I'm trying to deploy my application with Traefik v2, Docker Compose and Let's Encrypt. I'm following this tutorial for setting up Traefik v1 with Docker and Let's Encrypt:
I get the following error when I visit https://:
Warning: Potential Security Risk Ahead
Firefox Developer Edition detected a potential security threat and did not continue to mydomain.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
mydomain.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
Major version changes mostly bring major breaking changes. You can't use Traefik v1 config with v2.
Your error means that Traefik creates its own default cert, which is not trusted because it didn't use LetsEncrypt.
Check simple Traefik example. But note the description, as one line in the config is only compatible with v3.
Thanks for the pointer. I just ran the example service in the example docker-compose you shared and I'm getting this error
command traefik error: failed to decode configuration from flags: field not found, node: asDefault
Here is my docker-compose.yml:

```yaml
version: '3'
services:
  upload:
    image: upload:v3-staging
    build:
      context: .
      dockerfile: src/services/upload/Dockerfile.upload
    restart: always
    ports:
      - "8004:8004"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)"
      - "traefik.http.routers.upload.entrypoints=web"
      - "traefik.http.routers.upload.middlewares=cors,oauth2-proxy"
      - "traefik.http.services.upload.loadbalancer.server.port=8004"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true"
      - "traefik.http.routers.upload.middlewares=upload-cors"
    environment:
      - MODE=staging
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    command:
      - --provider=oidc
      - --email-domain=*
      - --oidc-issuer-url=https://accounts.google.com
      - --cookie-secure=false
      - --cookie-secret=COOKIE_SECRET
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --upstream=http://traefik:80
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
    labels:
      - "traefik.enable=false"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true"
    ports:
      - 4180:4180
  nginx:
    image: mydomain-nginx:v3-staging
    build:
      context: .
      dockerfile: src/static/Dockerfile.nginx.development
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`mydomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=web"
  traefik:
    image: traefik:v2.10
    restart: always
    depends_on:
      - oauth2-proxy
      - nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - letsencrypt:/letsencrypt
      #- /var/log:/var/log
    command:
      - --api.dashboard=true
      - --log.level=INFO
      #- --log.filepath=/var/log/traefik.log
      - --accesslog=true
      #- --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=admin@mydomain.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`mydomain.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - "traefik.http.middlewares.myauth.basicauth.users=admin:$apr1$uV0m3mrv$b0oqB3SOC4EgdKRoF5k5t/"
networks:
  proxy:
    name: proxy
volumes:
  letsencrypt:
    name: letsencrypt
```
xd003 (September 16, 2023, 4:14pm):
Just so you know, `--entrypoints.websecure.asDefault` is only supported on Traefik v3 while you are using v2.10. In your docker compose, change the image from `traefik:v2.10` to `traefik:v3.0` and it will work.
What's this warning I'm now getting:
traefik_1 | 2023-09-16T16:16:39Z WRN Defaulting to first available network (&{"backend_default" "194.1669.36.12" '\x00' "" "693cec981ac0549be6506f9fa87d32cefec5624cd15f8777261fe24406e4cf66"}) for container "/backend_upload_1". container=upload-backend-b06bc598fe147047e4f337b9369be4560d94a3ab8cf18cfbd04282ab6dfdd544 providerName=docker serviceName=upload
Also now when I go to https://mydomain.com, I'm getting a sign-in form, but my unencrypted password does not work. But also I don't want a sign-in on my domain. I just want the sign-in for a monitor route for my Traefik dashboard, e.g. monitor.mydomain.com.
xd003 (September 16, 2023, 4:35pm):
You need to use an encoded password for the dashboard login to work.
Run the following command in your terminal; it will ask for the password. Enter it, then copy and paste the resulting encoded password into your Traefik configuration for the dashboard login to work:

```sh
openssl passwd -apr1 | sed -E "s:[\$]:\$\$:g"
```
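To show what that command produces and why every `$` has to be doubled before it goes into a compose file, here is an added example (not from the thread, and not Traefik's or Apache's code). It reimplements Apache's apr1 MD5-crypt, the scheme behind `openssl passwd -apr1` and `htpasswd -m`, in pure Python so it runs offline; the function names, the sample password and the fixed salt are the example's own.

```python
"""Traefik BasicAuth password hashing and docker-compose escaping.

Added example, not code from the thread. apr1_hash() reimplements Apache's
apr1 MD5-crypt (what `openssl passwd -apr1` and `htpasswd -m` produce) so
the whole thing runs offline; the function names are this example's own.
"""
import hashlib
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"
HASH_RE = re.compile(r"\$apr1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})")


def _to64(value: int, length: int) -> str:
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = []
    for _ in range(length):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str = "") -> str:
    """Return '$apr1$<salt>$<22 chars>' the way apr_md5_encode() builds it."""
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]  # apr1 uses at most 8 salt characters
    pw, sb = password.encode(), salt.encode()

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in md5(pw+salt+pw), one byte per password byte
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # the historical "something really weird" step of MD5-crypt
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):  # 1000 fixed stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final  # digest bytes are re-ordered before encoding, as in the C code
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def apr1_verify(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    m = HASH_RE.fullmatch(stored)
    if not m:
        return False
    return secrets.compare_digest(apr1_hash(password, m.group(1)), stored)


def basicauth_users_label(user: str, hashed: str, for_compose: bool = True) -> str:
    """Value for traefik.http.middlewares.<name>.basicauth.users.

    docker-compose expands $VAR / ${VAR} inside the file, so every '$' in the
    hash must be written as '$$' there (the sed in the answer above does the
    same). A Traefik file-provider YAML or a label given to `docker run -l`
    is not interpolated and takes the hash unchanged.
    """
    value = hashed.replace("$", "$$") if for_compose else hashed
    return f"{user}:{value}"


if __name__ == "__main__":
    h = apr1_hash("example-password")  # sample password, constructed for the demo
    print(basicauth_users_label("admin", h))
```

The single-`$` hash in the first compose file above is exactly the case `basicauth_users_label` guards against: compose reads `$apr1` and `$uV0m3mrv` as variable references, the label reaches Traefik mangled, and every login fails. Traefik's BasicAuth also accepts bcrypt hashes (`htpasswd -nB`), which cost an attacker far more per guess than apr1-md5 should the label ever leak, so prefer bcrypt outside a lab.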
Awesome that fixed my password issue.
So now I changed Host(`mydomain.com`) to Host(`monitor.mydomain.com`) to view my dashboard. But when I go to https://mydomain.com, I get this error:
Warning: Potential Security Risk Ahead
Firefox Developer Edition detected a potential security threat and did not continue to mydomain.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
mydomain.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
Also I really appreciate your help so far and your quick replies.
xd003 (September 16, 2023, 6:11pm):
The SSL certificate is not valid for the domain; the full log would reveal more info.
What log file should I be looking at? I don't see any activity in my docker logs when I try to visit https://mydomain.com .
> soubriquet:
> Warning: Potential Security Risk Ahead
> Firefox Developer Edition detected a potential security threat and did not continue to mydomain.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
> mydomain.com uses an invalid security certificate.
@bluepuma77 would you know why I'm getting this error with my current configuration?
It's probably using a Traefik custom cert, not LetsEncrypt. Enable Traefik debug log.
Here is my traefik.log:
2023-09-16T18:34:03Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:08Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:13Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:18Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:23Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:28Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:33Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:38Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:48Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:34:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:03Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:08Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:13Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:18Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:23Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:28Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:31Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "thesolvex.com"
2023-09-16T18:35:33Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:38Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:48Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:57Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:35:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-16T18:36:01Z DBG log/log.go:194 > http: TLS handshake error from 12.34.567.89:10122: remote error: tls: bad certificate
2023-09-16T18:36:03Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:08Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:13Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:18Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:23Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:28Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:33Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:38Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:48Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:36:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:03Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:08Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:13Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:18Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:23Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:28Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:33Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:38Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:39Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-16T18:37:39Z DBG log/log.go:194 > http: TLS handshake error from 12.34.567.89:10122: remote error: tls: bad certificate
2023-09-16T18:37:41Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:41Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:48Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:37:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:38:03Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:38:08Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:38:11Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:38:13Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:38:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-16T18:38:24Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
What's your current config? My simple Traefik example should work.
For Traefik v2 you only need to remove `asDefault=true`.
Here's my current config:

```yaml
version: '3'
services:
  upload:
    image: upload:v3-staging
    build:
      context: .
      dockerfile: src/services/upload/Dockerfile.upload
    restart: always
    ports:
      - "8004:8004"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)"
      - "traefik.http.routers.upload.entrypoints=web"
      - "traefik.http.routers.upload.middlewares=cors,oauth2-proxy"
      - "traefik.http.services.upload.loadbalancer.server.port=8004"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true"
      - "traefik.http.routers.upload.middlewares=upload-cors"
    environment:
      - MODE=staging
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    command:
      - --provider=oidc
      - --email-domain=*
      - --oidc-issuer-url=https://accounts.google.com
      - --cookie-secure=false
      - --cookie-secret=COOKIE_SECRET
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --upstream=http://traefik:80
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
    labels:
      - "traefik.enable=false"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true"
    ports:
      - 4180:4180
  nginx:
    image: mydomain-nginx:v3-staging
    build:
      context: .
      dockerfile: src/static/Dockerfile.nginx.development
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`mydomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=web"
  traefik:
    image: traefik:v3.0
    restart: always
    depends_on:
      - oauth2-proxy
      - nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - letsencrypt:/letsencrypt
      - /var/log:/var/log
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=admin@mydomain.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx.rule=Host(`mydomain.com`)
      - traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - "traefik.http.middlewares.myauth.basicauth.users=admin:$$apr1$$QWHGoM/N$$me9nau/f2g6O4W9Y2MqRH0"
networks:
  proxy:
    name: proxy
volumes:
  letsencrypt:
```
What should this do on the Traefik container? It belongs on the container that should be reachable at that domain.
This will never work because you have a redirect on the `web` entrypoint.
This will not work because it will not be picked up by Traefik. And it probably belongs on another container, the one you want to protect with oauth.
Finally, all containers that Traefik should forward requests to need to be attached to the `proxy` network. Even oauth, when it should be used with ForwardAuth.
> soubriquet:
> ports:
>   - 4180:4180

But connections are within the Docker network; oauth does not need to expose ports.
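The diagnosis above can be checked mechanically: a router attached only to `web` never terminates TLS, so the ACME resolver never requests a certificate for its host, and a browser redirected from `web` to `websecure` gets Traefik's generated default certificate (the `Serving default certificate for request` lines in the log) and, once it accepts that, a 404 because nothing matches on `websecure`. The following is an added example, not code from the thread or from Traefik; it reads router labels and log lines reproduced from the thread, assumes `websecure` is the only entrypoint carrying `http.tls.certresolver`, and uses function names of its own.

```python
"""Explain why Traefik served its self-signed default certificate.

Added example, not code from the thread or from Traefik. It reads the router
labels and a few traefik.log lines reproduced from the thread and reports
every TLS server name that has no router on a TLS-enabled entrypoint; the
function names are this example's own.
"""
import re
from collections import defaultdict

# Constructed from the compose file above (abridged). Docker stores labels as
# a map, so the repeated routers.upload.middlewares key keeps its last value.
LABELS = [
    "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)",
    "traefik.http.routers.upload.entrypoints=web",
    "traefik.http.routers.upload.middlewares=cors,oauth2-proxy",
    "traefik.http.services.upload.loadbalancer.server.port=8004",
    "traefik.http.routers.upload.middlewares=upload-cors",
    "traefik.http.routers.nginx.rule=Host(`mydomain.com`)",
    "traefik.http.routers.nginx.entrypoints=web",
    "traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)",
    "traefik.http.routers.mydashboard.service=api@internal",
    "traefik.http.routers.mydashboard.middlewares=myauth",
]

# Abridged lines from the traefik.log quoted in the thread.
LOG = """\
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for monitor.mydomain.com with TLS options default entryPointName=websecure
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:37062: remote error: tls: unknown certificate
"""

TLS_ENTRYPOINTS = {"websecure"}      # entrypoints carrying http.tls.certresolver (assumption)
DEFAULT_ENTRYPOINTS = {"websecure"}  # asDefault=true on v3; v2 would use every entrypoint

HOST_RE = re.compile(r"Host\(`([^`]+)`\)")
DEFAULT_CERT_RE = re.compile(r'Serving default certificate for request: "([^"]+)"')


def parse_routers(labels):
    """traefik.http.routers.<name>.<option>=<value> -> {name: {option: value}}."""
    routers = defaultdict(dict)
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if parts[:3] == ["traefik", "http", "routers"] and len(parts) == 5:
            routers[parts[3]][parts[4]] = value  # later duplicates win, like Docker's label map
    return dict(routers)


def hosts_without_tls_router(routers, default_entrypoints=DEFAULT_ENTRYPOINTS,
                             tls_entrypoints=TLS_ENTRYPOINTS):
    """Host names that no router exposes on a TLS entrypoint.

    The ACME resolver only requests certificates for routers that terminate
    TLS, so these names get the generated default cert (the browser's
    MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT) and, once that is accepted, a 404,
    because the web -> websecure redirect lands where no router matches.
    """
    seen, covered = set(), set()
    for r in routers.values():
        hosts = set(HOST_RE.findall(r.get("rule", "")))
        eps = set(r["entrypoints"].split(",")) if "entrypoints" in r else set(default_entrypoints)
        seen |= hosts
        if eps & tls_entrypoints:
            covered |= hosts
    return sorted(seen - covered)


def default_cert_hosts(log):
    """SNI names for which the log shows the default certificate being served."""
    return sorted({m.group(1) for m in DEFAULT_CERT_RE.finditer(log)})


def with_entrypoints(labels, entrypoint):
    """The fix: put every router's entrypoints label on the TLS entrypoint
    (dropping the label works too when that entrypoint is the default)."""
    out = []
    for label in labels:
        key = label.partition("=")[0]
        if key.startswith("traefik.http.routers.") and key.endswith(".entrypoints"):
            out.append(f"{key}={entrypoint}")
        else:
            out.append(label)
    return out


def explain(labels, log, default_entrypoints=DEFAULT_ENTRYPOINTS, tls_entrypoints=TLS_ENTRYPOINTS):
    """One finding per host that the log shows falling back to the default cert."""
    uncovered = set(hosts_without_tls_router(parse_routers(labels), default_entrypoints, tls_entrypoints))
    findings = []
    for host in default_cert_hosts(log):
        if host in uncovered:
            findings.append(f"{host}: no router on a TLS entrypoint, so no ACME cert was ever requested")
        else:
            findings.append(f"{host}: a TLS router exists; check the ACME challenge, DNS and acme.json")
    return findings


if __name__ == "__main__":
    for line in explain(LABELS, LOG):
        print(line)
    print("after fix:", explain(with_entrypoints(LABELS, "websecure"), LOG))
```

With the thread's labels the only uncovered name is `mydomain.com`, which is exactly the name the log shows getting the default certificate, while `monitor.mydomain.com` is fine because the dashboard router has no `entrypoints` label and so lands on the default `websecure`. The same result holds for a v2 setup without `asDefault`, where the default is every entrypoint: the explicit `entrypoints=web` on the `upload` and `nginx` routers still keeps them off TLS.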
I'm getting this error after I made the changes you suggested:
ERROR: for backend_upload_1 Cannot start service upload: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "--providers.docker.network=proxy": executable file not found in $PATH: unknown
Here is my updated docker-compose:

```yaml
version: '3'
services:
  upload:
    image: mydomain-upload:v3-staging
    build:
      context: .
      dockerfile: src/services/upload/Dockerfile.upload
    restart: always
    ports:
      - "8004:8004"
    command:
      - "--providers.docker.network=proxy"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true"
      - "traefik.http.routers.upload.entrypoints=web"
      - "traefik.http.routers.upload.middlewares=cors,oauth2-proxy"
      - "traefik.http.services.upload.loadbalancer.server.port=8004"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true"
      - "traefik.http.routers.upload.middlewares=upload-cors"
    environment:
      - MODE=staging
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    command:
      - --provider=oidc
      - --email-domain=*
      - --oidc-issuer-url=https://accounts.google.com
      - --cookie-secure=false
      - --cookie-secret=COOKIE_SECRET
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --upstream=http://traefik:80
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
    labels:
      - "traefik.enable=true"
  nginx:
    image: mydomain-nginx:v3-staging
    build:
      context: .
      dockerfile: src/static/Dockerfile.nginx.development
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`mydomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=web"
  traefik:
    image: traefik:v3.0
    restart: always
    depends_on:
      - oauth2-proxy
      - nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - letsencrypt:/letsencrypt
      - /var/log:/var/log
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=admin@mydomain.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - "traefik.http.middlewares.myauth.basicauth.users=admin:$$apr1$$QWHGoM/N$$me9nau/f2g6O4W9Y2MqRH0"
networks:
  proxy:
    name: proxy
volumes:
  letsencrypt:
    name: letsencrypt
```
Sorry to be unclear, that goes into the Traefik `command` to set the default Docker network.
Ok, I just made that change and I'm getting:
Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to mydomain.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
And when I Accept the Risk and Continue, I get a 404 page not found.
Here is my traefik.log:
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:49 > Setting up customHeaders/Cors from {map[] map[] true [*] [GET POST OPTIONS] [*] [] [] 0 false [] [] map[] 0 false false false false false false false} entryPointName=web middlewareName=upload-cors@docker middlewareType=Headers routerName=upload@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=web middlewareName=upload-cors@docker routerName=upload@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=mydashboard@docker serviceName=api@internal
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:33 > Creating middleware entryPointName=websecure middlewareName=myauth@docker middlewareType=BasicAuth routerName=mydashboard@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=websecure middlewareName=myauth@docker routerName=mydashboard@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for monitor.mydomain.com with TLS options default entryPointName=websecure
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [monitor.mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["monitor.mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:891 > No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["monitor.mydomain.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:37062: remote error: tls: unknown certificate
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:23486: remote error: tls: unknown certificate
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:12Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-17T20:44:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:17Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:4290: remote error: tls: unknown certificate
2023-09-17T20:44:17Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:51854: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:21Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:42874: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:28030: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
And this is my updated config:

```yaml
version: '3'
services:
  upload:
    image: mydomain-upload:v3-staging
    build:
      context: .
      dockerfile: src/services/upload/Dockerfile.upload
    restart: always
    ports:
      - "8004:8004"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true"
      - "traefik.http.routers.upload.entrypoints=web"
      - "traefik.http.routers.upload.middlewares=cors,oauth2-proxy"
      - "traefik.http.services.upload.loadbalancer.server.port=8004"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true"
      - "traefik.http.routers.upload.middlewares=upload-cors"
    environment:
      - MODE=staging
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    command:
      - --provider=oidc
      - --email-domain=*
      - --oidc-issuer-url=https://accounts.google.com
      - --cookie-secure=false
      - --cookie-secret=COOKIE_SECRET
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --upstream=http://traefik:80
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
    labels:
      - "traefik.enable=true"
  nginx:
    image: mydomain-nginx:v3-staging
    build:
      context: .
      dockerfile: src/static/Dockerfile.nginx.development
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`mydomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=web"
  traefik:
    image: traefik:v3.0
    restart: always
    depends_on:
      - oauth2-proxy
      - nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - letsencrypt:/letsencrypt
      - /var/log:/var/log
    command:
      - --providers.docker.network=proxy
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=admin@mydomain.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - "traefik.http.middlewares.myauth.basicauth.users=admin:$$apr1$$QWHGoM/N$$me9nau/f2g6O4W9Y2MqRH0"
networks:
  proxy:
    name: proxy
volumes:
  letsencrypt:
    name: letsencrypt
```
Also I don't know if this is what's causing the issue, but prior to posting on here, I had already run certbot to install Let's Encrypt. I thought I would be able to run my application from Nginx, but then realized I needed to go this current route.
Here is my `/etc/letsencrypt` directory:
```
tree -L 4
.
├── accounts [error opening dir]
├── archive [error opening dir]
├── live [error opening dir]
├── options-ssl-nginx.conf
├── renewal
│   └── mydomain.com.conf
├── renewal-hooks
│   ├── deploy
│   ├── post
│   └── pre
└── ssl-dhparams.pem
```
Should I delete this directory?