I have traefik docker running, and I want portainer (http://192.168.50.16:9000) to be accessable via https://portainerhost2.example.org
Other services, using docker labels work really well, but this portainer instance is running on a new host, so I would like to the existing traefik instance on host1.
From what I've seen, this is done with routers and service. Below is my config, what am I doing wrong?
traefik.yaml
api:
dashboard: true
debug: true
entryPoints:
http:
address: ":80"
http:
redirections:
entrypoint:
to: https
scheme: https
https:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: ./config.yaml
certificatesResolvers:
cloudflare:
acme:
email: cloudflare@domain.tld
storage: acme.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
log:
level: "INFO"
filePath: "/var/log/traefik/traefik.log"
accessLog:
filePath: "/var/log/traefik/access.log"
config.yaml
http:
middlewares:
default-security-headers:
headers:
customBrowserXSSValue: 0
contentTypeNosniff: true
forceSTSHeader: true
frameDeny: false
referrerPolicy: "strict-origin-when-cross-origin"
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 3153600
contentSecurityPolicy: "default-src 'self'"
customRequestHeaders:
X-Forwarded-Proto: https
https-redirectscheme:
redirectScheme:
scheme: https
permanent: true
routers:
portainer:
entryPoints:
- "http"
rule: "Host(`portainerhost2.example.org`)"
middlewares:
- default-security-headers
- https-redirectscheme
tls: {}
service: portainer
services:
portainer:
loadBalancer:
servers:
- url: "http://192.168.50.16:9000"
passHostHeader: true
compose.yaml
# touch traefik.yml config.yml acme.json
services:
traefik:
ports:
- 8080:8080 # ro web ui
- 80:80 # http
- 443:443 # https
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /data/config_storage/traefik/logs:/var/log/traefik # there are no docker logs, so they will be in this folder
- /data/config_storage/traefik/acme.json:/acme.json
- /data/config_storage/traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro
- /data/config_storage/traefik/config.yaml:/etc/traefik/config.yaml:ro
environment:
TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
CF_API_EMAIL: ${CF_API_EMAIL}
image: traefik:v3.3
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true # helps to increase security
networks:
intranet:
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.example.org`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.org`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=example.org"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.org"
- "traefik.http.routers.traefik-secure.service=api@internal"
networks:
intranet: # docker network create intranet
external: true # or comment this line to auto create the network