Traefik and Nginx + Wordpress

Hey all. I'm pretty new to Traefik and I'm a little confused on the setup here.

I have an Unraid server running Traefik in Docker with IBRACORP's image.

So far, I have successfully set up a Home Assistant VM through Traefik and it is working beautifully.

I have been running a WordPress site through NGINX (LEMP) in an Ubuntu VM for several years with no issues, and now it would be cool to route it all through Traefik. The part I am struggling with now is how to get Traefik to provide the SSL cert for my LEMP stack instead of nginx doing it. In my nginx config for sites-available, I turned off the listen block for 443 since I don't want to specify a cert here. I also went into the WordPress config and defined the URL as "http://...". Now when I navigate to my site, I get a cert but I also get an error for serving mixed content.

Kinda at the end of my rope on this one. Not sure what I've missed or what I can change. Considering just doing a self-signed cert on nginx and setting up the 443 listen block again and seeing if Traefik will take over and provide the correct domain cert?

Thanks in advance!

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

serversTransport:
  # Disables certificate verification for HTTPS backends; harmless for the plain-http
  # nginx service below, but it means a https:// backend URL would never be verified
  insecureSkipVerify: true

entryPoints:
  http:
    address: ":80"
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use it
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 108.162.192.0/18
        - 131.0.72.0/22
        - 141.101.64.0/18
        - 162.158.0.0/15
        - 172.64.0.0/13
        - 173.245.48.0/20
        - 188.114.96.0/20
        - 190.93.240.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudflare public IP list
        - 192.168.0.0/24
        - 10.0.10.0/24
        - 172.16.0.0/24
#    http:
#      redirections:
#        entryPoint:
#          to: https
#          scheme: https

  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs: *trustedIps
#    http:
#      tls:
#        certResolver: letsencrypt
#      middlewares:
#        - securityHeaders@file

providers:
  providersThrottleDuration: 2s

  # File provider for connecting things that are outside of docker / defining middleware
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true

  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: br0.172    # Add Your Docker Network Name Here
    # Default host rule to containername.domain.example
    defaultRule: "Host(`{{ lower (trimPrefix `/` .Name )}}.redacted`)"    # Replace with your domain
    swarmModeRefreshSeconds: 15s
    exposedByDefault: false
    endpoint: "tcp://dockersocket:2375"

# Enable traefik ui
api:
  dashboard: true
  # insecure: true serves the dashboard/API unauthenticated on the internal :8080 entrypoint
  insecure: true

# Log level INFO|DEBUG|ERROR
log:
  level: INFO

# Use letsencrypt to generate ssl certificates
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@redacted
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the dns challenge is propagated to the right DNS servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

dynamic.yml

http:
  routers:
    redacted:
      entryPoints:
        - https
      rule: 'Host(`redacted`)'
      tls:
        certResolver: letsencrypt
        domains:
          - main: redacted
            sans:
              - '*.redacted'
      service: nginx
      middlewares:
        - https-redirect
        - securityHeaders

  services:
    nginx:
      loadBalancer:
        servers:
          - url: http://192.168.0.26:80

  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https

    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true

You need to define the WordPress URL as https, as that is what the browser should use.

For TLS check simple Traefik example.

I've actually read through your GitHub several times in my struggles.

So when you say define the WordPress URL as HTTPS, do you mean the service in my dynamic config or in my wp-options? I had initially set the wp-options to be https:// but I was getting a million redirects until it failed with too many redirects.

If I comment these out, it goes back to https

This is one of the headers in the redirect spam I get.

It has to be https in WP options. WP should recognize a http header that the original request was https.

Maybe nginx doesn’t trust the X-Forwarded-Proto: https http header and removes it. Can you remove nginx, do you still need it?

nginx is just used to serve the wordpress websites. This is my nginx config for the site:

server {
    listen 80;
    listen [::]:80;
    server_name www.redacted.com;
    # Redirects to plain http; behind a TLS-terminating proxy this bounces a https
    # visitor back to http, so the target should be https://redacted.com$request_uri
    return 301 http://redacted.com$request_uri;
}
server {
    listen 80;
    listen [::]:80;
    root /var/www/redacted;
    index index.php index.html index.htm;
    server_name redacted.com;
    location / {
        # '?$args' is needed so query strings reach index.php (original had '$args')
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
}

I don’t know any nginx config.

All I can tell you is that Wordpress will respond with redirects to the browser client until the WP configured URL is matching the request (with the use of headers).

We simply use the Wordpress image (link) and placed Traefik in front. We do use the image just for the setup (web server, PHP, extensions, etc) and mount our own Wordpress folder into it.

Hrrm, makes sense. Maybe it's time I just move off this Ubuntu VM and put it all in Docker. Thanks for all the help!

Figured it out!!!

  • Set the Traefik connection to the server (service) as http
  • Set the nginx site config file to listen only on port 80
  • Set the WordPress site config (wp-config.php) to the following:
    define('WP_SITEURL', 'https://domain.com');
    define('WP_HOME', 'https://domain.com');

    /** Fix for SSL behind proxy **/
    $parsedUrl = parse_url(WP_HOME);
    $scheme = $parsedUrl['scheme'];
    if ($scheme == 'https') {$_SERVER['HTTPS'] = 'on';}
    else {$_SERVER['HTTPS'] = 'off';}
  • Alternatively, use the SSL Insecure Content Fixer WordPress plugin
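An added example (my code, not from this thread or from the Traefik/WordPress projects): a variant of the wp-config.php fix above that sets $_SERVER['HTTPS'] from the X-Forwarded-Proto header Traefik sends, but only when the request actually arrived from the proxy. It assumes Traefik sits in the 192.168.0.0/24 range listed as trusted in the posted traefik.yml, that domain.com is a placeholder, and uses a small ipv4_in_cidr helper I wrote here.

```php
<?php
// Goes in wp-config.php before wp-settings.php is required.
// Deriving HTTPS from WP_HOME (the posted fix) works but ignores the real request;
// honouring X-Forwarded-Proto from the trusted proxy range keeps WordPress'
// redirect logic correct without letting a direct client spoof the scheme.
define('WP_HOME',    'https://domain.com');   // placeholder, as in the thread
define('WP_SITEURL', 'https://domain.com');

// Assumption: the subnet Traefik lives in (from the trustedIPs list above).
$trustedProxies = ['192.168.0.0/24'];

// IPv4-only CIDR membership check (helper written for this example).
function ipv4_in_cidr(string $ip, string $cidr): bool {
    $parts  = explode('/', $cidr, 2);
    $subnet = $parts[0];
    $bits   = (int)($parts[1] ?? 32);
    $ipLong = ip2long($ip);
    $subLong = ip2long($subnet);
    if ($ipLong === false || $subLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subLong & $mask);
}

// REMOTE_ADDR as seen by nginx/PHP-FPM is the proxy's address, not the browser's.
$fromProxy = false;
foreach ($trustedProxies as $cidr) {
    if (ipv4_in_cidr($_SERVER['REMOTE_ADDR'] ?? '', $cidr)) {
        $fromProxy = true;
        break;
    }
}

// Only a request that came through Traefik may claim to be https.
$forwardedProto = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '');
if ($fromProxy && $forwardedProto === 'https') {
    $_SERVER['HTTPS'] = 'on';
} else {
    unset($_SERVER['HTTPS']);
}
```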
