Hello and a good evening...
I'm not quite sure whether this is really a Traefik problem or whether the problem lies elsewhere.
My scenario:
I have a firewall (OpnSense) and Adguard Home as DNS server. Both are running on one computer. A Docker environment on which the Traefik container is also running (Raspbery PI4) with a macvlan network, as some containers should be externally accessible. These services are to be provided with a Letsencrypt certificate via the Cloudflare DNS challenge.
Letsencrypt and Cloudflare are already set up and working. A DNS rewrite takes place on the Adguard.
'opnsense . example . com' -> 192.168.37.250 (Port 8443)
'adguard . example . com' -> 192.168.37.250 (Port 7443)
'piroute . example . com' -> 192.168.37.239 (Docker host)
'traefik . example . com' -> 192.168.37.230
'dns . example . com' -> no DNS rewrite (for testing)
'portainer . example . com' -> 192.168.37.228
OpnSense and Adguard are set up as external services under Traefik. They have a valid Letsencrypt certificate from OpnSense.
My work computer has the IP 192.168.37.150
When I call up the Traefik dashboard, it is displayed and it also has a valid Letzencrypt certificate. However, Portainer and the other services (Dozzle, Nginx, etc.) don't.
my Network...
my Docker Compose
####################################################################################################################
##### Traefik, Reverse ip-net Configuration ##### 1.04 ##### 26.01.2024 ############################################
####################################################################################################################
services:
traefik:
image: traefik:${Version}
container_name: ${Name}
restart: unless-stopped
hostname: ${HostName}
stdin_open: true
tty: true
networks:
ip-net:
ipv4_address: ${IP_Address}
env_file:
- ../.config/cloudflare.env
- ./.env
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data:/etc/traefik/
- ./data/traefik.yml:/etc/traefik/traefik.yml:ro
- ./data/acme.json:/etc/traefik/acme.json
- ./data/dynamic:/etc/traefik/dynamic
ports:
- 80:80
- 443:443
- 8080:8080
labels:
traefik.enable: true
traefik.http.routers.api.rule: (Host(`${Domain}`) && PathPrefix(`/${Name}`)) || Host(`${Name}.${Domain}`)
traefik.http.routers.api.entryPoints: https
traefik.http.routers.api.service: api@internal
traefik.http.services.api.loadbalancer.server.port: 80
networks:
ip-net:
driver: macvlan
external: true
traefik.yml
# ####################################################################################################################
# ##### Traefik, Proxy Configuration ##### 1.01 ##### 26.01.2024 #####################################################
# ####################################################################################################################
global:
checkNewVersion: true
sendAnonymousUsage: false
serversTransport:
insecureSkipVerify: true
accessLog:
filePath: "/var/log/traefik/access.log"
format: json
bufferingSize: 100
log:
# filePath: "/var/log/traefik/traefik.log"
format: json
### DEBUG, PANIC, FATAL, ERROR, WARN, INFO
level: DEBUG
api:
dashboard: true
# insecure: true
debug: true
entrypoints:
http:
### Not used in Apps, but redirect everything from HTTP to HTTPS
address: :80
forwardedHeaders:
trustedIPs: &trustedIps
# Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/12
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# End of Cloudlare public IP list
http:
redirections:
entryPoint:
to: https
scheme: https
permanent: true
https:
### HTTPS Endpoint, with Domain Wildcard
address: :443
forwardedHeaders:
# Reuse list of Cloudflare Trusted IP's above for HTTPS requests
trustedIPs: *trustedIps
http:
tls:
### Generate Domain Certificates incl. Wildcard Certificates
certResolver: letsencrypt
domains:
- main: 'example.com'
sans:
- '*.example.com'
middlewares:
- securityHeaders@file
providers:
providersThrottleDuration: 2s
### Docker provider for connecting all apps that are inside of the docker network
docker:
# endpoint: "tcp://dockersocket:2375" ### Uncomment if you are using docker socket proxy
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
### Default Host Rule to containername.domain.example
# defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)"
swarmModeRefreshSeconds: 15s
### Add your Docker Network Name here
network: ip-net
watch: true
file:
### File Provider for Connecting Things that are outside of Docker / defining Middleware
directory: /etc/traefik/dynamic
filename: dynamic.yml
watch: true
certificatesResolvers:
# ### Use letsEncrypt to generate SSL Certificates
letsencrypt:
acme:
email: email@example.com
storage: /etc/traefik/acme.json
dnsChallenge:
provider: cloudflare
delaybeforecheck: 0
resolvers:
