Use Traefik with Lets Encrypt and Docker ?

Methy · 26. März 2020

no particular reason I just followed the tutorial because I spent a lot of time before it worked and I ended up following the tutorial to the letter (before I tested with version 2.1 of traefik and I could not achieve what I wanted.)

But by changing in the traefik.toml you can probably reset the HttpChallenge I have not tested.

coffinbearer · 26. März 2020

tinh_x7 during the setup/testing stage you should change the letsencrypt caserver to increase the rate limit:

settings for traefik v1.7 and traefik v2.1 and the letsencrypt info site

Zitat von tinh_x7

I’m currently using NoIp...

If you mean noip.com then you are out of luck.. according to there website you cant get a ssl certificate for a no-ip hostname

tinh_x7 · 26. März 2020

Hello,

I'm try to transfer the DNS from NoIP to Cloudflare to see if it works.

Thanks

tinh_x7 · 27. März 2020

I finally able to connected to Nextcloud with LE cert !!

Somehow the traefik cert showing it's fake.

I manage to access Grafana, but the dashboard data isn't loading.

It worked before Traefik got setup.

coffinbearer · 27. März 2020

If you did change the letsencrypt caServer than this is expected behaviour. The Staging Environment is meant for setup and testing, please see the documantation

Methy · 27. März 2020

considering the signing of the certificate I think you switched to using the LE test environment which explains your certificate

tinh_x7 · 27. März 2020

Yes, I did.

I'm currently using Traefik 2.2.

Any of you use Grafana with Traefik ?

Methy · 27. März 2020

I use grafana but not through Traefik

tinh_x7 · 27. März 2020

If you access Grafana through WAN, how do you get the LE cert for Grafana without using Traefik ?

Methy · 27. März 2020

I misspoke, i use grafana only with my local network or through the VPN

tinh_x7 · 27. März 2020

I got the LE cert valid for Traefik site, but the dashboard only load if it's in private mode Chrome.

I have my external services (Plex, Emby) green status in Traefik dashboard, but they can't be access externally.

Code

Your connection isn't private
Attackers might be trying to steal your information from media.abctest.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_REVOKED

coffinbearer · 28. März 2020

tinh_x7 i have no idea what you are doing... please show your traefik configs static and dynamic.

Edit: and your traefik log file during startup i would like to see how you got your certificate issued.

tinh_x7 · 28. März 2020

Traefik.yml

Code

log:
  level: INFO

entryPoints:
  dashboard:
    address: :8080
  http:
    address: :80
  https:
    address: :443

api:
  dashboard: true
  insecure: false

serversTransport:
  insecureSkipVerify: true

certificatesResolvers:
  le:
    acme:
      httpChallenge:
        # used during the challenge
        entryPoint: http
      email: abcd.xyz@outlook.com
      storage: acme.json
      # Use Let's Encrypt Staging CA when testing!
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory

providers:
  docker:
    exposedByDefault: false
  file:
    filename: config.yml
    watch: true

accessLog: {}

# metrics

metrics:
  prometheus:
    manualRouting: true
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0
    addEntryPointsLabels: true
    addServicesLabels: true

  influxdb:
    pushInterval:
     - "10s"
    addEntryPointsLabels: true
    addServicesLabels: true
    protocol: http
    database: influxdb
    username: admin
    password: $2y$......

Alles anzeigen

Config.yml

Code

# external services
http:
  routers:
    plex:
      entryPoints:
        - https
      rule: "Host(`media.abcxyz.com`)"
      middlewares:
        - https-redirect@file
      service: plex
      tls:
        certResolver: "le"
  services:
    plex:
      loadBalancer:
        servers:
          - url: "http://192.168.1.97:32400/web/"
        passHostHeader: true


http:
  routers:
    emby:
      entryPoints:
        - https
      rule: "Host(`media.abcxyz.com`)"
      middlewares:
        - https-redirect@file
      service: emby
      tls:
        certResolver: "le"
  services:
    emby:
      loadBalancer:
        servers:
          - url: "http://192.168.1.97:8096"
        passHostHeader: true




# default settings

https-redirect:
  redirectScheme:
    scheme: https

default-headers:
  headers:
    frameDeny: true
    sslRedirect: true
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000

default-whitelist:
  ipWhiteList:
    sourceRange:
    - "10.0.0.0/24"
    - "192.168.0.0/16"
    - "172.0.0.0/8"

secured:
  chain:
    middlewares:
    - default-whitelist
    - default-headers

Alles anzeigen

coffinbearer · 28. März 2020

both your servies point to "media.abcxyz.com" how should traefik know which one you want?

why did you activate the docker provider if your setup is provided from the file provider? ... or did you setup yout traefik via docker labels?

tinh_x7 · 28. März 2020

hello,

I guess you right on the 'media.abczyz.com', I probably have to create two separate domains.

The docker provider exposed by default is set to false.

Is that wrong ?

