Troubleshoot "service does not exist"

Hi,

I have "the service "wazuh-dashboard@docker" does not exist" error message, but the container actually exists.

Could you give me some tips to troubleshoot please?

Thanks in advance.

Regards

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

"Service does not exist" does not mean a Docker "service", but the missing definition of a Traefik dynamic "service" configuration.

Compare with simple Traefik example (link).

Hi @bluepuma77,

Thanks for your comment.
Below my docker-compose.yml for Traefik and my Wazuh service.

Traefik

[...]
command:
  - --entrypoints.wm1514.address=:1514
  - --entrypoints.wm1515.address=:1515
  - --entrypoints.wm514.address=:514/udp
  - --entrypoints.wm55000.address=:55000
  - --entrypoints.wi9200.address=:9200
  - --entrypoints.wd5601.address=:5601
ports:
  - "1514:1514"
  - "1515:1515"
  - "514:514/udp"
  - "55000:55000"
  - "9200:9200"
  - "5601:5601"
[...]

Wazuh

version: '3.7'
services:
  wazuh-manager:
    image: wazuh/wazuh-manager:4.6.0
    hostname: wazuh.manager
    [...]
    deploy:
      mode: replicated
      replicas: 1
      labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.wm1514.rule=Host(`wazuh.xxxx.tld`)"
      - "traefik.tcp.routers.wm1514.entrypoints=wm1514"
      - "traefik.tcp.services.wm1514.loadbalancer.server.port=1514"
      - "traefik.tcp.routers.wm1514.service=wazuh-manager"
      - "traefik.tcp.routers.wm1515.rule=Host(`wazuh.xxxx.tld`)"
      - "traefik.tcp.routers.wm1515.entrypoints=wm1515"
      - "traefik.tcp.services.wm1515.loadbalancer.server.port=1515"
      - "traefik.tcp.routers.wm1515.service=wazuh-manager"
      - "traefik.udp.routers.wm514.rule=Host(`wazuh.xxxx.tld`)"
      - "traefik.udp.routers.wm514.entrypoints=wm514"
      - "traefik.udp.services.wm514.loadbalancer.server.port=514"
      - "traefik.udp.routers.wm514.service=wazuh-manager"
      - "traefik.http.routers.wm55000.rule=Host(`wazuh.xxxx.tld`)"
      - "traefik.http.routers.wm55000.entrypoints=wm55000"
      - "traefik.http.services.wm55000.loadbalancer.server.port=55000"
      - "traefik.http.routers.wm55000.service=wazuh-manager"
    networks:
      - traefik
      - wazuh

  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.6.0
    hostname: wazuh.indexer
    [...]
    deploy:
      mode: replicated
      replicas: 1
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wi9200.rule=Host(`wazuh.xxxx.tld`)"
      - "traefik.http.routers.wi9200.entrypoints=wi9200"
      - "traefik.http.services.wi9200.loadbalancer.server.port=9200"
      - "traefik.http.routers.wi9200.service=wazuh-indexer"
    networks:
      - traefik
      - wazuh

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.6.0
    hostname: wazuh.dashboard
    [...]
    deploy:
      mode: replicated
      replicas: 1
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wd5601.rule=Host(`wazuh.xxxx.tld`)"
      - "traefik.http.routers.wd5601.entrypoints=wd5601"
      - "traefik.http.services.wd5601.loadbalancer.server.port=5601"
      - "traefik.http.routers.wd5601.service=wazuh-dashboard"
    depends_on:
      - wazuh-indexer
      - wazuh-manager
    networks:
      - traefik
      - wazuh
[...]

Hi,

Actually, I no longer have the error message from Traefik after changing the Traefik service name to the same name as the container.
From - "traefik.http.routers.wd5601.service=wazuh-dashboard" to - "traefik.http.routers.wazuh-dashboard.service=wazuh-dashboard"

Is this the normal behavior? I thought that I could use any Traefik service name (e.g. wd5601) and then specify the container name for redirection (e.g. wazuh-dashboard).
In this case, how do I configure multiple ports for the same container, e.g. for wazuh-manager above, by using the same Traefik service name because it doesn't matter?

Thanks

should be

      - "traefik.tcp.services.wm1514.loadbalancer.server.port=1514"
      - "traefik.tcp.routers.wm1514.service=wm1514"

as you define the service in the upper line, assign that to the router in the lower line
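
A small linter for the mismatch described in the answer above, as an added example that is not part of the original thread or Traefik's own code: it checks that every `routers.<name>.service` label on a container points at a service defined by a `services.<name>.*` label of the same protocol, and flags rules on UDP routers. The function name and the sample label lists are constructed for illustration; it assumes all referenced services are defined on the same container and skips references that carry a non-docker provider suffix.

```python
import re

# traefik.<proto>.<routers|services>.<name>.<option>
LABEL_RE = re.compile(r"^traefik\.(http|tcp|udp)\.(routers|services)\.([^.]+)\.(.+)$")

def lint(labels):
    """Return findings for one container's Traefik labels ('key=value' strings)."""
    defined, referenced, findings = set(), [], []
    for key, value in (label.split("=", 1) for label in labels):
        m = LABEL_RE.match(key)
        if not m:
            continue
        proto, kind, name, option = m.groups()
        if kind == "services":
            defined.add((proto, name))          # e.g. ("tcp", "wm1514")
        elif option == "service":
            service, _, provider = value.partition("@")
            if provider in ("", "docker"):      # assumption: other providers are defined elsewhere
                referenced.append((proto, name, service))
        elif option == "rule" and proto == "udp":
            findings.append(f"udp router '{name}': UDP routers have no rule to match on")
    for proto, router, service in referenced:
        if (proto, service) not in defined:
            findings.append(f"{proto} router '{router}' -> service '{service}' is not defined "
                            f"(no traefik.{proto}.services.{service}.* label)")
    return findings

# Constructed sample input, based on the wazuh-manager labels posted in the thread.
BROKEN = [
    "traefik.tcp.routers.wm1514.entrypoints=wm1514",
    "traefik.tcp.services.wm1514.loadbalancer.server.port=1514",
    "traefik.tcp.routers.wm1514.service=wazuh-manager",
    "traefik.udp.routers.wm514.rule=Host(`wazuh.xxxx.tld`)",
    "traefik.udp.services.wm514.loadbalancer.server.port=514",
    "traefik.udp.routers.wm514.service=wazuh-manager",
]
# Each router now points at the service name defined on the line above it.
FIXED = [
    "traefik.tcp.services.wm1514.loadbalancer.server.port=1514",
    "traefik.tcp.routers.wm1514.service=wm1514",
    "traefik.udp.services.wm514.loadbalancer.server.port=514",
    "traefik.udp.routers.wm514.service=wm514",
]

if __name__ == "__main__":
    for finding in lint(BROKEN):
        print("BROKEN:", finding)
    print("FIXED findings:", lint(FIXED))
```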

I understand, thanks @bluepuma77, the Traefik error message came from that.

However, now when I try to reach https://wazuh.xxxx.tld:5601, I have "404 page not found". If I directly expose a port at the same time, I'm able to reach that URL bypassing Traefik.

Enable and check Traefik debug log and dashboard. Specifically check for errors.

Nothing seems wrong; the only thing that I find strange is the URL pointed to by Traefik, which is in HTTP (http://10.0.14.73:5601) instead of HTTPS. How could I force redirection to HTTPS?

By default, Traefik will internally forward requests with HTTP to the target service.

Enable Traefik access log in JSON format to see the http status code from target service (OriginStatus), if it even exists.

Indeed, I would like to force Traefik to internally forward requests with HTTPS to the target service, instead of HTTP. Do you know how to do this?

Set the Traefik services scheme to https (reference):

  - "traefik.http.services.service01.loadbalancer.server.port=foobar"
  - "traefik.http.services.service01.loadbalancer.server.scheme=foobar"

Thanks, it's better. Traefik Dashboard now shows "https://10.0.14.130:5601", which is good, but I still have "404 page not found".

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.wd5601.rule=Host(`waz.brox.cloudns.eu`)"
  - "traefik.http.routers.wd5601.entrypoints=wd5601"
  - "traefik.http.routers.wd5601.service=wd5601"
  - "traefik.http.services.wd5601.loadbalancer.server.port=5601"
  - "traefik.http.services.wd5601.loadbalancer.server.scheme=https"

You are sure your Elasticsearch Kibana Dashboard supports HTTPS on port 5601?

The sub-domain points to your Traefik IP?

Sure, the Dashboard supports HTTPS on port 5601, also because when I expose the port, bypassing Traefik, everything works properly with my sub-domain too.

ports:
  - "5602:5601"

Hi,

An important piece of information that may help: my target service handles certificates by itself, so I tried the following, but without success.

- "traefik.enable=true"
- "traefik.tcp.routers.wd5601.rule=HostSNI(`wazuh.xxxx.tld`)"
- "traefik.tcp.routers.wd5601.entrypoints=wd5601"
- "traefik.tcp.routers.wd5601.service=wd5601"
- "traefik.tcp.services.wd5601.loadbalancer.server.port=5601"
- "traefik.tcp.routers.wd5601.tls.passthrough=true"

Traefik needs a cert to use HostSNI() with domain name. Without a cert only HostSNI(`*`) works, a real domain will trigger creation of a custom Traefik cert.

Fantastic, it works :slight_smile:

Thank you very much for all your help.

Hi @bluepuma77,

Last questions: if I have no TLS or a certificate handled by the container itself, I have to use HostSNI(*) for both TCP and UDP, right? In the case of a certificate handled by the container itself, I also add passthrough, right?

Thanks in advance

passthrough sounds good for TCP.

Check UDP docs:

Therefore, there is no criterion that could be used as a rule to match incoming packets in order to route them. So UDP "routers" at this time are pretty much only load-balancers in one form or another.

Thank you very much.