Greetings all,
Using Traefik 2.1.1
I'm really struggling with Traefik 2.x (or maybe life in general ;-)) and the syntax for TOML, YAML and CLI configurations.
Issues:
#1 . I'm uncertain when to use '" when specifying domains in the various configuration. I believe
in the YAML file in the labels and CLI section. ' in TOML is that correct?
#2 . Output not being written to all log files - traefikaccess.log works but traefik.log does not. Identical configuration yields different results. I have also tried moving traefik.log into the [log] section
#3 . LetsEncrypt not generating certificates for the host or other docker containers. Self-generated certificates do get served.
Configuration as below. Any guidance or a complete TOML working example would be greatly appreciated.
traefik-forum.yml file
version: '3.3'
services:
  traefik:
    image: traefik:v2.1.1
    container_name: my_traefik-monitor
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    environment:
      - TZ=Australia/Brisbane
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/nas/docker/compose/traefik/traefik.toml:/traefik.toml:ro
      - /mnt/nas/logs/traefik:/logs
      - /mnt/nas/letsencrypt/acme.json:/letsencrypt/acme.json:rw
    labels:
      # Global settings
      - "traefik.enable=true"
      #- "traefik.log.filepath=/logs/traefik.log"
      #- "traefik.log.level=DEBUG"
      #http router
      #- "traefik.http.routers.traefik.entrypoints=http"
      #- "traefik.http.routers.traefik.rule=Host(`monitor.mydomain.com`)"
      # - "traefik.http.middlewares.traefik-auth.basicauth.users=traefikadmin:$$2y$$05$$AAHlxk8PZExh/FilidNtF.YLpLYrJYZutxhDs8s30lCIClhOJINYi"
      # - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      # - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      # - traefik.http.routers.traefik.service=api@internal
      # - "traefik.http.routers.traefik-secure.entrypoints=https"
      # - "traefik.http.routers.traefik-secure.rule=Host(`monitor.mydomain.com`)"
      # - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      # - "traefik.http.routers.traefik-secure.tls=true"
      # - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      # - "traefik.http.routers.traefik-secure.service=api@internal"
      #- "traefik.http.services.loadbalancer.server.port=443"
networks:
  proxy:
    external: true
Toml File:
[global]
checkNewVersion=true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[api]
dashboard = true
debug = true
insecure=true
#[retry]
[log]
level = "DEBUG"
[traefiklog]
filePath="/logs/traefik.log"
format="json"
[accesslog]
filePath="/logs/traefikaccess.log"
format="json"
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"ClientUsername" = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
exposedByDefault=false
network="proxy"
[http.routers]
[http.routers.api]
rule = "Host('monitor.mydomain.com')"
entrypoints = ["dashboard"]
service = "api@internal"
[http.routers.api.tls]
certResolver = "letsencrypt"
[[http.routers.api.tls.domains]]
main = "monitor.mydomain.com"
[http.routers.traefik]
entryPoints = ['http']
rule = "Host('monitor.mydomain.com')"
middlewares = ["traefik-https-redirect"]
service = "traefik"
[http.routers.traefik.tls]
certResolver = "letsencrypt"
[[http.routers.traefik.tls.domains]]
main = "mydomain.com" # have tried also monitor.mydom.com
sans = ["taps.mydomain.com","pipes.mydomain.com", "monitor.mydomain.com", "portainer.mydomain.com", "storm.mydomain.com","cloud.mydomain.com","pump.mydomain.com"]
[http.routers.traefik-secure]
entryPoints = ['https']
rule = "Host('monitor.mydomain.com')"
middlewares = ["traefik-basic-auth"]
service = "traefik"
[http.routers.traefik-secure.tls]
certResolver = "letsencrypt"
[[http.routers.traefik-secure.tls.domains]]
main = "mydomain.com"
sans = ["taps.mydomain.com","pipes.mydomain.com", "monitor.mydomain.com", "portainer.mydomain.com", "storm.mydomain.com","cloud.mydomain.com"]
[http.middlewares]
[http.middlewares.traefik-basic-auth]
users = ["traefikadmin:$$2y$$05$$AAHlxk8PZExh/FilidNtF.YLpLYrJYZutxhDs8s30lCIClhOJINYi"]
[http.middlewares.traefik-https-redirect.redirectScheme]
scheme = "https"
permanent = "true"
#[certificatesResolvers]
# [certificatesResolvers.letsencrypt]
[certificatesResolvers.letsencrypt.acme]
email = "mydomain@protonmail.com"
storage = "/letsencrypt/acme.json"
[certificateResolvers.letsencrypt.acme.tlsChallenge]
entryPoint = "http"
ldez
January 18, 2020, 11:46am
2
Hello,
In v2, the dynamic configuration and the static configuration must be defined in separate files:
Files:
docker-compose.yml
version: '3.3'
services:
  traefik:
    image: traefik:v2.1.1
    container_name: my_traefik-monitor
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    environment:
      - TZ=Australia/Brisbane
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/nas/docker/compose/traefik/traefik.toml:/traefik.toml:ro
      - /mnt/nas/docker/compose/traefik/config/:/config
      - /mnt/nas/logs/traefik:/logs
      - /mnt/nas/letsencrypt/acme.json:/letsencrypt/acme.json:rw
    labels:
      traefik.enable: true
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: http
      traefik.http.routers.http-catchall.middlewares: redirect-to-https@file
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
networks:
  proxy:
    external: true
traefik.toml
[global]
checkNewVersion = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[api]
dashboard = true
insecure = false
[log]
level = "INFO"
filePath = "/logs/traefik.log"
format = "json"
[accessLog]
filePath="/logs/traefikaccess.log"
format="json"
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"ClientUsername" = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = false
network = "proxy"
[providers.file]
directory = "/config"
wathc = true
[certificatesResolvers.letsencrypt.acme]
email = "mydomain@protonmail.com"
storage = "/letsencrypt/acme.json"
[certificatesResolvers.letsencrypt.acme.tlsChallenge]
/config/dyn.toml
[http.routers]
[http.routers.api]
rule = "Host(`monitor.mydomain.com`)"
entrypoints = ["https"]
service = "api@internal"
middlewares = ["traefik-basic-auth"]
[http.routers.api.tls]
certResolver = "letsencrypt"
[[http.routers.api.tls.domains]]
main = "monitor.mydomain.com"
sans = ["taps.mydomain.com","pipes.mydomain.com", "monitor.mydomain.com", "portainer.mydomain.com", "storm.mydomain.com","cloud.mydomain.com","pump.mydomain.com"]
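[http.middlewares]
# basicAuth is the middleware type; in a file the hash takes single $ signs
# (doubling to $$ is only needed inside docker-compose.yml)
[http.middlewares.traefik-basic-auth.basicAuth]
users = ["traefikadmin:$2y$05$AAHlxk8PZExh/FilidNtF.YLpLYrJYZutxhDs8s30lCIClhOJINYi"]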
[http.middlewares.redirect-to-https.redirectScheme]
scheme = "https"
permanent = "true"
Take a look at "Backticks or Quotes?" https://docs.traefik.io/v2.1/routing/routers/#rule
Recommend reads:
Thanks for the effort in time in responding and providing the reading list. It's much appreciated.
After trying your suggestion, there are no log files generated nor are any of the containers appearing on the dashboard.
Within the traefik.toml file I switched DEBUG back on
[log]
level = "DEBUG"
filePath = "/logs/traefik.log"
format = "json"
and fixed up a typo and explicitly named the dynamic configurations file.
[providers.file]
directory = "/config"
filename = "dyn.toml"
watch = true
In the docker-compose YAML file no changes were made
I would have expected to see some type of output from
docker logs container_name
Though see nothing.
Happy to take any suggestions.
ldez
January 19, 2020, 10:48am
4
You cannot use filename and directory at the same time. I recommend using directory.
In your first post, there were some errors and typos, I did not list them all, so I advise you to take my files.
The following example works for me (cert + logs + ...):
docker-compose.yml
version: '3.3'
services:
  traefik:
    image: traefik:v2.1.2
    container_name: my_traefik-monitor
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    environment:
      - TZ=Australia/Brisbane
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/nas/docker/compose/traefik/traefik.toml:/traefik.toml:ro
      - /mnt/nas/docker/compose/traefik/config/:/config
      - /mnt/nas/logs/traefik/:/logs
      - /mnt/nas/letsencrypt/:/letsencrypt/
    labels:
      traefik.enable: true
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: http
      traefik.http.routers.http-catchall.middlewares: redirect-to-https
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
      traefik.http.middlewares.redirect-to-https.redirectscheme.permanent: true
networks:
  proxy:
    external: true
/mnt/nas/docker/compose/traefik/traefik.toml
[global]
checkNewVersion = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[api]
dashboard = true
insecure = false
[log]
level = "DEBUG"
filePath = "/logs/traefik.log"
format = "json"
[accessLog]
filePath="/logs/traefikaccess.log"
format="json"
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"ClientUsername" = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
[providers.docker]
exposedByDefault = false
network = "proxy"
[providers.file]
directory = "/config"
watch = true
[certificatesResolvers.letsencrypt.acme]
email = "mydomain@protonmail.com"
storage = "/letsencrypt/acme.json"
[certificatesResolvers.letsencrypt.acme.tlsChallenge]
/mnt/nas/docker/compose/traefik/config/dyn.toml
[http.routers]
[http.routers.api]
rule = "Host(`monitor.mydomain.com`)"
entryPoints = ["https"]
service = "api@internal"
middlewares = ["traefik-basic-auth"]
[http.routers.api.tls]
certResolver = "letsencrypt"
[[http.routers.api.tls.domains]]
main = "monitor.mydomain.com"
sans = ["taps.mydomain.com","pipes.mydomain.com", "monitor.mydomain.com", "portainer.mydomain.com", "storm.mydomain.com","cloud.mydomain.com","pump.mydomain.com"]
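[http.middlewares]
# basicAuth is the middleware type; in a file the hash takes single $ signs
# (doubling to $$ is only needed inside docker-compose.yml)
[http.middlewares.traefik-basic-auth.basicAuth]
users = ["traefikadmin:$2y$05$AAHlxk8PZExh/FilidNtF.YLpLYrJYZutxhDs8s30lCIClhOJINYi"]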
Could you verify that the following paths are directories (not files):
/mnt/nas/docker/compose/traefik/
/mnt/nas/docker/compose/traefik/config/
/mnt/nas/logs/traefik/
/mnt/nas/letsencrypt/
Thanks for the continued support.
In relation to your question, the paths are directories.
I tried your files verbatim and unfortunately could not get the desired result.
If I use labels as below, traefik loads, and correctly grabs LetsEncrypt certificates. The conflict seems to be in the TOML file (again I defer to you around the syntax and correctness of the labels). My entire journey started when I was trying to obtain debug output into a log file to troubleshoot a container issue. To date, I'm yet to see output to a traefik log file from label, YAML or TOML.
Is there any issue if there are multiple yml, toml files in the folder where docker-compose is instantiated from?
version: '3'
services:
  traefik:
    image: traefik:v2.1.1
    container_name: my_traefik-monitor
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    environment:
      - TZ=Australia/Brisbane
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/nas/config/traefik/traefik.yml:/traefik.yml:ro
      #- /mnt/nas/config/traefik/traefik.toml:/traefik.toml
      - /mnt/nas/config/traefik/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`monitor.mydomain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=traefikadmin:$$2y$$05$$AAHlxk8PZExh/FilidNtF.YLpLYrJYZutxhDs8s30lCIClhOJINYi"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - traefik.http.routers.traefik.service=api@internal
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`monitor.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # - "traefik.http.services.loadbalancer.server.port=443"
networks:
  proxy:
    external: true
traefik.yml configuration file
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: myemail@protonmail.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
Working dashboard from labels
ldez
January 19, 2020, 2:12pm
6
The static configuration (traefik.yml or traefik.toml) can only be defined in one file.
The dynamic configuration (routers, middlewares, services) must be defined in a separate file, and I recommend using a separate folder (like in my example).
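The points raised in the replies above (static and dynamic configuration kept in separate files, backticks rather than single quotes in rules, `filename` and `directory` not set together, and `insecure = false` for the API) can be checked before the container is started. The Python sketch below is an added example, not part of the thread or of Traefik itself; the section lists, the finding messages and the constructed `SAMPLE` are assumptions of this example.

```python
import re
# Top-level sections of the static vs dynamic configuration, lower-cased.
# Assumption: list reflects Traefik v2.1; check it against the reference docs.
STATIC = {"global", "serverstransport", "entrypoints", "providers", "api",
          "metrics", "ping", "log", "accesslog", "tracing", "hostresolver",
          "certificatesresolvers"}
DYNAMIC = {"http", "tcp", "tls"}
SECTION = re.compile(r"^\[+\s*([^\]]+?)\s*\]+")
KEYVAL = re.compile(r"^([A-Za-z0-9_.\"-]+)\s*=\s*(.+)$")
QUOTED_MATCHER = re.compile(r"\b[A-Za-z]+\('")  # e.g. Host('...')

# Constructed sample: fragments of the kind posted in the thread, merged.
SAMPLE = """\
[api]
insecure=true
[traefiklog]
filePath="/logs/traefik.log"
[providers.file]
directory = "/config"
filename = "dyn.toml"
[http.routers.api]
rule = "Host('monitor.mydomain.com')"
[certificateResolvers.letsencrypt.acme.tlsChallenge]
"""

def lint_traefik_toml(text):
    """Return sorted findings for one Traefik TOML file (line-based scan)."""
    findings, roots, file_keys, path = set(), set(), set(), ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        section = SECTION.match(line)
        if section:
            path = section.group(1).lower()
            root = path.split(".")[0]
            roots.add(root)
            if root not in STATIC | DYNAMIC:
                findings.add(f"unknown top-level section [{root}]")
            continue
        pair = KEYVAL.match(line)
        if not pair:
            continue
        key, value = pair.group(1).lower(), pair.group(2)
        if key == "rule" and QUOTED_MATCHER.search(value):
            findings.add("rule uses single quotes; use backticks")
        if path == "api" and key == "insecure" and value.startswith("true"):
            findings.add("api.insecure=true serves the dashboard without auth")
        if path == "providers.file" and key in ("filename", "directory"):
            file_keys.add(key)
    if roots & STATIC and roots & DYNAMIC:
        findings.add("static and dynamic configuration mixed in one file")
    if len(file_keys) == 2:
        findings.add("providers.file sets both filename and directory")
    return sorted(findings)
```

Calling `lint_traefik_toml(SAMPLE)` reports six findings, including the misspelled `certificateResolvers` table and the `[traefiklog]` table that Traefik does not recognise.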
ldez
January 19, 2020, 2:23pm
7
My previous example works as expected, but I can provide you with some versions without any files:
Example 1
version: '3'
services:
  traefik:
    image: traefik:v2.1.1
    container_name: my_traefik-monitor
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    environment:
      - TZ=Australia/Brisbane
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/nas/config/traefik/acme.json:/acme.json
    command:
      - --api
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --certificatesResolvers.http.acme.email=myemail@protonmail.com
      - --certificatesResolvers.http.acme.storage=/acme.json
      - --certificatesResolvers.http.acme.httpChallenge.entryPoint=http
    labels:
      traefik.enable: true
      # HTTP to HTTPS redirection
      traefik.http.routers.http_catchall.rule: hostregexp(`{host:.+}`)
      # entry point name must match --entryPoints.http above
      traefik.http.routers.http_catchall.entrypoints: http
      traefik.http.routers.http_catchall.middlewares: https_redirect
      # Dashboard
      traefik.http.routers.traefik-secure.rule: Host(`monitor.mydomain.com`)
      traefik.http.routers.traefik-secure.entrypoints: https
      traefik.http.routers.traefik-secure.middlewares: traefik-auth
      traefik.http.routers.traefik-secure.tls: true
      traefik.http.routers.traefik-secure.tls.certresolver: http
      traefik.http.routers.traefik-secure.service: api@internal
      # Middlewares
      traefik.http.middlewares.traefik-auth.basicauth.users: traefikadmin:$$2y$$05$$AAHlxk8PZExh/FilidNtF.YLpLYrJYZutxhDs8s30lCIClhOJINYi
      traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
networks:
  proxy:
    external: true
Example 2
version: '3'
services:
  traefik:
    image: traefik:v2.1.1
    container_name: my_traefik-monitor
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    environment:
      - TZ=Australia/Brisbane
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/nas/config/traefik/acme.json:/acme.json
      - /mnt/nas/logs/traefik/:/logs/
    command:
      - --global.checkNewVersion
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --api
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --log.level=INFO
      - --log.filePath=/logs/traefik.log
      - --log.format=json
      - --accessLog.filePath=/logs/traefikaccess.log
      - --accessLog.format=json
      - --accessLog.filters.statusCodes=200,300-302
      - --accessLog.filters.retryAttempts=true
      - --accessLog.filters.minDuration=10ms
      - --accessLog.fields.defaultMode=keep
      - --accessLog.fields.names.ClientUsername=drop
      # header options live under accessLog.fields.headers
      - --accessLog.fields.headers.defaultMode=keep
      - --accessLog.fields.headers.names.User-Agent=redact
      - --accessLog.fields.headers.names.Authorization=drop
      - --accessLog.fields.headers.names.Content-Type=keep
      - --certificatesResolvers.letsencrypt.acme.email=mydomain@protonmail.com
      - --certificatesResolvers.letsencrypt.acme.storage=/acme.json
      - --certificatesResolvers.letsencrypt.acme.tlsChallenge=true
    labels:
      traefik.enable: true
      # HTTP to HTTPS redirection
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      # entry point name must match --entryPoints.http above
      traefik.http.routers.http-catchall.entrypoints: http
      traefik.http.routers.http-catchall.middlewares: https_redirect
      # Dashboard
      traefik.http.routers.traefik-secure.rule: Host(`monitor.mydomain.com`)
      traefik.http.routers.traefik-secure.entrypoints: https
      traefik.http.routers.traefik-secure.middlewares: traefik-auth
      traefik.http.routers.traefik-secure.tls: true
      # resolver name must match --certificatesResolvers.letsencrypt above
      traefik.http.routers.traefik-secure.tls.certresolver: letsencrypt
      traefik.http.routers.traefik-secure.service: api@internal
      # Middlewares
      traefik.http.middlewares.traefik-auth.basicauth.users: traefikadmin:$$2y$$05$$AAHlxk8PZExh/FilidNtF.YLpLYrJYZutxhDs8s30lCIClhOJINYi
      traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
networks:
  proxy:
    external: true
Recommend read: