18

I cannot figure out how to get a simple service to be accessible by both http and https on localhost. This is my setup so far and I'm using traefik V2.xxx.

I want to be able to hit this site using both https/http protocols (for reasons on dev machines only). The https works just fine but http does NOT. What labels do I need to add/remove/change?

http://whoami.localhost:8000/
https://whoami.localhost:8443/

docker-compose.yml

version: "3.7"

services:

  whoami:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.localhost`)
      - traefik.http.routers.whoami.entrypoints=web,web-secure
      - traefik.http.routers.whoami.tls=true
      - traefik.protocol=http,https

  reverse-proxy:
    depends_on:
      - whoami
    image: traefik:v2.1.1
    ports:
      - 8000:80
      - 8443:443
      - 8001:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik:/etc/traefik:ro

traefik/traefik.toml

[log]
  level = "DEBUG"

[accessLog]
  filePath = "/logs/access.log"
  bufferingSize = 20

[docker]
  exposedbydefault = false

[api]
  dashboard = true
  insecure = true

[providers]
  [providers.file]
    filename = "/etc/traefik/traefik.toml"
    watch = true

  [providers.docker]
    exposedbydefault = false

[[tls.certificates]]
  certFile = "/etc/traefik/certs/localhost-cert.pem"
  keyFile = "/etc/traefik/certs/localhost-key.pem"

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.web-secure]
    address = ":443"

C:\Windows\System32\drivers\etc\hosts

127.0.0.1 whoami.localhost
TugboatCaptain

3 Answers

31

Finally got this working. The traefik docs are squarely in the esoteric region on certain topics, and given the recent major 2.0 release there aren't a lot of examples out there yet.

Here is my working docker-compose.yml file where the application is now being exposed using the same host "whoami.localhost" and on both port 8000 (http) and 8443 (https).

version: "3.7"

services:
  whoami:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami-http.rule=Host(`whoami.localhost`)
      - traefik.http.routers.whoami-http.entrypoints=web
      - traefik.http.routers.whoami-http.service=whoami-http-service
      - traefik.http.services.whoami-http-service.loadbalancer.server.port=80

      - traefik.http.routers.whoami-https.rule=Host(`whoami.localhost`)
      - traefik.http.routers.whoami-https.entrypoints=web-secure
      - traefik.http.routers.whoami-https.service=whoami-https-service
      - traefik.http.services.whoami-https-service.loadbalancer.server.port=80
      - traefik.http.routers.whoami-https.tls=true

  reverse-proxy:
    depends_on:
      - whoami
    image: traefik:v2.1.1
    ports:
      - 8000:80
      - 8443:443
      - 8001:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik:/etc/traefik:ro

Routers and services in Traefik 2.x can be dynamically created using whatever naming convention you want using docker labels. In this setup I just called them whoami-http and whoami-https for the routers and whoami-http-service and whoami-https-service for the services. Since I am dynamically creating my own routers/services instead of using the defaults, the load-balancer for each service must be explicitly told the server port for the targeted application. Since the whoami app only exposes port 80 itself and TLS is terminated at traefik, this is defined as port 80 for both http and https services.

All of the labels shown above are required and cannot be omitted for this type of custom router/service setup.

[Screenshot: traefik dashboard]

I'm using mkcert on Windows 10 for valid local certificates in case you were wondering.

mkcert -install

mkcert -key-file traefik\certs\localhost-key.pem -cert-file traefik\certs\localhost-cert.pem whoami.localhost localhost 127.0.0.1 ::1
MasterAM
TugboatCaptain
This example is particularly useful if one is trying to configure Traefik for a Docker Compose service that (internally) exposes two ports at the same network address and one wants to properly wire two entryPoints on the public network address to those two ports operated by one Docker service. The two ports offer two distinct apps. Here, this is not about mapping HTTP to HTTPS. No other example configuration found properly informs Traefik about the many ports into one service at separate ports situation. So... thank you. – Lonnie Mar 21 '21 at 20:55
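Added example (not part of the answer above and not Traefik's own code): a small Python check run over the label set from the question and the one from this answer. It flags a TLS-enabled router attached to a plaintext entrypoint, which Traefik v2 will not match for plain HTTP requests, and a router that names a service with no `loadbalancer.server.port` label. The `lint` and `parse` helpers are hypothetical, and treating `web` as the plaintext entrypoint is an assumption taken from the `traefik.toml` in the question.

```python
import re
from collections import defaultdict

# Constructed inputs: router/service labels copied from the question and from the fix.
QUESTION_LABELS = [
    "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)",
    "traefik.http.routers.whoami.entrypoints=web,web-secure",
    "traefik.http.routers.whoami.tls=true",
]
FIXED_LABELS = [
    "traefik.http.routers.whoami-http.rule=Host(`whoami.localhost`)",
    "traefik.http.routers.whoami-http.entrypoints=web",
    "traefik.http.routers.whoami-http.service=whoami-http-service",
    "traefik.http.services.whoami-http-service.loadbalancer.server.port=80",
    "traefik.http.routers.whoami-https.rule=Host(`whoami.localhost`)",
    "traefik.http.routers.whoami-https.entrypoints=web-secure",
    "traefik.http.routers.whoami-https.service=whoami-https-service",
    "traefik.http.services.whoami-https-service.loadbalancer.server.port=80",
    "traefik.http.routers.whoami-https.tls=true",
]
# Assumption: "web" (":80" in the question's traefik.toml) is the only plaintext entrypoint.
PLAINTEXT_ENTRYPOINTS = {"web"}
LABEL_RE = re.compile(r"^traefik\.http\.(routers|services)\.([^.]+)\.([^=]+)=(.*)$")

def parse(labels):
    """Group labels into {router: {option: value}} and {service: {option: value}}."""
    routers, services = defaultdict(dict), defaultdict(dict)
    for label in labels:
        m = LABEL_RE.match(label)
        if m:
            kind, name, option, value = m.groups()
            target = routers if kind == "routers" else services
            target[name][option.lower()] = value  # label keys are case-insensitive
    return routers, services

def lint(labels):
    """Return findings for TLS routers on plaintext entrypoints and port-less services."""
    routers, services = parse(labels)
    findings = []
    for name, opts in sorted(routers.items()):
        eps = {e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()}
        tls = opts.get("tls", "").lower() == "true" or any(k.startswith("tls.") for k in opts)
        plain = sorted(eps & PLAINTEXT_ENTRYPOINTS)
        if tls and plain:
            findings.append(f"{name}: tls router bound to plaintext entrypoint(s) {plain}")
        svc = opts.get("service")
        if svc and "loadbalancer.server.port" not in services.get(svc, {}):
            findings.append(f"{name}: service {svc} has no loadbalancer.server.port")
    return findings
```

The question's single router is reported because `tls=true` makes it HTTPS-only on every entrypoint it is attached to; the split `whoami-http`/`whoami-https` routers pass both checks.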
4

This is how I do it, starting with my Docker Compose file:

# docker-compose.yml

version: '3.7'

services:
  whoami:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entryPoints=web
      - traefik.http.routers.whoami.rule=Host(`localhost`)
      - traefik.http.routers.whoami-secured.entryPoints=web-secure
      - traefik.http.routers.whoami-secured.rule=Host(`localhost`)
      - traefik.http.routers.whoami-secured.tls=true

  proxy:
    image: traefik:2.4
    ports:
      - '80:80'
      - '443:443'
      - '8080:8080'
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker/proxy/traefik.yml:/etc/traefik/traefik.yml
      - ./docker/proxy/dynamic_config.yml:/etc/traefik/dynamic_config.yml
      - ./docker/proxy/certs/server.crt:/etc/ssl/server.crt
      - ./docker/proxy/certs/server.key:/etc/ssl/server.key

Next is my static config file where I define my entrypoints (among other things):

# ./docker/proxy/traefik.yml

api:
  insecure: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https

  web-secure:
    address: :443

log:
  level: INFO

providers:
  docker:
    exposedByDefault: false

  file:
    filename: /etc/traefik/dynamic_config.yml

The dynamic config file is where I configure the SSL certificates (they're self-signed certificates):

# ./docker/proxy/dynamic_config.yml

tls:
  certificates:
    - certFile: /etc/ssl/server.crt
      keyFile: /etc/ssl/server.key

I used to use middleware to handle the secure redirect—which I also had in this file—until I stumbled across the configuration above that sets it up as part of the entrypoint.

partydrone
2

Actually, all you need are 3 labels, as long as you default to tls for the websecure entrypoint.

docker-compose.yml

version: "3.7"

services:

  whoami:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.localhost`)
      - traefik.http.services.whoami.loadbalancer.server.port=80

  reverse-proxy:
    image: traefik:v2.1.1
    ports:
      - 8000:80
      - 8443:443
      - 8001:8080
    command: --entrypoints.web-secure.http.tls=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik:/etc/traefik:ro
Chris Becke