Traefik 1.7 to 2.0 Docker for Windows

Each time you have slightly different issues: you fix one, the next crops up. So sorry, but I cannot really tell what the certificates and HTTPS redirect problem is.

Can you explain a bit more? Thanks.

No swarm here, and now I just have the compose file, which is being modified whenever I have the time to test.

Well, what puzzled me was the fact that the last time the log had only one line. Not an error message which is good but one line can't help you identify what worked and what not.

At that moment bazarr.domain.com was accessible through http. I restarted the container and then it stopped being reachable through internet.

I'll start digging again today and see what's going on..

I guess that there was only one line in the log because I had traefik.log specified, now it's out.

Today's progress:

I managed to get the certificates going (according to the logs, at least at some point; then apparently I've hit my rate limit).
However:

  1. bazarr.DOMAIN.com - doesn't have a certificate and now is giving me a 404 page not found (might be the redirect scheme but not sure)
  2. traefik.localhost - is not accessible as well (404) although I think I configured it properly.

Also today I realised that I had some syntax issues in my compose file.

Current compose contents:
  bazarr:
    image: 'linuxserver/bazarr:latest'
    container_name: bazarr
    hostname: bazarr
    volumes:
      - '.\bazarr\config:/config'
    ports:
      - '6767:6767'
    environment:
      - TZ=Europe/Bucharest
      - com.ouroboros.enable=true
    restart: unless-stopped
    env_file:
      - .env
    labels:
#      - traefik.frontend.passHostHeader=true
#      - traefik.port=6767
      - "traefik.enable=true"
      - "traefik.http.routers.bazarr.rule=Host(`bazarr.DOMAIN.com`)"
      - "traefik.http.routers.bazarr.entrypoints=web"      
      - "traefik.http.routers.bazarr.tls=true"
      - "traefik.http.routers.bazarr.tls.certresolver=basic"
      - "traefik.http.routers.bazarr.tls.domains[0].main=DOMAIN.com"
      - "traefik.http.routers.bazarr.tls.domains[0].sans=*.DOMAIN.com"      
      - "traefik.http.routers.bazarr.entrypoints=web-secure"      
      - "traefik.http.services.bazarr.loadbalancer.server.port=6767"  
  traefik_2.0.1:
    image: 'traefik:2.0'
    container_name: traefik_2.0
    hostname: traefik_2.0
    ports:
      - '443:443'
      - '80:80'
      - '8080:8080'
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
#      - '.\traefik_2.0.1\traefik.yml:/etc/traefik/traefik.yml'
    env_file:
      - .env
    restart: unless-stopped
    domainname: '${ZONE}'
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"      
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=basic"
#      - "traefik.http.routers.traefik_https.service=api@internal"
      - "traefik.http.routers.traefik.tls.domains[0].main=DOMAIN.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.DOMAIN.com"         
      - "traefik.http.routers.http_traefik.middlewares=https_redirect"
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"      
    environment:
      - 'CF_API_EMAIL=${EMAIL}'
      - 'CF_API_KEY=${API_KEY}'
      - com.ouroboros.enable=true
      - TZ=Europe/Bucharest
    command:
      - '--log.level=DEBUG'
      - '--log.format=json'
      - '--global.checkNewVersion=true'
      - '--global.sendAnonymousUsage=false'
      - '--entryPoints.web.address=:80'
      - '--entryPoints.web-secure.address=:443'
      - '--api'
      - '--api.debug'
      - '--api.insecure'
      - '--api.dashboard'
      - '--ping'
      - '--providers.docker.exposedByDefault=false'
      - '--providers.docker.watch=true'
      - '--providers.docker.swarmMode=false'
      - '--certificatesresolvers.basic.acme.email=EMAIL@gmail.com'
      - '--certificatesresolvers.basic.acme.storage=/acme.json'
      - '--certificatesresolvers.basic.acme.dnschallenge=true'
      - '--certificatesresolvers.basic.acme.dnschallenge.provider=cloudflare'
#      - '--certificatesresolvers.basic.acme.dnsChallenge.delayBeforeCheck=60'
      - '--certificatesresolvers.basic.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53'

Latest log after a reboot of the container:
{"level":"info","msg":"Shutting down","time":"2019-10-03T13:44:14+03:00"},
time="2019-10-03T13:44:18+03:00" level=info msg="Configuration loaded from flags.",
{"level":"info","msg":"Traefik version 2.0.1 built on 2019-09-26T16:18:03Z","time":"2019-10-03T13:44:18+03:00"},
{"level":"debug","msg":"Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web-secure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true,\"debug\":true},\"ping\":{\"entryPoint\":\"traefik\"},\"log\":{\"level\":\"DEBUG\",\"format\":\"json\"},\"certificatesResolvers\":{\"basic\":{\"acme\":{\"email\":\"EMAIL@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]}}}}}","time":"2019-10-03T13:44:18+03:00"},
{"level":"info","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n","time":"2019-10-03T13:44:18+03:00"},
{"level":"debug","msg":"No default certificate, generating one","time":"2019-10-03T13:44:18+03:00"},
{"level":"info","msg":"Starting provider aggregator.ProviderAggregator {}","time":"2019-10-03T13:44:18+03:00"},
{"entryPointName":"web","level":"debug","msg":"Start TCP Server","time":"2019-10-03T13:44:18+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Start TCP Server","time":"2019-10-03T13:44:18+03:00"},
{"entryPointName":"web-secure","level":"debug","msg":"Start TCP Server","time":"2019-10-03T13:44:18+03:00"},
{"level":"info","msg":"Starting provider *acme.Provider {\"email\":\"EMAIL@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]},\"ResolverName\":\"basic\",\"store\":{},\"ChallengeStore\":{}}","time":"2019-10-03T13:44:18+03:00"},
{"level":"info","msg":"Testing certificate renew...","providerName":"basic.acme","time":"2019-10-03T13:44:18+03:00"},
{"level":"info","msg":"Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}","time":"2019-10-03T13:44:18+03:00"},
{"level":"debug","msg":"Configuration received from provider basic.acme: {\"http\":{},\"tls\":{}}","providerName":"basic.acme","time":"2019-10-03T13:44:18+03:00"},
{"level":"debug","msg":"No default certificate, generating one","time":"2019-10-03T13:44:18+03:00"},
{"level":"debug","msg":"Provider connection established with docker 19.03.2 (API 1.40)","providerName":"docker","time":"2019-10-03T13:44:18+03:00"},
{"container":"kibana-media-server-c1316fbc05f3a7eb527d270d1f1a037f84d0b8fff256f0abd5d5392bd8668291","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"container":"filebeat-media-server-f80e988ab2b068b18cdc6fb193817361377435241652be1cf18f20b37346bae5","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"container":"elasticsearch-media-server-48620b88fa282f6d4471f3ae2a36155d0e3c12d78dda63e59b49a1218e6111a8","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"container":"ouroboros-media-server-2c373d7a804d3b62c02c16fe99dda574996cbe0f7bb0c004a245b8a1c41166df","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"container":"chronograf-media-server-42f5ff510c4cae99e65defc4f42a9ce0c04466cda021117f9879cf3376f6504e","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"container":"influxdb-telegraf-media-server-5ea37b993a0dfa03a961971d7ca28b8cd9cc745642de30e541963e2b03259c93","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"container":"portainer-media-server-c5d350f8f78bd181729c91f52e3a9cbcfca18b4072c807a321307a5aca415a60","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"container":"logarr-media-server-c7cf89bea2d8bc5b4ffbfc25ab4513b9e5ffb714ecb18f46b793a7bdf93fd7f5","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"container":"cloudflare-ddns-media-server-c885127c8daf936bcec87b253a9aa404500bf662ff7c50f7e6fc63f898ae55c4","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"container":"piholeinflux-media-server-462d6822c39e3da20a725b24ad3c60ed7a2a61d37a996f9bf33431aeceada7b9","level":"debug","msg":"Filtering disabled container","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"Configuration received from provider docker: {\"http\":{\"routers\":{\"bazarr\":{\"entryPoints\":[\"web\"],\"service\":\"bazarr\",\"rule\":\"Host(`bazarr.DOMAIN.com`)\",\"tls\":{\"certResolver\":\"basic\",\"domains\":[{\"main\":\"DOMAIN.com\",\"sans\":[\"*.DOMAIN.com\"]}]}},\"grafana-media-server\":{\"service\":\"grafana-media-server\",\"rule\":\"Host(`grafana-media-server`)\"},\"heimdall-media-server\":{\"service\":\"heimdall-media-server\",\"rule\":\"Host(`heimdall-media-server`)\"},\"http_traefik\":{\"middlewares\":[\"https_redirect\"],\"service\":\"traefik-2-0-1-media-server\",\"rule\":\"Host(`traefik-2-0-1-media-server`)\"},\"ombi-media-server\":{\"service\":\"ombi-media-server\",\"rule\":\"Host(`ombi-media-server`)\"},\"organizr-media-server\":{\"service\":\"organizr-media-server\",\"rule\":\"Host(`organizr-media-server`)\"},\"tautulli-media-server\":{\"service\":\"tautulli-media-server\",\"rule\":\"Host(`tautulli-media-server`)\"},\"traefik\":{\"service\":\"traefik-2-0-1-media-server\",\"rule\":\"Host(`traefik.localhost`)\",\"tls\":{\"certResolver\":\"basic\",\"domains\":[{\"main\":\"DOMAIN.com\",\"sans\":[\"*.DOMAIN.com\"]}]}}},\"middlewares\":{\"https_redirect\":{\"redirectScheme\":{\"scheme\":\"https\",\"permanent\":true}}},\"services\":{\"bazarr\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.17:6767\"}],\"passHostHeader\":true}},\"grafana-media-server\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.3:3000\"}],\"passHostHeader\":true}},\"heimdall-media-server\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.6:80\"}],\"passHostHeader\":true}},\"ombi-media-server\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.18:3579\"}],\"passHostHeader\":true}},\"organizr-media-server\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.8:80\"}],\"passHostHeader\":true}},\"tautulli-media-server\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.11:8181\"}],\"passHostHeader\":true
}},\"traefik-2-0-1-media-server\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.10:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}","providerName":"docker","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"No entryPoint defined for this router, using the default one(s) instead: [traefik web-secure web]","routerName":"grafana-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"No entryPoint defined for this router, using the default one(s) instead: [traefik web-secure web]","routerName":"heimdall-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"No entryPoint defined for this router, using the default one(s) instead: [traefik web-secure web]","routerName":"ombi-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"No entryPoint defined for this router, using the default one(s) instead: [traefik web-secure web]","routerName":"organizr-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"No entryPoint defined for this router, using the default one(s) instead: [traefik web-secure web]","routerName":"tautulli-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"No entryPoint defined for this router, using the default one(s) instead: [traefik web-secure web]","routerName":"http_traefik@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"grafana-media-server@docker","serviceName":"grafana-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating load-balancer","routerName":"grafana-media-server@docker","serviceName":"grafana-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating server 0 http://172.18.0.3:3000","routerName":"grafana-media-server@docker","serverName":0,"serviceName":"grafana-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware grafana-media-server","routerName":"grafana-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"heimdall-media-server@docker","serviceName":"heimdall-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating load-balancer","routerName":"heimdall-media-server@docker","serviceName":"heimdall-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating server 0 http://172.18.0.6:80","routerName":"heimdall-media-server@docker","serverName":0,"serviceName":"heimdall-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware heimdall-media-server","routerName":"heimdall-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"ombi-media-server@docker","serviceName":"ombi-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating load-balancer","routerName":"ombi-media-server@docker","serviceName":"ombi-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating server 0 http://172.18.0.18:3579","routerName":"ombi-media-server@docker","serverName":0,"serviceName":"ombi-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware ombi-media-server","routerName":"ombi-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"organizr-media-server@docker","serviceName":"organizr-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating load-balancer","routerName":"organizr-media-server@docker","serviceName":"organizr-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating server 0 http://172.18.0.8:80","routerName":"organizr-media-server@docker","serverName":0,"serviceName":"organizr-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware organizr-media-server","routerName":"organizr-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"tautulli-media-server@docker","serviceName":"tautulli-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating load-balancer","routerName":"tautulli-media-server@docker","serviceName":"tautulli-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating server 0 http://172.18.0.11:8181","routerName":"tautulli-media-server@docker","serverName":0,"serviceName":"tautulli-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware tautulli-media-server","routerName":"tautulli-media-server@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"http_traefik@docker","serviceName":"traefik-2-0-1-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating load-balancer","routerName":"http_traefik@docker","serviceName":"traefik-2-0-1-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","msg":"Creating server 0 http://172.18.0.10:80","routerName":"http_traefik@docker","serverName":0,"serviceName":"traefik-2-0-1-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware traefik-2-0-1-media-server","routerName":"http_traefik@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"https_redirect@docker","middlewareType":"RedirectScheme","msg":"Creating middleware","routerName":"http_traefik@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"https_redirect@docker","middlewareType":"RedirectScheme","msg":"Setting up redirection to https ","routerName":"http_traefik@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"https_redirect@docker","msg":"Adding tracing to middleware","routerName":"http_traefik@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","msg":"Creating middleware","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web-secure","level":"debug","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","msg":"Creating middleware","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","msg":"Creating middleware","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"No entryPoint defined for this router, using the default one(s) instead: [traefik web-secure web]","routerName":"traefik@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"traefik@docker","serviceName":"traefik-2-0-1-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","msg":"Creating load-balancer","routerName":"traefik@docker","serviceName":"traefik-2-0-1-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","msg":"Creating server 0 http://172.18.0.10:80","routerName":"traefik@docker","serverName":0,"serviceName":"traefik-2-0-1-media-server","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware traefik-2-0-1-media-server","routerName":"traefik@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"bazarr@docker","serviceName":"bazarr","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","msg":"Creating load-balancer","routerName":"bazarr@docker","serviceName":"bazarr","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","msg":"Creating server 0 http://172.18.0.17:6767","routerName":"bazarr@docker","serverName":0,"serviceName":"bazarr","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware bazarr","routerName":"bazarr@docker","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web","level":"debug","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","msg":"Creating middleware","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"traefik","level":"debug","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","msg":"Creating middleware","time":"2019-10-03T13:44:19+03:00"},
{"entryPointName":"web-secure","level":"debug","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","msg":"Creating middleware","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"No entryPoint defined for this router, using the default one(s) instead: [traefik web-secure web]","routerName":"traefik@docker","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"No default certificate, generating one","time":"2019-10-03T13:44:19+03:00"},
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"DOMAIN.com\" \"*.DOMAIN.com\"]...","providerName":"basic.acme","time":"2019-10-03T13:44:20+03:00"},
{"level":"debug","msg":"Domains [\"DOMAIN.com\" \"*.DOMAIN.com\"] need ACME certificates generation for domains \"DOMAIN.com,*.DOMAIN.com\".","providerName":"basic.acme","time":"2019-10-03T13:44:20+03:00"},
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"DOMAIN.com\" \"*.DOMAIN.com\"]...","providerName":"basic.acme","time":"2019-10-03T13:44:20+03:00"},
{"level":"debug","msg":"Domains [\"DOMAIN.com\" \"*.DOMAIN.com\"] need ACME certificates generation for domains \"DOMAIN.com,*.DOMAIN.com\".","providerName":"basic.acme","time":"2019-10-03T13:44:20+03:00"},
{"level":"debug","msg":"Loading ACME certificates [DOMAIN.com *.DOMAIN.com]...","providerName":"basic.acme","time":"2019-10-03T13:44:20+03:00"},
{"level":"debug","msg":"Building ACME client...","providerName":"basic.acme","time":"2019-10-03T13:44:20+03:00"},
{"level":"debug","msg":"https://acme-v02.api.letsencrypt.org/directory","providerName":"basic.acme","time":"2019-10-03T13:44:20+03:00"},
{"level":"debug","msg":"Loading ACME certificates [DOMAIN.com *.DOMAIN.com]...","providerName":"basic.acme","time":"2019-10-03T13:44:20+03:00"},
{"level":"debug","msg":"Using DNS Challenge provider: cloudflare","providerName":"basic.acme","time":"2019-10-03T13:44:21+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com, *.DOMAIN.com] acme: Obtaining bundled SAN certificate","time":"2019-10-03T13:44:21+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com, *.DOMAIN.com] acme: Obtaining bundled SAN certificate","time":"2019-10-03T13:44:21+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/614059449","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/614059451","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: use dns-01 solver","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] acme: Could not find solver for: tls-alpn-01","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] acme: Could not find solver for: http-01","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] acme: use dns-01 solver","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Preparing to solve DNS-01","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/614059449","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/614059451","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: use dns-01 solver","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] acme: Could not find solver for: tls-alpn-01","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] acme: Could not find solver for: http-01","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] acme: use dns-01 solver","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Preparing to solve DNS-01","time":"2019-10-03T13:44:22+03:00"},
{"level":"debug","msg":"legolog: [INFO] cloudflare: new record for DOMAIN.com, ID 947d616c0e7143959887c4f470f67407","time":"2019-10-03T13:44:23+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] acme: Preparing to solve DNS-01","time":"2019-10-03T13:44:23+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] acme: Preparing to solve DNS-01","time":"2019-10-03T13:44:23+03:00"},
{"level":"debug","msg":"legolog: [INFO] cloudflare: new record for DOMAIN.com, ID b51297c9025c562a167087f7d774d15b","time":"2019-10-03T13:44:24+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Trying to solve DNS-01","time":"2019-10-03T13:44:24+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Checking DNS record propagation using [1.1.1.1:53 8.8.8.8:53]","time":"2019-10-03T13:44:24+03:00"},
{"level":"debug","msg":"legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]","time":"2019-10-03T13:44:24+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Waiting for DNS record propagation.","time":"2019-10-03T13:44:24+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Cleaning DNS-01 challenge","time":"2019-10-03T13:44:24+03:00"},
{"level":"debug","msg":"legolog: [INFO] [DOMAIN.com] acme: Cleaning DNS-01 challenge","time":"2019-10-03T13:44:25+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Waiting for DNS record propagation.","time":"2019-10-03T13:44:26+03:00"},
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"DOMAIN.com,*.DOMAIN.com\" : unable to generate a certificate for the domains [DOMAIN.com *.DOMAIN.com]: acme: Error -\u003e One or more domains had a problem:\n[*.DOMAIN.com] [*.DOMAIN.com] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[],\\\"result\\\":null}\"\n[DOMAIN.com] [DOMAIN.com] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[],\\\"result\\\":null}\"\n","providerName":"basic.acme","time":"2019-10-03T13:44:26+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Waiting for DNS record propagation.","time":"2019-10-03T13:44:28+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Waiting for DNS record propagation.","time":"2019-10-03T13:44:30+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Waiting for DNS record propagation.","time":"2019-10-03T13:44:32+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Waiting for DNS record propagation.","time":"2019-10-03T13:44:34+03:00"},
{"level":"debug","msg":"legolog: [INFO] [*.DOMAIN.com] acme: Waiting for DNS record propagation.","time":"2019-10-03T13:44:36+03:00"},

perhaps a gist then.

Here it is:

compose gist

Your compose file does not contain required lines at the top:

version: "3"
services:

While you might think that everyone who works with compose would know to add them, there is really no reason for you to delete them: you are simply making it more difficult to help you. If I want to paste your example into a file and run it, I would need to spend some valuable time figuring out why docker-compose up is throwing an error. It's not a major slowdown, but it is a slowdown, and a completely unnecessary one at that.

I'll ignore certificate issues for now, and deal with your 404s.

For the dashboard, you need to decide whether you are using api.insecure or not. If you are using it, it's just exposed directly: no certs, no explicit routing, no nothing. If you want it on https behind a cert, you need to make the following changes:

  • lose --api.insecure
  • uncomment traefik.http.routers.traefik_https.service=api@internal

If you want to listen on both web and web-secure and redirect from one to the other, you will need two separate routers for that. The one on web will then make use of that middleware.

  • Add: traefik.http.routers.traefik_https.entrypoints=web-secure, traefik.http.routers.traefik.entrypoints=web.
  • Create a rule that corresponds to traefik.http.routers.traefik.rule=Host(`traefik.localhost`) on the traefik_https router too, you need both.
  • Move tls definitions from traefik router to traefik_https router. It's the latter one you want tls on.
  • Move the redirect middleware from http_traefik to traefik. What is http_traefik at all, you are not using it anywhere else?

This covers your 404 with the dashboard.

Similarly with bazarr, if you want both entry points, you also want two routers, one for each. Currently you define the entry point twice and this is not gonna work. Create two routers if that's what you want, each with its own entry points, both with host rules, one tls, one non-tls, one without redirect middleware and the other with one.

I suggest using the staging environment so that does not happen; staging does not have the rate limit.

Hope this helps.
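
The two-router layout described in the answer above, written out as compose labels. This is an added example, not the poster's or the Traefik project's own file. The router name `bazarr_https`, the explicit `.service=` labels and the staging `caserver` line are assumptions added here; every other name comes from the compose file posted earlier in the thread, trimmed to the keys that matter for routing.

```yaml
version: "3"
services:
  bazarr:
    image: 'linuxserver/bazarr:latest'
    labels:
      - "traefik.enable=true"
      # Router 1, plain HTTP on :80. It exists only to redirect to HTTPS,
      # so it carries the middleware and no TLS options.
      - "traefik.http.routers.bazarr.rule=Host(`bazarr.DOMAIN.com`)"
      - "traefik.http.routers.bazarr.entrypoints=web"
      - "traefik.http.routers.bazarr.middlewares=https_redirect"
      - "traefik.http.routers.bazarr.service=bazarr"
      # Router 2, HTTPS on :443. Same Host rule, all TLS options live here.
      # (bazarr_https is a hypothetical name chosen for this example.)
      - "traefik.http.routers.bazarr_https.rule=Host(`bazarr.DOMAIN.com`)"
      - "traefik.http.routers.bazarr_https.entrypoints=web-secure"
      - "traefik.http.routers.bazarr_https.tls=true"
      - "traefik.http.routers.bazarr_https.tls.certresolver=basic"
      - "traefik.http.routers.bazarr_https.tls.domains[0].main=DOMAIN.com"
      - "traefik.http.routers.bazarr_https.tls.domains[0].sans=*.DOMAIN.com"
      - "traefik.http.routers.bazarr_https.service=bazarr"
      # One service shared by both routers.
      - "traefik.http.services.bazarr.loadbalancer.server.port=6767"

  traefik_2.0.1:
    image: 'traefik:2.0'
    ports:
      - '443:443'
      - '80:80'
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
    environment:
      - 'CF_API_EMAIL=${EMAIL}'
      - 'CF_API_KEY=${API_KEY}'
    command:
      - '--entryPoints.web.address=:80'
      - '--entryPoints.web-secure.address=:443'
      # --api.insecure is dropped: the dashboard is then reachable only
      # through the traefik_https router below, not directly.
      - '--api'
      - '--api.dashboard'
      - '--providers.docker.exposedByDefault=false'
      - '--certificatesresolvers.basic.acme.email=EMAIL@gmail.com'
      # /acme.json is not on a volume in the posted compose file, so the
      # certificate is requested again each time the container is recreated.
      - '--certificatesresolvers.basic.acme.storage=/acme.json'
      - '--certificatesresolvers.basic.acme.dnschallenge=true'
      - '--certificatesresolvers.basic.acme.dnschallenge.provider=cloudflare'
      # Let's Encrypt staging directory while testing (assumption: remove
      # this line once the routing works; staging certs are not trusted).
      - '--certificatesresolvers.basic.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory'
    labels:
      - "traefik.enable=true"
      # Middleware is defined once and referenced by every HTTP router.
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
      # HTTP router for the dashboard host: redirect only.
      - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.middlewares=https_redirect"
      - "traefik.http.routers.traefik.service=api@internal"
      # HTTPS router for the dashboard, pointing at the internal API service.
      # The DOMAIN.com wildcard certificate does not cover traefik.localhost,
      # so a browser still shows a certificate warning for this host.
      - "traefik.http.routers.traefik_https.rule=Host(`traefik.localhost`)"
      - "traefik.http.routers.traefik_https.entrypoints=web-secure"
      - "traefik.http.routers.traefik_https.tls=true"
      - "traefik.http.routers.traefik_https.tls.certresolver=basic"
      - "traefik.http.routers.traefik_https.tls.domains[0].main=DOMAIN.com"
      - "traefik.http.routers.traefik_https.tls.domains[0].sans=*.DOMAIN.com"
      - "traefik.http.routers.traefik_https.service=api@internal"
```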

Sorry for the fact that the compose wasn't usable, I moved up my two containers so now the compose should be usable for tests:

Latest compose file

Additional explanations:

  1. The dashboard: I want it accessible only from the house (hence I thought that https is not needed) without authentication without anything.
  2. Considering that I have a few containers in my compose file, I think that the easier thing would be to have one entrypoint (web or web-secure) and leave traefik to handle the redirect with a global option. Otherwise I think that I will have to add 10 additional labels per container :slight_smile:
  3. Currently bazarr is the test container that will be used as a reference to all containers that should be accessible through subdomain (container-name.DOMAIN.com) and traefik is the test one for the containers that should be accessible through container-name.localhost. After I get the hang of it, I'll update the rest of the containers too.
  4. I had a lot of modifications throughout the time (in the config/compose file) because I used to check the traefik dashboard after each modification. I thought that I should have one router per service, only now I realised that two routers per service might be needed and that would be ok from the config point of view. Previously, when I saw two routers for one service, I panicked and tried to get only one.

In the below picture you can see how the dashboard currently looks like:
(ignore the rest of the containers, bazarr and traefik are the only ones who should be the subject of the traefik config for now)

Later Edit:

  1. bazarr is accessible with http and an invalid certificate warning, so I'm guessing that somehow I managed to make it work.
  2. traefik.localhost is still not working. Just to make sure that we're all on the same page I have the dashboard accessible through http://localhost:8080/dashboard/#/

I'll stop here and patiently wait for your invaluable help before I mess things up again :frowning:

LE: Commented out some stuff and now everything seems to work. traefik.localhost still has that certificate warning but everything else seems to be working as expected. Starting to migrate my services to the new config.

Current dashboard status

Current compose status

Now, as far as I could gather from the documentation, I need two TCP routers?
I have two systems installed outside docker which were handled by rules.toml previously. If someone could help me to integrate these two services into the traefik setup (preferably without any file as currently I have no config file) I would be very much appreciative.

Here's my former rules.toml content
[entryPoints]
  [entryPoints.http]
  address = ":8080"

[frontends]

  [frontends.sonarr]
  backend = "sonarr"
    [frontends.sonarr.routes.test_1]
    rule = "Host:sonarr.DOMAIN.com"

  [frontends.radarr]
  backend = "radarr"
    [frontends.radarr.routes.test_1]
    rule = "Host:radarr.DOMAIN.com"

[backends]

  [backends.sonarr]
    [backends.sonarr.servers.server1]
    url = "http://192.168.0.55:8989"

  [backends.radarr]
    [backends.radarr.servers.server1]
    url = "http://192.168.0.55:20000"

Later Edit: sometimes I noticed that I need to add https:// in front of my subdomain, otherwise I get a 404, however I don't know what causes this :frowning:

According to what I understood from the documentation, I should have a file for the TCP services that I want to add.

Here's my rules.yml as I could make it
How could I use this?
By mounting the rules.yml file and then referencing it as below?

--providers.file.filename=rules.yml

Can someone please take a look at my compose file? I am pretty sure that something is not right there but I can't actually pinpoint the exact piece of code :frowning:

compose file:

Many thanks.

Hi @losif, if the 2 TCP "backend services" are served outside Docker, using the file provider would be the way to go.

  • Enabling File provider: You correctly figured out the flag of the Traefik CLI configuration: --providers.file.filename=rules.yml enables the provider "File" and sets it up to get its configuration from the file located at ./rules.yml
  • Providing the file rules.yml to the Traefik container: did you notice that I used a dot-slash (./) for the location of rules.yml? Because the value you've set for the flag providers.file.filename is a relative path INSIDE the Traefik container. You have to share this file between your machine and the traefik container, by mounting it on a specified path, as you did with v1.7 with the traefik.toml. My recommendation for you:

Many thanks for that one.

Here's what my log says now:

{"level":"error","msg":"Cannot start the provider *file.Provider: yaml: line 14: did not find expected alphabetic or numeric character","time":"2019-10-09T14:49:58+03:00"}

Here's my rules file
Could I use the tags from the .env file inside the rules.yml file as I am using them inside compose? It's a real PITA to always replace the domain name all the time :slight_smile:

Here's my updated compose file

Also I am not sure that I have the correct setup for HTTP to HTTPS global redirect and for subdomain entrypoint. I still need someone to take a look at that one (the whole compose file).

This error means that you're on the right path: Traefik tells you that it cannot parse the YAML line 14 in your file. It means that you enabled the file provider successfully!

Now, time for you to read a bit of documentation:

  • Rules for the TCP routers are different than HTTP routers: https://docs.traefik.io/v2.0/routing/routers/#rule_1. TCP does NOT provide concepts such as "hostname" or "path" or even "headers", so you cannot do advanced routing. You should use the generic rule HostSNI(`*`) as a starter: it means you need one entrypoint per backend, as there is no concept of "virtual host".

  • The error message is quite clear: it cannot parse the first character of the value on line 14. Please check the syntax at https://docs.traefik.io/v2.0/routing/routers/#domains_1 : you forgot something :wink:

On line 14 is the sans which is usually mentioned in all other routers.
I've replaced Host with HostSNI, same behaviour :frowning:

update file

Got it, I had to put:

rule: "HostSNI(`sonarr.DOMAIN.com`)"

instead of

rule: HostSNI(`sonarr.DOMAIN.com`)

final file

Now I'm back to the compose file :slight_smile: which still needs some in-depth analysis.

  • The error on line 14 is a syntax error, not a semantic error. It means it's about the parsing, not about the meaning/intent. Compare your sans and domains lines with the documentation at https://docs.traefik.io/v2.0/routing/routers/#domains_1 (click on the "File (YAML)" tab): "something" is missing to allow Traefik to parse the value :slight_smile: (you need to search a little on this to learn it)
  • I am missing information to help you about the applications sonarr.DOMAIN.com and radarr.DOMAIN.com:
    • What is the application protocol used for these applications? HTTP(S)? Something else (then what is it)?
    • Which component is responsible for terminating TLS and decrypting traffic: Traefik with the Let's Encrypt certificates? The backend services (which have their own certificates)?

=> The goal is to decide:

  • What kind of Traefik router to use (HTTP or TCP)?
  • Decide when enabling TLS for the routers, or when enabling TLS pass-through, or when using Let's Encrypt.

The syntax is fixed and the Traefik dashboard now successfully displays my two additional services (installed outside Docker).
Although now I get a 404 for those services.
Those two services were configured in rules.toml previously and they were making use of the let's encrypt certificate obtained by traefik 1.7.

So coming back to my initial goals.

Certificates:
I would like to have certificates issued only for my domain and not one per subdomain. This should also include the additional services that are mentioned in the file provided and installed outside docker.

TCP or HTTP ?
I thought that I should use TCP instead of HTTP for those 2 services because they are accessible through local IP and port which is outside docker network.

Also about HTTP->HTTPS redirect:

  • I thought that I could use a single global redirect.
  • basically, I don't want to type http(s)://sub.domain.com but I would like to type sub.domain.com and puf, my application is displayed. This is how I used to have 1.7 configured. HTTPS was there but I was never aware of how things actually worked. I typed my address and when I was using the app the certificate was present there.

Hi @losif, based on your previous answer:

  • Your requirement for TLS termination/certificates is clear. You want termination of TLS at Traefik level, with auto management of the certificates.
    => This means that you must not use the option tls.passthrough on any router. Only enable tls and specify the certificate resolver to benefit from Let's Encrypt as you already figured out successfully.

  • TCP vs. HTTP: the reason to choose TCP would be either "backend does NOT use HTTP(S) - for instance you want to route to MongoDB, SSH, MySQL, etc.", or "Backend uses HTTPS and terminates TLS itself, so Traefik must not manage TLS and pass through HTTP traffic".
    => So you need to use HTTP routers, and you can revert the router rules to Host() and forget all the verbiage around "SNI".

  • About HTTP to HTTPS redirect globally: check this section of the blog post: https://blog.containo.us/traefik-2-0-docker-101-fc2893944b9d#49a5 . The idea is to define a "default http router" on Traefik itself, that catches all the traffic without TLS, and uses a middleware for redirection.

TCP vs HTTP: I arrived at the same conclusion when I made a double check with my previous rules.toml (used by 1.7).

updated rules.yaml still with 404

Regarding certificates now I got a weird error in the log:

{"level":"error","msg":"Unable to obtain ACME certificate for domains \"DOMAIN.com,*.DOMAIN.com\" : unable to generate a certificate for the domains [DOMAIN.com *.DOMAIN.com]: acme: Error -\u003e One or more domains had a problem:
\n[*.DOMAIN.com] [*.DOMAIN.com] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[],\\\"result\\\":null}\"
\n[DOMAIN.com] [DOMAIN.com] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[],\\\"result\\\":null}\"
\n","providerName":"basic.acme","time":"2019-10-10T10:18:06+03:00"}

Current compose file

I tried my luck with two skip verify flags with no luck trying to get rid of the below kind of errors:

{"level":"debug","msg":"http: TLS handshake error from 172.18.0.1:44962: remote error: tls: unknown certificate","time":"2019-10-10T11:20:44+03:00"}
  • For the rules.yml, routers are only attached to the entrypoint web but have tls enabled: https://gist.github.com/IosifZ/f2a271d95e64c8203354273b3d496399#file-rules-yml-L15.
    It means you need to hit https://domain:80./. What you want is the port 443, so you must attach the routers to web-secure as well.

  • About the Cloudflare error, I don't have any experience in this part so not really sure. I tend to avoid DNS wildcard as much as I can, and use the tlsChallenge, which is easier to configure, since Traefik manages the domains and renewal for me. However given the error message, I would do the following:

    • Use Let's encrypt staging to avoid hitting your quotas first (ref. https://docs.traefik.io/v2.0/https/acme/#caserver)
    • Cleanup the Cloudflare DNS zone from all the TXT records created by Traefik for Let's Encrypt challenges.
    • Backup the current acme.json file and try to start from scratch.
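
A file-provider configuration that puts the thread's conclusions together for the two services running outside Docker: HTTP routers with Host() rules, attached to web-secure with TLS terminated by Traefik, plus a catch-all redirect on web. This is an added example, not the poster's rules.yml; the `/rules.yml` mount path and the `http-catchall` and `redirect-to-https` names are assumptions, while the hosts, backend URLs, entry points and the `basic` resolver come from the page.

```yaml
# rules.yml - added example (not the poster's file). Loaded with
#   --providers.file.filename=/rules.yml
# and mounted read-only into the Traefik container (path is an assumption).
http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
  routers:
    # Global redirect: catches every plain-HTTP request on "web".
    http-catchall:
      rule: "HostRegexp(`{host:.+}`)"
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
      service: sonarr   # a router needs a service; the redirect answers first
    sonarr:
      rule: "Host(`sonarr.DOMAIN.com`)"
      entryPoints:
        - web-secure    # TLS routers belong on :443, not on web
      service: sonarr
      tls:
        certResolver: basic
        domains:
          - main: "DOMAIN.com"
            sans:
              - "*.DOMAIN.com"   # quoted: a bare leading * is a YAML alias
    radarr:
      rule: "Host(`radarr.DOMAIN.com`)"
      entryPoints:
        - web-secure
      service: radarr
      tls:
        certResolver: basic
        domains:
          - main: "DOMAIN.com"
            sans:
              - "*.DOMAIN.com"
  services:
    sonarr:
      loadBalancer:
        servers:
          - url: "http://192.168.0.55:8989"
    radarr:
      loadBalancer:
        servers:
          - url: "http://192.168.0.55:20000"
```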

Thank you, 404 solved.
However the certificates are still not being generated. I've checked my Cloudflare dashboard and there are no txt records there.