For a while now, I've been trying to set up Traefik on my Oracle Cloud VPS. The server is sitting behind Cloudflare, so I configured an origin certificate from them. This seems to be working, because when I want to access the dashboard, the configured certificate is delivered. Unfortunately, Traefik doesn't seem to route correctly to the dashboard, as I always get a 404 back when I access the configured path: https://proxy.example.com/dashboard/.

My docker-compose.yml looks like this:

version: '3'

networks:
  proxy:
    name: proxy

services:
  proxy:
    image: traefik:2.8
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml
      - ./tls.yml:/tls.yml
      - ./cloudflare.crt:/cloudflare.crt
      - ./cloudflare.key:/cloudflare.key
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard-https.rule=Host(`proxy.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard-https.entrypoints=https"
      - "traefik.http.routers.dashboard-https.service=api@internal"
    networks:
      - proxy

The traefik.yml looks like:

log:
  level: DEBUG

api:
  insecure: false
  dashboard: true

entryPoints:
  https:
    address: ":443"

providers:
  docker:
    network: proxy
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "tls.yml"
    watch: true

For tls.yml I put the following content:

tls:
  certificates:
    - certFile: "/cloudflare.crt"
      keyFile: "/cloudflare.key"
  stores:
    default:
      defaultCertificate:
        certFile: "/cloudflare.crt"
        keyFile: "/cloudflare.key"

The folder has the following content:

cloudflare.crt  cloudflare.key  docker-compose.yml  tls.yml  traefik.yml

I've tried many things so far:

  • Disabled iptables by accepting everything on INPUT, OUTPUT and FORWARD.
  • Ran another service on Docker and exposed its HTTP interface directly without Traefik, which worked.
  • Ran a server directly on the host system (without Docker) and tested whether the HTTP interface is accessible, which also worked.

I'm pretty sure something is wrong with my Traefik configuration. Do you see any mistakes I made?

Robin
  • Have you already debugged your local instance w/o the cloudflare proxy in the middle? `curl -v -H "Host: proxy.example.com" https://$traefik-ip:443/dashboard`. By the way: Cloudflare by default serves the certificate at the proxy level so you might see this instead of the cert you configured in traefik. – DASKAjA Jul 26 '22 at 14:57

1 Answer

If only HTTPS is configured, tls needs to be set to true; otherwise Traefik won't route to the designated service.

version: '3'

networks:
  proxy:
    name: proxy

services:
  proxy:
    image: traefik:2.8
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml
      - ./tls.yml:/tls.yml
      - ./cloudflare.crt:/cloudflare.crt
      - ./cloudflare.key:/cloudflare.key
    ports:
      - target: 443
        published: 443
        mode: host
    labels:
      - "traefik.enable=true"
      # The line below was missing.
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.rule=Host(`proxy.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.entrypoints=https"
      - "traefik.http.routers.dashboard.service=api@internal"
    networks:
      - proxy
Robin
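
A check for the misconfiguration this answer describes, as an added example that is not part of the original post: it groups Traefik v2 router labels and reports routers attached to an HTTPS entrypoint that never enable TLS. The function names are hypothetical, the caller states which entrypoints serve HTTPS, and treating `tls=true` or any `tls.*` label as "TLS enabled" is a simplification made for this example.

```python
import re

# Matches traefik.http.routers.<router>.<option>=<value>.
# Option names are lowercased before comparison.
LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.([^=]+)=(.*)$", re.IGNORECASE)

def parse_routers(labels):
    """Group router labels into {router_name: {option: value}}."""
    routers = {}
    for label in labels:
        m = LABEL_RE.match(label.strip())
        if m:
            name, option, value = m.groups()
            routers.setdefault(name, {})[option.lower()] = value.strip()
    return routers

def has_tls(options):
    """Example's simplification: tls=true or any tls.* sub-option counts as TLS enabled."""
    return options.get("tls", "").lower() == "true" or any(k.startswith("tls.") for k in options)

def routers_missing_tls(labels, tls_entrypoints):
    """Return sorted names of routers bound to an HTTPS entrypoint without TLS enabled."""
    tls_entrypoints = set(tls_entrypoints)
    flagged = []
    for name, options in parse_routers(labels).items():
        eps = options.get("entrypoints")
        # A router with no entrypoints label accepts requests from all entrypoints.
        bound = tls_entrypoints if eps is None else {e.strip() for e in eps.split(",")}
        if bound & tls_entrypoints and not has_tls(options):
            flagged.append(name)
    return sorted(flagged)

# Labels taken from the question's compose file on this page.
QUESTION_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.dashboard-https.rule=Host(`proxy.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))",
    "traefik.http.routers.dashboard-https.entrypoints=https",
    "traefik.http.routers.dashboard-https.service=api@internal",
]
# The answer's labels: same router renamed to "dashboard", plus the tls=true label.
ANSWER_LABELS = [l.replace("dashboard-https", "dashboard") for l in QUESTION_LABELS]
ANSWER_LABELS.append("traefik.http.routers.dashboard.tls=true")

if __name__ == "__main__":
    print("question:", routers_missing_tls(QUESTION_LABELS, {"https"}))
    print("answer:  ", routers_missing_tls(ANSWER_LABELS, {"https"}))
```

Run against the labels of every service in a compose file, a non-empty result points at the routers that will answer HTTPS requests with a 404.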