Use Traefik with Lets Encrypt and Docker ?

tinh_x7 · 23. März 2020

Hi all,

I'm currently using LE with Docker and reverse proxy.

I'm interest to try out Traefik, it's seem useful for load balancing and reverse proxy.

I found a few guides: https://jonnev.se/traefik-with-docker-and-lets-encrypt/ , https://medium.com/@ddymko/tra…t-and-docker-af24d2ed3535 .

Has anybody in here currently using it and would like to share their knowledge ?

prplhaz4 · 23. März 2020

It mostly works as expected, but you will have to define static rules that point to the docker gateway (probably 172.168.17.0.1) if you want to proxy services running on the host (like the OMV web interface or cockpit).

Tips:

- Use a DNS provider supported out of the box by Traefik/lego

- Progress gradually: make sure DNS works as expected (internal/external), get Traefik dashboard working, then Let's Encrypt, then add services to Traefik

- Change other apps (omv web ui) off of port 80 or 443 before trying to start Traefik

- Traefik/Cockpit example: https://blog.jjhayes.net/wp/2019/11/24/cockpit-and-traefik/

- Traefik host network "bug": https://github.com/containous/traefik/issues/5559

tinh_x7 · 23. März 2020

I did some researches today, and it seem a lot of work.

I already have a domain, and have a lot of services running like Grafana, NC, Prometheus....

There seem a lack of documentation for Traefik for those software.

Frepke · 24. März 2020

It's a bit of work but easy to do following this link: https://medium.com/@containero…y-step-guide-e0be0c17cfa5

tinh_x7 · 24. März 2020

I got Traefik container running, but can't get Nextcloud container to run.

Got error from Traefik container:

Code

time="2020-03-24T11:48:48-04:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.testabc.com\": unable to generate a certificate for the domains [traefik.testabc.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: traefik.testabc.com: see https://letsencrypt.org/docs/rate-limits/, url: " rule="Host(`traefik.testabc.com`)" providerName=http.acme routerName=traefik-secure@docker

Frepke · 24. März 2020

Maybe you can look here: https://github.com/containeroo/traefik-examples

tinh_x7 · 24. März 2020

Still can't access Nextcloud, same error.

Methy · 24. März 2020

Good evening,

The blocking comes from the generation of the certificate which is limited 50 per week by LE

https://letsencrypt.org/docs/rate-limits/

The main limit is Certificates per Registered Domain (50 per week).

As far as I'm concerned, I set it up more than a month ago.

I haven't figured it all out yet but it's great.

No more bothering with certificates for all the applications you publish: D

For security I even put double authentication with OAuth from google. (2FA) it's safer

Ps:

if I can advise (even if the word is a bit strong) use version 1.7.21 of Traefik because version 2 seems to lack documentation at the moment and there seems to be a lot of changes compared to V1.7

I used this tutorial:

https://www.smarthomebeginner.…auth-with-traefik-docker/

if your services are containers, it's super simple you just have to add labels in your container

If it is a different service that does not run under docker, like for me my OMV which is physical I use an additional conf file or I define the service:

[backends]

[backends.backend-omv]

[backends.backend-omv.servers]

[backends.backend-omv.servers.server-omv-ext]

url = "http: // Your_IP: 80"

weight = 0

[frontends]

[frontends.frontend-omv]

backend = "backend-omv"

passHostHeader = true

[frontends.frontend-omv.routes]

[frontends.frontend-omv.routes.route-omv-ext]

rule = "Host: Your_Dom"

[frontends.frontend-omv.headers]

SSLRedirect = true

SSLHost = "omv.Your_Dom"

SSLForceHost = true

STSSeconds = 315360000

STSIncludeSubdomains = true

STSPreload = true

forceSTSHeader = true

frameDeny = true

contentTypeNosniff = true

browserXSSFilter = true

customFrameOptionsValue = "allow-from https: Your_Dom"

[frontends.frontend-omv.auth]

headerField = "X-WebAuth-User"

[frontends.frontend-omv.auth.forward]

address = "http: // oauth: 4181"

trustForwardHeader = true

authResponseHeaders = ["X-Forwarded-User"]

tinh_x7 · 24. März 2020

Hello Methy,

Thanks for the quick reply.

I'm just try to access my containers like Nextcloud, Grafana.

So far, I can't access Nextcloud.

