Unable to configure dashboard in secure mode

Hello,

I'm pretty new to Traefik, so apologies if this issue has an obvious solution; however, I'm at my wits' end trying to fix this minor issue. Basically, I'm trying to configure Traefik so that it uses HTTPS, including on the dashboard. In the documentation, it's shown as being as simple as just enabling the dashboard. Alas, this has not worked, and online guides and help topics on here have proven no dice either.

For the most part, everything works as expected, and a valid SSL cert is issued and can be seen when viewing traefik.mydomain.com. However, when trying to do so for the dashboard, it comes back as a connection refused. As a bonus, the dashboard is somewhat viewable, albeit in a broken state, when accessing traefik.mydomain.com:8080 as shown here: https://i.imgur.com/CoYatTq.png

Interestingly, when disabling secure mode (--api.insecure=true), the dashboard works just as expected, minus auth capabilities which I'd assume only kick in when it's in secure mode. Everything else is still accessible via HTTPS as well.

Another interesting thing is the fact that the labels I set for forcing HTTPS via a redirect don't work whatsoever, but I assume they don't exist and/or are incorrect as the dashboard when viewed via insecure mode kicks up a fuss about them.

Here is my docker-compose.yml file. Apologies for the mess; furious googling and forum-searching have left it looking a bit like a warzone.

version: "3.8"

services:
  traefik:
    image: traefik:v2.5
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=REMOVED@EXAMPLE.COM" #1
      - "--certificatesresolvers.myresolver.acme.storage=/acme.json"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--log.level=DEBUG"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./acme.json:/acme.json"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.MYDOMAIN.uk`)"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect,basic-auth-global"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.MYDOMAIN.uk`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik_https.middlewares=basic-auth-global"
      - "traefik.http.middlewares.basic-auth-global.basicauth.users=REMOVED:REMOVED"
      - "traefik.http.middlewares.no-http.redirectscheme.scheme=https"
      - "traefik.http.routers.redirect-to-https.rule=HostRegexp({host:.+})"
      - "traefik.http.routers.redirect-to-https.entrypoints=http"
      - "traefik.http.routers.redirect-to-https.middlewares=no-http"
networks:
  default:
    external:
      name: web

Some help with explanations so I can learn and know for next time would be appreciated!

Thanks.

Check simple Traefik example.

When not using insecure and wanting to use port 8080, then you need your own entrypoint and router for the dashboard.

Please update to Traefik latest, which is v2.10.

Thanks for the reply.

I have checked out the example configuration you posted and adapted it to my setup. I have also changed the configs to use Traefik 2.10. However, this has left me with a new issue: Traefik completely refuses to start now.

Upon running docker-compose up -d as per usual, it returns with the expected success message. However, it's not visible when running docker ps, and throwing it down with docker-compose down shows that there's nothing for it to shut down. This also has the side-effect of me being unable to check the logs even when using the --log.filepath= command.

Here is my config file as of the changes:

version: "3.8"

services:
  traefik:
    image: traefik:v2.10
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./acme.json:/acme.json"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    command:
      - "--api.dashboard=true"
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--providers.docker.network=web"
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entryPoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.asDefault=true"
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--certificatesresolvers.myresolver.acme.email=NAME@DOMAIN.com"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.storage=/acme.json"
      - "--log.filepath=/var/log/traefik.log" # Can't access log, temp fix
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mydashboard.rule=Host(`traefik.MYDOMAIN.uk`)"
      - "traefik.http.routers.mydashboard.service=api@internal"
      - "traefik.http.routers.mydashboard.middlewares=myauth"
      - "traefik.http.middlewares.myauth.basicauth.users=USERNAME:PASSWORD"

networks:
  default:
    external:
      name: web

Also, as a side question: If the dashboard is not normally meant to be accessed on 8080 when in secure mode, how would it be accessed?

Thanks.

Use

--log.level=DEBUG

and check container output with docker logs.

When using insecure, Traefik will automatically create an entrypoint on 8080 and a router. Without, you can set up your own router on any entrypoint/port. See example and doc.

Hello,

I've spent the past few days troubleshooting it and what eventually worked was removing some entries in the config file that were causing an issue.

This is my now-working configuration file. Leaving it here in case anyone stumbles upon this with the same issue:

version: "3.8"

services:
  traefik:
    image: traefik:v2.10
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./acme.json:/acme.json"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    command:
      - "--api.dashboard=true"
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--providers.docker.network=web"
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entryPoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      #- "--entrypoints.websecure.asDefault=true"
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--certificatesresolvers.myresolver.acme.email=NAME@DOMAIN.com"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.storage=/acme.json"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mydashboard.rule=Host(`traefik.DOMAIN.uk`)"
      - "traefik.http.routers.mydashboard.service=api@internal"
      - "traefik.http.routers.mydashboard.middlewares=myauth"
      - "traefik.http.middlewares.myauth.basicauth.users=USERNAME:SHA1_PASSWORD"

networks:
  default:
    external:
      name: web
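
The following is an added example, not part of any post in this thread: a small consistency check run over flags and labels abridged from the first compose file above. It reports routers that reference entrypoints or middlewares that are never defined, duplicate label keys, `api.insecure=true`, and a router serving `api@internal` with no middleware attached. The `audit` helper is hypothetical, and it only resolves middlewares defined by labels in the same list (references with an `@provider` suffix are skipped).

```python
import re

# Constructed input: flags and labels abridged from the first compose file in this thread.
COMMAND = [
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--api.insecure=true",
    "--api.dashboard=true",
]
LABELS = [
    "traefik.http.routers.traefik.entrypoints=http",
    "traefik.http.routers.traefik.middlewares=traefik-https-redirect,basic-auth-global",
    "traefik.http.routers.traefik.middlewares=traefik-https-redirect",
    "traefik.http.routers.traefik-secure.entrypoints=https",
    "traefik.http.routers.traefik-secure.service=api@internal",
    "traefik.http.routers.traefik_https.middlewares=basic-auth-global",
    "traefik.http.middlewares.basic-auth-global.basicauth.users=REMOVED:REMOVED",
    "traefik.http.routers.redirect-to-https.entrypoints=http",
]

def audit(command, labels):
    """Return findings for a Traefik v2 flag/label set (hypothetical helper)."""
    findings = []
    flags = dict(f.lstrip("-").lower().split("=", 1) for f in command)
    if flags.get("api.insecure") == "true":
        findings.append("api.insecure=true: API/dashboard on :8080 without auth")
    entrypoints = {m.group(1) for k in flags
                   if (m := re.fullmatch(r"entrypoints\.([^.]+)\.address", k))}
    routers, defined_mw, seen = {}, set(), set()
    for label in labels:
        key, value = label.split("=", 1)
        if key in seen:  # the same key twice: only one value can take effect
            findings.append(f"duplicate label key: {key}")
        seen.add(key)
        if m := re.fullmatch(r"traefik\.http\.routers\.([^.]+)\.(\w+)", key):
            routers.setdefault(m.group(1), {})[m.group(2)] = value.split(",")
        elif m := re.match(r"traefik\.http\.middlewares\.([^.]+)\.", key):
            defined_mw.add(m.group(1))
    for name, opts in sorted(routers.items()):
        for ep in opts.get("entrypoints", []):
            if ep.lower() not in entrypoints:
                findings.append(f"router {name}: entrypoint '{ep}' is not defined")
        for mw in opts.get("middlewares", []):
            if "@" not in mw and mw not in defined_mw:
                findings.append(f"router {name}: middleware '{mw}' is not defined")
        if opts.get("service") == ["api@internal"] and not opts.get("middlewares"):
            findings.append(f"router {name}: api@internal has no middleware (no auth)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(COMMAND, LABELS)))
```

Run against the flags and labels of the final configuration in this thread, the same check returns no findings.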