Use Traefik with Let's Encrypt and Docker?

  • Hi all,


    I'm currently using LE with Docker and a reverse proxy.

    I'm interested in trying out Traefik; it seems useful for load balancing and reverse proxying.

    I found a few guides: https://jonnev.se/traefik-with-docker-and-lets-encrypt/ , https://medium.com/@ddymko/tra…t-and-docker-af24d2ed3535 .

    Is anybody here currently using it who would like to share their knowledge?

  • It mostly works as expected, but you will have to define static rules that point to the docker gateway (probably 172.168.17.0.1) if you want to proxy services running on the host (like the OMV web interface or cockpit).


    Tips:

    - Use a DNS provider supported out of the box by Traefik/lego

    - Progress gradually: make sure DNS works as expected (internal/external), get Traefik dashboard working, then Let's Encrypt, then add services to Traefik

    - Change other apps (omv web ui) off of port 80 or 443 before trying to start Traefik

    - Traefik/Cockpit example: https://blog.jjhayes.net/wp/2019/11/24/cockpit-and-traefik/

    - Traefik host network "bug": https://github.com/containous/traefik/issues/5559

  • I did some research today, and it seems like a lot of work.

    I already have a domain, and have a lot of services running like Grafana, NC, Prometheus....

    There seems to be a lack of Traefik documentation for that software.

  • I got Traefik container running, but can't get Nextcloud container to run.

    I got this error from the Traefik container:


    Code
    time="2020-03-24T11:48:48-04:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.testabc.com\": unable to generate a certificate for the domains [traefik.testabc.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: traefik.testabc.com: see https://letsencrypt.org/docs/rate-limits/, url: " rule="Host(`traefik.testabc.com`)" providerName=http.acme routerName=traefik-secure@docker
  • Good evening,


    The blocking comes from certificate generation, which LE limits to 50 per week.


    https://letsencrypt.org/docs/rate-limits/

    The main limit is Certificates per Registered Domain (50 per week).


    For my part, I set it up more than a month ago.

    I haven't figured it all out yet but it's great.

    No more bothering with certificates for all the applications you publish :D


    For security I even added two-factor authentication (2FA) with Google OAuth; it's safer :)


    Ps:

    If I may advise (even if the word is a bit strong), use version 1.7.21 of Traefik, because version 2 seems to lack documentation at the moment and there seem to be a lot of changes compared to v1.7.

    I used this tutorial:

    https://www.smarthomebeginner.…auth-with-traefik-docker/


    If your services are containers, it's super simple; you just have to add labels to your container :)

    If it is a different service that does not run under Docker, like my OMV, which is physical, I use an additional conf file in which I define the service:


    Code
    [backends]
      [backends.backend-omv]
        [backends.backend-omv.servers]
          [backends.backend-omv.servers.server-omv-ext]
            url = "http://Your_IP:80"
            weight = 0

    [frontends]
      [frontends.frontend-omv]
        backend = "backend-omv"
        passHostHeader = true
        [frontends.frontend-omv.routes]
          [frontends.frontend-omv.routes.route-omv-ext]
            rule = "Host:Your_Dom"
        [frontends.frontend-omv.headers]
          SSLRedirect = true
          SSLHost = "omv.Your_Dom"
          SSLForceHost = true
          STSSeconds = 315360000
          STSIncludeSubdomains = true
          STSPreload = true
          forceSTSHeader = true
          frameDeny = true
          contentTypeNosniff = true
          browserXSSFilter = true
          customFrameOptionsValue = "allow-from https://Your_Dom"
        [frontends.frontend-omv.auth]
          headerField = "X-WebAuth-User"
          [frontends.frontend-omv.auth.forward]
            address = "http://oauth:4181"
            trustForwardHeader = true
            authResponseHeaders = ["X-Forwarded-User"]

    AMD Ryzen 5 2400G on Asus TUF B450M-PLUS - 8Gb RAM - 3 * 3To RAID5 on LSI Megaraid SAS 9260-8i and 3 SSD in Fractal Design Node 804 Black
    OS: OMV 4.1.26-1

    Edited 3 times, last by Methy ().
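The v1 TOML above, carried over to the YAML file provider of Traefik v2 as an added example (this is not the poster's configuration and not Traefik project code). It assumes the Docker bridge gateway is 172.17.0.1 (the Docker default, the address the earlier reply says host services must be reached through), a TLS entry point named `websecure`, a certificate resolver named `le`, an OAuth forward-auth container reachable as `oauth` on port 4181, and `omv.example.com` standing in for the poster's `omv.Your_Dom`. Three things differ from the v1 block: the HTTPS redirect and the `SSLHost`/`SSLForceHost` headers are not reproduced because in v2 a redirect is configured on the entry point rather than in the headers middleware, `headerField` has no v2 `forwardAuth` equivalent, and two settings from the original are annotated rather than copied blindly: in Traefik, `customFrameOptionsValue` overrides `frameDeny`, and the `ALLOW-FROM` directive it was set to is ignored by current browsers, so a CSP `frame-ancestors` directive is the portable way to allow framing; `trustForwardHeader: true` makes Traefik pass client-supplied `X-Forwarded-*` headers to the auth service, which is only safe when the entry point restricts who may set them.

```yaml
# dynamic.yml  (Traefik v2, file provider)  -- added example, not the poster's file.
# Assumptions: Docker bridge gateway 172.17.0.1, entry point "websecure",
# resolver "le", forward-auth container "oauth" on port 4181, domain omv.example.com.
http:
  routers:
    omv:
      rule: "Host(`omv.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - omv-headers
        - oauth-forward
      service: omv
      tls:
        certResolver: le

  services:
    omv:
      loadBalancer:
        passHostHeader: true
        servers:
          # OMV runs on the host, not in a container, so the target is the
          # Docker bridge gateway (assumed default; check with
          # `docker network inspect bridge`).
          - url: "http://172.17.0.1:80"

  middlewares:
    omv-headers:
      headers:
        # HSTS exactly as in the v1 block: ten years, subdomains, preload.
        stsSeconds: 315360000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        contentTypeNosniff: true
        browserXssFilter: true
        # X-Frame-Options: DENY. The v1 block also set
        # customFrameOptionsValue = "allow-from ...", which Traefik applies
        # INSTEAD of frameDeny, and ALLOW-FROM is ignored by current browsers.
        # If the OMV UI must be framed from your own origin, express that with
        # CSP instead of X-Frame-Options (uncomment and adjust):
        frameDeny: true
        # contentSecurityPolicy: "frame-ancestors 'self' https://omv.example.com"

    oauth-forward:
      forwardAuth:
        address: "http://oauth:4181"
        authResponseHeaders:
          - X-Forwarded-User
        # true = the client's own X-Forwarded-* headers are forwarded to the
        # auth service unchanged. Keep this only if the entry point limits who
        # may set them (entryPoints.websecure.forwardedHeaders.trustedIPs in
        # the static config, e.g. your Cloudflare or LAN ranges); otherwise a
        # client can forge X-Forwarded-For / -Host / -Proto as seen by "oauth".
        trustForwardHeader: true
```

Mount this file into the Traefik container and reference it from the static configuration with `providers.file.filename`; the headers middleware is generic and can be attached to any other router in the same file.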

  • I can show you my docker-compose files for my Portainer and Traefik containers:


    Docker-compose for Traefik:



    And my Traefik.toml



  • My Traefik is running fine, but I just can't access Nextcloud.

    I think it has to do with the certificate.


    error:

    Code
    time="2020-03-24T17:42:18-04:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.abddd.com\": unable to generate a certificate for the domains [traefik.abddd.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: traefik.abddd.com: see https://letsencrypt.org/docs/rate-limits/, url: " routerName=traefik-secure@docker rule="Host(`traefik.abddd.com`)" providerName=http.acme
    time="2020-03-24T17:52:09-04:00" level=error msg="Unable to obtain ACME certificate for domains \"nextcloud\": unable to generate a certificate for the domains [nextcloud]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for \"nextcloud\": Domain name needs at least one dot, url: " providerName=http.acme rule="Host(`nextcloud`)" routerName=nextcloud-secure@docker
  • traefik.yml



    config.yml





    Traefik labels:


  • Nextcloud network: proxy


    Nextcloud labels:


  • Hello,


    In your traefik.yml you must force HTTPS redirection; replace


    Code
    entryPoints:
    http:
    address: ":80"
    https:
    address: ":443"
    dashboard:
    address: ":8080"

    with


    Code
    # Force HTTPS
    [entryPoints]
      [entryPoints.http]
        address = ":80"
        [entryPoints.http.redirect]
          entryPoint = "https"
      [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]

    Regarding the access problem, I am sure it is related to the number of requests you made for Nextcloud, because each time you access the URL over HTTPS it makes a certificate request to LE.


    You just have to wait or test for another service :)

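The redirect shown in the reply above is Traefik v1 TOML, while the poster's entry points (and the `@docker` router names in the logs) are Traefik v2. The v2 equivalent, as an added example that is not from the thread or from the Traefik project, covers the three problems visible in this thread at once: entry-point redirection to HTTPS (available from Traefik 2.2), an ACME resolver pointed at Let's Encrypt's staging CA so that restarting while debugging does not consume production issuance (the "too many certificates already issued for exact set of domains" error in the logs above is Let's Encrypt's duplicate-certificate limit, 5 per identical name set per week, which is separate from the 50-per-registered-domain limit quoted earlier), and Nextcloud labels whose `Host()` rule is a full domain name, since the second log line shows Let's Encrypt refusing the bare name `nextcloud`. Assumed names: entry points `web`/`websecure` in place of the poster's `http`/`https`, resolvers `le-staging` and `le`, the Docker network `proxy`, and the placeholders `nextcloud.example.com` and `admin@example.com`.

```yaml
# traefik.yml  (static config, Traefik 2.2 or later)  -- added example,
# not the poster's file. Names marked "assumed" are placeholders.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure      # every plain-HTTP request is sent to :443
          scheme: https
          permanent: true
  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false   # only containers with traefik.enable=true are routed
    network: proxy            # assumed: the network shared by Traefik and the apps
  file:
    filename: /etc/traefik/dynamic.yml   # routers for non-container services
    watch: true

certificatesResolvers:
  # Use this resolver while things are still being set up: staging issues
  # certificates freely (browsers will not trust them) and does not count
  # against the production rate limits.
  le-staging:
    acme:
      email: admin@example.com                   # assumed placeholder
      storage: /letsencrypt/acme-staging.json    # keep separate from production
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      httpChallenge:
        entryPoint: web      # the ACME HTTP-01 challenge is answered on :80
  # Production resolver: identical apart from the default CA and its own store.
  le:
    acme:
      email: admin@example.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

---
# docker-compose.yml fragment for Nextcloud  -- added example
services:
  nextcloud:
    image: nextcloud:stable
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # Host() must be a real FQDN: Let's Encrypt rejected Host(`nextcloud`)
      # with "Domain name needs at least one dot".
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.example.com`)"
      - "traefik.http.routers.nextcloud-secure.entrypoints=websecure"
      # Setting a certresolver enables TLS on the router; switch le-staging
      # to le once the routing works.
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=le-staging"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"

networks:
  proxy:
    external: true
```

Traefik answers `/.well-known/acme-challenge/` on the `web` entry point before the redirect applies, so the HTTP-01 challenge still works with the redirect in place. Once the router and DNS are confirmed working against staging, change `le-staging` to `le` on the router labels; because the two resolvers use different storage files, no staging certificate is carried into the production store.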

  • My registrar is OVH; I just changed the DNS servers to indicate that Cloudflare manages the DNS zone.

    You create an account with Cloudflare and enter the SID identifiers in the conf.

    The DNS zone web interface is simple and intuitive.

    You can use a proxy to hide your public IP from your services.


    I do not regret having tried. :)


  • I'm currently using NoIp, and they don't support the DNS challenge. Maybe I can try your method. I'm using the HTTP challenge as the tutorial instructed.

    Another issue: I can't access Traefik via the internal IP, only via the URL.


    Is this right?

  • It works for me with the internal IP over HTTP on port 8080 but not over HTTPS; I have not looked at why.

    However, on the external URL it works over HTTPS.

