The minimal example from https://doc.traefik.io/traefik/user-guides/docker-compose/basic-example/ works on my local machine. However, when I try to adapt this to use TLS I run into an issue. I'm a Traefik newbie, so I might be making a stupid mistake.

This is my attempt:

version: "3.3"

services:

  traefik:
    image: "traefik:v2.8"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`127.0.0.1`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"

So the major modification is to use "traefik.http.routers.whoami.entrypoints=websecure" instead of "traefik.http.routers.whoami.entrypoints=web"

Running

$ curl -k https://127.0.0.1

I get

404 page not found

The Traefik log shows no routing-related issues, and the internal Traefik setup for routing etc., shown using `curl https://127.0.0.1:8080/api/rawdata | jq .`, looks the same as that of the working example, except for the changed port.

rocksportrocker

2 Answers

Add the following entry to your Traefik: "--entrypoints.websecure.address=:8080"

Normally it would be 8080 for http and 8443 for https alternative ports, but since your example specifically states https://~:8080, I have adapted it accordingly.

Brian
  • Did not work; the port `8080` is already used, since this is the service port enabled by `--api.insecure=true`. My example using `https://~:8080` is working; it dumps the internal setup of Traefik, which can be used for debugging. – rocksportrocker Aug 06 '22 at 14:51

So I opted for a new answer instead of just editing the old answer. (Reason being even incorrect answers teach something.)

My reference is this great post by Marc Mogdanz (link: https://marcmogdanz.de/posts/infrastructure-with-traefik-and-cloudflare/).

The direct answer to your query is:

  1. Expose port 8080 but do not publish it
  2. Add a host name rule. This will allow Traefik to route a URL request to its own port 8080.

The affected part of the compose file would be as follows (assuming that the URL https://dashboard.example.com is the desired URL to reach the dashboard):

expose:
  - 8080
...
labels: 
  - "traefik.enable=true"
  - "traefik.http.routers.traefik.rule=Host(`dashboard.example.com`)"
  - "traefik.http.routers.traefik.tls=true"
  - "traefik.http.services.traefik.loadbalancer.server.port=8080"

Finally, I noticed you are testing on localhost. If you are testing on a local machine, use localhost for the dashboard and keep 127.0.0.1 for whoami.

Or, alternately, add a static entry for a subdomain (see https://stackoverflow.com/a/19016600).

Either way, Traefik is looking at the SNI requested - not necessarily the IP address - when matching the Host rule.


Request ----> Docker:443 ---> {Traefik}-"SNI?"---"127.0.0.1"---> {whoami}
                                 |         \
                                 |          \
                               8080<---"dashboard.localhost"

Brian
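
The two steps from the answer above, assembled into the full compose file from the question, as an added example that is not part of the original posts. It assumes the hostname `dashboard.localhost` from the diagram; the `tls=true` label on the `whoami` router is an addition made here by analogy with the dashboard router (the answer shows it only for the dashboard), based on Traefik v2 treating a router without a `tls` section as serving plain-HTTP requests only.

```yaml
version: "3.3"

services:

  traefik:
    image: "traefik:v2.8"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--accesslog=true"
      # API and dashboard still listen on the internal :8080 entrypoint.
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    ports:
      # Only the TLS entrypoint is published on the host.
      - "443:443"
    expose:
      # Step 1: 8080 is reachable inside the Docker network, not from the host.
      - "8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      # Step 2: host rule that routes the dashboard hostname to Traefik's own 8080.
      - "traefik.http.routers.traefik.rule=Host(`dashboard.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      # Note: this router carries no authentication middleware.

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`127.0.0.1`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      # Assumption added here: marks the router as HTTPS so it answers on 443.
      - "traefik.http.routers.whoami.tls=true"
```

With no certificate resolver configured, Traefik serves its self-signed default certificate, so `curl` still needs `-k` as in the question.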