Minio install behind Traefik - docker-compose

I had the previous version (from last year) of minio running well behind traefik and on portainer with no issues. I attempted an upgrade 4 days ago to the new version and it's been downhill since then. I get the login page but it won't accept credentials; Error:
{"code":500,"detailedMessage":"Post \"https://storage.example.com/\": dial tcp <ip>:443: i/o timeout","message":"invalid Login"}
I suspect it has something to do with the TLS certificate.
Below is my compose file, I've generated the certs as required; any assistance is welcomed:
minio:
  image: minio/minio
  container_name: minio
  restart: unless-stopped
  command: server /data --certs-dir "./minio-data/certs" --address ":9000" --console-address ":9001"
  networks:
    - traefik-proxy2
  expose:
    - "9000"
    - "9001"
  volumes:
    - ./minio-data:/data
  environment:
    - "MINIO_ROOT_USER=love"
    - "MINIO_ROOT_PASSWORD=love1234"
    - "MINIO_BROWSER_REDIRECT_URL=https://stash.example.com"
    - "MINIO_SERVER_URL=https://storage.example.com"
  labels:
    - "traefik.enable=true"
    - "traefik.http.services.minio.loadbalancer.server.port=9000"
    - "traefik.http.routers.minio.rule=Host(`storage.example.com`)"
    - "traefik.http.middlewares.minio-https-redirect.redirectscheme.scheme=https"
    - "traefik.http.routers.minio.middlewares=minio-https-redirect"
    - "traefik.http.routers.minio.entrypoints=https"
    - "traefik.http.routers.minio.service=minio"
    - "traefik.http.routers.minio.tls=true"
    - "traefik.http.routers.minio.tls.certresolver=http"
    - "traefik.http.services.minio-console.loadbalancer.server.port=9001"
    - "traefik.http.routers.minio-console.rule=Host(`stash.example.com`)"

I was getting the same Invalid Login error: Post "http://minio.localhost/": dial tcp: lookup minio.localhost on 127.0.0.11:53: no such host.
The following docker-compose.yml works. The solution is NOT to use MINIO_DOMAIN or MINIO_SERVER_URL. See # comments at environment: variables.
version: "3.3"
services:
  minio:
    # Please use fixed versions :D
    image: minio/minio:RELEASE.2021-10-06T23-36-31Z
    networks:
      - traefik-proxy2
    volumes:
      - minio-data:/data
    command:
      - server
      - /data
      - --console-address
      - ":9001"
    environment:
      - MINIO_ROOT_USER=love
      - MINIO_ROOT_PASSWORD=love1234
      # Do NOT use MINIO_DOMAIN or MINIO_SERVER_URL with Traefik.
      # All Routing is done by Traefik, just tell minio where to redirect to.
      - MINIO_BROWSER_REDIRECT_URL=http://stash.localhost
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-proxy2
        - traefik.constraint-label=traefik-proxy2
        - traefik.http.routers.minio.service=minio
        - traefik.http.routers.minio.rule=Host(`storage.localhost`)
        - traefik.http.services.minio.loadbalancer.server.port=9000
        - traefik.http.routers.minio-console.service=minio-console
        - traefik.http.routers.minio-console.rule=Host(`stash.localhost`)
        - traefik.http.services.minio-console.loadbalancer.server.port=9001
volumes:
  minio-data:
networks:
  traefik-proxy2:
    external: true

Redirect from non-www to www with Traefik 2

I would like to redirect from non-www to www.
What I would like to do:
Type in the browser:
https://domainname.com
obtain:
https://www.domainname.com
What I write:
version: "3.9"
services:
  traefik:
    build: ./traefik
    image: image-traefik-eb:v.1.0
    container_name: container-traefik-eb
    command:
      - --log.level=INFO
      - --log.filePath=/data-log/traefik.log
      - --log.format=json
      - --accesslog=true
      - --api.insecure
      - --api.dashboard
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certresolver=leresolver
      - --certificatesresolvers.leresolver.acme.tlsChallenge=true
      - --certificatesresolvers.leresolver.acme.email=##########gmail.com
      - --certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json
      - --entrypoints.websecure.http.middlewares.redirect-non-www-to-www.redirectregex.permanent=true
      - --entrypoints.websecure.http.middlewares.redirect-non-www-to-www.redirectregex.regex="^https?://(?:www\\.)?(.+)"
      - --entrypoints.websecure.http.middlewares.redirect-non-www-to-www.redirectregex.replacement="https://www.${1}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./volumes/data-letsencrypt/:/letsencrypt
      - ./volumes/data-log/:/data-log/
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - eb
      - traefik-network
  php:
    build: ./php-apache
    image: image-php-apache-eb:v.1.0
    labels:
      traefik.enable: 'true'
      traefik.http.services.php.loadbalancer.server.port: 80
      traefik.http.services.php.loadbalancer.server.scheme: http
      traefik.http.routers.php.rule: Host(`www.#########.ml`,`#########.ml`)
      traefik.http.routers.php.middlewares: redirect-non-www-to-www
    volumes:
      - ./volumes/data-php:/var/www/html
    restart: always
    depends_on:
      - traefik
    networks:
      - eb
networks:
  eb:
    internal: true
  traefik-network:
Dockerfile
FROM php:8.1-apache
EXPOSE 80
Dockerfile
FROM traefik:v2.8.0
Source from which I got the code:
https://medium.com/geekculture/how-to-redirect-from-non-www-to-www-with-traefik-659cb7197449
What I get:
ERROR: Invalid interpolation format for "command" option in service "traefik": "--entrypoints.websecure.http.middlewares.redirect-non-www-to-www.redirectregex.replacement="https://www.${1}""
ubuntu-22-04-lts#webserver:~/www.domainname.com$
A few steps forward:
With this new configuration:
A) I reach the dashboard in secure mode and on a valid certificate;
B) I reach the PHP service;
C) Redirect http to https and non-www to www;
With this new configuration:
D) I don't get a valid certificate for index.php (I get a certificate only for the dashboard)
E) I get a lot of error warnings on the nameserver.
version: "3.9"
services:
  traefik:
    build: ./traefik
    image: image-traefik-eb:v.1.0
    container_name: container-traefik-eb
    command:
      - --log.level=INFO
      - --log.filePath=/data-log/traefik.log
      - --log.format=json
      - --accesslog=true
      - --api.insecure=false
      - --api.dashboard=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certresolver=leresolver
      - --certificatesresolvers.leresolver.acme.tlsChallenge=true
      - --certificatesresolvers.leresolver.acme.email=domain-name@gmail.com
      - --certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json
    labels:
      traefik.enable: true
      traefik.http.routers.dashboard.rule: Host(`www.traefik.domain-name.ga`)
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.middlewares: auth
      traefik.http.middlewares.auth.basicauth.users: user:***********************
      traefik.http.routers.unmatchedwww.rule: HostRegexp(`{name:^www\..*}`)
      traefik.http.routers.unmatchedwww.service: noop@internal
      traefik.http.routers.unmatchedwww.priority: 2
      traefik.http.routers.matchlast.rule: PathPrefix(`/`)
      traefik.http.routers.matchlast.priority: 1
      traefik.http.routers.matchlast.middlewares: addwww
      traefik.http.middlewares.addwww.redirectregex.regex: ^https://(?:www\.)?(.*)
      traefik.http.middlewares.addwww.redirectregex.replacement: https://www.$${1}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./volumes/data-letsencrypt/:/letsencrypt
      - ./volumes/data-log/:/data-log/
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - eb
      - traefik-network
  php:
    build: ./php-apache
    image: image-php-apache-eb:v.1.0
    labels:
      traefik.enable: 'true'
      traefik.http.services.php.loadbalancer.server.port: 80
      traefik.http.services.php.loadbalancer.server.scheme: http
      traefik.http.routers.php.rule: Host(`www.domain-name.ga`)
      traefik.http.routers.php.tls.domains[0].main: domain-name.ga
      traefik.http.routers.php.tls.domains[0].sans: www.domain-name.ga
    volumes:
      - ./volumes/data-php:/var/www/html
    restart: always
    depends_on:
      - traefik
    networks:
      - eb
networks:
  eb:
    internal: true
  traefik-network:
FROM traefik:v2.8.0
FROM php:8.1-apache
EXPOSE 80
A few steps forward:
With these codes I improve the situation:
traefik.http.routers.php.tls.certresolver: leresolver
Host(`www.traefik.domain-name.ga`,`traefik.domain-name.ga`)
but I have problems with these links:
'https://traefik.domain-name.ga/'
'http://traefik.domain-name.ga/'
I have taken your config and removed HTTPS configuration (so I tested with only HTTP, so no additional layers of complexity, just testing plain HTTP and redirect logic). You will need to adjust and add HTTPS on your own since we are not using any HTTPS with Traefik so I can't really help you with that. But nonetheless:
About your redirect logic, I had to move
traefik.http.middlewares.redirect-non-www-to-www.redirectregex
logic to the Labels section of the depending service instead of the traefik configuration to make it work. I created a custom domain called 'my-custom-domain.org' and I edited my hosts' file, to point it to my local dev environment.
In the end I came down to the working configuration:
version: "3.9"
services:
  traefik:
    image: traefik:v2.8.1
    container_name: container-traefik-eb
    command:
      - --log.level=INFO
      - --log.format=json
      - --accesslog=true
      - --api.insecure
      - --api.dashboard
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - eb
  php:
    image: nginx:latest
    labels:
      traefik.enable: 'true'
      traefik.http.services.php.loadbalancer.server.port: 80
      #traefik.http.services.php.loadbalancer.server.scheme: http
      traefik.http.routers.php.rule: Host(`www.my-custom-domain.org`,`my-custom-domain.org`)
      traefik.http.routers.php.service: php
      traefik.http.routers.php.entrypoints: web
      traefik.http.routers.php.middlewares: redirect-non-www-to-www
      traefik.http.middlewares.redirect-non-www-to-www.redirectregex.permanent: true
      traefik.http.middlewares.redirect-non-www-to-www.redirectregex.regex: "^http://my-custom-domain.org/(.*)"
      traefik.http.middlewares.redirect-non-www-to-www.redirectregex.replacement: "http://www.my-custom-domain.org/$${1}"
    restart: always
    depends_on:
      - traefik
    networks:
      - eb
networks:
  eb:
    external: true
I have tested this configuration in incognito mode and it works as intended for all http://my-custom-domain.org -> http://www.my-custom-domain.org redirects.
I hope you find it useful and are successful with HTTPS additions, or that any other member which works with Traefik here will be able to help you with that issue.
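The "Invalid interpolation format" error in this thread comes from Compose reading `${1}` as a variable reference, which is why the later configurations write `$${1}`. The following is an added example, not code from the posts: it emulates a simplified form of Compose interpolation and then applies the rewrite with Python's `re` standing in for Traefik's Go regexp; the function names and sample labels are constructed for illustration.

```python
import re

# One "$" reference: "$$" escape, "$NAME", "${...}", or anything else (invalid).
_REF = re.compile(
    r"\$(?:(?P<esc>\$)|(?P<named>[A-Za-z_]\w*)|\{(?P<braced>[^}]*)\}|(?P<bad>))")
# Simplified braced form (assumption): NAME, NAME-default or NAME:-default.
_BRACED = re.compile(r"(?P<name>[A-Za-z_]\w*)(?::?-(?P<default>.*))?$")


def compose_interpolate(value, env):
    """Emulate Compose variable interpolation on one string (simplified)."""
    def sub(m):
        if m.group("esc"):
            return "$"                              # "$$" becomes a literal "$"
        if m.group("named"):
            return env.get(m.group("named"), "")
        braced = m.group("braced")
        inner = _BRACED.match(braced) if braced is not None else None
        if inner is None:                           # "${1}", "$1", trailing "$"
            raise ValueError(f'Invalid interpolation format: "{value}"')
        return env.get(inner.group("name"), inner.group("default") or "")
    return _REF.sub(sub, value)


def redirect_target(url, regex, replacement):
    """Apply a redirectregex-style rewrite; None when the regex does not match.

    Python's re stands in for Go's regexp; "${n}" is translated to "\\g<n>".
    """
    if re.search(regex, url) is None:
        return None
    py_repl = re.sub(r"\$\{(\d+)\}", r"\\g<\1>", replacement)
    return re.sub(regex, py_repl, url)


def lint(labels, env=None):
    """Map each label to the value Traefik would receive, or to the Compose error."""
    out = {}
    for key, value in labels.items():
        try:
            out[key] = compose_interpolate(value, env or {})
        except ValueError as exc:
            out[key] = f"ERROR: {exc}"
    return out


# Constructed input: the replacement as first posted, and as escaped in the answer.
PREFIX = "traefik.http.middlewares.redirect-non-www-to-www.redirectregex."
POSTED = {PREFIX + "replacement": "https://www.${1}"}
ESCAPED = {PREFIX + "regex": "^http://my-custom-domain.org/(.*)",
           PREFIX + "replacement": "http://www.my-custom-domain.org/$${1}"}

if __name__ == "__main__":
    print(lint(POSTED))
    seen = lint(ESCAPED)
    print(seen)
    print(redirect_target("http://my-custom-domain.org/index.php",
                          seen[PREFIX + "regex"], seen[PREFIX + "replacement"]))
```

Running `lint` over every label and command string before `docker-compose up` catches an unescaped `$` in a regex or replacement without starting any container.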

Minio Buckets not working behind Traefik reverse-proxy

I have a minio docker service running, which is connectable on storage/console.
My traefik also works for this.
But I suspect the connections to use the pattern BUCKET.backup.lo.domain.com which leads to a 404 from traefik.
I clearly see this pattern, for example, when using Cyberduck to connect (in the traefik logs and Cyberduck itself). The connection itself is possible (backup.lo.domain.com). I also get the buckets listed. But as soon as I click on the bucket it shows a modal with the bucket.lo.domain.com pattern and the traefik default certificate.
version: "3.8"
volumes:
  minio-data:
services:
  minio:
    container_name: minio-backup
    image: quay.io/minio/minio:RELEASE.2022-01-08T03-11-54Z
    networks:
      - traefik
    volumes:
      - minio-data:/data
    command:
      - server
      - /data
      - --console-address
      - ":9001"
    environment:
      - TZ=${TIME_ZONE}
      - MINIO_ROOT_USER=root
      - MINIO_ROOT_PASSWORD=password
      - MINIO_BROWSER_REDIRECT_URL=https://backup-console.lo.domain.com
      - MINIO_DOMAIN=https://backup.lo.domain.com
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.minio.service=minio
      - traefik.http.routers.minio.rule=Host(`backup.lo.domain.com`)
      - traefik.http.routers.minio.tls.certresolver=letsenc
      - traefik.http.routers.minio.entrypoints=websecure
      - traefik.http.services.minio.loadbalancer.server.port=9000
      - "traefik.http.routers.minio-console.service=minio-console"
      - "traefik.http.routers.minio-console.rule=Host(`backup-console.lo.domain.com`)"
      - "traefik.http.routers.minio-console.entrypoints=websecure"
      - "traefik.http.routers.minio-console.tls.certresolver=letsenc"
      - "traefik.http.services.minio-console.loadbalancer.server.port=9001"
    restart: unless-stopped
  traefik:
    image: traefik
    container_name: traefik
    command:
      - --providers.docker=true
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
    labels:
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsenc"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.domains[0].main=lo.domain.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.lo.domain.com"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: unless-stopped
    networks:
      traefik:
networks:
  traefik_public:
Any ideas? Could I use something like wildcards for subdomains?
The problem here is that buckets do not have sub-domain DNS entries in your setup. If you disable this and use path-style requests things should work fine: https://docs.cyberduck.io/protocols/s3/#disable-use-of-virtual-host-style-requests
Specifically, you need to set s3.bucket.virtualhost.disable to true in Cyberduck.

TLS challenge with docker-compose: acme: error presenting token: timeout

I'm running the basic TLS challenge docker example:
version: "3.3"
services:
  traefik:
    image: "traefik:v2.4"
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.mytlschallenge.acme.email=${SSL_EMAIL}"
      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - ${DATA_FOLDER}/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
  n8n:
    image: mjysci/n8n:latest-rpi
    restart: always
    ports:
      - "127.0.0.1:5678:5678"
    labels:
      - traefik.enable=true
      - traefik.http.routers.n8n.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
      - traefik.http.routers.n8n.tls=true
      - traefik.http.routers.n8n.entrypoints=websecure
      - traefik.http.routers.n8n.tls.certresolver=mytlschallenge
      - traefik.http.middlewares.n8n.headers.SSLRedirect=true
      - traefik.http.middlewares.n8n.headers.STSSeconds=315360000
      - traefik.http.middlewares.n8n.headers.browserXSSFilter=true
      - traefik.http.middlewares.n8n.headers.contentTypeNosniff=true
      - traefik.http.middlewares.n8n.headers.forceSTSHeader=true
      - traefik.http.middlewares.n8n.headers.SSLHost=${DOMAIN_NAME}
      - traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.n8n.headers.STSPreload=true
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER
      - N8N_BASIC_AUTH_PASSWORD
      - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_TUNNEL_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DATA_FOLDER}/.n8n:/home/node/.n8n
But when I'm running it says:
level=error msg="Unable to obtain ACME certificate for domains \"<MY_DOMAIN>\": unable to generate a certificate for the domains [<MY_DOMAIN>]: error: one or more domains had a problem:\n[<MY_DOMAIN>] [<MY_DOMAIN>] acme: error presenting token: timeout 2021-02-01 10:09:04.491784271 +0000 UTC m=+378.657940910\n" providerName=mytlschallenge.acme routerName=n8n@docker rule="Host(`<MY_DOMAIN>`)"
In the browser, the application is available and works well with HTTPS but it says the certificate isn't valid (obviously). What could be wrong here?
I'm having the same problem on some domains.
It looks like it's a timeout.
I tried to restart Traefik now. Same issue again.
PS: add Traefik to the title of the thread; you may gain more visibility and answers.
EDIT: I reverted to version 2.3.7 and it works again.
There must be a bug in 2.4 (latest).
I created an issue:
https://github.com/traefik/traefik/issues/7848

Traefik - Docker Swarm - basic routing issue

My config is a simple Docker Swarm (on Docker for Windows) with a Traefik container and a very simple Spring Boot 'echo' container.
I would like to forward a browser request for 'localhost/traefik' to the Traefik dashboard and 'localhost/echo/something' to a simple Spring Boot echo application.
Expected to work:
localhost/traefik => gives a "Gateway timeout"
localhost/echo/something => gives a "Gateway timeout"
Expected not to work, but bypass Traefik (incorrectly):
localhost:8080 => shows the Traefik dashboard
localhost:8082/echo/something => { "status":"something" }
How can I improve the docker-compose.yml file to get the expected result? Can this have to do with 'networking'? When creating any network, even an overlay, gave error messages.
version: '3.7'
services:
  traefik:
    image: traefik:latest
    command: --api --docker
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - //k/data/slackbot/traefik.toml:/traefik.toml
    ports:
      - "80:80"
      - "8080:8080"
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:localhost;PathPrefixStrip:/traefik"
      - "traefik.port=8080"
      - "traefik.protocol=http"
      - "traefik.backend=traefik"
  slackbotsimple:
    image: solvedshared/slackbotsimple:latest
    ports:
      - 8082:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:localhost;PathPrefix:/echo"
      - "traefik.port=8082"
      - "traefik.protocol=http"
      - "traefik.backend=slackbotsimple"
The first issue was a networking issue. Solved, thanks to clever Jim.
The other issue was that I used the wrong port number. To route from the frontend '/echo' to the backend, the 'ports' section is NOT used. I could route directly to the exposed port of the slackbot application!
Take a look at the ports config: only 80 is available.
version: '3.7'
services:
  traefik:
    image: traefik:latest
    command: --api --docker
    restart: always
    networks:
      - slackbotnet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - //k/data/slackbot/traefik.toml:/traefik.toml
    ports:
      - "80:80"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=slackbotnet"
      - "traefik.frontend.rule=Host:localhost;PathPrefixStrip:/traefik"
      - "traefik.port=8080"
      - "traefik.protocol=http"
      - "traefik.backend=traefik"
  slackbotsimple:
    image: solvedshared/slackbotsimple:latest
    networks:
      - slackbotnet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=slackbotnet"
      - "traefik.frontend.rule=Host:localhost;PathPrefix:/echo"
      - "traefik.port=8080"
      - "traefik.protocol=http"
      - "traefik.backend=slackbotsimple"
networks:
  slackbotnet:
    name: slackbotnet
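The bypass described in this thread (published host ports that reach the dashboard and the echo service without passing through Traefik) can be checked mechanically. This is an added example, not code from the posts: it assumes the compose file has been rendered to JSON, for instance with `docker compose config --format json`, and the function names, the `proxy` and `entrypoints` parameters and the sample data are constructed for illustration.

```python
import json


def _labels(svc):
    """Normalise labels given as a mapping or as a list of "key=value" strings."""
    raw = svc.get("labels") or {}
    if isinstance(raw, list):
        raw = dict(item.split("=", 1) for item in raw if "=" in item)
    return {k: str(v) for k, v in raw.items()}


def _published(svc):
    """Yield (host_ip, host_port, container_port) for short and long port syntax."""
    for p in svc.get("ports") or []:
        if isinstance(p, dict):
            yield (str(p.get("host_ip", "")), str(p.get("published", "random")),
                   str(p["target"]))
        else:
            # "[HOST:]PUBLISHED:TARGET[/proto]"; split from the right so an IP stays whole
            parts = str(p).split("/")[0].rsplit(":", 2)
            parts = [""] * (3 - len(parts)) + parts
            yield parts[0].strip("[]"), parts[1] or "random", parts[2]


def find_bypasses(compose, proxy="traefik", entrypoints=("80", "443")):
    """Return (service, host_port, container_port, exposure) for every published
    port that reaches a Traefik-routed service, or the proxy's own dashboard,
    without going through one of the proxy entrypoints."""
    findings = []
    for name, svc in sorted(compose.get("services", {}).items()):
        routed = _labels(svc).get("traefik.enable", "").lower() == "true"
        if not routed and name != proxy:
            continue
        for host_ip, host_port, target in _published(svc):
            if name == proxy and host_port in entrypoints:
                continue                    # the intended way in
            local = host_ip.startswith("127.") or host_ip == "::1"
            findings.append((name, host_port, target,
                             "loopback only" if local else "all interfaces"))
    return findings


# Constructed input mirroring the question's ports and labels, then the answer's.
BEFORE = json.loads("""{"services": {
  "traefik": {"ports": ["80:80", "8080:8080"],
              "labels": ["traefik.enable=true", "traefik.port=8080"]},
  "slackbotsimple": {"ports": ["8082:8080"],
              "labels": ["traefik.enable=true", "traefik.port=8082"]}}}""")
AFTER = json.loads("""{"services": {
  "traefik": {"ports": ["80:80"],
              "labels": ["traefik.enable=true", "traefik.port=8080"]},
  "slackbotsimple": {"labels": ["traefik.enable=true", "traefik.port=8080"]}}}""")

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, find_bypasses(doc))
```

A port bound to 127.0.0.1 is reported as "loopback only": it still skips the proxy, but only for clients on the host itself.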

Traefik: Simple Letsencrypt HTTPS redirect to whoami service throws "404 page not found"

I've tried to get this up and running for two days now and some simple HTTP -> HTTPs redirect does not work! :(
Pretty simple use case:
whoami.my-example-domain.com:80 => redirect to whoami.my-example-domain.com:443 and then traefik internally redirects to :80 of my whoami service docker container.
Here's the docker-compose.yml
version: "3"
services:
  reverse-proxy:
    image: traefik:alpine
    command:
      - --logLevel=WARN
      - --defaultentrypoints=http,https
      - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
      - --entrypoints=Name:https Address::443 TLS
      - --acme
      - --acme.email=myemail@gmail.com
      - --acme.storage=acme.json
      - --acme.entryPoint=https
      - --acme.httpChallenge.entryPoint=http
      - --acme.OnHostRule=true
      - --acme.onDemand=false
      - --acme.acmeLogging=true
      - --docker
      - --docker.watch
      - --docker.exposedbydefault=false
      - --docker.domain=docker.localhost
    restart: always
    networks:
      - web
    ports:
      - "80:80" # The HTTP port
      - "443:443" # The HTTPS port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - /opt/data/traefik/acme.json:/acme.json
  whoami:
    image: containous/whoami # A container that exposes an API to show its IP address
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:whoami.some-example-domain.com"
      - "traefik.port=80"
      - "traefik.frontend.entryPoints=http"
networks:
  web:
    external: true
When I now call http://whoami.some-example-domain.com (this is just a demo domain and won't work) => it redirects to HTTPs... which is cool, but then it throws the famous "404 page not found" traefik standard error.
I've already tried to set the following labels to the container:
"traefik.port=80"
"traefik.frontend.entryPoints=http"
That didn't work either.
Any help would be appreciated! Thanks in advance!
Regards,
Sascha
You have to remove traefik.frontend.entryPoints (linked to defaultentrypoints) or use traefik.frontend.entryPoints=http,https
version: "3"
services:
  reverse-proxy:
    image: traefik:v1.7.8
    command:
      - --logLevel=WARN
      - --defaultentrypoints=http,https
      - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
      - --entrypoints=Name:https Address::443 TLS
      - --acme
      - --acme.email=myemail@gmail.com
      - --acme.storage=acme.json
      - --acme.entryPoint=https
      - --acme.httpChallenge.entryPoint=http
      - --acme.OnHostRule=true
      - --acme.onDemand=false
      - --acme.acmeLogging=true
      - --docker
      - --docker.exposedbydefault=false
      - --docker.domain=some-example-domain.com
    restart: always
    networks:
      - web
    ports:
      - "80:80" # The HTTP port
      - "443:443" # The HTTPS port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - /opt/data/traefik/acme.json:/acme.json
  whoami:
    image: containous/whoami # A container that exposes an API to show its IP address
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:some-example-domain.com"
    networks:
      - web
networks:
  web:
    external: true