Error: 404

Methy · 24. März 2020

I can show you my docker-composed of my Portainer and Traefik containers :

Code

version: '3.7'

services:
  Portainer:
        restart: unless-stopped
        container_name: Portainer
        image: portainer/portainer:latest
        ports:
        - "9000:9000"
                
        environment:
        - PUID=1000
        - PGID=100
        - TZ=Europe/Paris
        
        volumes:
        - /var/run/docker.sock:/var/run/docker.sock
        - ./:/data
                        
        networks:
            - traefik_proxy
        labels:
                        
            ##To allow access via Traefik from outside##
            - "traefik.enable=true"
            #- "traefik.docker.network=traefik_proxy"
            #- "traefik.frontend.port=9000"
            #- "traefik.backend=Portainer"
            - "traefik.entryPoint=https"
            - "traefik.frontend.rule=Host:portainer.You_Dom"
            #########################################################

            ##2FA authentication with google OAuth2 ###############################
            - "traefik.frontend.auth.forward.address=http://oauth:4181"
            - "traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User"
            - "traefik.frontend.auth.forward.trustForwardHeader=true"
            #########################################################################

            ###Allow auto update via watchtower###
            - "com.centurylinklabs.watchtower.enable=true"
            
networks:
    traefik_proxy:
        external: true

Alles anzeigen

Docker-compose for Traefik :

Code

version: '3.7'

## Traefik - Reverse Proxy
services:
   traefik:
    hostname: Traefik
    image: traefik:v1.7.21
    container_name: Traefik
    restart: unless-stopped
    domainname: Your_Dom
    networks:
      - traefik_proxy
    ports:
      - "88:80"
      - "8443:443"
      - "8888:8080"
    environment:
      - CF_API_EMAIL=Your_Mail
      - CF_API_KEY=API_Cloudflare
      - TZ=Europe/Paris
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:traefik.Your_Dom"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=Your_Dom"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.customFrameOptionsValue: allow-from https:Your_Dom"
      #- "traefik.frontend.auth.basic.users=user:You_Password" #enable if you dont use 2FA
      
      #### Authentification via le container oauth et Google OAuth2 ( 2FA )  ###
      - "traefik.frontend.auth.forward.address=http://oauth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"
      #####################################################################################
      
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.toml:/etc/traefik/traefik.toml
      - ./services.toml:/etc/traefik/services.toml
      - ./acme.json:/etc/traefik/acme.json
networks:
    traefik_proxy:
        external: true

Alles anzeigen

And my Traefik.toml

Code

debug = true

logLevel = "INFO" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
#InsecureSkipVerify = true 
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations 
[api]
  entryPoint = "dashboard"
  dashboard = true
  address = ":8080"

# Force HTTPS
[entryPoints]
  [entryPoints.dashboard]
   address = ":8080"
   [entryPoints.dashboard.auth]
     [entryPoints.dashboard.auth.basic]
       users = ["user:encrypted_password"]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[file]
  watch = true
  filename = "/etc/traefik/services.toml"

# Let's encrypt configuration
[acme]
email = "Your_Mail@example.com" #any email id will work
storage="/etc/traefik/acme.json"
entryPoint = "https"
acmeLogging=true 
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
  provider = "cloudflare" # i use cloudflare for DNS provider
  delayBeforeCheck = 300
[[acme.domains]]
   main = "Your_Dom"
[[acme.domains]]
   main = "*.Your_Dom"
   
# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "Your_Dom"
watch = true
# This will hide all docker containers that don't have explicitly  
# set label to "enable"
exposedbydefault = false

Alles anzeigen

Methy · 24. März 2020

look at this link this one is very practical for setting up traefik :

https://www.smarthomebeginner.…roxy-tutorial-for-docker/

Then for 2FA:

https://www.smarthomebeginner.…auth-with-traefik-docker/

tinh_x7 · 24. März 2020

My Traefik is running fine, but just can't access to Nextcloud.

I think it has to do with the certificate.

error:

Code

time="2020-03-24T17:42:18-04:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.abddd.com\": unable to generate a certificate for the domains [traefik.abddd.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: traefik.abddd.com: see https://letsencrypt.org/docs/rate-limits/, url: " routerName=traefik-secure@docker rule="Host(`traefik.abddd.com`)" providerName=http.acme






time="2020-03-24T17:52:09-04:00" level=error msg="Unable to obtain ACME certificate for domains \"nextcloud\": unable to generate a certificate for the domains [nextcloud]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for \"nextcloud\": Domain name needs at least one dot, url: " providerName=http.acme rule="Host(`nextcloud`)" routerName=nextcloud-secure@docker

tinh_x7 · 24. März 2020

traefik.yml

Code

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  dashboard:
    address: ":8080"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml

certificatesResolvers:
  http:
    acme:
      email: abc@outlook.com
      storage: acme.json
      httpChallenge:
        entryPoint: http

