Traefik 2.2 + cloudflare

Following this post:

I tried to configure it using the same dynamic approach,
where:
the dashboard needs to be accessible internally on :8888
and from outside at https://traefik.mydomain.com;
same for HA: internally on :8123
and from outside at https://ha.mydomain.com.
Currently:
I am not able to reach the Traefik dashboard / HA, either internally or from outside the network.

I configured my domain in CF as follows:

docker-compose

version: "3.3"
networks:
  rev_traefik_proxy:
    external: true

services:

  traefik:
    image: traefik:v2.2.0
    container_name: traefik
    networks:
      - rev_traefik_proxy
    command:
      - --log.level=INFO
      - --log.filePath=etc/traefik/log/traefik.log
      - --accessLog.filePath=etc/traefik/log/access.log
      - --accessLog.bufferingSize=100

      - --providers.docker=true
      - --providers.docker.exposedbydefault=false

      # with api.insecure=true the dashboard is served on the built-in "traefik"
      # entrypoint (:8080 by default), which is neither published below nor the
      # custom "dashboard" entrypoint
      - --api
      - --api.insecure=true
      # :8888 is bound, but the only router attached to it requires
      # Host(`traefik.mydomain.com`), so http://<host-ip>:8888 does not match it
      - --entrypoints.dashboard.address=:8888

      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443

      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
      ##test
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.email=${CF_API_EMAIL}
      - --certificatesresolvers.myresolver.acme.storage=acme.json
    ports:
      - 80:80
      - 443:443
      - 8888:8888
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/acme.json:/acme.json
      - ./traefik/:/etc/traefik/log/
    labels:
      traefik.enable: true

      # middleware redirect
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https

      # global redirect to https
      traefik.http.routers.redirs.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.redirs.entrypoints: web
      traefik.http.routers.redirs.middlewares: redirect-to-https

      # Dashboard
      traefik.http.routers.traefik.rule: Host(`traefik.mydomain.com`)
      traefik.http.routers.traefik.entrypoints: dashboard
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.middlewares: auth
      traefik.http.middlewares.auth.basicauth.users: user:$$apr1$$gnc3F4mv$$VNr.mLwolbwUF6vYVzPVs0


  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant:latest
    volumes:
      - "./HA/:/config"
      - /etc/localtime:/etc/localtime:ro
#    ports:
#      - 8123:8123
    restart: always
    # host networking: the Docker provider cannot read a container IP for this
    # service and falls back to 127.0.0.1, which from inside the traefik
    # container is traefik itself (see "Creating server 0 http://127.0.0.1:8123"
    # in the log below)
    network_mode: host
    labels:
      traefik.enable: true

      traefik.http.routers.hasss.rule: Host(`ha.mydomain.com`)
      traefik.http.routers.hasss.entrypoints: websecure
      traefik.http.routers.hasss.tls.certresolver: myresolver
      traefik.http.services.hasss.loadbalancer.server.port: 8123


log:

time="2020-04-11T12:51:50Z" level=info msg="Traefik version 2.2.0 built on 2020-03-25T17:32:57Z"
time="2020-04-11T12:51:50Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"dashboard\":{\"address\":\":8888\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"etc/traefik/log/traefik.log\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"etc/traefik/log/access.log\",\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}},\"bufferingSize\":100},\"certificatesResolvers\":{\"myresolver\":{\"acme\":{\"email\":\"xxxxxx23@gmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"}}}}}"
time="2020-04-11T12:51:50Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
time="2020-04-11T12:51:50Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2020-04-11T12:51:50Z" level=debug msg="Start TCP Server" entryPointName=dashboard
time="2020-04-11T12:51:50Z" level=debug msg="Start TCP Server" entryPointName=web
time="2020-04-11T12:51:50Z" level=debug msg="Start TCP Server" entryPointName=websecure
time="2020-04-11T12:51:50Z" level=debug msg="Start TCP Server" entryPointName=traefik
time="2020-04-11T12:51:50Z" level=info msg="Starting provider *acme.Provider {\"email\":\"xxxxxx23@gmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"myresolver\",\"store\":{},\"ChallengeStore\":{}}"
time="2020-04-11T12:51:50Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme
time="2020-04-11T12:51:50Z" level=info msg="Starting provider *traefik.Provider {}"
time="2020-04-11T12:51:50Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2020-04-11T12:51:50Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
time="2020-04-11T12:51:50Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/[^:\\\\/]+(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}}}},\"tcp\":{},\"tls\":{}}" providerName=internal
time="2020-04-11T12:51:50Z" level=debug msg="Adding certificate for domain(s) ha.xxxxxx23.com"
time="2020-04-11T12:51:50Z" level=debug msg="No default certificate, generating one"
time="2020-04-11T12:51:50Z" level=debug msg="Provider connection established with docker 17.09.1-ce (API 1.32)" providerName=docker
time="2020-04-11T12:51:50Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"hasss\":{\"entryPoints\":[\"websecure\"],\"service\":\"hasss\",\"rule\":\"Host(`ha.xxxxxx23.com`)\",\"tls\":{\"certResolver\":\"myresolver\"}}},\"services\":{\"hasss\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://127.0.0.1:8123\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2020-04-11T12:51:52Z" level=debug msg="Adding certificate for domain(s) ha.xxxxxx23.com"
time="2020-04-11T12:51:52Z" level=debug msg="No default certificate, generating one"
time="2020-04-11T12:51:54Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2020-04-11T12:51:54Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
time="2020-04-11T12:51:54Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix
time="2020-04-11T12:51:54Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal
time="2020-04-11T12:51:54Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareType=RedirectRegex middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:54Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$ to ${1}/dashboard/" routerName=dashboard@internal middlewareType=RedirectRegex middlewareName=dashboard_redirect@internal entryPointName=traefik
time="2020-04-11T12:51:54Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:54Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-04-11T12:51:54Z" level=debug msg="Adding certificate for domain(s) ha.xxxxxx23.com"
time="2020-04-11T12:51:54Z" level=debug msg="No default certificate, generating one"
time="2020-04-11T12:51:57Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2020-04-11T12:51:57Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik
time="2020-04-11T12:51:57Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal entryPointName=traefik
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:57Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:57Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" serviceName=hasss entryPointName=websecure routerName=hasss@docker middlewareName=pipelining middlewareType=Pipelining
time="2020-04-11T12:51:57Z" level=debug msg="Creating load-balancer" routerName=hasss@docker serviceName=hasss entryPointName=websecure
time="2020-04-11T12:51:57Z" level=debug msg="Creating server 0 http://127.0.0.1:8123" serviceName=hasss entryPointName=websecure routerName=hasss@docker serverName=0
time="2020-04-11T12:51:57Z" level=debug msg="Added outgoing tracing middleware hasss" middlewareType=TracingForwarder entryPointName=websecure routerName=hasss@docker middlewareName=tracing
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-04-11T12:51:57Z" level=debug msg="Try to challenge certificate for domain [ha.xxxxxx23.com] found in HostSNI rule" rule="Host(`ha.xxxxxx23.com`)" providerName=myresolver.acme routerName=hasss@docker
time="2020-04-11T12:51:57Z" level=debug msg="Looking for provided certificate(s) to validate [\"ha.xxxxxx23.com\"]..." providerName=myresolver.acme routerName=hasss@docker rule="Host(`ha.xxxxxx23.com`)"
time="2020-04-11T12:51:57Z" level=debug msg="No ACME certificate generation required for domains [\"ha.xxxxxx23.com\"]." rule="Host(`ha.xxxxxx23.com`)" providerName=myresolver.acme routerName=hasss@docker
time="2020-04-11T13:00:42Z" level=debug msg="Error while Peeking first byte: read tcp 172.29.24.2:8888->192.168.1.213:44470: read: connection reset by peer"


version: '3.7'

services:

  traefik:
    image: traefik:v2.2.0
    container_name: traefik
    command:
      - --log.level=INFO
      - --log.filePath=etc/traefik/log/traefik.log
      - --accessLog.filePath=etc/traefik/log/access.log
      - --accessLog.bufferingSize=100
    
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
   
      - --api
      - --api.insecure=true
      
      - --entrypoints.traefik.address=:8888

      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https

      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certresolver=myresolver

      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.email=${CF_API_EMAIL}
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.storage=acme.json   
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
    ports:
      - 80:80
      - 443:443
      - 8888:8888
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/acme.json:/acme.json    
      - ./traefik/:/etc/traefik/log/
    labels:
      traefik.enable: true

      # Dashboard
      traefik.http.routers.traefik.rule: Host(`traefik.mydomain.com`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.middlewares: auth

      traefik.http.middlewares.auth.basicauth.users: user:$$apr1$$gnc3F4mv$$VNr.mLwolbwUF6vYVzPVs0
      
  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant:latest
    volumes:
      - './HA/:/config'
      - /etc/localtime:/etc/localtime:ro
    restart: always
    labels:
      traefik.enable: true

      traefik.http.routers.hasss.rule: Host(`ha.mydomain.com`)
      traefik.http.routers.hasss.entrypoints: websecure

      traefik.http.services.hasss.loadbalancer.server.port: 8123

Thanks @ldez

The Traefik dashboard opens on
http://192.168.1.112:8888/dashboard/#/

HA usually opens with http://192.168.1.112:8123,
but currently it does not.

I also checked from the same network;
none of the below are connecting:
https://traefik.mydomain.com

http://traefik.mydomain.com

http://ha.mydomain.com

https://ha.mydomain.com

I am getting ERR_TOO_MANY_REDIRECTS

In access.log I do see many attempts (although I hit it once):

#this is my cellphone (outside the lan)
1.101.22.142 - - [11/Apr/2020:14:08:39 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 957 "web-to-websecure@internal" "-" 0ms
192.168.1.130 - - [11/Apr/2020:14:08:39 +0000] "GET /api/overview HTTP/1.1" 200 435 "-" "-" 958 "api@internal" "-" 0ms
141.101.22.142 - - [11/Apr/2020:14:08:39 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 959 "web-to-websecure@internal" "-" 0ms
141.101.22.142 - - [11/Apr/2020:14:08:39 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 960 "web-to-websecure@internal" "-" 0ms
141.101.22.142 - - [11/Apr/2020:14:08:40 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 961 "web-to-websecure@inter

log:

time="2020-04-11T13:46:44Z" level=info msg="Traefik version 2.2.0 built on 2020-03-25T17:32:57Z"
time="2020-04-11T13:46:44Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
time="2020-04-11T13:46:44Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2020-04-11T13:46:44Z" level=info msg="Starting provider *acme.Provider {\"email\":\"mydomain@gmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"myresolver\",\"store\":{},\"ChallengeStore\":{}}"
time="2020-04-11T13:46:44Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme
time="2020-04-11T13:46:44Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2020-04-11T13:46:44Z" level=info msg="Starting provider *traefik.Provider {}"

acme.json was generated with certificates for
ha.mydomain.com and traefik.mydomain.com

@ldez,

wooo hooo .... Got progress :)

So if anyone faces a situation with "ERR_TOO_MANY_REDIRECTS" --> it
actually comes from CF and not from Traefik.
It required changing the SSL/TLS setting from "Flexible",
which comes as the default setting and encrypts traffic between the browser and CF,
to --> "Full", which encrypts end-to-end, using a self-signed certificate on the server.

Now I'm logging in with:
https://traefik.mydomain.com

http://traefik.mydomain.com

http://ha.mydomain.com

https://ha.mydomain.com

Can I also configure Traefik so I am able to log in to HA
with host-ip:8123?

I map a non-docker application which is accessed from http://192.168.1.112:8089.
I tried adding the Traefik labels, but it didn't work:

      # qnap (non-docker application running on the host)
      # the Docker provider takes only the port from labels; the server address is
      # always the IP of the container that carries the labels, so labels alone
      # cannot point at a service outside Docker
#      traefik.http.routers.qnap.rule: Host(`qnap.mydomain.com`)
#      traefik.http.routers.qnap.entrypoints: websecure
#      traefik.http.services.qnap.loadbalancer.server.port: 8089

The only option I managed to get working is by adding a dynamic.yaml, which, as I understand from you, is less recommended as it breaks the dynamic approach:

http:
  routers:
    service-router:
      entryPoints:
        - websecure
      service: service-qnap
      rule: Host(`qnap.mydomain.com`)
      tls:
        certResolver: myresolver
  services:
    service-qnap:
      loadBalancer:
        servers:
          - url: "http://192.168.1.112:8089"

Is there a way of adding/mapping a non-docker application to Traefik without a separate file?

Thanks a lot @ldez - you are a saver!
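The reason the commented-out qnap labels cannot work is that Traefik's Docker provider builds the backend URL from the IP of the container carrying the labels; labels only choose the port and scheme. A backend that lives outside Docker therefore has to come from another provider, and the file provider is the supported way to do that. The following is an added example of wiring the poster's dynamic.yaml into the compose file, not configuration from the thread or from the Traefik project: the first YAML document is the traefik service fragment, the second is the mounted file. The Cloudflare/ACME flags and the basic-auth hash are the ones already in the thread; the path /etc/traefik/dynamic.yaml, the `auth@docker` cross-provider reference on the qnap router and the router/service names are assumptions.

```yaml
# Added example (not from the thread): file provider for a non-Docker backend.
# Document 1: docker-compose fragment for the traefik service.
version: '3.7'

services:
  traefik:
    image: traefik:v2.2.0
    container_name: traefik
    command:
      - --log.level=INFO
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # file provider: load the mounted file and reload it whenever it changes
      - --providers.file.filename=/etc/traefik/dynamic.yaml
      - --providers.file.watch=true
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.myresolver.acme.email=${CF_API_EMAIL}
      - --certificatesresolvers.myresolver.acme.storage=acme.json
    ports:
      - "80:80"
      - "443:443"
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/acme.json:/acme.json
      # the dynamic configuration below, mounted read-only (assumed path)
      - ./traefik/dynamic.yaml:/etc/traefik/dynamic.yaml:ro
    labels:
      traefik.enable: true
      # the dashboard router from the thread goes here unchanged; only the
      # middleware reused by the file provider is repeated
      traefik.http.middlewares.auth.basicauth.users: user:$$apr1$$gnc3F4mv$$VNr.mLwolbwUF6vYVzPVs0
---
# Document 2: ./traefik/dynamic.yaml, the backend that runs on the host itself.
http:
  routers:
    qnap:
      entryPoints:
        - websecure
      rule: Host(`qnap.mydomain.com`)
      service: qnap
      # reuse the basic-auth middleware declared by Docker labels; the
      # "@docker" suffix is how one provider references another's object
      middlewares:
        - auth@docker
      tls:
        certResolver: myresolver
  services:
    qnap:
      loadBalancer:
        servers:
          # the non-Docker application; Traefik reaches it via the host's LAN IP
          - url: http://192.168.1.112:8089
```

Labels stay in charge of everything that runs in a container, so the dynamic approach is kept; the file only carries what Docker cannot describe. With `watch=true` an edit to the file is picked up without restarting the container, and putting a middleware such as `auth@docker` in front of an admin interface that is published through Cloudflare is worth doing unless the application has its own login.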

I have some issue with this configuration:
now when I'm connecting to HA (internally, from the same network)
I can't use any of the host IPs, only the DNS names,
which means that I go out to the internet and come back to my server.

Is it possible to keep this configuration but allow some internal IP to access HA?

Can anybody assist with it please?

Is there an option to access HA also with localhost:8123
(when I connect from the same network)?
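The question of reaching HA on host-ip:8123 (asked three times above: after the first success, in the "some internal IP" post and in this last one) has a configuration answer rather than a routing one: the second compose file dropped the `ports:` entry of the homeassistant service, so nothing on the host listens on 8123 any more and LAN clients can only go through Traefik, i.e. via the public name and Cloudflare. Publishing the port again restores the direct path while Traefik keeps serving ha.mydomain.com over the compose network. The following is an added example, not the poster's file or Home Assistant's own documentation; the LAN address 192.168.1.112 is taken from the thread, and binding the published port to that address (and to 127.0.0.1 for localhost) instead of all interfaces is my choice, so that the unencrypted, unauthenticated path never listens on an interface Traefik does not cover.

```yaml
# Added example (not from the thread): Home Assistant reachable both through
# Traefik (https://ha.mydomain.com) and directly on the LAN.
version: '3.7'

services:
  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant:latest
    volumes:
      - ./HA/:/config
      - /etc/localtime:/etc/localtime:ro
    restart: always
    # Publish 8123 on the LAN interface only, not on 0.0.0.0, so the direct
    # HTTP path is limited to the local network. The 127.0.0.1 mapping is what
    # makes http://localhost:8123 work on the host itself; other LAN machines
    # use http://192.168.1.112:8123. (Assumed host address.)
    ports:
      - "192.168.1.112:8123:8123"
      - "127.0.0.1:8123:8123"
    labels:
      traefik.enable: true
      # unchanged from the thread: Traefik talks to the container over the
      # compose network, the published port is only for LAN clients
      traefik.http.routers.hasss.rule: Host(`ha.mydomain.com`)
      traefik.http.routers.hasss.entrypoints: websecure
      traefik.http.services.hasss.loadbalancer.server.port: 8123
```

After `docker-compose up -d`, `ss -ltn` on the host should show 8123 bound to 192.168.1.112 and 127.0.0.1 only. Keep `network_mode: host` out of this service: as the first log shows, the Docker provider then registers the backend as 127.0.0.1:8123, which from inside the traefik container is not Home Assistant. If the goal is rather to use the DNS name from the LAN without leaving through Cloudflare, that is a split-horizon DNS entry for ha.mydomain.com pointing at 192.168.1.112, with TLS still terminated by Traefik; the published port is the simpler answer for host-ip:8123.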