Traefik dashboard didn't show up at my domain. (CGNAT internet ISP)

Nood · November 25, 2024, 9:36pm

I'm following Techno Tim (https://www.youtube.com/watch?v=n1vOfdz5Nm8&t=263s) to create Traefik 3 and letsencrypt.
I have Proxmox and create Debian VM. I have T-mobile home internet, so it is CGNAT.

I have dock up and running but it didn't show dashboard at my domain name "traefik-dashboard.example.fyi"

But I can access my dashboard at "http://192.168.12.7:8080/dashboard#/"

Do I need Cloudflare Tunnel? I like to use Traefik.
Thank you

This is my cloudflare DNS records:

Containers:

This is my docker-compose.yaml

#version: "3.8"

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      - "8080:8080"
      # - 443:443/tcp # Uncomment if you want HTTP3
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.example.fyi`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.example.fyi`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.fyi"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.fyi"
      - "traefik.http.routers.traefik-secure.service=api@internal"


secrets:
  cf_api_token:
    file: ./cf_api_token.txt

networks:
  proxy:
    external: true

Traefik.yml

api:
  dashboard: true
  debug: true
  insecure: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: example@gmail.com
      storage: acme.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
         disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
         delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

SSL:

{
  "cloudflare": {
    "Account": {
      "Email": "example@gmail.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:example@gmail.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/2075413497"
      },
      "PrivateKey": "example",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "example.fyi",
          "sans": [
            "*.example.fyi"
          ]
        },
        "certificate": "example",
        "key": "example",
        "Store": "default"
      }
    ]
  }
}

curl -v https://traefik-dashboard.example.fyi

Could not resolve host: traefik-dashboard.example.fyi
Closing connection 0
curl: (6) Could not resolve host: traefik-dashboard.example.fyi

docker logs traefik - None

nslookup traefik-dashboard.example.fyi
Server: 192.168.12.1
Address: 192.168.12.1#53

Non-authoritative answer:
Name: traefik-dashboard.example.fyi
Address: 104.21.75.54
Name: traefik-dashboard.example.fyi
Address: 172.67.214.210
Name: traefik-dashboard.example.fyi
Address: 2606:4700:3033::ac43:d6d2
Name: traefik-dashboard.example.fyi
Address: 2606:4700:3034::6815:4b36

bluepuma77 · November 25, 2024, 9:59pm

You can run any service on a local port (like traefik/whoami) and see if you can connect from the Internet.

I recently tried that on a mobile connection, but the local service was not reachable on the given IP from the Internet.

If the Cloudflare tunnel solution can establish a connection from local host to the external provider, then it might work.

AFAIK the Cloudflare solutions have a limited number of (sub-)domains for free.

Alternatively you could try to setup a VPN connection from your local host to a small VM on the Internet and tunnel traffic yourself.

Nood · November 25, 2024, 10:41pm

Thank you, bluepuma77

I will try run any service on a local port (like [traefik/whoami])

Cloudflare Tunnel is limited to 5 subdomain. I think it is low.
How do you think about tailscale with exit node on my VM (limited 100 devices) or twingate with 5 user? or WireGuard VPN?
so far i selfhost for Immchi, Ente, and cloud storage.

If my VM only run on local do I need firewall (like opnsense) or any other security?

Thank you for your help.

bluepuma77 · November 26, 2024, 6:47am

We use WireGuard as standard VPN, via wg-easy.

Firewall by default only protects ports and can set IP rules, this can be done with standard Linux.

If you need more depends on your threat scenario.

Nood · November 27, 2024, 7:40am

thank you. I will go with wg-easy and standard firewall Linux

Topic		Replies	Views
Issues with Traefik, Cloudflare and PiHole Traefik v3 (latest) docker	14	264	October 15, 2024
Traefic dashboard 404 error Traefik v3 (latest) docker	1	175	July 5, 2024
Lost access, missing services Traefik v3 (latest) docker , dashboard-api	1	116	July 31, 2024
Dashboard Access Can't Connect to Server Traefik v2 docker	16	3101	February 9, 2021
Local Dashboard Access Traefik v2 docker	6	1690	March 3, 2021

Traefik dashboard didn't show up at my domain. (CGNAT internet ISP)

Related topics