Upgraded my old traefik and cannot use reverse proxy anymore

Hi, I apt upgraded docker on my Ubuntu server and totally messed something up, as I cannot access any of my reverse proxies anymore. There was a conflict in docker config files and I chose not to replace my old one. This led to traefik not being able to connect to the docker daemon, and it complained about old version etc. I reinstalled docker and upgraded my docker traefik (which was pretty old).

$docker version
Client: Docker Engine - Community
 Version:           26.0.0
 API version:       1.45
 Go version:        go1.21.8
 Git commit:        2ae903e
 Built:             Wed Mar 20 15:17:48 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.0.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       8b79278
  Built:            Wed Mar 20 15:17:48 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Traefik Image v2.11.0

//docker-compose.yaml
version: "3.3"

services:
  traefik:
    image: traefik:latest
    restart: always
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - 80:80
      - 443:443
        #    networks:
        #      proxy-net:
        #        ipv4_address: 172.19.1.30

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
        #      - /home/docker/traefik/traefik.toml:/traefik.toml
        #      - /home/docker/traefik/acme.json:/acme.json
    container_name: traefik

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`MYDOMAIN.com`)"
      - "traefik.http.routers.whoami.entrypoints=web"
        #networks:
        #  proxy-net:
        #    external: true

As you can see, my docker-compose is in a mess. I don't know which version I had before (could have been 1.17), but it didn't have the command field nor the whoami service. The commented-out parts were used previously.

The logs for both traefik and the whoami service are clear, but I cannot access my domain from a browser (not sure if I should be able to as MYDOMAIN.com?). I mostly used reverse proxies for other containers and I guess I need to update them now somehow. Some pointers on how I should change them would be most appreciated; the network parts of docker are still a bit of a mystery for me.

##part of random docker service
.
.
.
    labels:
      - "traefik.docker.network=proxy-net"
      - "traefik.enable=true"
      - "traefik.frontend.auth.basic"
      - "traefik.basic.frontend.rule=Host:next.MYDOMAIN.com"
      - "traefik.basic.port=80"

networks:
  proxy-net:
    external: true

It seems you used Traefik v1 before; the configuration looks different for v2.

Check simple Traefik example for static and dynamic config with TLS.

Minimum labels on a target service:

    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

Note that every service needs their own "name" in labels.

Thank you, I managed to get traefik and whoami reverse proxies to work. They are both marked as "not secure" though and I need to "proceed anyway" to reach them. However, I can't reach homeassistant and plex at all.

2024-03-31T18:39:48.082937867Z time="2024-03-31T18:39:48Z" level=debug msg="Serving default certificate for request: \"homeassistant.DOMAIN.se\""
2024-03-31T18:39:48.091621170Z time="2024-03-31T18:39:48Z" level=debug msg="http: TLS handshake error from 192.168.0.1:55980: remote error: tls: unknown certificate"
2024-03-31T18:39:51.402631914Z time="2024-03-31T18:39:51Z" level=debug msg="Serving default certificate for request: \"plex.DOMAIN.se\""
2024-03-31T18:39:51.407721976Z time="2024-03-31T18:39:51Z" level=debug msg="http: TLS handshake error from 192.168.0.1:56035: remote error: tls: unknown certificate"
2024-03-31T18:39:51.433910433Z time="2024-03-31T18:39:51Z" level=debug msg="Serving default certificate for request: \"plex.DOMAIN.se\""
2024-03-31T18:39:51.436827722Z time="2024-03-31T18:39:51Z" level=debug msg="http: TLS handshake error from 192.168.0.1:56036: remote error: tls: unknown certificate"

This is now my docker-compose for traefik. I need to have a static traefik IP to satisfy homeassistant's "trusted_proxies". Not sure if I managed to achieve that yet.

version: "3.3"

services:
  traefik:
    image: traefik:latest
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"

        #- "--entrypoints.websecure.asDefault=true"
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--providers.docker.network=proxy"
      - "--certificatesresolvers.myresolver.acme.email=EMAIL@gmail.com"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.storage=/acme-new.json"
    ports:
      - 80:80
      - 443:443
    networks:
      proxy:
        # ipv4_address: 172.18.0.2

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
        #      - /home/docker/traefik/traefik.toml:/traefik.toml
      - /home/docker/traefik/acme-new.json:/acme-new.json #Migrated from version 1
    container_name: traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.DOMAIN.se`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:$$Cps1$4.4pi5O9$$hrDasWyqZ8nkeCSXPaxIpJ."

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.DOMAIN.se`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.routers.whoami.entrypoints=websecure"

      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect

networks:
  proxy:
    name: proxy
    external: true
    ipam:
      config:
        - subnet: 172.18.0.0/16
          gateway: 172.18.0.1

Labels for homeassistant:

    networks:
      - default
      - proxy
    ports:
      - "8226:8226"
    expose:
      - "8226"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.ha.loadbalancer.server.port=8226"
      - "traefik.http.routers.ha.tls=true"
      - "traefik.http.routers.ha.rule=Host(`homeassistant.DOMAIN.se`)"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"

Any suggestions on what I'm missing?

Assume you receive a Traefik custom TLS cert?

Make it clean, set certresolver and TLS only on websecure entrypoint.

Set http-to-https redirect on web entrypoint.

Don’t expose ports: except for Traefik.

Set docker.network when using multiple networks on target and not all overlap with Traefik.

Check Traefik debug log for "acme" and/or "error".
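
The checklist in the reply above, applied to the settings posted in this thread. This is an added example, not a file from the original posters or from the Traefik project. It assumes both services sit in one compose file, that the external network `proxy` was created beforehand with the subnet 172.18.0.0/16, and that the homeassistant image name is the one you actually run; `USER:HASH` is a placeholder.

```yaml
services:
  traefik:
    image: traefik:v2.11.0
    container_name: traefik
    command:
      - "--api.dashboard=true"   # no --api.insecure: dashboard only via the router below
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxy"
      - "--entrypoints.web.address=:80"
      # http-to-https redirect on the web entrypoint
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      # TLS and certresolver set once, on websecure only
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--certificatesresolvers.myresolver.acme.email=EMAIL@gmail.com"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.storage=/acme-new.json"
    ports:
      - "80:80"
      - "443:443"
    networks:
      proxy:
        ipv4_address: 172.18.0.2  # assumes "proxy" was created with subnet 172.18.0.0/16
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/docker/traefik/acme-new.json:/acme-new.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.DOMAIN.se`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:HASH"  # placeholder

  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable  # assumed image
    networks: [default, proxy]  # no ports: section; only Traefik publishes ports
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.ha.rule=Host(`homeassistant.DOMAIN.se`)"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.services.ha.loadbalancer.server.port=8226"

networks:
  proxy:
    external: true
```

The ACME storage file must exist on the host with mode 600, and the TLS challenge needs port 443 reachable from the internet. Until a certificate is issued, Traefik serves its default certificate, which matches the "Serving default certificate" lines in the debug log.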