Alles anzeigen

config.yml

Code

http:
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https

    default-headers:
      headers:
        frameDeny: true
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true

    default-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/24"
        - "192.168.1.0/24"
        - "172.0.0.0/8"

    secured:
      chain:
        middlewares:
        - default-whitelist
        - default-headers

Alles anzeigen

Traefik labels:

Code

org.opencontainers.image.description    A modern reverse-proxy
org.opencontainers.image.documentation    https://docs.traefik.io
org.opencontainers.image.title    Traefik
org.opencontainers.image.url    https://traefik.io
org.opencontainers.image.vendor    Containous
org.opencontainers.image.version    v2.1.9
traefik.enable    true
traefik.http.middlewares.traefik-auth.basicauth.users    tinhx7:$redacted$$$$$
traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme    https
traefik.http.routers.traefik-secure.entrypoints    https
traefik.http.routers.traefik-secure.middlewares    traefik-auth
traefik.http.routers.traefik-secure.rule    Host(`traefik.abcd.com`)
traefik.http.routers.traefik-secure.service    api@internal
traefik.http.routers.traefik-secure.tls    true
traefik.http.routers.traefik-secure.tls.certresolver    http
traefik.http.routers.traefik.entrypoints    http
traefik.http.routers.traefik.middlewares    traefik-https-redirect
traefik.http.routers.traefik.rule    Host(`traefik.abcdxx.com`)
traefik.http.services.traefik.loadbalancer.server.port    8080

Alles anzeigen

tinh_x7 · 24. März 2020

Nextcloud network: proxy

Nextcloud labels:

Code

traefik.docker.network    proxy
traefik.enable    true
traefik.http.middlewares.nc-header.headers.customFrameOptionsValue    SAMEORIGIN
traefik.http.middlewares.nc-rep.redirectregex.permanent    true
traefik.http.middlewares.nc-rep.redirectregex.regex    https://(.*)/.well-known/(card|cal)dav
traefik.http.middlewares.nc-rep.redirectregex.replacement    https://$${1}/remote.php/dav/"
traefik.http.middlewares.nextcloud-https.redirectscheme.scheme    https
traefik.http.routers.nextcloud-http.rule    Host(`cloud.abcd.com`)
traefik.http.routers.nextcloud-secure.entrypoints    https
traefik.http.routers.nextcloud-secure.middlewares    secured@file,nc-rep,nc-header
traefik.http.routers.nextcloud-secure.service    nextcloud
traefik.http.routers.nextcloud-secure.tls    true
traefik.http.routers.nextcloud-secure.tls.certresolver    http
traefik.http.routers.nextcloud.entrypoints    http
traefik.http.routers.nextcloud.rule    Host(`cloud.abcd.com`)
traefik.http.services.nextcloud.loadbalancer.server.port    80

Alles anzeigen

Methy · 25. März 2020

Hello,

in your traefik.yml you must force https redirection replace

Code

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  dashboard:
    address: ":8080"

By

Code

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

Regarding the access problem I am sure it is related to the number of requests you made for nextcloud because each time you access the URL in https it makes a certificate request at LE

You just have to wait or test for another service

tinh_x7 · 25. März 2020

Your format is in tomal, but I’ll try it.

The config.yml is set for the https redirection.

I currently only has on cert for Traefik subdomain, how does I generate it for Nextcloud ?

Methy · 26. März 2020

my registrar is OVH, I just changed the DNS server to indicate that it is Cloudflare which manages the DNS zone

You create an account with cloudflare and enter the SID identifiers in the conf.

The DNs zone web interface is simple and intuitive

You can use a proxy to hide your public IP from your services.

I do not regret having tried.

tinh_x7 · 26. März 2020

I’m currently using NoIp, and they don’t have DNS challenge. Maybe I can try your method. I’m using http challenge like the tutorial instructed.

Other issue: I can’t access Traefik with internal ip, only with url.

Is this right ?

Methy · 26. März 2020

it works for me with the internal ip in http on port 8080 but not in https I have not looked at why.

However on the external url it works in https

tinh_x7 · 26. März 2020

is there a reason why you using DNS challenge instead HttpChallenge ?

Jetzt mitmachen!