Traefik - webdevops/php-nginx:7.4-alpine - http & https mixed

Hi,

I am not an expert on Traefik and I am still learning.

My goal is to host multiple domains/Laravel apps using Traefik as the proxy. I am struggling with mixed HTTP and HTTPS issues.

My goal is that all traffic should flow as HTTPS traffic. Otherwise, I am getting mixed traffic errors. Can anyone point me in the right direction, please?

Here is my docker-compose file.

version: '3'
services:
  traefik:
    container_name: traefik
    image: traefik:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
      - backend
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=TTTTTT@TTTTT.com
      - CF_DNS_API_TOKEN="ghfhfhgfhfhfhfh"
      - CF_ZONE_API_TOKEN="dfgdgfdgdffgfdhfghfgh"
    command:
      - '--providers.docker=true'
      - '--entryPoints.web.address=:80'
      - '--entryPoints.metrics.address=:8082'
      - '--providers.providersThrottleDuration=2s'
      - '--providers.docker.watch=true'
      - '--providers.docker.exposedbydefault=false'
      - '--accessLog.bufferingSize=0'
      - '--api=true'
      - '--api.dashboard=true'
      - '--api.insecure=true'
      - '--ping.entryPoint=web'
      - '--metrics.prometheus=true'
      - '--metrics.prometheus.addEntryPointsLabels=true'
      - '--metrics.prometheus.addServicesLabels=true'
      - '--metrics.prometheus.manualrouting=true'      
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
    labels:
     - log.level=DEBUG
     - traefik.enable=true
     - "traefik.http.routers.traefik.entrypoints=http"
     - "traefik.http.routers.traefik.rule=Host(`webdash.dwishaventures.com`)"
     - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1dfgdg423464567hxadfdzni6KcayaerY/"
     - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
     - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
     - "traefik.http.routers.traefik-secure.entrypoints=https"
     - "traefik.http.routers.traefik-secure.rule=Host(`webdash.dwishaventures.com`)"
     - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
     - "traefik.http.routers.traefik-secure.tls=true"
     - "traefik.http.routers.traefik-secure.tls.certresolver=letsEncrypt"
     - "traefik.http.routers.traefik-secure.service=api@internal"         
       
  starapp:
    image: webdevops/php-nginx:7.4-alpine       
    container_name: starapp
    depends_on:
      - mysql    
    restart: always
    environment:
      - PHP_DISPLAY_ERRORS=1
      - PHP_MEMORY_LIMIT=2048M
      - PHP_MAX_EXECUTION_TIME=300
      - PHP_POST_MAX_SIZE=500M
      - PHP_UPLOAD_MAX_FILESIZE=256M
    volumes:
      - ./starhardware.com.my/app/:/app
    expose:
      - 80
      - 443
    labels:
      - traefik.enable=true
      - traefik.http.routers.starapp.entrypoints=http     
      - traefik.http.routers.starapp.rule=Host(`app.starhardware.com.my`)
      - traefik.http.middlewares.starapp-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.starapp.middlewares=starapp-https-redirect
      - traefik.http.routers.starapp-secure.entrypoints=https
      - traefik.http.routers.starapp-secure.rule=Host(`app.starhardware.com.my`)
      - traefik.http.routers.starapp-secure.tls=true
      - traefik.http.routers.starapp-secure.tls.certresolver=letsEncrypt
      - traefik.http.routers.starapp-secure.service=starapp
      - traefik.http.services.starapp.loadbalancer.server.port=80
      
    networks:
      - proxy      
      - backend 

Next is my traefik.yml file

api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
    
accessLog:
  filePath: "/opt/containers/traefik/data/access.log"
  
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  letsEncrypt:
    acme:
      email: TTTTTTT@gmail.com
      storage: acme.json
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare        
        delayBeforeCheck: 300        

When I am trying to install WordPress on
https://app.starhardware.com.my/wp-admin/setup-config.php

Traffic is a mix of HTTP and HTTPS.

I want both request and response traffic to use HTTPS. Any clue will be really helpful.

Thank you.
Dwija

You're looking for:

- "traefik.http.services.myservice.loadbalancer.server.scheme=https"

You may need to configure some servers transport if that does not work straight away.

traefik.http.services.<service_name>.loadbalancer.serverstransport
https://doc.traefik.io/traefik/routing/overview/#transport-configuration

I haven't managed to solve it yet. Any sample config? You are an expert; it may take a few mins. I have spent countless hours and have no clue yet :sob:

I will continue to look around though. :muscle:

Specifically for WordPress, I think you just need to help it along to know it is behind a reverse proxy and using HTTPS.

Traefik already sets the headers, so the WordPress part should be all that is required.

Specifically for full https here is an example.

Using insecureSkipVerify is not a good thing to do. If you're using TLS between Traefik and its services, you may as well do it properly. This may need some configuration of a serversTransport and adding CA certificates to the configuration.

docker-compose.yaml
version: "3.8"

services:
  traefik:
    image: "traefik:v2.4"
    command:
    - --accesslog
    - --accesslog.format=json
    - --api
    - --certificatesresolvers.myresolver.acme.email=your-email@example.com
    - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
    - --entrypoints.websecure.address=:443
    - --entrypoints.websecure.http.tls=true
    - --entrypoints.websecure.http.tls.certResolver=myresolver
    - --log.format=json
    - --log.level=INFO
    - --providers.docker.exposedbydefault=false
    - --providers.docker=true
    - --serversTransport.insecureSkipVerify=true
    labels:
      traefik.enable: "true"
      traefik.http.routers.api.rule: Host(`traefik.localhost`)
      traefik.http.routers.api.service: api@internal
      traefik.http.routers.api.entrypoints: websecure

    ports:
      - published: 443
        target: 443
    volumes:
      - acme:/acme/
      - /var/run/docker.sock:/var/run/docker.sock:ro
  whoami:
    image: traefik/whoami
    command:
      - -name=one
      - -cert=/certs/cert.pem
      - -key=/certs/cert.key
    labels:
      traefik.enable: "true"
      traefik.http.routers.w.rule: Host(`one.localhost`)
      traefik.http.services.w.loadbalancer.server.scheme: https
    volumes:
      - ./certs:/certs
  whoami2:
    image: traefik/whoami
    command:
      - -name=two
      - -cert=/certs/cert.pem
      - -key=/certs/cert.key
    labels:
      traefik.enable: "true"
      traefik.http.routers.w2.rule: Host(`two.localhost`)
      traefik.http.services.w2.loadbalancer.server.scheme: https
    volumes:
      - ./certs:/certs
volumes:
  acme:
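
The alternative the answer above mentions, as an added example that is not part of the original posts or of the Traefik project: the global `insecureSkipVerify` flag is dropped and the backend certificate is verified against a private CA through a per-service serversTransport. The transport name `backend-tls`, the file `dynamic.yml`, the CA file `ca.pem` and the name `whoami.internal` are assumptions.

```yaml
# Constructed example: verify backend certificates against a private CA
# instead of disabling verification. All names and paths are assumptions.

# --- docker-compose.yaml (only the parts that change) ---
services:
  traefik:
    image: "traefik:v2.4"
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --entrypoints.websecure.address=:443
      # Weak setting, removed: it turns off certificate checks for every backend.
      # - --serversTransport.insecureSkipVerify=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
      - ./certs/ca.pem:/certs/ca.pem:ro   # CA that signed the backend cert
  whoami:
    image: traefik/whoami
    command:
      - -cert=/certs/cert.pem
      - -key=/certs/cert.key
    labels:
      traefik.enable: "true"
      traefik.http.routers.w.rule: Host(`one.localhost`)
      traefik.http.routers.w.entrypoints: websecure
      traefik.http.routers.w.tls: "true"
      traefik.http.services.w.loadbalancer.server.scheme: https
      # Bind this service to the verified transport from the file provider.
      traefik.http.services.w.loadbalancer.serverstransport: backend-tls@file
    volumes:
      - ./certs:/certs:ro

---
# --- dynamic.yml (file provider, mounted at /etc/traefik/dynamic.yml) ---
http:
  serversTransports:
    backend-tls:
      # Name the backend certificate is checked against; cert.pem must
      # carry it as a subject alternative name.
      serverName: whoami.internal
      rootCAs:
        - /certs/ca.pem
```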

Hi, thanks. I have come back after a long time. I will test your suggestion and update here.