Traefik + Portainer

I am trying to get Portainer with Traefik running.

I am using docker-compose files: one for Traefik, which additionally routes the Traefik dashboard without HTTPS.

version: '3'

services:
  reverse-proxy:
    image: traefik:v2.10
    container_name: Traefik
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.Traefik.loadbalancer.server.port=8080"
      - "traefik.docker.network=traefik_default"
      - "traefik.http.routers.Traefik.rule=Host(`traefik.mufi`)"
    command:
      - "--api.insecure=true"
      - "--providers.docker"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

Docker-compose for Portainer:

version: '3'

services:
  portainer:
    image: portainer/portainer-ce
    container_name: Portainer
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.Portainer.entrypoints=websecure"
      - "traefik.http.services.Portainer.loadbalancer.server.port=9443"
      - "traefik.docker.network=traefik_default"
      - "traefik.http.routers.Portainer.rule=Host(`portainer.mufi`)"
#      - "traefik.tcp.routers.Portainer.rule=HostSNI(`portainer.mufi`)"
#      - "traefik.tcp.routers.Portainer.tls.passthrough=true"
    ports:
      - "9443:9443"
      - "8000:8000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

As Portainer provides its own certificate, I want Traefik to use it. I tried with the TCP router, but it didn't work.

Accessing Portainer directly does work.

Usually Traefik is managing the TLS certs towards the external clients, see simple Traefik example. And you probably want this to be centrally managed, as you probably have more services (in the future) than just Portainer.

Connect Traefik and internal target services to a shared Docker network, don't expose ports of your internal services, use http internally.

  labels:
    - traefik.enable=true
    - traefik.docker.network=proxy
    - traefik.http.routers.portainer.entrypoints=websecure
    - traefik.http.routers.portainer.rule=Host(`portainer.example.com`)
    - traefik.http.services.portainer.loadbalancer.server.port=9000

You can use TLS also internally. With Traefik in front, Portainer might not get a LE validated cert, then you might need to use insecureskipverify (doc).

Where is this to be put?

providers:
  http:
    tls:
      insecureSkipVerify: true

Is it to be used as a label on Traefik or on Portainer? Or is it just a command?

Using it globally, it goes into Traefik command.
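
Where the setting goes, as an added example that is not part of the original thread: the global flag on the Traefik command (commented out) beside a narrower form that skips verification for the Portainer backend only, which goes beyond what the thread describes. The transport name `portainer-selfsigned` and the `dynamic.yml` path are assumptions; hostnames, ports and network name are taken from the compose files above.

```yaml
# --- File 1: Traefik docker-compose.yml (fragment, static configuration) ---
services:
  reverse-proxy:
    image: traefik:v2.10
    command:
      - "--providers.docker"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Global form from the thread: disables backend certificate
      # verification for EVERY service Traefik proxies to.
      # - "--serversTransport.insecureSkipVerify=true"
      # Scoped form: load a dynamic file that defines a named transport.
      - "--providers.file.filename=/etc/traefik/dynamic.yml"  # assumed path
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro             # assumed path
---
# --- File 2: dynamic.yml (dynamic configuration, read by the file provider) ---
http:
  serversTransports:
    portainer-selfsigned:        # assumed name
      insecureSkipVerify: true   # only affects services that reference it
---
# --- File 3: Portainer docker-compose.yml (fragment) ---
services:
  portainer:
    image: portainer/portainer-ce
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.rule=Host(`portainer.mufi`)"
      - "traefik.http.routers.portainer.tls=true"
      # Traefik speaks HTTPS to Portainer's own listener on 9443.
      - "traefik.http.services.portainer.loadbalancer.server.scheme=https"
      - "traefik.http.services.portainer.loadbalancer.server.port=9443"
      # Use the named transport from dynamic.yml for this service only.
      - "traefik.http.services.portainer.loadbalancer.serverstransport=portainer-selfsigned@file"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
```

With the scoped form, other backends added later keep normal certificate verification, and Portainer no longer needs its ports published on the host.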