I am trying to setup a reverse proxy that takes my home services and routes them to a website I own. However it is not letting me get into the dashboard after I add more ports and configuration. When I run docker logs traefik it gives me no errors. docker-compose.yml - version: '3'
services:
reverse-proxy:
image: traefik:v2.10
# Enables the web UI and tells Traefik to listen to docker
command: --api.insecure=true --providers.docker
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
# The HTTP port
- "80:80"
# The HTTPS port
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8081:8080"
environment:
- CF_API_EMAIL=my email
- CF_API_KEY=my key
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
- /etc/localtime:/etc/localtime:ro
- /home/dietpi/docker/traefik/data/traefik.yml:/traefik.yml:ro
- /home/dietpi/docker/traefik/data/acme.json:/acme.json
- /home/dietpi/docker/traefik/data/config.yml:/config.yml:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(traefik.silvsam.com)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=dietpi:Cofland#!"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(traefik.silvsam.com)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=silvsam.com"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.silvsam.com"
- "traefik.http.routers.traefik-secure.service=api@internal"
networks:
proxy:
external: true
traefik.yml -
api:
dashboard: true
debug: true
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /config.yml
certificatesResolvers:
cloudflare:
acme:
email: my email
storage: acme.json
dnsChallenge:
provider: cloudflare
disablePropagationCheck: true
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
config.yml -
http:
routers:
nginx:
entryPoints:
- "https"
rule: "Host(nginx.silvsam.com)"
middlewares:
- default-headers
- https-redirectscheme
service: nginx
services:
nginx:
loadBalancer:
servers:
- url: "https://10.16.0.26:8080"
passHostHeader: true
middlewares:
https-redirectscheme:
redirectScheme:
scheme: https
permanent: true
default-headers:
headers:
frameDeny: true
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https
Please format your code using 3 backticks before and after or using the </> button on selected text. Especially in yaml format every space matters.
docker-compose.yml -
version: '3'
services:
reverse-proxy:
image: traefik:v2.10
# Enables the web UI and tells Traefik to listen to docker
command: --api.insecure=true --providers.docker
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
# The HTTP port
- "80:80"
# The HTTPS port
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8081:8080"
environment:
- CF_API_EMAIL=my email
- CF_API_KEY=my key
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
- /etc/localtime:/etc/localtime:ro
- /home/dietpi/docker/traefik/data/traefik.yml:/traefik.yml:ro
- /home/dietpi/docker/traefik/data/acme.json:/acme.json
- /home/dietpi/docker/traefik/data/config.yml:/config.yml:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.silvsam.com`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=dietpi:Cofland#!"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.silvsam.com`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=silvsam.com"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.silvsam.com"
- "traefik.http.routers.traefik-secure.service=api@internal"
networks:
proxy:
external: true
config.yml -
http:
routers:
nginx:
entryPoints:
- "https"
rule: "Host(`nginx.silvsam.com`)"
middlewares:
- default-headers
- https-redirectscheme
service: nginx
services:
nginx:
loadBalancer:
servers:
- url: "https://10.16.0.26:8080"
passHostHeader: true
middlewares:
https-redirectscheme:
redirectScheme:
scheme: https
permanent: true
default-headers:
headers:
frameDeny: true
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https
traefik.yml -
api:
dashboard: true
debug: true
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /config.yml
certificatesResolvers:
cloudflare:
acme:
email: my email
storage: acme.json
dnsChallenge:
provider: cloudflare
disablePropagationCheck: true
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
You can't use traefik.yml and command for Traefik static config at the same time.
