Traefik 2.1 and docker-compose over https

Traefik Traefik v2
,
1

Hi there

i have done some research on this forum prior to posting but maybe i miss something fundamental. I run multiple applications behind traefik on my server and let traefik manage ssl certs etc with let's encrypt.

My latest project uses a docker-compose with a nginx that calls the php-fpm cgi. I have read that inside the traefik network the access is done via http which leads the php application missing some server variables which would detect that it has been called via https (missing HTTPS Server variable f.e.)

Is there some (not to fancy) way to make traefik communicate with the docker container over https?

I tried the loadbalancer way or routing the ssl-traefik to the container (which obviously woulnd't work without the certs from traefik)

My current files:

Traefik

version: "3.7"

services:

  traefik:
    image: "traefik:v2.1"
    restart: always
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=my@mail"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./solar.yml:/var/www/solar.yml"
    networks:
      - traefik

networks:
  traefik:
    external: true
    name: traefik

Application

version: "3.7"

networks:
  traefik:
    external: true
  backend:
    driver: bridge

volumes:
  seatplus-code:
    driver: local
  mariadb:
    driver: local

    #networks:
      #backend:

services:

  ### MariaDB ##############################################
  mariadb:
    image: mariadb:10.3
    restart: always
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      MYSQL_USER: ${DB_USERNAME}
      MYSQL_PASSWORD: ${DB_PASSWORD}
      MYSQL_DATABASE: ${DB_DATABASE}
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
      - backend

  ### Redis ################################################
  redis:
    image: redis:5-alpine
    restart: always
    networks:
      - backend

  ### nginx ################################################
  nginx:
    image: seatplus/nginx:latest
    depends_on:
      - seat-plus
    restart: always
    environment:
      - NGINX_HOST=${NGINX_HOST}
    volumes:
      - "seatplus-code:/var/www"
      # Remove the comment below to enable nginx logs to disk.
      #- ./logs/nginx/:/var/log/nginx/
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.seatplus.rule=Host(`seatplus.domain.tld`)"
      - "traefik.http.routers.seatplus.entrypoints=websecure"
      - "traefik.http.routers.seatplus.tls=true"
      - "traefik.http.routers.seatplus.tls.certresolver=myresolver"
      #- "traefik.http.services.seatplus.loadbalancer.server.scheme=https"
      #- "traefik.http.services.seatplus.loadbalancer.server.port=443"
      #- "traefik.http.routers.seatplus.tls.passthrough=true"
      - "traefik.http.routers.unsecure-seatplus.rule=Host(`seatplus.domain.tld`)"
      - "traefik.http.routers.unsecure-seatplus.entrypoints=web"
      - "traefik.http.middlewares.https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https.redirectscheme.permanent=true"
      - "traefik.http.routers.unsecure-seatplus.middlewares=https"
    #ports:
      #- "${NGINX_HTTP}:80"
      #- "${NGINX_HTTPS}:443"
    command: /bin/sh -c "envsubst '${NGINX_HOST}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && nginx -g 'daemon off;'"
    networks:
      - backend
      - traefik

  ### seat-plus ################################################
  seat-plus:
    image: seatplus/app:latest
    restart: always
    environment:
      DB_HOST: mariadb
      REDIS_HOST: redis
    env_file:
      - ./.env
    volumes:
      - "seatplus-code:/var/www"
      # Remove the comment below to enable SeAT plus logs to disk.
      #- ./logs:/var/www/storage/logs
    depends_on:
      - mariadb
      - redis
    networks:
      - backend

 ### worker ################################################
  worker:
    image: seatplus/worker:latest
    restart: always
    environment:
      DB_HOST: mariadb
      REDIS_HOST: redis
    env_file:
      - ./.env
    volumes:
      - "seatplus-code:/var/www"
    depends_on:
      - seat-plus # for the seatplus-code volume
      - mariadb
      - redis
    networks:
      - backend

  ### cron ################################################
  cron:
    image: seatplus/worker:latest
    restart: always
    environment:
      CONTAINER_ROLE: cron
      DB_HOST: mariadb
      REDIS_HOST: redis
    env_file:
      - ./.env
    volumes:
      - "seatplus-code:/var/www"
    depends_on:
      - seat-plus
      - mariadb
      - redis
    networks:
      - backend
2

It would help if could say what the error message was. If it's not being able to connect to the app from traeifik due to untrusted cert on the app, then insecureskipverify should help.

3

The issue i am facing is that the application (Laravel) creates urls f.e. for paginated responses. To do so it gets the URL Scheme from the request. However it does so by f.e. relying on the $_Server variables generated from the request.

as the traefik -> nginx is done over port 80/ http, the $_Server['HTTPS]' is false/not present

image

One way i think of overcome this, is securing the traefik->nginx communication ... is that possible with traefik?

4

Yes, it is possible, you do it similar to some of the lines you have commented out in your configuration. Apparently it has not worked for you, so once again I’m asking you what exactly did not work and what error message are you getting.

5

I'm guessing the URLS are for the app itself, they should not(IMO) return a scheme for the links just the path. The browser will know which scheme it is using.

Vendor provided apps will often have setting for use behind a Reverse-Proxy i.e. Alassian Confluence.
Some do not and you will have to perform URL rewrites, which Traefik does not do.