Traefik config.yml problems

Hi there
This is my first time setting up traefik. After following TechnoTim's tutorial on how to set it up (https://www.youtube.com/watch?v=n1vOfdz5Nm8), I got it mostly working. All of my local docker services work perfectly with valid SSL certs, but anything not hosted in docker on the machine doesn't work. These services show up in the traefik dashboard, but when I try to go to the domain address I have set up for them it doesn't work.

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Check simple Traefik example.

Here is my docker compose file.

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443/tcp
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

secrets:
  cf_api_token:
    file: ./cf_api_token.txt

networks:
  proxy:
    external: true

My config.yml file

http:
 #region routers 
  routers:
    proxmox:
      entryPoints:
        - "https"
      rule: "Host(`proxmox.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: proxmox
    jellyfin:
      entryPoints:
        - "http"
      rule: "Host(`jellyfin.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: jellyfin
    router:
      entryPoints:
        - "http"
      rule: "Host(`router.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: router
    mybook:
      entryPoints:
        - "http"
      rule: "Host(`mybook.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: mybook
    switch:
      entryPoints:
        - "https"
      rule: "Host(`switch.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: switch
  
#endregion
#region services
  services:
    proxmox:
      loadBalancer:
        servers:
          - url: "https://192.168.10.15:8006"
        passHostHeader: true
    jellyfin:
      loadBalancer:
        servers:
          - url: "http://192.168.10.18:8096"
        passHostHeader: true
    router:
      loadBalancer:
        servers:
          - url: "http://192.168.10.1"
        passHostHeader: true
    mybook:
      loadBalancer:
        servers:
          - url: "http://192.168.10.16"
        passHostHeader: true
    switch:
      loadBalancer:
        servers:
          - url: "http://192.168.10.2"
        passHostHeader: true
#endregion
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    default-whitelist:
      ipAllowList:
        sourceRange:
        - "192.168.10.0/24"

    secured:
      chain:
        middlewares:
        - default-whitelist
        - default-headers

and traefik.yml file

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: example@gmail.com
      storage: acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through Cloudflare; setting this flag to true disables waiting for the TXT record to propagate to all authoritative name servers
        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed, to ensure the TXT record is ready before verification is attempted
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

I assume you want to use the Traefik LE certresolver; then you need to assign it globally on the entrypoint (see my example above) or assign it to every router. Simple tls=true only activates manually loaded TLS certs, not certs via certresolver.

Sorry, I'm a little confused. Do I need to change the tls=true line in my docker compose file, or am I being a little stupid?

You need to assign a certresolver:

like you did with labels.

Do I have to add it to the entry points in the traefik.yml file, the config.yml file, or both? Sorry if I'm being frustrating; I just don't fully understand all of this and the documentation makes my head spin.

When you add it to the entrypoint, then you only need to do it once. Check simple Traefik example.

Traefik uses static config (entrypoints, certresolvers, etc.) via traefik.yml or command, and dynamic config (router, middleware, service, tls) via a dynamic config file or labels, loaded by the providers defined in the static config.
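Putting the two replies above together, as an added example that is not from the thread: the certresolver is assigned once on the https entrypoint in the static config, so every router in the dynamic config only needs `tls: {}` and must sit on the https entrypoint rather than http. The names `cloudflare`, `https`, the proxmox backend and the `default-headers` middleware are taken from the configs posted above; everything else is assumed.

```yaml
# traefik.yml (static config): assign the certresolver once, on the entrypoint.
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare        # must match certificatesResolvers.cloudflare below
        domains:
          - main: "local.example.com"
            sans:
              - "*.local.example.com"   # one wildcard cert via DNS-01 covers every router

certificatesResolvers:
  cloudflare:
    acme:
      email: example@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
---
# config.yml (dynamic config, loaded by providers.file): routers inherit the
# certresolver from the entrypoint, so tls: {} is enough. The entrypoint must be
# "https": a router on "http" with tls: {} never serves TLS, port 80 is plain HTTP.
http:
  routers:
    proxmox:
      entryPoints:
        - "https"
      rule: "Host(`proxmox.local.example.com`)"
      middlewares:
        - default-headers               # defined in the dynamic config posted above
      tls: {}
      service: proxmox
  services:
    proxmox:
      loadBalancer:
        servers:
          - url: "https://192.168.10.15:8006"
        passHostHeader: true
```

The https-redirectscheme middleware is not needed on an https router, because the http entrypoint already redirects to https; the Traefik dashboard shows a router as TLS-enabled once the cert has been issued for its Host rule.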

Thank you so much. I think I finally understand what was wrong (the path to my dynamic config [config.yml] was wrong) and I understand traefik more.

I tried adding

tls: 
  certResolver: "leresolver"

to my dynamic config in place of

tls: {}

but that didn't fix the problem.

It seems your certresolver is named cloudflare, not leresolver.