I fixed the problem, I completely changed my docker compose file traefik: container_name: traefik image: traefik:2.7 command: # CLI arguments - --global.checkNewVersion=true - --global.sendAnonymousUsage=true - --entryPoints.http.address=:80 - --entryPoints.https.address=:443 # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/ - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22 - --api=true - --serversTransport.insecureSkipVerify=true - --log=true - --log.filePath=/logs/traefik.log - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC - --accessLog=true - --accessLog.filePath=/logs/access.log - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines - --accessLog.filters.statusCodes=204-299,400-499,500-599 - --providers.docker=true - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security # - --providers.docker.endpoint=tcp://socket-proxy:2375 # Use this instead of the previous line if you have socket proxy. - --providers.docker.exposedByDefault=false - --entrypoints.https.http.tls.options=tls-opts@file - --entrypoints.https.http.tls=true # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services - --entrypoints.https.http.tls.certresolver=dns-cloudflare - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME2 # Pulls main cert for second domain # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME2 # Pulls wildcard cert for second domain - --providers.docker.network=t2_proxy - --providers.docker.swarmMode=false - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file - --providers.file.watch=true # Only works on top level files in the rules folder # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53 - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate # networks: # t2_proxy: # ipv4_address: 10.16.0.26 # You can specify a static IP ports: - target: 80 published: 80 protocol: tcp mode: host - target: 443 published: 443 protocol: tcp mode: host environment: - CF_API_EMAIL=$CLOUDFLARE_EMAIL - CF_API_KEY=$CLOUDFLARE_API_KEY - DOMAINNAME_CLOUD_SERVER # Passing the domain name to the traefik container to be able to use the variable in rules. volumes: - $DOCKERDIR/traefik2/rules/cloudserver:/rules # file provider directory - /var/run/docker.sock:/var/run/docker.sock:ro # If you use Docker Socket Proxy, comment this line out - $DOCKERDIR/traefik2/acme/acme.json:/acme.json # cert location - you must create this empty file and change permissions to 600 - $DOCKERDIR/logs/cloudserver/traefik:/logs # for fail2ban or crowdsec # - $DOCKERDIR/shared:/shared labels: - "traefik.enable=true" # HTTP Routers - "traefik.http.routers.traefik-rtr.entrypoints=https" - "traefik.http.routers.traefik-rtr.rule=Host(traefik.$DOMAINNAME_CLOUD_SERVER)" - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER" - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER" ## Services - API - "traefik.http.routers.traefik-rtr.service=api@internal" - "traefik.http.routers.traggo-laptop-svc=api@internal" - "traefik.http.routers.nginx-rpi-svc=api@internal" - "traefik.http.routers.nginx-laptop-svc=api@internal" ## Middlewares - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file"
sorry formatted it wrong
traefik:
container_name: traefik
image: traefik:2.7
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
- --api=true
- --serversTransport.insecureSkipVerify=true
- --log=true
- --log.filePath=/logs/traefik.log
- --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/logs/access.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=204-299,400-499,500-599
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
# - --providers.docker.endpoint=tcp://socket-proxy:2375 # Use this instead of the previous line if you have socket proxy.
- --providers.docker.exposedByDefault=false
- --entrypoints.https.http.tls.options=tls-opts@file
- --entrypoints.https.http.tls=true
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.https.http.tls.certresolver=dns-cloudflare
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER
# - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME2 # Pulls main cert for second domain
# - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME2 # Pulls wildcard cert for second domain
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
# networks:
# t2_proxy:
# ipv4_address: 10.16.0.26 # You can specify a static IP
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
environment:
- CF_API_EMAIL=$CLOUDFLARE_EMAIL
- CF_API_KEY=$CLOUDFLARE_API_KEY
- DOMAINNAME_CLOUD_SERVER # Passing the domain name to the traefik container to be able to use the variable in rules.
volumes:
- $DOCKERDIR/traefik2/rules/cloudserver:/rules # file provider directory
- /var/run/docker.sock:/var/run/docker.sock:ro # If you use Docker Socket Proxy, comment this line out
- $DOCKERDIR/traefik2/acme/acme.json:/acme.json # cert location - you must create this empty file and change permissions to 600
- $DOCKERDIR/logs/cloudserver/traefik:/logs # for fail2ban or crowdsec
# - $DOCKERDIR/shared:/shared
labels:
- "traefik.enable=true"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
- "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
# - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
## Services - API
- "traefik.http.routers.traefik-rtr.service=api@internal"
- "traefik.http.routers.traggo-laptop-svc=api@internal"
- "traefik.http.routers.nginx-rpi-svc=api@internal"
- "traefik.http.routers.nginx-laptop-svc=api@internal"
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file"
I assume you still can’t access your dashboard? Do you load a custom TLS cert for it? If you want to use LetsEncrypt, you need to assign the certresolver to the router instead of just tls=true.
Yes, I cannot access my dashboard I got rid of it. I tried to access it before, I ended up getting it working, but then randomly it stopped working and gave me the error too many redirects. However I do not need the dashboard so that is why I got rid of it. When the dashboard was working the certificate shown in my browser showed let's encrypt. Now however when I look at the cert it says google ca certificate. Also I did assign the certresolver to the router.
I think with this you overwrite the defaults from entrypoints, try removing it.
When I remove that it still shows the certificate as -
Common Name (CN) GTS CA 1P5
Organization (O) Google Trust Services LLC
It still says that the certificate is valid and everything works, so is it anything I need to worry about?