- 1.1.1.1:53
- 1.0.0.1:53
# ### !IMPORTANT - COMMENT OUT THE FOLLOWING LINE IN PRODUCTION!
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory
# keyType: 4096 ### EC384, 4096
dynamic.yml
# ####################################################################################################################
# ##### Traefik, Dynamic Configuration ##### 1.02 ##### 26.01.2024 ###################################################
# ####################################################################################################################
http:
### EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ###
routers:
### Adguard Home, routing to external Service ###
adguard:
entryPoints:
- https
rule: (Host(`{{env "Domain"}}`) && PathPrefix(`/adguard`)) || Host(`adguard.{{env "Domain"}}`) || Host(`dns.{{env "Domain"}}`)
service: adguard
middlewares:
### OpnSense Firewall, routing to external Service ###
opnsense:
entryPoints:
- https
rule: 'Host(`opnsense.{{env "Domain"}}`) || Host(`firewall.{{env "Domain"}}`)'
service: opnsense
middlewares:
# ### SERVICES EXAMPLE ###
services:
### Adguard Home, routing to external Service ###
adguard:
loadBalancer:
servers:
- url: http://192.168.37.250:8443/
### OpnSense Firewall, routing to external Service ###
opnsense:
loadBalancer:
servers:
- url: http://192.168.37.250:7443/
### MIDDLEWARES ##
middlewares:
### Only Allow Local networks
local-ipwhitelist:
ipWhiteList:
sourceRange:
- 127.0.0.1/32 ### localhost ###
- 192.168.37.1/24 ### LAN Subnet ###
### Security Headers ###
securityHeaders:
headers:
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
server: ""
X-Forwarded-Proto: "https"
sslProxyHeaders:
X-Forwarded-Proto: https
referrerPolicy: "strict-origin-when-cross-origin"
hostsProxyHeaders:
- "X-Forwarded-Host"
customRequestHeaders:
X-Forwarded-Proto: "https"
contentTypeNosniff: true
browserXssFilter: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsSeconds: 63072000
stsPreload: true
### Only use Secure Ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6 ###
tls:
options:
default:
minVersion: VersionTLS12
sniStrict: true
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
curvePreferences:
- CurveP521
- CurveP384
mintls13:
minVersion: VersionTLS13
Portainer Compose
####################################################################################################################
##### Portainer, Docker Container Manager ##### 1.04 ##### 11.01.2024 ##############################################
####################################################################################################################
services:
portainer:
image: portainer/portainer-ce:${Version}
container_name: ${Name}
restart: unless-stopped
hostname: ${HostName}
networks:
ip-net:
ipv4_address: ${IP_Address}
env_file:
- ./.env
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/localtime:/etc/localtime:ro
- ./data:/data
# ports:
# - 80:9000
labels:
# traefik.enable: true
# traefik.http.routers.portainer.rule: (Host(`${Domain}`) && PathPrefix(`/${Name}`)) || Host(`${Name}.${Domain}`)
# traefik.http.routers.portainer.entrypoints: https
# traefik.http.routers.portainer.service: portainer
# traefik.http.services.portainer.loadbalancer.server.port: 9000
traefik.enable: true
traefik.http.routers.portainer.entrypoints: http
traefik.http.routers.portainer.rule: (Host(`${Domain}`) && PathPrefix(`/${Name}`)) || Host(`${Name}.${Domain}`)
traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme: https
traefik.http.routers.portainer.middlewares: portainer-https-redirect
traefik.http.routers.portainer-secure.entrypoints: https
traefik.http.routers.portainer-secure.rule: (Host(`${Domain}`) && PathPrefix(`/${Name}`)) || Host(`${Name}.${Domain}`)
traefik.http.routers.portainer-secure.tls: true
traefik.http.routers.portainer-secure.tls.certresolver: letsencrypt
traefik.http.routers.portainer-secure.service: portainer
traefik.http.services.portainer.loadbalancer.server.port: 9000
traefik.docker.network: ip-net
networks:
ip-net:
driver: macvlan
external: true
I hope I'm in the right category here.
And some one can help me.
