What's wrong with my configuration

Traefik Traefik v2
1

Disclaimer: Traefik noob here :skull:

If I use my domain name, such as: portainer.domain.tld, I got a 526 SSL invalid certificate error or connection timed out, depending of what useless things I'm configuring.

So I tried with local domain name, but I got a ERR_CONNECTION_REFUSED error.

I tried several configurations, none of them worked. Here's my last attempt.

portainer.yml, running without problem:

version: "3.9"

services:
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    ports:
      - "50000:9443"
    volumes:
      - /volume1/docker/portainer/:/data/
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.mydomain.tld`)"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.docker.network=portainer-network"
    networks:
      - portainer-network

networks:
  portainer-network:
    name: portainer-network
    driver: bridge

My traefik.yml (not the configuration file), no apparent error in logs:

version: "3.9"

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    read_only: true
    security_opt:
      - no-new-privileges:true
    ports:
      - "44300:443"
      - "25100:8080"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik/traefik.yml:/traefik.yml:ro
      - /volume1/docker/_certs/:/certs/:ro
    networks:
      - traefik-network

networks:
  traefik-network:
    name: traefik-network
    driver: bridge

Finally, my treafik.yml (config file)

api:
  dashboard: true
  insecure: true

entryPoints:
  http:
    address: ":443"

tls:
  certificates:
    - certFile: /certs/cert.pem
      keyFile: /certs/key.pem

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

If you need anything else, please, let me know.

Thanks to those who could help me :smiley:

2

Okay, as It's very complicated for me, I made a more simple example, that still does not work :pensive:

I set up a whoami container:

version: "3.9"

services:
  whoami:
    image: traefik/whoami
    name: whoami
    network_mode: bridge
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=http"
      - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"

I simplified the Traefik too.

version: "3.9"

services:
  portainer:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    read_only: true
    ports:
      - "49870:80"
      - "25100:8080"
    network_mode: bridge
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik/traefik.yml:/traefik.yml:ro
      - /volume1/docker/_certs/:/certs/:ro

The YAML config file:

api:
  dashboard: true
  insecure: true

entryPoints:
  http:
    address: ":80"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    useBindPortIP: true

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /certs/domain.tld.cert.pem
        keyFile: /certs/domain.tld.key.pem

My router port forward from 80 to 49870 internal to try to reach Traefik.
I can make: curl -H Host:whoami.domain.tld http://192.168.1.200:49870 (192.168.1.200 is the server where Traefik is)

Hostname: c963bf79bea3
IP: 127.0.0.1
IP: 172.17.0.2
RemoteAddr: 172.17.0.3:39448
GET / HTTP/1.1
Host: whoami.domain.tld
User-Agent: curl/7.83.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.17.0.1
X-Forwarded-Host: whoami.domain.tld
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 94e90790ccba
X-Real-Ip: 172.17.0.1

But I can't, write whoami.domain.tld in a browser and not having an error :frowning_face:

3

Whatever container Traefik should forward requests to, both should be placed within the same Docker network.

If the target service has multiple networks, set docker.network in static provider or dynamic router config.

4

Thanks for your reply.

The final version of my Traefik configuration will need to be able to cope with different Docker networks. For security first, and because I don't want to edit all my services to put them in a single network. No way.

For now, I just try to make Traefik work outside of my network (from a web browser typically).
I don't know what's wrong from this side. I use the same method as for Nginx, when my IP gets a request on port 443, It redirects it to my server, and then, the container takes care of the rest.

Here, Traefik doesn't seem to make anything.

5

You can have a different Docker network for every service, but Traefik needs to be part of it. Then use labels on your service to set according traefik.docker.network.

Make sure your domain whoami.domain.tld is set in DNS to resolve to the IP, either in Internet with a paid provider, in your Internet router or in your local hosts file.

It’s very confusing that you name your Traefik service „portainer“.

6

Shouldn't name my Traefik service "portainer"? In Traefik, It is showed as portainer@docker.

I don't understand why Traefik is capable of routing a request to a container while Nginx does (to a local IP + port) without problem.

I don't know what blocks Traefik.

7

Just stated that this was confusing to me, when I scanned over the config.

8

Help? :`|

Even on trying on another machine, It does not work. I don't understand. Requests come because if I switch to 443, I have SSL invalid certificate error but on 80, It just loads. I tried with curl and I got a 301 error.

I think I'm ready to pay 5$ on PayPal to solve this shit, It's enough.

11

Looking again at your original post: not sure how portainer should work via Traefik, because they don’t share the same Docker network. Did you access it directly via the exposed port?

Traefik TLS files need to be configured in a “dynamic configuration”, so you need something like traefik-dynamic.yml which you load in traefik.yml with a provider.file (next to provider.docker). TLS docs, file docs.

And if you try accessing your app with curl and http and https, you should expose the default ports 80 and 443 or add the ports to you curl request.

12

Okay, I found the answer ...
DNS record had a wrong address... because my ISP has dynamic IP...

13

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.