I have a working Traefik proxy for authentik and all my services and want to access the dashboard on a subdomain, traefik.domain.dev. Below are the files I created for the service. The authentik server uses the middleware.yml. The problem I have now is that Traefik obtains certificates from Let's Encrypt for all services with these labels in the docker-compose.yml:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.service1-rtr.rule=Host(`service1.domain.dev`)"
    - "traefik.http.routers.service1-rtr.entrypoints=websecure"
    - "traefik.http.routers.service1-rtr.tls=true"
    - "traefik.http.routers.service1-rtr.tls.certresolver=le"
But the same code block for the traefik container does nothing. I would use the dashboard without TLS if possible, but on .dev domains HSTS is enforced by Google.
In the log file Traefik adds certificates for all subdomains except the one for the Traefik dashboard, e.g.

    time="2022-09-22T20:00:00Z" level=debug msg="Adding certificate for domain(s) service1.domain.dev"

But the route is added:

    time="2022-09-22T20:00:01Z" level=debug msg="Adding route for traefik.domain.dev with TLS options default" entryPointName=websecure
docker-compose.yml

  traefik:
    image: traefik:v2.8
    container_name: traefik
    command:
      - '--configFile=/config/traefik.yml'
    ports:
      - 80:80
      - 443:443
    volumes:
      - $DOCKERDIR/apps/traefik:/config
      - $DOCKERDIR/apps/traefik/letsencrypt:/letsencrypt:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      # Dashboard
      - "traefik.http.routers.dashboard.rule=Host(`traefik.domain.dev`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls"
traefik.yml

  entryPoints:
    web:
      address: ":80"
    websecure:
      address: ":443"
  api:
    dashboard: true
    insecure: false
  http:
    routers:
      dashboard:
        rule: Host(`traefik.domain.dev`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
        service: api@internal
        middlewares:
          - dashboard@file
  log:
    level: DEBUG
    filepath: /config/traefik.log
  providers:
    docker:
      exposedByDefault: false
    file:
      filename: /config/rules/middleware.yml
  certificatesResolvers:
    le:
      acme:
        email: mymail@domain.dev
        storage: /letsencrypt/acme.json
        httpChallenge:
          entryPoint: web
rules/middleware.yml

  http:
    middlewares:
      dashboard:
        basicAuth:
          users:
            - "test:pass1"
            - "test2:pass2"
      middlewares-authentik:
        forwardAuth:
          address: http://authentik_server:9000/outpost.goauthentik.io/auth/traefik
          trustForwardHeader: true
          authResponseHeaders:
            - X-authentik-username
            - X-authentik-groups
            - X-authentik-email
            - X-authentik-name
            - X-authentik-uid
            - X-authentik-jwt
            - X-authentik-meta-jwks
            - X-authentik-meta-outpost
            - X-authentik-meta-provider
            - X-authentik-meta-app
            - X-authentik-meta-version
I do not understand why obtaining the certificate for traefik.domain.dev for the dashboard does not work.
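As an added example (not part of the original post), here are the dashboard router labels for the traefik service with the two settings the posted labels lack. The service1 router works because it carries `tls.certresolver=le`; the dashboard router only has a bare `tls` label, which enables TLS with Traefik's default self-signed certificate but never asks the `le` resolver for one, which matches the log output: the route is added, no certificate is requested. The host name, the resolver name `le` and the middleware name `dashboard` are taken from the post; everything else is assumed.

```yaml
# Added example, not from the original post: labels for the traefik container.
# Domain, resolver "le" and middleware "dashboard@file" come from the posted config.
labels:
  - "traefik.enable=true"
  # Dashboard
  - "traefik.http.routers.dashboard.rule=Host(`traefik.domain.dev`)"
  - "traefik.http.routers.dashboard.entrypoints=websecure"
  - "traefik.http.routers.dashboard.service=api@internal"
  # tls=true alone only enables TLS with the default (self-signed) certificate;
  # the certresolver is what triggers the ACME request, as on the service1 router.
  - "traefik.http.routers.dashboard.tls=true"
  - "traefik.http.routers.dashboard.tls.certresolver=le"
  # The posted Docker-provider router has no middleware, so api@internal would be
  # reachable without authentication even though the file-provider router of the
  # same name uses basicAuth. Attach the middleware here as well.
  - "traefik.http.routers.dashboard.middlewares=dashboard@file"
```

Two caveats a practitioner would check alongside this. First, routers are dynamic configuration in Traefik v2 and belong in the file provider's file (rules/middleware.yml here), not in the static traefik.yml; if a file-based router is preferred over the labels, define it there with `tls: { certResolver: le }` and keep only one router for the host so the two do not compete. Second, Traefik's basicAuth `users` entries are in htpasswd format (`name:hash`, with the password hashed using bcrypt, MD5 or SHA1); plaintext entries such as `test:pass1` will not authenticate, so generate the hashes with `htpasswd -nB test` before relying on the middleware to guard the dashboard.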