9

I'm trying to set up Upsource to work behind Traefik: https://www.jetbrains.com/help/upsource/proxy-configuration.html

Traefik is listening on ports 8008 and 8443 (since 80/443 will be used for another):

--entryPoints='Name:http Address::8008 Redirect.EntryPoint:https' --entryPoints='Name:https Address::8443 TLS'

docker labels:

labels:
  traefik.backend: upsource
  traefik.enable: "true"
  traefik.port: "8080"
  traefik.frontend.rule: "Host:review.domain.com"

In conf/internal/bundle.properties, base-url is configured as follows:

base-url=https\://review.domain.com\:8443/

problem:

time="2017-09-20T03:23:59Z" level=error msg="Error getting ACME certificates [review.domain.com] : Cannot obtain certificates map[review.domain.com:acme: Error 400 - urn:acme:error:connection - Connection refused
Error Detail:
        Validation for review.domain.com:443

Why does it validate on port 443 instead of 8443?

Moreover, to proxy WebSockets in Nginx:

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://upsourcemachine.domain.local:1111;
        proxy_pass_header Sec-Websocket-Extensions;

Can you confirm that Traefik supports WebSockets? And if so, how do I configure it?

quanta
  • Are you using traefik's letsencrypt for getting your certs? If so, it might be a problem with the endpoint setup and which the acme is coupled to. Could you post your toml file? – p.streef Sep 20 '17 at 06:37
  • Missing WS and WSS Entrypoint?! https://github.com/containous/traefik/issues/1327 – Berndinox Oct 11 '17 at 10:54

3 Answers

10

Traefik handles WebSockets, and you don't need any specific configuration for this.

Your problem seems to be more about the challenge in Let's Encrypt. Let's Encrypt doesn't handle the TLS challenge on ports other than the default one, and the default challenge in Traefik is TLS :(

So you need to configure Traefik to use DNS Challenge https://docs.traefik.io/configuration/acme/
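The DNS-challenge setup this answer points to, written out as a Traefik 1.7 `traefik.toml` for the entrypoints in the question (an added example, not part of the original answer). The provider name, e-mail address and storage path are assumptions; pick the provider code for your DNS host from the Traefik ACME documentation.

```toml
# Constructed example for Traefik 1.7. Values marked "assumed" are placeholders.
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":8008"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":8443"
    [entryPoints.https.tls]

[acme]
email = "admin@domain.com"       # assumed contact address
storage = "/certs/acme.json"     # assumed path; Traefik expects mode 600 on this file
entryPoint = "https"             # certificates are served on the 8443 entrypoint
onHostRule = true                # request a cert for each Host: frontend rule

# No [acme.httpChallenge] section: the validation server connects to port 80 for
# the HTTP challenge and to port 443 for the TLS challenge, whatever port the
# entrypoint listens on, which is why the log shows review.domain.com:443.

# DNS challenge: ownership is proven with a TXT record, so no inbound port
# on the proxy has to be reachable from Let's Encrypt.
[acme.dnsChallenge]
  provider = "cloudflare"        # assumed provider; use the code for your DNS host
  delayBeforeCheck = 0           # raise this if TXT records propagate slowly
```

The provider's API credentials are read from environment variables on the Traefik container. Use a token restricted to the zone that holds review.domain.com where the provider allows it, since anyone holding it can obtain certificates for that zone.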

4

Worked example for Confluence:

version: '3.3'

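networks:
  traefik:
    external: true
  # The services below attach to "manager", so it has to be declared here;
  # an overlay network is assumed (the snippet referenced it without declaring it).
  manager:
    driver: overlay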

volumes:
  portainer_data:
  confluence:

services:
  traefik:
    image: traefik:1.7.9-alpine
    command: >
      --docker
      --docker.swarmmode
      --docker.watch
      --docker.exposedbydefault=true
      --docker.domain=example.com
      --defaultentrypoints=http,https,ws,wss
      --entrypoints='Name:http Address::80'
      --entrypoints='Name:https Address::443 TLS'
      --acme
      --acme.email='example@gmail.com'
      --acme.storage='/certs/acme.json'
      --acme.entryPoint=https
      --acme.httpChallenge.entryPoint=http
      --acme.onhostrule=true
      --acme.acmelogging=true
      --logLevel=INFO
      --accessLog
      --api
    ports:
      - 80:80
      - 443:443
    networks:
      - manager
      - traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /certs:/certs
    deploy:
      mode: global
      labels:
        - traefik.enable=true
        - traefik.port=8080
        - traefik.frontend.rule=Host:traefik.example.com
        - traefik.docker.network=traefik
        #- traefik.redirectorservice.frontend.entryPoints=http
        #- traefik.redirectorservice.frontend.redirect.entryPoint=https
        - traefik.webservice.frontend.entryPoints=http,https
  portainer:
    image: portainer/portainer:1.20.1
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    networks:
      - manager
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        - traefik.port=9000
        - traefik.frontend.rule=Host:portainer.example.com
        - traefik.docker.network=traefik
        #- traefik.redirectorservice.frontend.entryPoints=http
        #- traefik.redirectorservice.frontend.redirect.entryPoint=https
        - traefik.webservice.frontend.entryPoints=http,https
  agent:
    image: portainer/agent:1.2.1
    environment:
      AGENT_CLUSTER_ADDR: tasks.agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - manager
    deploy:
      mode: global
  confluence:
    image: cptactionhank/atlassian-confluence:6.3.4
    networks:
      - traefik
    volumes:
      - confluence:/var/atlassian/confluence
    deploy:
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.port=8090
        - traefik.frontend.rule=Host:confluence.example.com
        - traefik.docker.network=traefik
        # - traefik.redirectorservice.frontend.entryPoints=http
        # - traefik.redirectorservice.frontend.redirect.entryPoint=https
        - traefik.webservice.frontend.entryPoints=http,https,ws,wss
vitams
0

An example for Kubernetes:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: server-route
spec:
  entryPoints:
    # Defined in the traefik configuration, e.g.
    # --entrypoints.websecure.address=:8888
    - websecure
  routes:
    - match: PathPrefix(`/`)
      middlewares:
        - name: server-headers
      kind: Rule
      services:
        - name: server
          port: portname
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: server-headers
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"

You must use Traefik's custom IngressRoute object instead of a normal Ingress.

Hugo O. Rivera