I used this guide: https://medium.com/@containero…ough-traefik-7bf2d56b1057

Traefik log:

Code

172.20.0.1 - - [28/Mar/2020:16:25:16 +0000] "GET /metrics HTTP/1.1" 404 19 "-" "-" 45 "-" "-" 0ms,
172.20.0.1 - - [28/Mar/2020:16:25:56 +0000] "GET /metrics HTTP/1.1" 404 19 "-" "-" 53 "-" "-" 0ms,
time="2020-03-28T12:26:05-04:00" level=error msg="Error while writing to InfluxDB: Post \"http://localhost:8089/write?consistency=&db=influxdb&precision=ns&rp=\": dial tcp 127.0.0.1:8089: connect: connection refused" metricsProviderName=influxdb,
time="2020-03-28T12:22:45-04:00" level=error msg="Error while writing to InfluxDB: Post \"http://localhost:8089/write?consistency=&db=influxdb&precision=ns&rp=\": dial tcp 127.0.0.1:8089: connect: connection refused" metricsProviderName=influxdb,
172.20.0.1 - - [28/Mar/2020:16:26:06 +0000] "GET /metrics HTTP/1.1" 404 19 "-" "-" 55 "-" "-" 0ms,
time="2020-03-28T12:24:45-04:00" level=info msg="[during WriteTo err Post \"http://localhost:8089/write?consistency=&db=influxdb&precision=ns&rp=\": dial tcp 127.0.0.1:8089: connect: connection refused]" metricsProviderName=influxdb,
172.20.0.1 - - [28/Mar/2020:16:26:51 +0000] "GET /metrics HTTP/1.1" 404 19 "-" "-" 64 "-" "-" 0ms

coffinbearer · 28. März 2020

no it is not wrong but maybe unnecessary:

with the following yml block you activated the docker provider:

Code

  docker:

an with

Code

exposedByDefault: false

you told traefik to not automatically add all active docker containers.

if your emby and or plex services are docker containers you could add them via traefik labels like so (assuming you use a compose file):

(personally i would use labels if possible)

Code

    labels:
        - "traefik.enable=true"
       # - "traefik.docker.network=proxy_web"
        - "traefik.http.routers.plex.rule=Host(`plex.abczyz.com`)"
        - "traefik.http.routers.plex.tls=true"
        - "traefik.http.routers.plex.tls.certresolver=le"
        - "traefik.http.routers.plex.entrypoints=https"
       # - "traefik.http.routers.plex.middlewares=logins@file"
        - "traefik.http.services.plex.loadbalancer.server.port=32400"

since you are using traefik v2.2 i would also add the newly added default redirectionfor http => https:

this goes in your static configuration

Code

entryPoints:
  http:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  https:
    address: :443

Alles anzeigen

you should also set you log level to DEBUG i may reveal some insight and remove the whole metrics block until your services work.

EDIT:

my bad to active the docker provider via static file config you need: docs.traefik.io

Code

  docker:
  endpoint: "unix:///var/run/docker.sock"

Methy · 28. März 2020

Zitat von tinh_x7
I got the LE cert valid for Traefik site, but the dashboard only load if it's in private mode Chrome.
I have my external services (Plex, Emby) green status in Traefik dashboard, but they can't be access externally.
Code
Your connection isn't private
Attackers might be trying to steal your information from media.abctest.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_REVOKED

Just in case you have opened ports 80 and 443 to your traefik container ?

Methy · 28. März 2020

Zitat von coffinbearer
if your emby and or plex services are docker containers you could add them via traefik labels like so (assuming you use a compose file):
(personally i would use labels if possible)
Code
    labels:
        - "traefik.enable=true"
       # - "traefik.docker.network=proxy_web"
        - "traefik.http.routers.plex.rule=Host(`plex.abczyz.com`)"
        - "traefik.http.routers.plex.tls=true"
        - "traefik.http.routers.plex.tls.certresolver=le"
        - "traefik.http.routers.plex.entrypoints=https"
       # - "traefik.http.routers.plex.middlewares=logins@file"
        - "traefik.http.services.plex.loadbalancer.server.port=32400"
since you are using traefik v2.2 i would also add the newly added default redirectionfor http => https:
this goes in your static configuration
Code
entryPoints:
  http:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  https:
    address: :443
Alles anzeigen
you should also set you log level to DEBUG i may reveal some insight and remove the whole metrics block until your services work.
Alles anzeigen

in traefik version 2.x redirection http to https works easily ?

you no longer have to go through middleware as indicated here https://github.com/containous/traefik/issues/4863

tinh_x7 · 28. März 2020

Https redirection is already in my config.yml.

Both Plex and Emby services are external services, non-Docker containerization.

Code

http:
  routers:
    plex:
      entryPoints:
        - "https"
      rule: "Host(`plex.abcdxyz.com`)"
      middlewares:
        - default-headers
        - addprefix-plex
      tls:
        certResolver: "le"
      service: plex

  services:
    plex:
      loadBalancer:
        servers:
          - url: "http://192.168.1.97:32400"
        passHostHeader: true

   middlewares:
    addprefix-plex:
      addPrefix:
        prefix: "/web"


http:
  routers:
    emby:
      entryPoints:
        - "https"
      rule: "Host(`emby.abcdxyz.com`)"
      middlewares:
        - default-headers
        - addprefix-emby
      tls:
        certResolver: "le"
      service: emby

  services:
    emby:
      loadBalancer:
        servers:
          - url: "http://192.168.1.97:8920"
        passHostHeader: true

  middlewares:
    addprefix-emby:
      addPrefix:
        prefix: "/web"

Alles anzeigen

coffinbearer · 28. März 2020

Methy yes with traefik v2.2 a default entrypoint got added for it. traefik.docs and github commit

tinh_x7 as far as i can see you only changes schemes i'm talking about "HTTPS redirection (80 to 443)"

Jetzt mitmachen!