Traefik 2.2 + cloudflare

Traefik Traefik v2
,
1

Following this post :

I tried to configure by same dynamic approach ,
where :
Need the dashboard be accessible internally on :8888
and from outside https://traefik.mydomain.com
same for HA - internally on :8123
and outside https://ha.mydomain.com
at current :
not able to reach the traefik dashboard /HA from internally or from outside network.

I configure my domain in CF as following:

image
image1515×422 30.1 KB

docker-compose

version: "3.3"
networks:
  rev_traefik_proxy:
    external: true

services:

  traefik:
    image: traefik:v2.2.0
    container_name: traefik
    networks:
      - rev_traefik_proxy
    command:
      - --log.level=INFO
      - --log.filePath=etc/traefik/log/traefik.log
      - --accessLog.filePath=etc/traefik/log/access.log
      - --accessLog.bufferingSize=100
    
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
   
      - --api
      - --api.insecure=true
      - --entrypoints.dashboard.address=:8888
          
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443

      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
      ##test
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.email=${CF_API_EMAIL}
      - --certificatesresolvers.myresolver.acme.storage=acme.json   
    ports:
      - 80:80
      - 443:443
      - 8888:8888
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/acme.json:/acme.json    
      - ./traefik/:/etc/traefik/log/
    labels:
      traefik.enable: true
      
      # middleware redirect
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
      
      # global redirect to https
      traefik.http.routers.redirs.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.redirs.entrypoints: web
      traefik.http.routers.redirs.middlewares: redirect-to-https
      
      # Dashboard
      traefik.http.routers.traefik.rule: Host(`traefik.mydomain.com`)
      traefik.http.routers.traefik.entrypoints: dashboard
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.middlewares: auth
      traefik.http.middlewares.auth.basicauth.users: user:$$apr1$$gnc3F4mv$$VNr.mLwolbwUF6vYVzPVs0
      
      
  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant:latest
    volumes:
      - "./HA/:/config"
      - /etc/localtime:/etc/localtime:ro
#    ports:
#      - 8123:8123
    restart: always
    network_mode: host
    labels:
      traefik.enable: true

      traefik.http.routers.hasss.rule: Host(`ha.mydomain.com`)
      traefik.http.routers.hasss.entrypoints: websecure
      traefik.http.routers.hasss.tls.certresolver: myresolver
      traefik.http.services.hasss.loadbalancer.server.port: 8123

log:

time="2020-04-11T12:51:50Z" level=info msg="Traefik version 2.2.0 built on 2020-03-25T17:32:57Z"
time="2020-04-11T12:51:50Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"dashboard\":{\"address\":\":8888\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"etc/traefik/log/traefik.log\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"etc/traefik/log/access.log\",\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}},\"bufferingSize\":100},\"certificatesResolvers\":{\"myresolver\":{\"acme\":{\"email\":\"xxxxxx23@gmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"}}}}}"
time="2020-04-11T12:51:50Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
time="2020-04-11T12:51:50Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2020-04-11T12:51:50Z" level=debug msg="Start TCP Server" entryPointName=dashboard
time="2020-04-11T12:51:50Z" level=debug msg="Start TCP Server" entryPointName=web
time="2020-04-11T12:51:50Z" level=debug msg="Start TCP Server" entryPointName=websecure
time="2020-04-11T12:51:50Z" level=debug msg="Start TCP Server" entryPointName=traefik
time="2020-04-11T12:51:50Z" level=info msg="Starting provider *acme.Provider {\"email\":\"xxxxxx23@gmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"myresolver\",\"store\":{},\"ChallengeStore\":{}}"
time="2020-04-11T12:51:50Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme
time="2020-04-11T12:51:50Z" level=info msg="Starting provider *traefik.Provider {}"
time="2020-04-11T12:51:50Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2020-04-11T12:51:50Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
time="2020-04-11T12:51:50Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/[^:\\\\/]+(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}}}},\"tcp\":{},\"tls\":{}}" providerName=internal
time="2020-04-11T12:51:50Z" level=debug msg="Adding certificate for domain(s) ha.xxxxxx23.com"
time="2020-04-11T12:51:50Z" level=debug msg="No default certificate, generating one"
time="2020-04-11T12:51:50Z" level=debug msg="Provider connection established with docker 17.09.1-ce (API 1.32)" providerName=docker
time="2020-04-11T12:51:50Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"hasss\":{\"entryPoints\":[\"websecure\"],\"service\":\"hasss\",\"rule\":\"Host(`ha.xxxxxx23.com`)\",\"tls\":{\"certResolver\":\"myresolver\"}}},\"services\":{\"hasss\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://127.0.0.1:8123\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2020-04-11T12:51:52Z" level=debug msg="Adding certificate for domain(s) ha.xxxxxx23.com"
time="2020-04-11T12:51:52Z" level=debug msg="No default certificate, generating one"
time="2020-04-11T12:51:54Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2020-04-11T12:51:54Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
time="2020-04-11T12:51:54Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix
time="2020-04-11T12:51:54Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal
time="2020-04-11T12:51:54Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareType=RedirectRegex middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:54Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$ to ${1}/dashboard/" routerName=dashboard@internal middlewareType=RedirectRegex middlewareName=dashboard_redirect@internal entryPointName=traefik
time="2020-04-11T12:51:54Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:54Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-04-11T12:51:54Z" level=debug msg="Adding certificate for domain(s) ha.xxxxxx23.com"
time="2020-04-11T12:51:54Z" level=debug msg="No default certificate, generating one"
time="2020-04-11T12:51:57Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2020-04-11T12:51:57Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik
time="2020-04-11T12:51:57Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal entryPointName=traefik
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:57Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:57Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" serviceName=hasss entryPointName=websecure routerName=hasss@docker middlewareName=pipelining middlewareType=Pipelining
time="2020-04-11T12:51:57Z" level=debug msg="Creating load-balancer" routerName=hasss@docker serviceName=hasss entryPointName=websecure
time="2020-04-11T12:51:57Z" level=debug msg="Creating server 0 http://127.0.0.1:8123" serviceName=hasss entryPointName=websecure routerName=hasss@docker serverName=0
time="2020-04-11T12:51:57Z" level=debug msg="Added outgoing tracing middleware hasss" middlewareType=TracingForwarder entryPointName=websecure routerName=hasss@docker middlewareName=tracing
time="2020-04-11T12:51:57Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-04-11T12:51:57Z" level=debug msg="Try to challenge certificate for domain [ha.xxxxxx23.com] found in HostSNI rule" rule="Host(`ha.xxxxxx23.com`)" providerName=myresolver.acme routerName=hasss@docker
time="2020-04-11T12:51:57Z" level=debug msg="Looking for provided certificate(s) to validate [\"ha.xxxxxx23.com\"]..." providerName=myresolver.acme routerName=hasss@docker rule="Host(`ha.xxxxxx23.com`)"
time="2020-04-11T12:51:57Z" level=debug msg="No ACME certificate generation required for domains [\"ha.xxxxxx23.com\"]." rule="Host(`ha.xxxxxx23.com`)" providerName=myresolver.acme routerName=hasss@docker
time="2020-04-11T13:00:42Z" level=debug msg="Error while Peeking first byte: read tcp 172.29.24.2:8888->192.168.1.213:44470: read: connection reset by peer"


``
2 
version: '3.7'

services:

  traefik:
    image: traefik:v2.2.0
    container_name: traefik
    command:
      - --log.level=INFO
      - --log.filePath=etc/traefik/log/traefik.log
      - --accessLog.filePath=etc/traefik/log/access.log
      - --accessLog.bufferingSize=100
    
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
   
      - --api
      - --api.insecure=true
      
      - --entrypoints.traefik.address=:8888

      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https

      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certresolver=myresolver

      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.email=${CF_API_EMAIL}
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.storage=acme.json   
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
    ports:
      - 80:80
      - 443:443
      - 8888:8888
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/acme.json:/acme.json    
      - ./traefik/:/etc/traefik/log/
    labels:
      traefik.enable: true

      # Dashboard
      traefik.http.routers.traefik.rule: Host(`traefik.mydomain.com`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.middlewares: auth

      traefik.http.middlewares.auth.basicauth.users: user:$$apr1$$gnc3F4mv$$VNr.mLwolbwUF6vYVzPVs0
      
