Traefik (kinda) working with only one container

phallushead · April 8, 2022, 9:49am

Hi,

So I followed the infamous Smart Home Beginner tutorial. I have the traefik dashboard working properly in https. But that's the only thing I managed to make work properly.
I spent dozens of hours trying to make this work but I'm kinda desperate now. Hence my post here.

I have a jellyfin container that is routing but only on its own port, that I have to specify in the url to access it. It doesn't work if I don't specify the port.
All my other containers just show nothing... With or without port in the url

I really hope someone can help me...
docker-compose-t2.yml :

version: "3.7"

########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge

########################### SERVICES
services:
# All services / apps go below this line
# Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:2.2.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entryPoints.secure.address=:9999
        # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
#      - --api.insecure=true
#      - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
#      - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
#      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare

#    networks:
#      t2_proxy:
#        ipv4_address: 192.168.1.17 # You can specify a static IP
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
      - target: 9999
        published: 9999
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules 
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json 
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log 
      - $DOCKERDIR/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
#      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      #- "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file" #backup for next line
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"
      #- "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file" 
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-basic-auth@file" 
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-secure-headers@file,middlewares-rate-limit@file,middlewares-basic-auth@file" 
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolalloworiginlist=https://$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.traefik-headers.headers.addvaryheader=true" 
      - "traefik.http.middlewares.traefik-headers.headers.allowedhosts=traefik.$DOMAINNAME" 
      - "traefik.http.middlewares.traefik-headers.headers.hostsproxyheaders=X-Forwarded-Host"
      - "traefik.http.middlewares.traefik-headers.headers.sslredirect=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslhost=traefik.$DOMAINNAME" 
      - "traefik.http.middlewares.traefik-headers.headers.sslforcehost=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.traefik-headers.headers.stsseconds=63072000"
      - "traefik.http.middlewares.traefik-headers.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.traefik-headers.headers.stspreload=true"
      - "traefik.http.middlewares.traefik-headers.headers.forcestsheader=true"
      - "traefik.http.middlewares.traefik-headers.headers.framedeny=true"
#      - "traefik.http.middlewares.traefik-headers.headers.customframeoptionsvalue=SAMEORIGIN" # This option overrides FrameDeny
      - "traefik.http.middlewares.traefik-headers.headers.contenttypenosniff=true"
      - "traefik.http.middlewares.traefik-headers.headers.browserxssfilter=true"
#      - "traefik.http.middlewares.traefik-headers.headers.contentsecuritypolicy=frame-ancestors 'none'; object-src 'none'; base-uri 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.referrerpolicy=same-origin"
      - "traefik.http.middlewares.traefik-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex,"


# Google OAuth - Single Sign On using OAuth 2.0
  oauth:
    container_name: oauth
    image: thomseddon/traefik-forward-auth:latest
    restart: unless-stopped
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    environment:
      - CLIENT_ID=$GOOGLE_CLIENT_ID
      - CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
      - SECRET=$OAUTH_SECRET
      - COOKIE_DOMAIN=$DOMAINNAME
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.$DOMAINNAME
      - URL_PATH=/_oauth
      - WHITELIST=$MY_EMAIL
      - LOG_LEVEL=warn
      - LOG_FORMAT=text
      - LIFETIME=2592000 # 30 days
      - DEFAULT_ACTION=auth
      - DEFAULT_PROVIDER=google
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.oauth-rtr.entrypoints=https"
      - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME`)"
      - "traefik.http.routers.oauth-rtr.tls=true"
      ## HTTP Services
      - "traefik.http.routers.oauth-rtr.service=oauth-svc"
      - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"
      ## Middlewares
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"

middlewares.toml :

