sudoshi
1
Here is the relevant part of my docker-compose.yml
services:
  traefik:
    image: docker.io/library/traefik:v2.10.5
    container_name: traefik
    restart: unless-stopped
    ipc: none
    read_only: true
    environment:
      BROADSEA_HOST: ${BROADSEA_HOST}
    labels:
      - "traefik.enable=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./traefik/traefik-${HTTP_TYPE}.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/config.yml:/etc/traefik/config.yml:ro
      - ${BROADSEA_CERTS_FOLDER}:/etc/certs:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-proxy
Oddly, this is from an open source scientific project, so I have to obey the convention they have set for the config files:
- config.yml:
api:
  dashboard: true
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/cert1.pem
        keyFile: /etc/certs/privkey1.pem
http:
  routers:
    dashboard:
      entryPoints: '{{ env "HTTP_TYPE" }}'
      service: "api@internal"
      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/dashboard`) || PathPrefix(`/api`)'
      middlewares: "auth"
    traefik:
      entryPoints: '{{ env "HTTP_TYPE" }}'
      service: "traefik"
      rule: 'Host(`{{ env "BROADSEA_HOST" }}`)'
    broadsea-content:
      entryPoints: '{{ env "HTTP_TYPE" }}'
      service: "broadsea-content"
      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/`)'
    ohdsi-atlas:
      entryPoints: '{{ env "HTTP_TYPE" }}'
      service: "ohdsi-atlas"
      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/atlas`)'
    ohdsi-webapi:
      entryPoints: '{{ env "HTTP_TYPE" }}'
      service: "ohdsi-webapi"
      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/WebAPI`)'
    broadsea-hades:
      entryPoints: '{{ env "HTTP_TYPE" }}'
      service: "broadsea-hades"
      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/hades`)'
      middlewares:
        - "broadsea-hades-root-path-header"
        - "broadsea-hades-path-strip"
    broadsea-solr-vocab:
      entryPoints: '{{ env "HTTP_TYPE" }}'
      service: "broadsea-solr-vocab"
      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/solr`)'
    broadsea-ares:
      entryPoints: '{{ env "HTTP_TYPE" }}'
      service: "broadsea-ares"
      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/ares`)'
  middlewares:
    broadsea-hades-path-strip:
      stripPrefix:
        prefixes:
          - "/hades"
        forceSlash: false
    broadsea-hades-root-path-header:
      headers:
        customRequestHeaders:
          X-RStudio-Root-Path: "/hades"
    auth:
      basicAuth:
        users:
          - "admin:$$apr1$$h6uskkk2$$IgXLP6ewTrSuBkTrqE8wj/" # username:admin, password:admin, change this!
  services:
    dashboard:
      loadBalancer:
        servers:
          - url: http://traefik:8080
    traefik:
      loadBalancer:
        servers:
          - url: http://traefik
    broadsea-content:
      loadBalancer:
        servers:
          - url: http://broadsea-content
    ohdsi-atlas:
      loadBalancer:
        servers:
          - url: http://ohdsi-atlas:8080
    ohdsi-webapi:
      loadBalancer:
        servers:
          - url: http://ohdsi-webapi:8080
    broadsea-hades:
      loadBalancer:
        servers:
          - url: http://broadsea-hades:8787
    broadsea-solr-vocab:
      loadBalancer:
        servers:
          - url: http://broadsea-solr-vocab:8983
    broadsea-ares:
      loadBalancer:
        servers:
          - url: http://broadsea-ares
- traefik-http.yml:
######################################
# HTTP Traefik (No SSL)
######################################
global:
  sendAnonymousUsage: false
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
  file:
    filename: /etc/traefik/config.yml
    watch: true
log:
  level: INFO
  format: common
entryPoints:
  http:
    address: ":80"
- traefik-https.yml:
######################################
# HTTPS Traefik (with SSL)
######################################
global:
  sendAnonymousUsage: false
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
  file:
    filename: /etc/traefik/config.yml
    watch: true
log:
  level: INFO
  format: common
entryPoints:
  http:
    address: ":80"
    http:
      tls: false
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      tls: true
Yes, it is an ugly way of doing it. I can't seem to get the dashboard to work at all. Please advise?
I just want the dashboard to be available at https://sandbox.acumenus.net/dashboard/
(and any http requests to be redirected to https.)
also... Merry Christmas to all!
Maybe check and compare to simple Traefik example.
sudoshi
3
docker-traefik-dashboard-letsencrypt
Simple docker-compose.yml template to run Traefik and a whoami service with Docker.
Features:
- Traefik is listening on ports 80 (http) and 443 (https)
- All http requests will be redirected to secure https requests
- Docker services with label traefik.enable=true will automatically be discovered by Traefik
- Letsencrypt will automatically generate TLS/SSL certificates for all domains in Host()
- Traefik log (level=INFO) and access log are enabled to container stdout/stderr
- Traefik dashboard is enabled at https://traefik.example.com/dashboard/ with user/pass test/test
- Example whoami router will automatically redirect from "www.whoami.example.com" to "whoami.example.com"
My modified docker-compose.yml per your guidance:
traefik:
  image: docker.io/library/traefik:v2.10.5
  container_name: traefik
  restart: unless-stopped
  ipc: none
  read_only: true
  environment:
    BROADSEA_HOST: ${BROADSEA_HOST}
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - ./traefik/traefik-${HTTP_TYPE}.yml:/etc/traefik/traefik.yml:ro
    - ./traefik/config.yml:/etc/traefik/config.yml:ro
    - ${BROADSEA_CERTS_FOLDER}:/etc/certs:ro
    - /var/run/docker.sock:/var/run/docker.sock:ro
  command:
    - --api.dashboard=true
    - --log.level=INFO
    #- --log.filepath=/var/log/traefik.log
    - --accesslog=true
    #- --accesslog.filepath=/var/log/traefik-access.log
    - --entrypoints.web.address=:80
    - --entrypoints.web.http.redirections.entrypoint.to=websecure
    - --entryPoints.web.http.redirections.entrypoint.scheme=https
    - --entrypoints.websecure.address=:443
    #- --entrypoints.websecure.asDefault=true
    #- --entrypoints.websecure.http.tls.certresolver=myresolver
    #- --certificatesresolvers.myresolver.acme.email=mail@example.com
    #- --certificatesresolvers.myresolver.acme.tlschallenge=true
    #- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
  labels:
    - traefik.enable=true
    - traefik.http.routers.mydashboard.rule=Host(`sandbox.acumenus.net`)
    - traefik.http.routers.mydashboard.service=api@internal
    - traefik.http.routers.mydashboard.middlewares=myauth
    - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
  networks:
    - traefik-proxy
=no joy @ https://sandbox.acumenus.net/dashboard/
Without enabling providers.docker in static config (traefik.yml or command), the labels from Docker services/containers will not be processed (doc).
sudoshi
5
AH.
So...
command:
  - "--api.dashboard=true"
  - "--log.level=INFO"
  - "--providers.docker=true"
  - "--providers.docker.network=traefik-proxy"
  - "--providers.docker.exposedByDefault=false"
  - "--entrypoints.web.address=:80"
  - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
  - "--entryPoints.web.http.redirections.entrypoint.scheme=https"
  - "--entrypoints.websecure.address=:443"
  #- --entrypoints.websecure.http.tls.certresolver=myresolver
  #- --certificatesresolvers.myresolver.acme.email=sudoshi@acumenus.io
  #- --certificatesresolvers.myresolver.acme.tlschallenge=true
  #- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.mydashboard.rule=Host(`sandbox.acumenus.net`)"
  - "traefik.http.routers.mydashboard.service=api@internal"
  - "traefik.http.routers.mydashboard.middlewares=myauth"
  - "traefik.http.middlewares.myauth.basicauth.users=acumenus:$$apr1$$aw2RYnxA$$RXTcLZ8KipPUcyeoLGziu0"
networks:
  - traefik-proxy
Results in this log:
time="2023-12-24T15:55:45Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
time="2023-12-24T15:55:45Z" level=info msg="Traefik version 2.10.5 built on 2023-10-11T13:54:02Z"
time="2023-12-24T15:55:45Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2023-12-24T15:55:45Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2023-12-24T15:55:45Z" level=info msg="Starting provider *file.Provider"
time="2023-12-24T15:55:45Z" level=info msg="Starting provider *traefik.Provider"
time="2023-12-24T15:55:45Z" level=info msg="Starting provider *docker.Provider"
time="2023-12-24T15:55:45Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2023-12-24T15:55:45Z" level=error msg="api is not enabled" entryPointName=http routerName=mydashboard@docker
time="2023-12-24T15:55:45Z" level=error msg="api is not enabled" entryPointName=https routerName=https-mydashboard@docker
Which is weird!?!
sudoshi
6
Bang! This works:
######################################
# HTTP Traefik (No SSL)
######################################
global:
  sendAnonymousUsage: false
api:
  dashboard: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
  file:
    filename: /etc/traefik/config.yml
    watch: true
log:
  level: INFO
  format: common
entryPoints:
  http:
    address: ":80"
######################################
# HTTPS Traefik (with SSL)
######################################
global:
  sendAnonymousUsage: false
api:
  dashboard: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
  file:
    filename: /etc/traefik/config.yml
    watch: true
log:
  level: INFO
  format: common
entryPoints:
  http:
    address: ":80"
    http:
      tls: false
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      tls: true
command:
  - "--api.dashboard=true"
  - "--api.insecure=false"
  - "--log.level=INFO"
  - "--providers.docker=true"
  - "--providers.docker.network=traefik-proxy"
  - "--providers.docker.exposedByDefault=false"
  #- "--entrypoints.web.address=:80"
  #- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
  #- "--entryPoints.web.http.redirections.entrypoint.scheme=https"
  #- "--entrypoints.websecure.address=:443"
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.mydashboard.rule=Host(`sandbox.acumenus.net`) && PathPrefix(`/api`, `/dashboard`)"
  - "traefik.http.routers.mydashboard.service=api@internal"
  - "traefik.http.routers.mydashboard.middlewares=myauth"
  - "traefik.http.middlewares.myauth.basicauth.users=acumenus:$$apr1$$aw2RYnxA$$RXTcLZ8KipPUcyeoLGziu0"
networks:
  - traefik-proxy
@bluepuma77 - you have the patience of a Saint. Thanks for all your guidance!!!!!
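Post 5's log shows both "Configuration loaded from file: /etc/traefik/traefik.yml" and "api is not enabled": Traefik takes its static configuration from a single source, and once the mounted file is found the command flags (including --api.dashboard and --api.insecure) are not read. The check below is an added example, not code from the thread or from Traefik; lint, file_keys, flag_keys and the finding labels are hypothetical names, and the inputs are constructed and abbreviated from the posts above.

```python
import re

STATIC_PATH = "/etc/traefik/traefik.yml"  # the path the compose files in this thread mount

def file_keys(yaml_text):
    """Dotted paths for the first two key levels of block-style YAML (2-space indent assumed)."""
    keys, top = set(), None
    for line in yaml_text.splitlines():
        m = re.match(r"^( *)([A-Za-z][\w-]*):", line)
        if not m:
            continue  # comments, list items, blank lines
        indent, key = len(m.group(1)), m.group(2).lower()
        if indent == 0:
            top = key
            keys.add(key)
        elif indent == 2 and top:
            keys.add(f"{top}.{key}")
    return keys

def flag_keys(command):
    """The same dotted paths, derived from --a.b.c=value command flags."""
    keys = set()
    for arg in command:
        if arg.startswith("--"):
            parts = arg[2:].split("=", 1)[0].lower().split(".")
            keys.update({parts[0], ".".join(parts[:2])})
    return keys

def lint(volumes, command, labels, static_text):
    """Decide which static config is effective and report what that breaks."""
    findings = []
    mounted = any(v.split(":")[1:2] == [STATIC_PATH] for v in volumes)
    if mounted and flag_keys(command):
        findings.append("cli-flags-ignored")     # file found, so flags are not read
    effective = file_keys(static_text) if mounted else flag_keys(command)
    if any(l.endswith(".service=api@internal") for l in labels) and "api" not in effective:
        findings.append("api-not-enabled")       # the error logged in post 5
    if any(l.startswith("traefik.http.") for l in labels) and "providers.docker" not in effective:
        findings.append("docker-labels-unread")  # labels need the docker provider
    return findings

# Constructed inputs, abbreviated from the posts above.
VOLUMES = ["./traefik/traefik-${HTTP_TYPE}.yml:/etc/traefik/traefik.yml:ro"]
COMMAND = ["--api.dashboard=true", "--providers.docker=true"]
LABELS = ["traefik.enable=true", "traefik.http.routers.mydashboard.service=api@internal"]
FILE_POST1 = "providers:\n  docker:\n    watch: true\nentryPoints:\n  http:\n    address: ':80'\n"
FILE_POST6 = "api:\n  dashboard: true\n" + FILE_POST1
```

With the post 1 file, `lint(VOLUMES, COMMAND, LABELS, FILE_POST1)` reports both the ignored flags and the disabled API; with the post 6 file only `cli-flags-ignored` remains, which is a reminder that `--api.insecure=false` on the command line is not what keeps the insecure API off there.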