  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant:latest
    volumes:
      - './HA/:/config'
      - /etc/localtime:/etc/localtime:ro
    restart: always
    labels:
      traefik.enable: true

      traefik.http.routers.hasss.rule: Host(`ha.mydomain.com`)
      traefik.http.routers.hasss.entrypoints: websecure

      traefik.http.services.hasss.loadbalancer.server.port: 8123
3

Thanks @ldez

Traefik dashboard open on
http://192.168.1.112:8888/dashboard/#/

HA usually open with http://192.168.1.112:8123
but currently it is not.

Also check from same network ,
None of below connecting:
https://traefik.mydomain.com

http://traefik.mydomain.com

http://ha.mydomain.com

https://ha.mydomain.com

getting ERR_TOO_MANY_REDIRECTS

On access.log i do see many attempts (although i hit it once):

#this is my cellphone (outside the lan)
1.101.22.142 - - [11/Apr/2020:14:08:39 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 957 "web-to-websecure@internal" "-" 0ms
192.168.1.130 - - [11/Apr/2020:14:08:39 +0000] "GET /api/overview HTTP/1.1" 200 435 "-" "-" 958 "api@internal" "-" 0ms
141.101.22.142 - - [11/Apr/2020:14:08:39 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 959 "web-to-websecure@internal" "-" 0ms
141.101.22.142 - - [11/Apr/2020:14:08:39 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 960 "web-to-websecure@internal" "-" 0ms
141.101.22.142 - - [11/Apr/2020:14:08:40 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 961 "web-to-websecure@inter

log:

time="2020-04-11T13:46:44Z" level=info msg="Traefik version 2.2.0 built on 2020-03-25T17:32:57Z"
time="2020-04-11T13:46:44Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
time="2020-04-11T13:46:44Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2020-04-11T13:46:44Z" level=info msg="Starting provider *acme.Provider {\"email\":\"mydomain@gmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"myresolver\",\"store\":{},\"ChallengeStore\":{}}"
time="2020-04-11T13:46:44Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme
time="2020-04-11T13:46:44Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2020-04-11T13:46:44Z" level=info msg="Starting provider *traefik.Provider {}"

acme.json was generated with certificates for
ha.mydomain.com and traefik.mydomain.com

4

@ldez ,

wooo hooo .... Got progress:)

so if anyone face situation with "ERR_TOO_MANY_REDIRECTS" --> it
coming actually from CF and not traefik.
it required to change the SSL/TLS setting from "Flexible"
which coming as default setting and encrypts traffic between the browser and CF,
to --> "Full" which encrypts end-to-end, using a self signed certificate on the server.

Now i'm to longing with :
https://traefik.mydomain.com

http://traefik.mydomain.com

http://ha.mydomain.com

https://ha.mydomain.com

Can i also configure traefik so i be able to login to HA
with host-ip:8123 ?

I map a non-docker application which access from http://192.168.1.112:8089,
I tried adding the traefik labels but didn't work:

      #qnap
#      traefik.http.routers.qnap.rule: Host(`qnap.mydoamin.com`)
#      traefik.http.routers.qnap.entrypoints: websecure
#      traefik.http.services.qnap.loadbalancer.server.port: 8089

The only option i manage to get it work is by adding dynamic.yaml which as I understand from u - less recommend as it breaks the dynamic approach ,

http:
  routers:
    service-router:
      entryPoints:
        - websecure
      service: service-qnap
      rule: Host(`qnap.mydomain.com`)
      tls:
        certResolver: myresolver
  services:
    service-qnap:
      loadBalancer:
        servers:
          - url: "http://192.168.1.112:8089"

is there a way adding/mapping a non-docker application to traefik without a separate file?

Thanks a lot @ldez - u are a saver!

5

Have some issue with this configuration ,
now when im connecting to HA (internally from some network)
I can't use any of host-ip but the dns names ,
it means that i go out the internet and go back my server.

Is it possible to keep this configuration but allow some internal IP to access the HA?

6

Anybody can assist with it please?

Is there an option to access HA also with localhost:8123
(when I connect from same network)?