare, which generates new certs, but when I try to access my site I simply get an SSL error.
This is my traefik.yml:
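# Compose (swarm) stack: Traefik v2.0.0 plus the services it fronts.
# Indentation reconstructed; 2-space indent, indented sequences throughout.
version: "3.4"

secrets:
  # File-backed secrets; Compose mounts them under /run/secrets/<name> in the
  # containers that list them.
  cloudflare_api_key:
    file: "/share/appdata/config/secrets/cloudflare_api_key.secret"
  cloudflare_api_email:
    file: "/share/appdata/config/secrets/cloudflare_api_email.secret"

services:
  app:
    image: traefik:v2.0.0
    secrets:
      - cloudflare_api_email
      - cloudflare_api_key
    environment:
      # *_FILE variants make the Cloudflare DNS provider read the credentials
      # from the mounted secret files instead of from plain env values.
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_api_email
      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
    ports:
      - "80:80"
      - "443:443"
      # Host port 8090 maps straight onto Traefik's API/dashboard port 8080.
      # The static config enables api.insecure, so anything that can reach
      # host:8090 gets the dashboard and API without the forward-auth
      # middleware that protects the HTTPS dashboard router below. Keep this
      # port off the internet (router/firewall) or drop the mapping once the
      # traefik router works.
      - "8090:8080"
    volumes:
      # Read-only mount still lets the container read all daemon metadata
      # (containers, labels, networks); it does not prevent that exposure.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /share/appdata/config/traefik:/etc/traefik
    networks:
      - traefik_public
    command: --configFile=/etc/traefik/traefik-static.yaml
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.entrypoints=https"
        - "traefik.http.routers.traefik.rule=Host(`traefik.REDACTED.sexy`) || (Host(`REDACTED.sexy`) && Path(`/traefik`))"
        - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
        # Fixed: the original label was written as "...service: api@internal".
        # In list form a label without '=' is taken as a key with an empty
        # value, so the router was never attached to api@internal.
        - "traefik.http.routers.traefik.service=api@internal"
        - "traefik.http.routers.traefik.middlewares=forward-auth@file"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  whoami:
    image: containous/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.entrypoints=https"
        - "traefik.http.routers.whoami.rule=Host(`whoami.REDACTED.sexy`)"
        - "traefik.http.routers.whoami.tls.certresolver=cloudflare"
        - "traefik.http.routers.whoami.middlewares=forward-auth@file"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"

  auth:
    image: dniel/forwardauth:latest
    networks:
      - traefik_public
    ports:
      # Publishes the forward-auth service directly on host port 8080, next
      # to the Traefik route on auth.REDACTED.sexy. Quoted so the mapping is
      # always read as a string; consider removing it if only Traefik needs
      # to reach this container.
      - "8080:8080"
    volumes:
      - /share/appdata/config/traefik/application.yaml:/config/application.yaml
    deploy:
      resources:
        limits:
          memory: 512M
        reservations:
          memory: 256M
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.auth.entrypoints=https"
        - "traefik.http.routers.auth.rule=Host(`auth.REDACTED.sexy`)"
        - "traefik.http.routers.auth.tls.certresolver=cloudflare"
        - "traefik.http.routers.auth.middlewares=forward-auth@file"
        - "traefik.http.services.auth.loadbalancer.server.port=8080"

  www:
    image: dniel/blogr-www
    networks:
      - traefik_public
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.www.entrypoints=https"
        - "traefik.http.routers.www.rule=Host(`www.REDACTED.sexy`)"
        - "traefik.http.routers.www.tls.certresolver=cloudflare"
        - "traefik.http.routers.www.middlewares=forward-auth@file"
        - "traefik.http.services.www.loadbalancer.server.port=80"

networks:
  traefik_public:
    external: true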
This is my traefik-static.yaml:
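# Traefik Static Configuration
# Host Path: /share/docker/config/traefik/traefik-static.yaml
# Internal Path: /etc/traefik/dynamic/traefik-static.yaml
# NOTE(review): the stack runs Traefik with --configFile=/etc/traefik/traefik-static.yaml
# and mounts /share/appdata/config/traefik at /etc/traefik, so the two path
# comments above look stale. If this file really sits under /etc/traefik/dynamic,
# the file provider below will also pick it up as dynamic config — confirm the path.
global:
  checkNewVersion: true

serversTransport:
  # Disables certificate verification for every Traefik -> backend connection.
  # Acceptable for self-signed internal backends; narrow or remove once they
  # present valid certificates.
  insecureSkipVerify: true

entryPoints:
  http:
    address: ":80"
    # Trust IPv4 Private Address Space
    forwardedHeaders:
      trustedIPs:
        - "172.16.0.0/12"
        - "10.0.0.0/8"
        - "192.168.0.0/16"
  https:
    address: ":443"
    # Trust IPv4 Private Address Space
    forwardedHeaders:
      trustedIPs:
        - "172.16.0.0/12"
        - "10.0.0.0/8"
        - "192.168.0.0/16"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Alternative endpoint:
    # endpoint: "tcp://127.0.0.1:2375"
    watch: true
    swarmMode: true
    network: traefik_public
    # Optional defaultRule: "Host(`{{ .Name }}.localhost`)"
    useBindPortIP: false
    # Only containers labelled traefik.enable=true are routed.
    exposedByDefault: false
  file:
    # Optional instead of directory:
    # filename: /etc/traefik/traefik-dynamic.yaml
    directory: /etc/traefik/dynamic
    watch: true
    debugLogGeneratedTemplate: true

api:
  dashboard: true
  # insecure exposes the API and dashboard on port 8080 with no authentication;
  # the stack publishes that port as host:8090, outside the forward-auth
  # protected dashboard router. Keep 8090 unreachable from untrusted networks.
  insecure: true
  debug: false

#metrics:
#  prometheus:
#    buckets:
#      - "0.1"
#      - "0.3"
#      - "1.2"
#      - "5"
#    addEntryPointsLabels: true
#    addServicesLabels: true
#    entryPoint: metrics
#ping:
#  entryPoint: ping

log:
  # Fixed: the previous value "ERROR, DEBUG, #INFO, ..." parsed as the string
  # "ERROR, DEBUG," (everything after " #" is a YAML comment), which is not a
  # valid level, so Traefik could not set the level from it.
  # Valid levels: DEBUG, INFO, WARN, ERROR, FATAL, PANIC. DEBUG is useful while
  # troubleshooting ACME; go back to ERROR afterwards (it also logs more).
  level: DEBUG
  filePath: "/etc/traefik/traefik.log"

accessLog:
  filePath: "/etc/traefik/access.log"

certificatesResolvers:
  cloudflare:
    acme:
      email: "XXXX"
      storage: "/etc/traefik/acme.json"
      # Alternative ACME Staging CA Server (not ratelimited like prod):
      # Certificates from the staging CA are signed by a test intermediate that
      # browsers do not trust, so every site shows a TLS/SSL error while this
      # line is active — that is expected and is not a routing failure. Once
      # acme.json shows certificates being issued, switch to the production
      # caServer below (and clear acme.json first, since staging certs are
      # stored there).
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      # PROD Acme Staging CA Server - once you have everything working and acme.json saving your cert data, comment out the staging server and uncomment this one.
      #caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        # Seconds to wait before checking the TXT record; skips propagation
        # checks against the resolvers listed below during that window.
        delayBeforeCheck: 30
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"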
Grateful for any advice!