Traefik runs but doesn't use toml-file

I set up a traefik reverse proxy in a docker environment. The goal is to redirect traffic to different servers (not containers) based on URL/Host.

After fiddling around, I got traefik to work. I can now see the backend. But if I try to access a server, I get "404 page not found" from traefik.

Also the tcp.routers and tcp.services don't show up in traefik-backend.

Are there limitations when mixing docker-compose and traefik.toml as configuration? If I start traefik it says that it uses traefik.toml.

Another problem is that user authentication for traefik-backend isn't used - there is no question for username/password.

Or does traefik ignore the whole configuration, because it can't get certificates (it's just dev and not in production right now).

docker-compose.yml:

version: "3.3"

services:

  traefik:
    restart: always
    image: "traefik:latest"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - traefik_proxy
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./17/traefik.toml:/etc/traefik/traefik.toml
      - ./shared:/shared
    command:
      - "--api=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik_proxy"

networks:
  traefik_proxy:
    external: true

17/traefik.toml:

[global]
  sendAnonymousUsage = false

[log]
  level = "DEBUG"

[api]
  dashboard = true
  insecure = true

[entryPoints]
  [entryPoints.traefik]
    address = ":8080"
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entryPoint]
          to = "websecure"
          scheme = "https"
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]
      certResolver = "myresolver"

[http]
  [http.routers]

    [http.routers.mymiddleware]
      entryPoints = ["websecure"]
      rule = "Host(`cmw.domain.de`) || Host(`sync.domain.de`)"
      certResolver = "myresolver"
      service = "mymiddleware"
    [http.routers.owncloud]
      entryPoints = ["websecure"]
      rule = "Host(`cloud.domain.de`)"
      certResolver = "myresolver"
      service = "owncloud"
    [http.routers.dashboard]
      entryPoints = ["traefik"]
      rule = "PathPrefix(`/dashboard`) || PathPrefix(`/api`)"
      service = "api@internal"
      middlewares = ["auth"]

  [http.middlewares.auth.basicAuth]
    usersFile="shared/.htpasswd"

[tcp.services]
  [tcp.services.mymiddleware]
    [[tcp.services.mymiddleware.loadBalancer.servers]]
      address = "192.168.92.14"
  [tcp.services.owncloud]
    [[tcp.services.owncloud.loadBalancer.servers]]
      address = "192.168.92.10"

[certificatesResolvers.myresolver.acme]
  email = "webmaster@domain.de"
  storage = "acme.json"
  [certificatesResolvers.myresolver.acme.httpChallenge]
    entryPoint = "web"

Part of the problem will be that you are mixing http routers with tcp services.

A http router needs to use a http router, likewise a tcp router a tcp service.
Make these http.services and update address to url.

I recommend you comment out your certresolver if it is not accessible, as you will hit LetsEncrypt rate limits very quickly.

As you are running the api in insecure mode your defined router http.routers.dashboard will be ignored, so therefore no auth. When running with api insecure traefik will set up the entrypoint, router and service. Simply removing the insecure option or making it false will get your auth on this router.

Hello cakiwi and thank you for your reply.
I changed my traefik toml-services-part into

[http.services]
  [http.services.mymiddleware]
    [[http.services.mymiddleware.loadBalancer.servers]]
      url = "http://192.168.92.14"
  [http.services.owncloud]
    [[http.services.owncloud.loadBalancer.servers]]
      url = "http://192.168.92.10"

But I still got no entries in backend for these services and their routers.
Of course I still get "404".

And also there is no asking for username/password when accessing backend.

Sorry I forgot one of the most common errors.

You are mixing dynamic config into your static config.

So, what to do?
Just removing "providers"-entries from docker-compose.yml? This changed nothing.

You take your dynamic config and put it in another file.

In your traefik.toml you create a file provider and use the directory or filename options.
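
The split described in this reply, as an added example that is not part of the original thread: a line-based check that separates a mixed traefik.toml into a static part and a dynamic part and adds the file provider stanza. The function name `split_config` and the path `/etc/traefik/dynamic.toml` are assumptions, and the header scan is a simplification that does not handle quoted keys.

```python
import re

# Top-level tables that belong to Traefik's dynamic (routing) configuration.
DYNAMIC_ROOTS = {"http", "tcp", "udp", "tls"}
# Matches [table] and [[array-of-tables]] headers; a line scan, not a TOML parser.
HEADER = re.compile(r"^\s*\[{1,2}\s*([^\]\s]+)\s*\]{1,2}\s*(#.*)?$")

def split_config(mixed_toml, dynamic_path="/etc/traefik/dynamic.toml"):
    """Split a mixed traefik.toml into (static_text, dynamic_text, warnings)."""
    static, dynamic, warnings = [], [], []
    target, section, insecure_api = static, "", False
    for line in mixed_toml.splitlines():
        m = HEADER.match(line)
        if m:
            section = m.group(1)
            # Only the first dotted segment decides: entryPoints.*.http.tls is static.
            root = section.split(".")[0]
            target = dynamic if root in DYNAMIC_ROOTS else static
        elif section == "api" and re.match(r"\s*insecure\s*=\s*true\b", line):
            insecure_api = True
        target.append(line)
    dyn_text = "\n".join(dynamic) + "\n"
    if dynamic:
        warnings.append("dynamic tables in static file, move them to " + dynamic_path)
        # Static side only needs a file provider pointing at the new file.
        static += ["", "[providers.file]", f'  filename = "{dynamic_path}"']
    if insecure_api and "api@internal" in dyn_text:
        warnings.append("api.insecure = true: dashboard is served without the auth middleware")
    return "\n".join(static) + "\n", dyn_text, warnings

# Constructed sample, abbreviated from the mixed traefik.toml in the question.
SAMPLE = """\
[api]
  dashboard = true
  insecure = true
[entryPoints.websecure]
  address = ":443"
  [entryPoints.websecure.http.tls]
    certResolver = "myresolver"
[http.routers.dashboard]
  entryPoints = ["traefik"]
  rule = "PathPrefix(`/dashboard`) || PathPrefix(`/api`)"
  service = "api@internal"
  middlewares = ["auth"]
"""

if __name__ == "__main__":
    static_text, dynamic_text, notes = split_config(SAMPLE)
    print(static_text, dynamic_text, *notes, sep="\n---\n")
```

The dynamic output has to be mounted into the container at the path named in `[providers.file]`, in the same way the compose file above mounts traefik.toml.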

Hello @cakiwi
Thank you for your help.
I don't know where it is written as a MUST to divide static and dynamic configuration - I read it like a "should divide". But as I did it, all started fine and seems to work.

Sadly - if I test with

curl -H "https://owncloud.domain.de" 192.168.92.41 --insecure

I get "400 bad request: malformed Host header%" as answer instead of getting the owncloud-html. Any ideas on this?

curl -k -H "Host: owncloud.domain.de" https://192.168.92.41

Hello @Idez
with

curl -k -iL -H "Host: owncloud.domain.de" https://192.168.92.41

it works!
Yeah!

From documentation

There are three different, mutually exclusive (e.g. you can use only one at the same time), ways to define static configuration options in Traefik:

  1. In a configuration file
  2. In the command-line arguments
  3. As environment variables

And:

Traefik gets its dynamic configuration from providers: whether an orchestrator, a service registry, or a plain old configuration file.

So look where your configuration comes from. If it comes from a configuration file as described at that link, then it's static. If it comes from File Provider (or any other provider) it's dynamic.

To me it's plenty obvious that it cannot come from two different sources at once, it's just plain common sense, like you cannot be in two different places at once type of thing.

So the fact that they must be separate just logically follows from what you read in the documentation, if you follow it correctly. You put the static one in the traefik.toml or another option listed in the doco, and you put the dynamic one in the file pointed to by your File Provider and you are good.

Documentation gives us no reason to think, IMO, that if you stick some configuration for File Provider into your static config file that it should work.

We do see often that people mix those up, that's true, but my guess would be that they simply did not take time to read and understand the documentation, because once you did that, the model is really quite simple.

In terms of documentation improvements, the doco says:

Configuration in Traefik can refer to two different things:

  • The fully dynamic routing configuration (referred to as the dynamic configuration)
  • The startup configuration (referred to as the static configuration)

I guess we could add something like this

As you will see in the next sections, dynamic and static configurations come from entirely different sources, see below for the details. As a result they cannot come from the same source or file.

But it sounds kind of dumb to me as it's stating the obvious. If they come from different sources of course they cannot come from the same source. What do you think?

Hello

Maybe it's a good idea to improve this information a bit more.
Like you wrote, many beginners fail with setting up two different config-sources - so I think your docu has to be improved on this - or you create a new category like "beginner fails" or something like that. It's easy to say, that all these failed beginners did not read the docu exactly - but maybe you have to think about the docu - maybe not the beginners are guilty - maybe the docu has to be better in this way.
At the end you have less trouble with beginners about this problem - a win-win!

For me, it wasn't clear to set up two config sources, neither after reading the docs nor after reading howtos on the net. Of course mostly there is a docker-file and a traefik.toml, but no one explicitly describes why.

Also - on the other hand - beginners will maybe often start with a configuration in one file - because of survey and simplicity - it's easier to test and you do not need to jump between different files to test changes.

And keep in mind, sometimes a foreign language is a barrier to understanding things. So it can be useful to write it in a simple way.

Best regards. Thanks to you all. Have a nice Sunday.

Thank you for this. I've heard the sentiment that the documentation could be improved many times, but no one seems to be able to point out exactly how to improve it.

In your last message the only "actionable" line is to create a "beginner fails" section. Please let me know if I missed anything.

There is a docker-file and a traefik.toml, but no one explicitly describes why.

I'm not sure what you mean by Dockerfile but if it's the usual meaning the documentation for that belongs on the docker site. For traefik.toml I gave the link above, which in my opinion fully describes why. Again, let me know if there is anything missing.

As far as "beginner fails" goes, as far as I understand traefik documentation tries to avoid the "trivia" type of entries, it tries to be specific and comprehensive, instead of trying to cater for each specific use case, which is, of course, impossible. "Trivia" fits better for various blogs and tutorials.

Having said that, if I, for example decided to create such a section and for "beginner fails" it will not look very good if the only item it has is "make sure to read the docs and understand the difference between static and dynamic configuration", so even with that idea, I'm really not sure how to implement it so it is useful.

I think your docu has to be improved on this

Finally, it's not "my" doc, I'm just a traefik user, same as yourself. But traefik is an open source project and users contributions are welcome. So if you have a good idea how to improve the documentation, please bring it forward, and if it makes sense to all parties, create a PR to get that integrated.
