I have a mostly functional traefik setup, but the dashboard just returns a 404.
My static config yaml:

```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
providers:
  docker:
    watch: true
    endpoint: unix:///var/run/docker.sock
    network: proxy
  file:
    watch: true
    directory: /etc/traefik.conf.d/
api:
  dashboard: true
log:
  level: DEBUG
  filePath: "/data/traefik.log"
accessLog: {}
certificatesResolvers:
  le:
    acme:
      email: "my@email.com"
      storage: "/data/acme.json"
      dnsChallenge:
        provider: cloudflare
```
The following dynamic config file (these certs were generated before using traefik):

```yaml
tls:
  certificates:
    - certFile: /etc/certs/domain1.com.cer
      keyFile: /etc/certs/domain1.com.key
```
Relevant portion of my docker-compose file:

```yaml
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /media/services/core/traefik/traefik.yaml:/traefik.yaml:ro
      - /media/services/core/traefik/traefik.conf.d:/etc/traefik.conf.d:ro
      - /media/services/core/traefik/data:/data
      - /media/services/core/traefik/certs:/etc/certs
    secrets:
      - cf_email
      - cf_dns_api_token
      - cf_zone_api_token
    environment:
      - CF_EMAIL_FILE=/run/secrets/cf_email
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
      - CF_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_api_token
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.rule=Host(`traefik.lan-domain.home`)
      - traefik.http.routers.api.tls=true
      - traefik.http.routers.api.tls[0].main=domain1.com
      - traefik.http.routers.api.tls[0].sans=*.domain1.com
      - traefik.http.routers.api.tls[1].main=domain2.com
      - traefik.http.routers.api.tls[1].sans=*.domain2.com
      - traefik.http.routers.api.tls.certResolver=le
      - traefik.http.routers.api.service=api@internal
```
If I add `api.insecure=true` and expose `:8080` I can access the dashboard that way, but I never see that a `traefik.lan-domain.home` route is created.
Also worth noting I have pihole successfully accessible at `pihole.lan-domain.home`, and I see a 404 in the access log when trying to hit `traefik.lan-domain.home`.
I'm sure I'm missing something silly here, but I'm not sure where to go next. Any guidance would be appreciated.
Do you use the full URL `traefik.lan-domain.home/dashboard/`?
How do you create your Docker network `proxy`?
Maybe compare with simple Traefik example.
Thanks for the reply
- Yes I used the full url (including trailing slash).
- The network was created with `docker network create proxy` and defined in the docker-compose file with

```yaml
networks:
  proxy:
    external: true
```
I did a full system prune before the following so no lingering containers/images/networks etc
I compared with your simple example (and stripping out the letsencrypt) I see the same result. Here is the exact sample traefik file I ran
```yaml
version: '3.9'
services:
  traefik:
    image: traefik:v3.0
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - --api.dashboard=true
      - --log.level=INFO
      - --accesslog=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.foobar.home`)
      - traefik.http.routers.mydashboard.service=api@internal
networks:
  proxy:
    name: proxy
```
Navigating to `https://traefik.foobar.home/dashboard/` returns a 404 and I see the following in the log

```
docker-testing-traefik-1 | 172.23.0.1 - - [02/Dec/2023:16:12:46 +0000] "GET /dashboard/ HTTP/2.0" 404 19 "-" "-" 1 "-" "-" 0ms
```
Is `traefik.foobar.home` pointing to the Traefik host IP?
> Is `traefik.foobar.home` pointing to the Traefik host IP?
It is. I don't think I'd see the 404 in the traefik log otherwise.
ok, this setup works
```yaml
# docker-compose file
version: '3.9'
networks:
  proxy:
    external: true
services:
  traefik:
    image: traefik:v2.10.6
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yaml:/traefik.yaml
      - ./traefik/data:/data
    labels:
      - traefik.http.routers.api.rule=Host(`traefik.foobar.home`)
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.api.tls=true
      - traefik.enable=true
    restart: unless-stopped
```

```yaml
# traefik.yaml (static configuration mounted at /traefik.yaml)
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
providers:
  docker:
    watch: true
    endpoint: unix:///var/run/docker.sock
    network: proxy
api:
  dashboard: true
log:
  level: DEBUG
accessLog: {}
```
poking at my real config, these seem to be the offending lines.
```yaml
- traefik.http.routers.api.tls[0].main=domain1.com
- traefik.http.routers.api.tls[0].sans=*.domain1.com
- traefik.http.routers.api.tls[1].main=domain2.com
- traefik.http.routers.api.tls[1].sans=*.domain2.com
```
I dropped them and everything still seems to be working exactly as expected. I'm sure something will bite me when one of those certs expires, but at this point I'm not sure what to do besides take the win and wait for the potential fallout.
This is a homelab kinda deal. I promise I'm not this laissez-faire about real production stuff.
Traefik and LE will manage certs for all domains in `Hosts()`. You only need `main`/`sans` when you want wildcard certs. LE has some limits, but up to 50 (sub-)domains is no problem.
Compare to simple Traefik example.
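
Added example, not part of the original thread and not Traefik's own code: a small check that flags router TLS labels which are not among the documented forms (`tls`, `tls.certresolver`, `tls.options`, `tls.domains[n].main`, `tls.domains[n].sans`), run over the labels from the question. The function name, the suggested replacement and the `FIXED_LABELS` list are assumptions made for illustration.

```python
import re

# Router TLS label suffixes documented for Traefik's Docker provider.
# Keys are compared in lower case (Traefik treats label keys case-insensitively).
VALID_TLS_SUFFIXES = [
    re.compile(r"tls"),
    re.compile(r"tls\.certresolver"),
    re.compile(r"tls\.options"),
    re.compile(r"tls\.domains\[\d+\]\.(main|sans)"),
]
ROUTER_TLS_KEY = re.compile(r"traefik\.http\.routers\.([^.\[]+)\.(tls.*)")
MISPLACED_DOMAIN = re.compile(r"tls\[(\d+)\]\.(main|sans)")

# Labels copied from the compose file in the question.
QUESTION_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.api.entrypoints=websecure",
    "traefik.http.routers.api.rule=Host(`traefik.lan-domain.home`)",
    "traefik.http.routers.api.tls=true",
    "traefik.http.routers.api.tls[0].main=domain1.com",
    "traefik.http.routers.api.tls[0].sans=*.domain1.com",
    "traefik.http.routers.api.tls[1].main=domain2.com",
    "traefik.http.routers.api.tls[1].sans=*.domain2.com",
    "traefik.http.routers.api.tls.certResolver=le",
    "traefik.http.routers.api.service=api@internal",
]
# Constructed correction (assumption): domain entries moved under tls.domains[n].
FIXED_LABELS = [l.replace(".tls[", ".tls.domains[") for l in QUESTION_LABELS]


def lint_tls_labels(labels):
    """Return (key, suggested_key_or_None) for each unrecognised router TLS label."""
    findings = []
    for label in labels:
        key = label.split("=", 1)[0].strip()
        m = ROUTER_TLS_KEY.fullmatch(key.lower())
        if not m:
            continue  # not a router TLS label
        router, suffix = m.groups()
        if any(p.fullmatch(suffix) for p in VALID_TLS_SUFFIXES):
            continue
        bad = MISPLACED_DOMAIN.fullmatch(suffix)
        hint = (f"traefik.http.routers.{router}.tls.domains[{bad[1]}].{bad[2]}"
                if bad else None)
        findings.append((key, hint))
    return findings


if __name__ == "__main__":
    for key, hint in lint_tls_labels(QUESTION_LABELS):
        print(f"{key}: not a router TLS option" + (f"; did you mean {hint}?" if hint else ""))
```

The four labels it reports are the same four lines identified in the thread as the offending ones.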