So I wanted to move from npm to traefik for security reasons. I found a good online blog for an initial setup of traefik. It works, but not really, and for the love of god, I can't figure out why.
Here is my docker-compose.yml:
```yaml
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: always
    networks:
      - proxy
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/configs:/configs:ro
      - ./data/acme.json:/acme.json:rw
      - ./data/logs:/logs:rw
    environment:
      - CF_DNS_API_TOKEN=${CFAPI}
    read_only: true
    security_opt:
      - no-new-privileges=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-https.entrypoints=websecure
      - traefik.http.routers.traefik-https.rule=Host(`traefik.example.com`)
      - traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIKADMIN}
      - traefik.http.routers.traefik-https.middlewares=traefik-auth
      - traefik.http.routers.traefik-https.service=api@internal
      - traefik.http.routers.traefik-https.tls=true
      - traefik.http.routers.traefik-https.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik-https.tls.domains[0].main=example.com
      - traefik.http.routers.traefik-https.tls.domains[0].sans=*.example.com
  whoami:
    image: containous/whoami:latest
    container_name: whoami
    hostname: whoami
    restart: unless-stopped
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami-https.entrypoints=websecure
      - traefik.http.routers.whoami-https.rule=Host(`whoami.example.com`)
      #- traefik.http.routers.whoami-https.service=whoami
      - traefik.http.services.whoami-https.loadbalancer.server.port=80
      - traefik.http.routers.whoami-https.tls=true
      - traefik.http.routers.whoami-https.tls.certresolver=letsencrypt
networks:
  proxy:
    external: {}
```
And the static configuration file (traefik.yml) looks like:
```yaml
api:
  dashboard: true
  insecure: true
  debug: true
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls: {}
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)"
    network: proxy
  file:
    directory: "/configs"
    watch: true
certificatesResolvers:
  http:
    acme:
      email: cert@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: web
  letsencrypt:
    acme:
      email: cert@example.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
#serversTransport:
#  insecureSkipVerify: false
accessLog:
  filePath: "/logs/access.log"
  fields:
    headers:
      names:
        User-Agent: keep
log:
  filePath: "/logs/traefik.log"
  level: INFO
```
Now when I get the stack up and running, I can never access the following:
- traefik.example.com --> 404
- serverip:443 --> 404
- serverip:80 --> 404
- whoami.example.com --> 404
But I can access the traefik dashboard only insecurely at http://serverip:8080 because I have set insecure=true. Is there no way to reach the dashboard securely?! What am I doing wrong? I don't see any error in the log files or in the dashboard.
Now to the services themselves: when I remove the line `traefik.http.routers.whoami-https.entrypoints=websecure`, I can access both.
I simply want to reach both the traefik dashboard and my services only with websecure, but it just doesn't seem to work. I am pulling my hair out as to what traefik is doing and what I am doing wrong?
Any help is very much appreciated! Thanks!
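For reference, the Traefik-documented way to expose the dashboard only over TLS with basic auth, as an added example that is not the poster's configuration: `api.insecure` stays at its default of false, port 8080 is never published, and the dashboard is reached solely through a router on `websecure` bound to `api@internal`. Router, middleware, hostname and variable names are reused from the post above; the HTTP-to-HTTPS redirect on `web` is an assumption added here, not something the post configured.

```yaml
# traefik.yml (static configuration): dashboard on, insecure API left off.
api:
  dashboard: true
  # insecure defaults to false: nothing listens on :8080, and the API and
  # dashboard are only reachable through a router that you control.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:          # assumed addition: send plain HTTP to websecure
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls: {}
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxy
---
# docker-compose.yml, traefik service (only the parts that differ from the post)
services:
  traefik:
    ports:
      - 80:80
      - 443:443              # 8080:8080 is deliberately not published
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-https.entrypoints=websecure
      # The UI is served under /dashboard and its data under /api, so match
      # only those paths on the admin hostname.
      - traefik.http.routers.traefik-https.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      - traefik.http.routers.traefik-https.service=api@internal
      - traefik.http.routers.traefik-https.tls=true
      - traefik.http.routers.traefik-https.tls.certresolver=letsencrypt
      # TRAEFIKADMIN holds "user:bcrypt-hash" as printed by: htpasswd -nB user
      - traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIKADMIN}
      - traefik.http.routers.traefik-https.middlewares=traefik-auth
```

With this in place, a request to http://serverip:8080 is refused at the TCP level, and the dashboard answers only on https://traefik.example.com/dashboard/ after basic auth.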