[http.middlewares]
  [http.middlewares.middlewares-basic-auth]
    [http.middlewares.middlewares-basic-auth.basicAuth]
#      username=user, password=mystrongpassword (listed below after hashing)
#      users = [
#        "user:$***",
#      ]
      realm = "Traefik2 Basic Auth"
      usersFile = "/shared/.htpasswd" #be sure to mount the volume through docker-compose.yml
  [http.middlewares.middlewares-rate-limit]
    [http.middlewares.middlewares-rate-limit.rateLimit]
      average = 100
      burst = 50
  [http.middlewares.middlewares-secure-headers]
    [http.middlewares.middlewares-secure-headers.headers]
      accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
      accessControlMaxAge = 100
      hostsProxyHeaders = ["X-Forwarded-Host"]
      sslRedirect = true
      stsSeconds = 63072000
      stsIncludeSubdomains = true
      stsPreload = true
      forceSTSHeader = true
#      frameDeny = true #overwritten by customFrameOptionsValue
      customFrameOptionsValue = "allow-from https:notmydomain.com" #CSP takes care of this but may be needed for organizr. 
      contentTypeNosniff = true 
      browserXssFilter = true 
#      sslForceHost = true # add sslHost to all of the services
#      sslHost = "notmydomain.com"
      referrerPolicy = "same-origin" 
#      Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
#      the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
#      contentSecurityPolicy = "frame-ancestors '*.notmydomain.com:*';object-src 'none';script-src 'none';"
      featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" 
      [http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
        X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
        server = ""
  [http.middlewares.middlewares-oauth]
    [http.middlewares.middlewares-oauth.forwardAuth]
      address = "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
      trustForwardHeader = true
      authResponseHeaders = ["X-Forwarded-User"]

middleware-chains.toml

[http.middlewares]
  [http.middlewares.chain-no-auth]
    [http.middlewares.chain-no-auth.chain]
      middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers"]

  [http.middlewares.chain-basic-auth]
    [http.middlewares.chain-basic-auth.chain]
      middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-basic-auth"]
  [http.middlewares.chain-oauth]
    [http.middlewares.chain-oauth.chain]
      middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-oauth"]

jellyfin container :

---
version: "2.1"
services:
  jellyfin:
    image: lscr.io/linuxserver/jellyfin
    container_name: jellyfin
    environment:
      - PUID=998
      - PGID=1000
      - TZ=Europe/Paris
#      - JELLYFIN_PublishedServerUrl=192.168.0.5 #optional
    volumes:
      - /srv/dev-disk-by-uuid-3e18ca84-1122-42fc-be3a-9bdde8465495/Config:/config
      - /srv/dev-disk-by-uuid-3e18ca84-1122-42fc-be3a-9bdde8465495/Series:/data/tvshows
      - /srv/dev-disk-by-uuid-3e18ca84-1122-42fc-be3a-9bdde8465495/Movies:/data/movies
      - /home/matt/docker/traefik2/acme:/acme
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=t2_proxy"
      ## HTTP Routers
      - "traefik.http.routers.jellyfin-rtr.entrypoints=https"
      - "traefik.http.routers.jellyfin-rtr.rule=Host(`jellyfin.notmydomain.com`)"
      - "traefik.http.routers.jellyfin-rtr.tls=true"
#      - "traefik.http.routers.jellyfin-rtr.tls.certresolver=dns-cloudflare"      
      ## Middlewares 
      - "traefik.http.routers.jellyfin-rtr.middlewares=chain-basic-auth@file"
      ## HTTP Services
      - "traefik.http.routers.jellyfin-rtr.service=jellyfin-svc"
      - "traefik.http.services.jellyfin-svc.loadbalancer.server.port=8096"

    ports:
#      - 8920:8920
      - 8096:8096
    restart: unless-stopped

transmission (not showing up on my domain) :

        labels:
          - "traefik.enable=true"
          - "traefik.docker.network=t2_proxy"
      ## HTTP Routers
          - "traefik.http.routers.transmission-rtr.entrypoints=https"
          - "traefik.http.routers.transmission-rtr.rule=Host(`transmission.notmydomain.com`)"
          - "traefik.http.routers.transmission-rtr.tls=true"
#          - "traefik.http.routers.transmission-rtr.tls.certresolver=dns-cloudflare"      
      ## Middlewares 
          - "traefik.http.routers.transmission-rtr.middlewares=chain-basic-auth@file"
      ## HTTP Services
          - "traefik.http.routers.transmission-rtr.service=transmission-svc"
          - "traefik.http.services.transmission-svc.loadbalancer.server.port=9091"

traefik log when starting :

