Hi,
I've recently deployed traefik v3 on one of my docker machines and currently having an issue with external services. I am able to route other containers running from the same docker instance perfectly fine but when im trying to configure my config.yaml and set up, for example, my unifi controller from my UDM Pro Max, I can't get it to recognise the certificate created by Traefik. Additionally, even the traefik dashboard is currently using its own self-signed certificate.
Do let me know if you need more info as I've been scratching my head on what's making it not work haha.
Setup:
UDM Pro Max (DNS Server: AdGuard Home for DNS Sink Hole as well)
Compose.yaml
secrets:
cf-token:
file: ./cf-token
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
secrets:
- cf-token
env_file:
- .env
networks:
proxy:
ports:
- 80:80
- 443:443
environment:
- TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
- CF_API_EMAIL=${CF_API_EMAIL}
- CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./config/traefik.yaml:/traefik.yaml:ro
- ./config/acme.json:/acme.json
- ./config/config.yaml:/config.yaml:ro
- ./logs:/var/log/traefik
labels:
- traefik.enable=true
- traefik.http.routers.traefik.entrypoints=http
- traefik.http.routers.traefik.rule=Host(`traefik.local.example.tech`)
- traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}
- traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.traefik.middlewares=traefik-https-redirect
- traefik.http.routers.traefik-secure.entrypoints=https
- traefik.http.routers.traefik-secure.rule=Host(`traefik.local.example.tech`)
- traefik.http.routers.traefik-secure.middlewares=traefik-auth
- traefik.http.routers.traefik-secure.tls=true
- traefik.http.routers.traefik-secure.tls.certresolver=cloudflare
- traefik.http.routers.traefik-secure.tls.domains[0].main=local.example.tech
- traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.example.tech
- traefik.http.routers.traefik-secure.service=api@internal
networks:
proxy:
external: true
config.yaml
http:
middlewares:
default-security-headers:
headers:
customBrowserXSSValue: 0
contentTypeNosniff: true
forceSTSHeader: true
frameDeny: false
referrerPolicy: "strict-origin-when-cross-origin"
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 3153600
contentSecurityPolicy: "default-src 'self'"
customRequestHeaders:
X-Forwarded-Proto: https
https-redirectscheme:
redirectScheme:
scheme: https
permanent: true
routers:
unifi:
entryPoints:
- "https"
rule: "Host(`unifi.local.example.tech`)"
middlewares:
- default-security-headers
- https-redirectscheme
tls: {}
service: unifi
services:
unifi:
loadBalancer:
servers:
- url: "http://10.10.0.1"
passHostHeader: true
traefik.yaml
api:
dashboard: true
debug: true
entryPoints:
http:
address: ":80"
http:
redirections:
entrypoint:
to: https
scheme: https
https:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /config.yaml
certificatesResolvers:
cloudflare:
acme:
caServer: https://acme-v02.api.letsencrypt.org/directory # production
email: example@gmail.com
storage: acme.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
log:
level: "INFO"
filePath: "/var/log/traefik/traefik.log"
accessLog:
filePath: "/var/log/traefik/access.log"