The dashboard is not accessible: bug or wrong code?

Hello everybody,
I use this code:

version: "3.9"

services:
  traefik:
    image: traefik:v2.9
    container_name: traefik
    restart: always
    networks:
      - eb
    command:
      - --log.level=INFO
      - --log.filePath=/data-log/traefik.log
      - --log.format=json
      - --accesslog=true
      - --api.insecure=false
      - --api.dashboard=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=eb
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certresolver=leresolver
      - --certificatesresolvers.leresolver.acme.tlsChallenge=true
      - --certificatesresolvers.leresolver.acme.email=test@gmail.com
      - --certificatesresolvers.leresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./volumes/data-letsencrypt/:/letsencrypt
      - ./volumes/data-log/:/data-log/
    ports:
      - 80:80
      - 443:443
    labels:
      traefik.enable: true
      traefik.http.routers.dashboard.rule: Host(`www.traefik.localhost`)
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.middlewares: auth
      # User: test
      # Password: test
      traefik.http.middlewares.auth.basicauth.users: test:$$1$$Jj.XJmO8$$oZnOy/vww23c4/adYEwKo.
      traefik.http.routers.unmatchedwww.rule: HostRegexp(`{name:^www\..*}`) 
      traefik.http.routers.unmatchedwww.service: noop@internal
      traefik.http.routers.unmatchedwww.priority: 2
      traefik.http.routers.matchlast.rule: PathPrefix(`/`)
      traefik.http.routers.matchlast.priority: 1
      traefik.http.routers.matchlast.middlewares: addwww
      traefik.http.middlewares.addwww.redirectregex.regex: ^https://(?:www\.)?(.*)
      traefik.http.middlewares.addwww.redirectregex.replacement: https://www.$${1}

  whoami:
    image: traefik/whoami:v1.8.1
    container_name: whoami
    restart: always
    networks:
      - eb
    depends_on:
      - traefik
    labels:
      traefik.enable: 'true'
      traefik.http.services.apache-php-store.loadbalancer.server.port: 80
      traefik.http.services.apache-php-store.loadbalancer.server.scheme: http
      traefik.http.routers.apache-php-store.rule: Host(`www.whoami.localhost`)
      traefik.http.routers.apache-php-store.tls.domains[0].main: whoami.localhost
      traefik.http.routers.apache-php-store.tls.domains[0].sans: www.whoami.localhost
      traefik.http.routers.apache-php-store.tls.certresolver: leresolver
  
networks:
  eb:
    name: eb

docker compose up -d --build

Locally:

After starting the project I write the following URLs in the browser.

# ERRORS:
#
# https://www.traefik.localhost/
# https://traefik.localhost/
# http://www.traefik.localhost/
# http://traefik.localhost/
# www.traefik.localhost/
# traefik.localhost/
#
# OK:
#
# https://www.whoami.localhost/
# https://whoami.localhost/
# http://www.whoami.localhost/
# http://whoami.localhost/
# www.whoami.localhost/
# whoami.localhost/

The services are reachable from any URL while the dashboard is not.

On a real server with a real domain name:

I write the same URLs above replacing localhost with the domain name and removing 'certificatesresolvers ... ... directory'.
The services are reachable from any URL while the dashboard is not.
The browser warns me that the certificate is not secure.

Is it a Traefik bug or is my code wrong?


PLEASE NOTE: Locally the problem goes away when I enter the credentials on a random URL. If you enter the credentials on the first link and then go to the second, the code seems to be perfect but it is not.


PLEASE NOTE: On the real server, after the credentials have been entered, the certificate is authentic. If you pay attention to the certificate after entering the credentials the code seems to be perfect but it is not.


You set leresolver to be used with websecure in the static configuration.

But with whoami you set it again in the labels. Have you tried setting it in labels for dashboard, too?

Have you tried without your unmatchedwww, matchlast and addwww lines for dashboard?

2 Likes

First of all thanks for the reply.

Yes, I tried this way but it doesn't work:

    labels:
      traefik.enable: 'true'
      traefik.http.services.dashboard.loadbalancer.server.port: 80
      traefik.http.services.dashboard.loadbalancer.server.scheme: http
      traefik.http.routers.dashboard.rule: Host(`www.traefik.domainname.com`)
      traefik.http.routers.dashboard.tls.domains[0].main: traefik.domainname.com
      traefik.http.routers.dashboard.tls.domains[0].sans: www.traefik.domainname.com
      traefik.http.routers.dashboard.tls.certresolver: leresolver
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.middlewares: auth
      traefik.http.middlewares.auth.basicauth.users: test:$$1$$Jj.XJmO8$$oZnOy/vww23c4/adYEwKo.
      traefik.http.routers.unmatchedwww.rule: HostRegexp(`{name:^www\..*}`) 
      traefik.http.routers.unmatchedwww.service: noop@internal
      traefik.http.routers.unmatchedwww.priority: 2
      traefik.http.routers.matchlast.rule: PathPrefix(`/`)
      traefik.http.routers.matchlast.priority: 1
      traefik.http.routers.matchlast.middlewares: addwww
      traefik.http.middlewares.addwww.redirectregex.regex: ^https://(?:www\.)?(.*)
      traefik.http.middlewares.addwww.redirectregex.replacement: https://www.$${1}

I get this solution:

Before entering the credentials, the browser informs me that the connection is not secure. After entering the credentials, the connection becomes secure.

Yes, I have tried thousands of solutions, now I do not remember the result and therefore I cannot answer this specific question. But I can't be left without the redirect services. If I remove the lines and the dashboard works, I don't solve the problem anyway, on the contrary I worsen the functionality of the entire script.

@bluepuma77, is my code poorly written or is what I detect a Traefik bug?

Thousands of organizations use Traefik, so I doubt this is a newly discovered bug. Personally I feel Traefik is complicated to configure (static, dynamic), so it's usually a config issue. But I am just a regular curious Traefik user.

Usually Traefik Dashboard is set to a different entrypoint (port). You seem to want to use it on the regular ports (80/443). Difference in config to whoami is certresolver, try setting that for dashboard.

1 Like

In my opinion, do you underestimate yourself anyway because only you are involved and not a Traefik expert? Am I so obnoxious?

Thank you for your suggestion. I tried using the following code:
traefik.http.services.dashboard.loadbalancer.server.port: 8080
I have not noticed any changes.

I don't understand this tip. Can you explain yourself better?
I tried to write this:
#traefik.http.routers.dashboard.tls.certresolver: leresolver
I also tried to write this:
traefik.http.routers.dashboard.tls.certresolver: leresolver
I do not solve.

Traefik is a commercial company. You can subscribe to their support starting around €3000/year and I am sure they are very happy to help you with your individual problem.

Not sure what brings me here, just wasting my time :laughing:

A # is used to „comment out“, so adding that will bring no change.

traefik.http.routers.dashboard.tls.certresolver: leresolver

looks good to me. Needs to be in Traefik labels. Enable debug and check every line.

1 Like

I understood, thanks. So, on this forum, subscribers who don't pay don't get answers? In practice, the forum is only apparently free. Is that so?

I am inexperienced but I know the meaning of #.

Below are the error codes:

{}
{"level":"info","msg":"Traefik version 2.9.1 built on 2022-10-03T14:22:13Z","time":"2022-10-14T20:56:52Z"}
{"level":"info","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n","time":"2022-10-14T20:56:52Z"}
{"level":"info","msg":"Starting provider aggregator aggregator.ProviderAggregator","time":"2022-10-14T20:56:52Z"}
{"level":"info","msg":"Starting provider *traefik.Provider","time":"2022-10-14T20:56:52Z"}
{"level":"info","msg":"Starting provider *docker.Provider","time":"2022-10-14T20:56:52Z"}
{"level":"info","msg":"Starting provider *acme.ChallengeTLSALPN","time":"2022-10-14T20:56:52Z"}
{"level":"info","msg":"Starting provider *acme.Provider","time":"2022-10-14T20:56:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-10-14T20:56:52Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:56:55Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:56:55Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:00Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:00Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:03Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:03Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:05Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:05Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:09Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:09Z"}
{"level":"info","msg":"Register...","providerName":"leresolver.acme","time":"2022-10-14T20:57:13Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:23Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:23Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:25Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:25Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:27Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:27Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:31Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:31Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:36Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:36Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:37Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:37Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:39Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:39Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:40Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:40Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:43Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:43Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:54Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:54Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:57:58Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:58Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:58:07Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:58:07Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:58:08Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:58:08Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:58:21Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:58:21Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:58:23Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:58:23Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:58:27Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:58:27Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:58:44Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:58:44Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-10-15T20:56:52Z"}
{"level":"info","msg":"I have to go...","time":"2022-10-15T22:11:05Z"}
{"level":"info","msg":"Stopping server gracefully","time":"2022-10-15T22:11:05Z"}
{"entryPointName":"web","level":"error","msg":"accept tcp [::]:80: use of closed network connection","time":"2022-10-15T22:11:05Z"}
{"entryPointName":"web","level":"error","msg":"Error while starting server: accept tcp [::]:80: use of closed network connection","time":"2022-10-15T22:11:05Z"}
{"entryPointName":"websecure","level":"error","msg":"accept tcp [::]:443: use of closed network connection","time":"2022-10-15T22:11:05Z"}
{"entryPointName":"websecure","level":"error","msg":"Error while starting server: accept tcp [::]:443: use of closed network connection","time":"2022-10-15T22:11:05Z"}
{"level":"info","msg":"Server stopped","time":"2022-10-15T22:11:05Z"}
{"level":"info","msg":"Shutting down","time":"2022-10-15T22:11:05Z"}
{"level":"info","msg":"Traefik version 2.9.1 built on 2022-10-03T14:22:13Z","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider aggregator aggregator.ProviderAggregator","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider *traefik.Provider","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider *docker.Provider","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider *acme.ChallengeTLSALPN","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider *acme.Provider","time":"2022-10-16T20:35:23Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-10-16T20:35:23Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-16T20:35:27Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-16T20:35:27Z"}

Below you will find the codes that I obtained today (October 16, 2022) by accessing the site panel.

{"level":"info","msg":"Traefik version 2.9.1 built on 2022-10-03T14:22:13Z","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider aggregator aggregator.ProviderAggregator","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider *traefik.Provider","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider *docker.Provider","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider *acme.ChallengeTLSALPN","time":"2022-10-16T20:35:23Z"}
{"level":"info","msg":"Starting provider *acme.Provider","time":"2022-10-16T20:35:23Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-10-16T20:35:23Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-16T20:35:27Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-16T20:35:27Z"}

I selected the DEBUG layer and then ran this command too:

docker compose up -d --force-recreate

I got this:

(I am attaching the file because the code is too long)

The following message in Italian:

La tua connessione a questo sito non è sicura

matches the following in English:

Your connection to this site is not secure
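
The log in the post above repeats the same two warnings many times. As an added example (not part of the original post and not Traefik code), this Python sketch collapses a Traefik JSON log into the facts relevant to a certificate problem: which ACME directory the resolver contacted and which routers have no domain in their rule. The sample lines are constructed in the format of the posted log, and the function names are assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample: a few lines in the format of the Traefik 2.9 JSON log posted above.
SAMPLE_LOG = r'''
{}
{"level":"info","msg":"Starting provider *acme.Provider","time":"2022-10-14T20:56:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-10-14T20:56:52Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:56:55Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-10-14T20:56:55Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-10-14T20:57:00Z"}
{"entryPointName":"web","level":"error","msg":"accept tcp [::]:80: use of closed network connection","time":"2022-10-15T22:11:05Z"}
this line is not JSON
'''

# The warning text as it appears in the posted log; the rule is captured.
NO_DOMAIN = re.compile(r"^No domain found in rule (.+), the TLS options applied")


def parse_log(text):
    """Yield one dict per well-formed, non-empty JSON log line; skip the rest."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and entry:
            yield entry


def summarize(text):
    """Collapse repeated warnings and extract the certificate-related facts."""
    acme_cas = set()
    no_domain = Counter()  # (routerName, rule) -> number of occurrences
    errors = []
    for entry in parse_log(text):
        if "ACME CA" in entry:
            acme_cas.add(entry["ACME CA"])
        msg = entry.get("msg", "")
        match = NO_DOMAIN.match(msg)
        if match and entry.get("level") == "warning":
            no_domain[(entry.get("routerName", "?"), match.group(1))] += 1
        elif entry.get("level") == "error":
            errors.append(msg)
    return {
        "acme_cas": sorted(acme_cas),
        # Heuristic: the Let's Encrypt staging directory has "staging" in its URL.
        "uses_staging": any("staging" in ca for ca in acme_cas),
        "no_domain_routers": dict(no_domain),
        "errors": errors,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("ACME directory:", summary["acme_cas"], "staging:", summary["uses_staging"])
    for (router, rule), count in summary["no_domain_routers"].items():
        print(f"{count}x no domain: {router}  rule={rule}")
    for err in summary["errors"]:
        print("error:", err)
```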

Hey @Milano2022 and @bluepuma77,

The forum is designed to be a space where community members can help each other out. It is a place to show off clever builds, help each other troubleshoot, and chat with the Traefik team about broad things like the roadmap or why Traefik Proxy is not a web server.

When they have time, someone on the technical team will pop on and help out. It happens often (you might remember, they have popped on to a few of your threads), but not so regularly that users can expect a ton of support this way.

That's why folks like @bluepuma77 are really important to helping out. I appreciate your sense of community, bluepuma77. :slight_smile:

@milano2022, I wouldn't say that just because we are used by big companies that you haven't found a bug, but it is really unlikely that you found a bug in the basic config. Have you checked out https://traefik.io/resources/traefik-kubernetes-tutorial/ ?

2 Likes

Hi @Tiffany, Thanks for your intervention. Yes I have read a lot and done a lot of tests but I have not solved. Ok, I'm waiting for the technical team. I am not working on a commercial project and I would not be able to pay 3000 euros.

My idea is that Traefik manages the certificate after the user has entered the credentials but in my opinion it should be the other way around. Today I tried to add a priority directive but it didn't solve.

traefik.http.routers.matchlast.priority: 1
traefik.http.routers.dashboard.priority: 2
traefik.http.routers.unmatchedwww.priority: 3

It has been a long time since I opened this discussion. Why am I not getting an answer?

Whether there is a bug or an error in the code, the dashboard cannot be reached immediately with a secure connection and this constitutes a strong limitation of the product. If I don't solve by writing in the specific Traefik forum, I don't think that elsewhere I can get a solution. This problem that I have presented I hope will be useful to the developers of Traefik to further improve its product in the following versions.

Here is an example with Traefik Dashboard and Let's Encrypt.

docker-compose.yml:

version: '3.9'

services:
  traefik:
    image: traefik:v2.9
    ports:
      # listen on host ports without ingress network (Docker Swarm)
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certificates:/certificates
    command:
      --providers.docker=true
      --providers.docker.exposedByDefault=false
      --entryPoints.web.address=:80
      --entryPoints.web.http.redirections.entryPoint.to=websecure
      --entryPoints.web.http.redirections.entryPoint.scheme=https
      --entryPoints.websecure.address=:443
      --entryPoints.websecure.http.tls=true
      --api.debug=true
      --api.dashboard=true
      --log.level=DEBUG
      --accesslog=true
      --certificatesResolvers.myresolver.acme.email=email@example.com
      --certificatesResolvers.myresolver.acme.storage=/certificates/acme.json
      --certificatesResolvers.myresolver.acme.httpchallenge.entrypoint=web
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.rule=Host(`traefik.example.com`)
      - traefik.http.routers.api.tls.certresolver=myresolver
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.api.middlewares=auth
      - 'traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/'

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.routers.whoami.tls.certresolver=myresolver
      - traefik.http.services.whoami.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy
    external: true

volumes:
  traefik-certificates:

1 Like

I have already tried that code, found it somewhere on this forum but it has 2 problems:

1) It uses Docker Swarm which I don't use;
2) It does not perform redirects.

Thank you very much for the effort. We hope that the new versions of Traefik no longer have this malfunction or this difficulty of use.

This also works for standard Docker, without Docker Swarm.

1 Like

The code you showed me does not perform the redirects that interest me. I don't question that code works but I don't need it. I want to redirect.

Sorry, lost the oversight what your actual problem is.

Maybe this helps. Traefik LetsEncrypt creates TLS certificates for domains that are used in Host in the labels. You should probably use

  ...rule=Host('www.whoami.localhost') || Host('whoami.localhost')

(replace ' with backticks!), so LE can create a certificate for both domains and one can redirect to the other.

1 Like
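
The reply above says that Traefik requests Let's Encrypt certificates for the domains named in `Host` rules. As an added example (not code from the thread or from Traefik), this Python sketch takes the router labels from the first post, lists the domains each router would hand to the resolver (explicit `tls.domains` labels take precedence over `Host` domains), and reports hostnames that no router names. The function names and the `WANTED` list are assumptions, and it assumes every router has a certresolver, as the entrypoint-level setting in the first post provides.

```python
import re

ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
HOST_CALL = re.compile(r"\bHost\(([^)]*)\)")  # matches Host(...), not HostRegexp(...)
TLS_DOMAIN = re.compile(r"^tls\.domains\[\d+\]\.(main|sans)$")

# Router labels copied from the compose file in the first post.
PAGE_LABELS = {
    "traefik.enable": "true",
    "traefik.http.routers.dashboard.rule": "Host(`www.traefik.localhost`)",
    "traefik.http.routers.dashboard.service": "api@internal",
    "traefik.http.routers.dashboard.middlewares": "auth",
    "traefik.http.routers.unmatchedwww.rule": r"HostRegexp(`{name:^www\..*}`)",
    "traefik.http.routers.unmatchedwww.service": "noop@internal",
    "traefik.http.routers.matchlast.rule": "PathPrefix(`/`)",
    "traefik.http.routers.matchlast.middlewares": "addwww",
    "traefik.http.routers.apache-php-store.rule": "Host(`www.whoami.localhost`)",
    "traefik.http.routers.apache-php-store.tls.domains[0].main": "whoami.localhost",
    "traefik.http.routers.apache-php-store.tls.domains[0].sans": "www.whoami.localhost",
    "traefik.http.routers.apache-php-store.tls.certresolver": "leresolver",
}

# The same labels with the rule form suggested in the reply above.
FIXED_LABELS = dict(PAGE_LABELS)
FIXED_LABELS["traefik.http.routers.dashboard.rule"] = (
    "Host(`www.traefik.localhost`) || Host(`traefik.localhost`)"
)

# Assumption: the hostnames the operator expects a certificate for.
WANTED = ["traefik.localhost", "www.traefik.localhost",
          "whoami.localhost", "www.whoami.localhost"]


def cert_domains(labels):
    """Map router name -> sorted domains a certificate resolver would request."""
    from_rule, explicit = {}, {}
    for key, value in labels.items():
        match = ROUTER_KEY.match(key)
        if not match:
            continue  # service, middleware and traefik.enable labels
        router, option = match.groups()
        from_rule.setdefault(router, set())
        explicit.setdefault(router, set())
        if option == "rule":
            for args in HOST_CALL.findall(str(value)):
                # Host(`a`, `b`) and Host(`a`) || Host(`b`) both end up here.
                from_rule[router].update(
                    d.lower() for d in re.findall(r"`([^`]+)`", args))
        elif TLS_DOMAIN.match(option):
            explicit[router].update(
                d.strip().lower() for d in str(value).split(",") if d.strip())
    # Explicit tls.domains replace the domains derived from the rule.
    return {r: sorted(explicit[r] or from_rule[r]) for r in from_rule}


def report(labels, wanted):
    """List routers with no domain and wanted hostnames that no router names."""
    domains = cert_domains(labels)
    covered = {d for ds in domains.values() for d in ds}
    return {
        # These routers are the ones that log "No domain found in rule ...".
        "routers_without_domain": sorted(r for r, ds in domains.items() if not ds),
        "uncovered": sorted(h for h in wanted if h.lower() not in covered),
    }


if __name__ == "__main__":
    for name, labels in (("as posted", PAGE_LABELS), ("with || rule", FIXED_LABELS)):
        print(name, cert_domains(labels)["dashboard"], report(labels, WANTED))
```

Regex and catch-all routers are reported as having no domain because a `HostRegexp` or `PathPrefix` rule names no concrete hostname; the sketch does not model which router a request would match.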

When I use the following code, do I risk exceeding the speed limits?

docker compose up -d --force-recreate

Right now on my test domain name I have exceeded the speed limit so I can't do any more tests.
You speak of 'whoami' but I speak of 'traefik'. The problem with the certificates is present on the traefik service only. The other services (whoami, java, apache, etc ...) work perfectly. Urls can be reached by a 100% valid certificate, both with www and without www. Anyway I will try to replace this:

traefik.http.routers.dashboard.rule: Host(`www.traefik.${NOME_A_DOMINIO}`)

with this:

traefik.http.routers.dashboard.rule: Host(`www.traefik.${NOME_A_DOMINIO}`) || Host(`traefik.${NOME_A_DOMINIO}`)

and I'll let you know. This problem is a real nuisance because it cannot be tried. You immediately run into the speed limits of the certificate. I prefer not to speak but I believe I have already tried the code you suggest and I seem to remember having failed.

If you are talking about the LE limits for certificate creation, just set the acme file to be placed in a mounted volume, then the certificate will not be lost upon every re-creation.

1 Like

If you see the code at the beginning of the post you will find the string.