Disclaimer: My Docker and my Traefik knowledge is weak. I have several times tried following the Traefik docs and I usually just get confused, possibly because I want to tackle more than the simplest of cases but also, I'm sure I am missing some fundamentals.

In my current setup, I can create a web-based (port 80) Docker service that Traefik v2 picks up, creates a LE cert, redirects from http:80 to https:443, and exposes. Below is my docker-compose.yml for Traefik and also one for a sample service that works.

Let's say, however, that my web-based service really wants to run on a port other than 80. For instance, I want to run statping, which runs on port 8080. Is it possible, given the SSL setup that I currently have, to wire it up such that I can expose the entry point http://statping.MYTLD and rely on Traefik to: 1. redirect to https://statping.MYTLD, 2. obtain the certificate, and 3. expose my statping Docker container? Can Traefik handle the Acme http challenge even though the underlying service is not running on port 80? I figure it can, since my working sample isn't even exposing a port past the container level.

Note: I am most familiar with Docker Compose but perhaps for a service like statping, I need to figure out how to write my own DOCKERFILE so that I can cajole it into running on port 80 instead of port 8080?

Thanks for any insight!

Traefik docker-compose.yml:

version: "3.3"

networks:
  traefik:
    external: true

services:

  traefik:
    image: "traefik:v2.3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"

      # FOR TESTING.
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

      - "--certificatesresolvers.myresolver.acme.email=craig@wereallconnected.ca"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"

    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"

    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

Sample service docker-compose.yml:

version: "3.3"

networks:
  traefik:
    external: true

services:

  whoami2:
    image: "traefik/whoami"
    container_name: "simple-service2"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami2.rule=Host(`whoami2.MYTLD`)"
      - "traefik.http.routers.whoami2.entrypoints=websecure"
      - "traefik.http.routers.whoami2.tls.certresolver=myresolver"

    networks:
      - traefik

    restart: unless-stopped

Craig Silver

1 Answer

From the traefik docs:

If a container exposes multiple ports, or does not expose any port, then you must manually specify which port Traefik should use for communication by using the label traefik.http.services.<service_name>.loadbalancer.server.port (Read more on this label in the dedicated section in routing).

So if whoami was listening on 8080 and didn't expose exactly one port, you should specify the label:

"traefik.http.services.whoami2.loadbalancer.server.port=8080"

BMitch
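
Applied to the statping case from the question, as an added example that is not part of the original question or answer: the image name `statping/statping` and the router/service name `statping` are assumptions, while the network, entrypoint and resolver names are taken from the question's files.

```yaml
version: "3.3"

networks:
  traefik:
    external: true

services:

  statping:
    # Assumed image name; substitute the statping image you actually deploy.
    image: "statping/statping"
    container_name: "statping"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.statping.rule=Host(`statping.MYTLD`)"
      - "traefik.http.routers.statping.entrypoints=websecure"
      - "traefik.http.routers.statping.tls.certresolver=myresolver"
      # Port the application listens on inside the container.
      - "traefik.http.services.statping.loadbalancer.server.port=8080"

    # No "ports:" section: Traefik reaches 8080 over the shared "traefik"
    # network, so the app is not published on the host and cannot be
    # reached around the TLS entrypoint.
    networks:
      - traefik

    restart: unless-stopped
```

The ACME HTTP challenge and the http-to-https redirect are both served by Traefik on its `web` entrypoint (port 80), so the backend's port has no effect on them. The `8080:8080` mapping in the Traefik file publishes Traefik's own API/dashboard (enabled by `--api.insecure=true`), not statping; it does not conflict with the container-internal 8080, but it does leave that dashboard reachable without authentication on the host.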