time="2022-04-08T09:24:46Z" level=info msg="Configuration loaded from flags."
time="2022-04-08T09:24:46Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
time="2022-04-08T09:24:46Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2022-04-08T09:24:46Z" level=info msg="Starting provider *file.Provider {\"directory\":\"/rules\",\"watch\":true}"
time="2022-04-08T09:24:46Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ index .Labels \\\"com.docker.compose.service\\\" }}.notmydomain.com`)\",\"network\":\"t2_proxy\",\"swarmModeRefreshSeconds\":15000000000}"
time="2022-04-08T09:24:46Z" level=info msg="Starting provider *traefik.Provider {}"
time="2022-04-08T09:24:46Z" level=info msg="Starting provider *acme.Provider {\"email\":\"mattou@live.fr\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"ResolverName\":\"dns-cloudflare\",\"store\":{},\"ChallengeStore\":{}}"
time="2022-04-08T09:24:46Z" level=info msg="Testing certificate renew..." providerName=dns-cloudflare.acme
time="2022-04-08T09:24:46Z" level=warning msg="Could not find network named 't2_proxy' for container '/transmission_transmission-openvpn_1'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." providerName=docker container=transmission-openvpn-transmission-6d0a31aef4bf0a1ecc160abb76738b651d8df78dc39766f4db85666c6d3b87f9 serviceName=transmission-svc
time="2022-04-08T09:24:46Z" level=warning msg="Could not find network named 't2_proxy' for container '/jellyfin'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." providerName=docker container=jellyfin-jellyfin-0f56fb147d8404ce93c210e78f9a4e961c288c44d2bae467f112ba7631a1dc54 serviceName=jellyfin-svc
time="2022-04-08T09:24:46Z" level=info msg="Error renewing certificate from LE : {notmydomain.com SANs:[*.notmydomain.com]}, ACME challenge not specified, please select TLS or HTTP or DNS Challenge" providerName=dns-cloudflare.acme

Thank you for your help

tommoulard · April 8, 2022, 1:17pm

Hello @phallushead,

phallushead:

time="2022-04-08T09:24:46Z" level=warning msg="Could not find network named 't2_proxy' for container '/transmission_transmission-openvpn_1'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." providerName=docker container=transmission-openvpn-transmission-6d0a31aef4bf0a1ecc160abb76738b651d8df78dc39766f4db85666c6d3b87f9 serviceName=transmission-svc

It seems that Traefik does not have access to your t2_proxy network. It might be named something different in docker compared to docker compose. You can find the name of the network created by docker compose by doing docker network ls.
And both Jellyfin and transmission are not connected to this network.

Traefik v2.2.1 is an old version of Traefik. Please check out the latest one.

If you want a working example of Traefik with transmission and jellyfin, here's my home setup :

Traefik : https://github.com/tomMoulard/make-my-server/tree/master/traefik
Jellyfin: https://github.com/tomMoulard/make-my-server/tree/master/jellyfin
transmission: https://github.com/tomMoulard/make-my-server/tree/master/transmission

Hope it helps

phallushead · April 8, 2022, 1:23pm

Hi,
Thank you for your answer.
The network actually shows up :
f6459b39ea47 t2_proxy bridge local

Alright I'll try and update it right now

tommoulard · April 8, 2022, 1:36pm

You should add that to both Jellyfin and transmission

phallushead · April 8, 2022, 1:38pm

When I do, I get this error :

failed to deploy a stack: Service "jellyfin" uses an undefined network "t2_proxy" : exit status 1

EDIT : I fixed this by adding another rule at the end of their docker compose :

networks:
  t2_proxy:
   external: true

phallushead · April 8, 2022, 2:16pm

Well that seems to have solved all my issues!
Everything works flawlessly
Thank you!!

Topic		Replies	Views
Traefik 2 only publishes port 80 and ignores 443 and dashboard port on docker swarm Traefik v2 docker-swarm	2	2204	April 8, 2020
I can't access the traefik dashboard using a route Traefik v2 cli	1	1307	July 31, 2023
Docker dashboard + routes help Traefik v2 docker	5	629	December 16, 2019
Local Dashboard Access Traefik v2 docker	6	1669	March 3, 2021
Port forwarding with docker and ssl apps Traefik v2 docker	5	3264	November 17, 2021

Traefik (kinda) working with only one container

Related topics