Single Sign on Keyrock-Grafana doesn't work - single-sign-on

I'm trying to use Keyrock to offer single sign-on on different platforms. Specifically, I want to offer that service in Grafana. I've seen the configuration that has to be changed in Grafana, and my docker-compose is like this:
version: "3.1"
services:
  grafana:
    image: grafana/grafana:5.1.0
    ports:
      - 3000:3000
    networks:
      default:
        ipv4_address: 172.18.1.4
    environment:
      - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=90be8de5-69dc-4b9a-9cc3-962cca534410
      - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=9e98964b-5043-4086-9657-51f1d8c11fe0
      - GF_AUTH_GENERIC_OAUTH_ENABLED=true
      - GF_AUTH_GENERIC_OAUTH_AUTH_URL=http://172.18.1.5:3005/oauth2/authorize
      - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=http://172.18.1.5:3005/oauth2/token
      - GF_AUTH_GENERIC_OAUTH_API_URL=http://172.18.1.5:3005/v1/users
      - GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP = true
      - GF_Server_DOMAIN=172.18.1.4
      - GF_Server_ROOT_URL=http://172.18.1.4:3000
  keyrock:
    image: fiware/idm:7.5.1
    container_name: fiware-keyrock
    hostname: keyrock
    networks:
      default:
        ipv4_address: 172.18.1.5
    depends_on:
      - mysql-db
    ports:
      - "3005:3005"
      - "3443:3443"
    environment:
      - DEBUG=idm:*
      - DATABASE_HOST=mysql-db
      - IDM_DB_PASS_FILE=/run/secrets/my_secret_data
      - IDM_DB_USER=root
      - IDM_HOST=http://localhost:3005
      - IDM_PORT=3005
      - IDM_HTTPS_ENABLED=false
      - IDM_HTTPS_PORT=3443
      - IDM_ADMIN_USER=admin
      - IDM_ADMIN_EMAIL=admin@test.com
      - IDM_ADMIN_PASS=test
    secrets:
      - my_secret_data
    healthcheck:
      test: curl --fail -s http://localhost:3005/version || exit 1
  mysql-db:
    restart: always
    image: mysql:5.7
    hostname: mysql-db
    container_name: db-mysql
    expose:
      - "3306"
    ports:
      - "3306:3306"
    networks:
      default:
        ipv4_address: 172.18.1.6
    environment:
      - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data"
      - "MYSQL_ROOT_HOST=172.18.1.5"
    volumes:
      - mysql-db-sso:/var/lib/mysql
      - ./mysql-data:/docker-entrypoint-initdb.d/:ro
    secrets:
      - my_secret_data
networks:
  default:
    ipam:
      config:
        - subnet: 172.18.1.0/24
volumes:
  mysql-db-sso:
secrets:
  my_secret_data:
    file: ./secrets.txt
I have the Grafana application registered in Keyrock with http://172.18.1.4:3000/login as its callback. When I try to sign in to Grafana through OAuth it redirects me to the Keyrock sign-in page, but after entering the credentials it returns an invalid client_id error, although it is the same one Keyrock returns to me when I fetch the application information.
Is it possible that I am missing some configuration, or should it be done another way?

Here is the working configuration for Keyrock 7.5.1 and Grafana 6.0.0:
Grafana:
[auth.generic_oauth]
enabled = true
allow_sign_up = true
client_id = ${CLIENT_ID}
client_secret = ${CLIENT_SECRET}
scopes = permanent
auth_url = ${KEYROCK_URL}/oauth2/authorize
token_url = ${KEYROCK_URL}/oauth2/token
api_url = ${KEYROCK_URL}/user
App in Keyrock:
url - ${GRAFANA_ROOT_URL}
callback_url - ${GRAFANA_ROOT_URL}/login/generic_oauth
Token types - Permanent
So you need to fix the env variable GF_AUTH_GENERIC_OAUTH_API_URL to http://172.18.1.5:3005/user, change the callback URL from http://172.18.1.4:3000/login to http://172.18.1.4:3000/login/generic_oauth, and add the OAuth2 scopes.
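A small consistency check that compares the Grafana side of this setup with the Keyrock app registration, written from the answer above. This is an added example, not code from the question, the answer, Grafana or Keyrock. The Keyrock application record is a constructed stand-in: the field names `id`, `redirect_uri` and `token_types` are assumed and are not Keyrock's API schema. Besides the three mismatches the answer names (callback path, api_url path, missing scopes), it flags two things in the posted compose file that the answer does not mention: an `environment:` item with spaces around `=` (compose splits on the first `=` without trimming, so the exported name ends in a space) and `GF_Server_*` names that are not upper case (Grafana looks up `GF_<SECTION>_<KEY>` in upper case only). It also points out, as a caveat rather than a login blocker, that the client secret and tokens cross the network in the clear over plain http.

```python
"""Consistency check of a Grafana generic-OAuth client against its Keyrock app.

Added example for this Q&A; not code from the question, the answer, Grafana or Keyrock.
The Keyrock application record is a constructed stand-in: the field names `id`,
`redirect_uri` and `token_types` are assumed, not Keyrock's API schema.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlparse

GRAFANA_ROOT_URL = "http://172.18.1.4:3000"

# Constructed sample: the grafana `environment:` list from the question, verbatim.
GRAFANA_ENV = [
    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID=90be8de5-69dc-4b9a-9cc3-962cca534410",
    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=9e98964b-5043-4086-9657-51f1d8c11fe0",
    "GF_AUTH_GENERIC_OAUTH_ENABLED=true",
    "GF_AUTH_GENERIC_OAUTH_AUTH_URL=http://172.18.1.5:3005/oauth2/authorize",
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL=http://172.18.1.5:3005/oauth2/token",
    "GF_AUTH_GENERIC_OAUTH_API_URL=http://172.18.1.5:3005/v1/users",
    "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP = true",
    "GF_Server_DOMAIN=172.18.1.4",
    "GF_Server_ROOT_URL=http://172.18.1.4:3000",
]
# Constructed sample: the app as registered in the question (callback /login, no token type).
KEYROCK_APP = {
    "id": "90be8de5-69dc-4b9a-9cc3-962cca534410",
    "redirect_uri": "http://172.18.1.4:3000/login",
    "token_types": [],
}
# Constructed sample: the same pair after applying the answer (and fixing the env names).
FIXED_GRAFANA_ENV = [
    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID=90be8de5-69dc-4b9a-9cc3-962cca534410",
    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=9e98964b-5043-4086-9657-51f1d8c11fe0",
    "GF_AUTH_GENERIC_OAUTH_ENABLED=true",
    "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true",
    "GF_AUTH_GENERIC_OAUTH_SCOPES=permanent",
    "GF_AUTH_GENERIC_OAUTH_AUTH_URL=http://172.18.1.5:3005/oauth2/authorize",
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL=http://172.18.1.5:3005/oauth2/token",
    "GF_AUTH_GENERIC_OAUTH_API_URL=http://172.18.1.5:3005/user",
    "GF_SERVER_DOMAIN=172.18.1.4",
    "GF_SERVER_ROOT_URL=http://172.18.1.4:3000",
]
FIXED_KEYROCK_APP = {
    "id": "90be8de5-69dc-4b9a-9cc3-962cca534410",
    "redirect_uri": "http://172.18.1.4:3000/login/generic_oauth",
    "token_types": ["permanent"],
}


def parse_env_list(entries: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Parse compose `environment:` items the way compose does: split on the first
    '=' with no trimming, so 'KEY = value' exports a name that ends in a space."""
    env: Dict[str, str] = {}
    problems: List[str] = []
    for item in entries:
        key, sep, value = item.partition("=")
        if not sep:
            problems.append(f"{item!r}: no '=', value would be taken from the host environment")
            continue
        if key != key.strip() or value != value.strip():
            problems.append(f"{item!r}: whitespace around '=', Grafana will not see {key.strip()}")
        if key.startswith("GF_") and key != key.upper():
            problems.append(f"{key!r}: Grafana looks up GF_<SECTION>_<KEY> in upper case only")
        env[key] = value
    return env, problems


def check_sso(env: Dict[str, str], app: Dict, grafana_root_url: str) -> List[str]:
    """Return findings that break the Keyrock -> Grafana login, plus transport caveats."""
    findings: List[str] = []
    expected_cb = grafana_root_url.rstrip("/") + "/login/generic_oauth"
    if app["redirect_uri"] != expected_cb:
        findings.append(f"callback_url is {app['redirect_uri']}, Grafana expects {expected_cb}")
    if env.get("GF_AUTH_GENERIC_OAUTH_CLIENT_ID") != app["id"]:
        findings.append("client_id does not match the Keyrock application id")
    api_path = urlparse(env.get("GF_AUTH_GENERIC_OAUTH_API_URL", "")).path
    if api_path != "/user":
        findings.append(f"api_url path is {api_path!r}; the answer uses /user")
    if env.get("GF_AUTH_GENERIC_OAUTH_SCOPES") != "permanent":
        findings.append("scopes is not 'permanent'")
    if "permanent" not in app["token_types"]:
        findings.append("Keyrock app does not enable the Permanent token type")
    if env.get("GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP", "").lower() != "true":
        findings.append("allow_sign_up is not true: first login cannot create the Grafana user")
    for name in ("GF_AUTH_GENERIC_OAUTH_AUTH_URL", "GF_AUTH_GENERIC_OAUTH_TOKEN_URL",
                 "GF_AUTH_GENERIC_OAUTH_API_URL"):
        if urlparse(env.get(name, "")).scheme == "http":
            findings.append(f"{name} uses plain http: client_secret and tokens travel unencrypted")
    return findings


if __name__ == "__main__":
    for label, entries, app in (("as posted", GRAFANA_ENV, KEYROCK_APP),
                                ("after the fix", FIXED_GRAFANA_ENV, FIXED_KEYROCK_APP)):
        env, problems = parse_env_list(entries)
        print(f"--- {label}")
        for line in problems + check_sso(env, app, GRAFANA_ROOT_URL):
            print(" -", line)
```

Run as posted, the checker reports the three problems in the env list and eight findings; after the fix only the three plain-http caveats remain, which is the expected state for a lab on a private compose network but not for anything reachable from outside it.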

Related

Teslamate SSL_ERROR_RX_RECORD_TOO_LONG

I'd like to have some security on my Teslamate setup.
I'd like to access it from the web.
I did create a domain name for it and I forwarded ports 3000 and 4000 to my Synology.
Right now I'm using the IP address locally to simplify the connection.
Currently my VIRTUAL_HOST is the IP address of the Synology.
I'm running it on a Synology NAS in Docker.
I'm trying to use Traefik as a proxy.
I'm getting an error saying:
SSL_ERROR_RX_RECORD_TOO_LONG
when I go to https://192.168.xxx.xxx:4000/ (the Synology IP address) in my browser.
version: "3"
services:
  teslamate:
    image: teslamate/teslamate:latest
    restart: unless-stopped
    depends_on:
      - db
    environment:
      - ENCRYPTION_KEY=${TM_ENCRYPTION_KEY}
      - DATABASE_USER=${TM_DB_USER}
      - DATABASE_PASS=${TM_DB_PASS}
      - DATABASE_NAME=${TM_DB_NAME}
      - DATABASE_HOST=db
      - MQTT_HOST=mosquitto
      - VIRTUAL_HOST=${FQDN_TM}
      - CHECK_ORIGIN=true
      # if you're going to access the UI from another machine replace
      # "localhost" with the hostname / IP address of the docker host.
      - TZ=${TM_TZ} # (optional) replace to use local time in debug logs. See "Configuration".
    labels:
      - 'traefik.enable=true'
      - 'traefik.port=4000'
      - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.auth.basicauth.usersfile=/auth/.htpasswd"
      - "traefik.http.routers.teslamate-insecure.rule=Host(`${FQDN_TM}`)"
      - "traefik.http.routers.teslamate-insecure.middlewares=redirect"
      - "traefik.http.routers.teslamate.rule=Host(`${FQDN_TM}`)"
      - "traefik.http.routers.teslamate.middlewares=auth"
      - "traefik.http.routers.teslamate.entrypoints=websecure"
      - "traefik.http.routers.teslamate.tls.certresolver=tmhttpchallenge"
    ports:
      - 4000:4000
    cap_drop:
      - all
  db:
    image: postgres:14
    #restart: unless-stopped
    environment:
      - POSTGRES_USER=${TM_DB_USER}
      - POSTGRES_PASSWORD=${TM_DB_PASS}
      - POSTGRES_DB=${TM_DB_NAME}
    volumes:
      - teslamate-db:/var/lib/postgresql/data
  grafana:
    image: teslamate/grafana:latest
    #restart: unless-stopped
    environment:
      - DATABASE_USER=${TM_DB_USER}
      - DATABASE_PASS=${TM_DB_PASS}
      - DATABASE_NAME=${TM_DB_NAME}
      - DATABASE_HOST=db
      - GRAFANA_PASSWD=${GRAFANA_PW}
      - GF_SECURITY_ADMIN_USER=${GRAFANA_USER}
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PW}
      - GF_AUTH_BASIC_ENABLED=true
      - GF_AUTH_ANONYMOUS_ENABLED=false
      - GF_SERVER_DOMAIN=${FQDN_TM}
      - GF_SERVER_ROOT_URL=https://${FQDN_GRAFANA}
      - GF_SERVER_SERVE_FROM_SUB_PATH=true
    ports:
      - 3000:3000
    volumes:
      - teslamate-grafana-data:/var/lib/grafana
    labels:
      - 'traefik.enable=true'
      - 'traefik.port=3000'
      - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.grafana-insecure.rule=Host(`${FQDN_GRAFANA}`)"
      - "traefik.http.routers.grafana-insecure.middlewares=redirect"
      - "traefik.http.routers.grafana.rule=Host(`${FQDN_GRAFANA}`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls.certresolver=tmhttpchallenge"
  mosquitto:
    image: eclipse-mosquitto:1.6
    #restart: unless-stopped
    command: mosquitto -c /mosquitto-no-auth.conf
    ports:
      - 1883:1883
      - 9001:9001
    volumes:
      - mosquitto-conf:/mosquitto/config
      - mosquitto-data:/mosquitto/data
  proxy:
    image: traefik:v2.7
    #restart: unless-stopped
    command:
      - "--global.sendAnonymousUsage=false"
      - "--providers.docker"
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.tmhttpchallenge.acme.httpchallenge=true"
      - "--certificatesresolvers.tmhttpchallenge.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.tmhttpchallenge.acme.email=${LETSENCRYPT_EMAIL}"
      - "--certificatesresolvers.tmhttpchallenge.acme.storage=/etc/acme/acme.json"
    # the ports key is commented out, so its list items are commented out as well
    #ports:
    #  - 80:80
    #  - 443:443
    volumes:
      - ./.htpasswd:/auth/.htpasswd
      - ./acme/:/etc/acme/
      - /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
  teslamate-db:
  teslamate-grafana-data:
  mosquitto-conf:
  mosquitto-data:

How to get Dapr Service to Service Invocation to work when running under docker-compose?

I am receiving the following error when trying to call a service using the Dapr SDK.
System.Net.Http.HttpRequestException: Connection refused (127.0.0.1:3500)
---> System.Net.Sockets.SocketException (111): Connection refused
Here are my docker-compose settings for the service I am trying to call:
quest-service:
  image: ${DOCKER_REGISTRY-gamification}/quest-service:${TAG:-latest}
  environment:
    - ASPNETCORE_ENVIRONMENT=Development
    - ASPNETCORE_URLS=http://0.0.0.0:80
    - SeqServerUrl=http://seq
  build:
    context: .
    dockerfile: Services/LW.Gamification.QuestService/Dockerfile
  ports:
    - "5110:80"
    - "50010:50001"
quest-service-dapr:
  image: "daprio/daprd:latest"
  command: ["./daprd",
    "-app-id", "Quest-Service",
    "-app-port", "80",
    "-components-path", "/Components",
    "-config", "/Configuration/config.yaml"
  ]
  volumes:
    - "./Dapr/Components/:/Components"
    - "./Dapr/Configuration/:/Configuration"
  depends_on:
    - quest-service
  network_mode: "service:quest-service"
And the settings for the caller:
player-service:
  image: ${DOCKER_REGISTRY-gamification}/player-service:${TAG:-latest}
  environment:
    - ASPNETCORE_ENVIRONMENT=Development
    - ASPNETCORE_URLS=http://0.0.0.0:80
    - SeqServerUrl=http://seq
  build:
    context: .
    dockerfile: Services/LW.Gamificaiton.PlayerService/Dockerfile
  ports:
    - "5109:80"
    - "50009:50001"
player-service-dapr:
  image: "daprio/daprd:latest"
  command: ["./daprd",
    "-app-id", "Player-Service",
    "-app-port", "80",
    "-components-path", "/Components",
    "-config", "/Configuration/config.yaml"
  ]
  volumes:
    - "./Dapr/Components/:/Components"
    - "./Dapr/Configuration/:/Configuration"
  depends_on:
    - player-service
  network_mode: "service:player-service"
And here is the code that is failing to work:
// demo service to service call
var httpClient = DaprClient.CreateInvokeHttpClient("Quest-Service");
var requestUri = $"api/v1/Quest";
var result = await httpClient.GetFromJsonAsync<IEnumerable<string>>(requestUri);
Note: Messaging is working fine. :-)
I am new to Dapr so I must be doing something silly wrong, maybe something to do with ports. I just don't know!
Following this question: Dapr Client Docker Compose Issue
I managed to get this partly working using the following docker-compose config:
services:
  placement:
    image: "daprio/dapr"
    command: ["./placement", "-port", "50000", "-log-level", "debug"]
    ports:
      - "50000:50000"
  quest-service:
    image: ${DOCKER_REGISTRY-gamification}/quest-service:${TAG:-latest}
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - SeqServerUrl=http://seq
      - DAPR_GRPC_PORT=50010
    build:
      context: .
      dockerfile: Services/LW.Gamification.QuestService/Dockerfile
    ports:
      - "5110:80"
      - "50010:50010"
    depends_on:
      - placement
      - rabbitmq
      - redis
      - seq
      - zipkin
  quest-service-dapr:
    image: "daprio/daprd:latest"
    command: ["./daprd",
      "-app-id", "Quest-Service",
      "-app-port", "80",
      "-placement-host-address", "placement:50000",
      "-dapr-grpc-port", "50010",
      "-components-path", "/Components",
      "-config", "/Configuration/config.yaml"
    ]
    volumes:
      - "./Dapr/Components/:/Components"
      - "./Dapr/Configuration/:/Configuration"
    depends_on:
      - quest-service
    network_mode: "service:quest-service"
  generatetraffic:
    image: ${DOCKER_REGISTRY-gamification}/generatetraffic:${TAG:-latest}
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - SeqServerUrl=http://seq
      - DAPR_GRPC_PORT=50017
    build:
      context: .
      dockerfile: Services/LW.Gamification.GenerateTraffic/Dockerfile
    ports:
      - "5117:80"
      - "50017:50017"
    depends_on:
      - placement
      - rabbitmq
      - redis
      - seq
      - zipkin
  generatetraffic-dapr:
    image: "daprio/daprd:latest"
    command: ["./daprd",
      "-app-id", "Generate-Traffic",
      "-app-port", "80",
      "-placement-host-address", "placement:50000",
      "-dapr-grpc-port", "50017",
      "-components-path", "/Components",
      "-config", "/Configuration/config.yaml"
    ]
    volumes:
      - "./Dapr/Components/:/Components"
      - "./Dapr/Configuration/:/Configuration"
    depends_on:
      - generatetraffic
    network_mode: "service:generatetraffic"
However, I still have issues with some of the documented APIs not working.
var httpClient = DaprClient.CreateInvokeHttpClient("Quest-Service");
var requestUri = $"api/v1/Quest";
var result = await httpClient.GetAsync(requestUri);
Still fails?

mailcow + jwilder reverse proxy

I'm trying to set up my own mail server; Mailcow was recommended.
DNS provider:
Cloudflare with
CNAME mail.example.com => example.com, proxied
Because it is proxied, I cannot use the normal ports mentioned in the docs. Therefore I have to set up some forwarding...
Router:
Fritzbox with port forwarding
2052 => 25
2053 => 465
8080 => 587
2082 => 143
2083 => 993
2086 => 110
2087 => 995
8880 => 4190
Docker:
I use jwilder's reverse proxy and its LE companion, which works well with everything else I have hosted so far.
${DOCKERDIR}/docker-compose-js.yml
version: '3'
services:
  proxy:
    build: ./reverse_proxy
    container_name: proxy
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ${DOCKERDIR}/reverse_proxy/certs:/etc/nginx/certs:ro
      - ${DOCKERDIR}/reverse_proxy/vhost.d:/etc/nginx/vhost.d
      - ${DOCKERDIR}/reverse_proxy/html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      - PUID=33
      - PGID=33
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: ""
    networks:
      - proxy-tier
    depends_on:
      - le
  le:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: le
    volumes:
      - ${DOCKERDIR}/reverse_proxy/certs:/etc/nginx/certs:rw
      - ${DOCKERDIR}/reverse_proxy/vhost.d:/etc/nginx/vhost.d
      - ${DOCKERDIR}/reverse_proxy/html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - PUID=33
      - PGID=33
      - DEFAULT_EMAIL=*****
      - NGINX_PROXY_CONTAINER=proxy
    networks:
      - proxy-tier
networks:
  proxy-tier:
Then there is a (slightly) modified file for mailcow, just mentioning the changes:
${DOCKERDIR}/mailcow/docker-compose.yml
nginx-mailcow:
  ...
  # ports:
  #   - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
  #   - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
  ...
There seems to be no way to remove those ports from its original docker-compose.yml, despite that not being recommended.
For all other changes I have:
${DOCKERDIR}/mailcow/docker-compose-override.yml
version: '2.1'
services:
  nginx-mailcow:
    networks:
      proxy-tier:
    environment:
      - VIRTUAL_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
      - VIRTUAL_PORT=8080
      - VIRTUAL_PROTO=http
      - LETSENCRYPT_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
    volumes:
      - ${DOCKERDIR}/reverse_proxy/certs/${MAILCOW_HOSTNAME}:/etc/ssl/mail/
      - ${DOCKERDIR}/reverse_proxy/certs/dhparam.pem:/etc/ssl/mail/dhparams.pem:ro
    ports:
  dovecot-mailcow:
    volumes:
      - ${DOCKERDIR}/reverse_proxy/certs/${MAILCOW_HOSTNAME}:/etc/ssl/mail/
      - ${DOCKERDIR}/reverse_proxy/certs/dhparam.pem:/etc/ssl/mail/dhparams.pem:ro
  postfix-mailcow:
    volumes:
      - ${DOCKERDIR}/reverse_proxy/certs/${MAILCOW_HOSTNAME}:/etc/ssl/mail/
      - ${DOCKERDIR}/reverse_proxy/certs/dhparam.pem:/etc/ssl/mail/dhparams.pem:ro
networks:
  proxy-tier:
And finally the mailcow.conf (changes only):
${DOCKERDIR}/mailcow/mailcow.conf
MAILCOW_HOSTNAME=mail.example.com
HTTP_PORT=8080
#HTTP_BIND=0.0.0.0
HTTP_BIND=proxy
HTTPS_PORT=8443
#HTTPS_BIND=0.0.0.0
HTTPS_BIND=proxy
SKIP_LETS_ENCRYPT=y
When I try to connect to mail.example.com I get Error 526 Invalid SSL certificate.
Could someone please show me where my config is wrong and how to change it so I get mailcow working?

How to fix dynamodb local call using docker-compose

I'm starting a Spring Boot app and DynamoDB Local in Docker containers via docker-compose.
Both containers come up successfully.
When I use the container name for the AMAZON_AWS_DYNAMODB_ENDPOINT value, I get the following error:
[https-jsse-nio-8443-exec-6] [2019-04-15 08:03:42,239] INFO com.amazonaws.protocol.json.JsonContent [] - Unable to parse HTTP response content
com.fasterxml.jackson.core.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
at [Source: (byte[])"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved here.</p>
</body></html>
Further down I'm getting the following error:
com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: null (Service: AmazonDynamoDBv2; Status Code: 301; Error Code: null; Request ID: null)
If I replace the AMAZON_AWS_DYNAMODB_ENDPOINT value with the IP address of my Windows computer (which runs the containers), it works successfully.
Any suggestions on how to get the container name working?
Here's my docker-compose:
version: '3'
services:
  dynamodb:
    image: amazon/dynamodb-local
    ports:
      - "8000:8000"
    volumes:
      - dynamodata:/data
    command: "-jar DynamoDBLocal.jar -sharedDb -dbPath ."
  app:
    build: .
    ports:
      - "8443:8443"
    environment:
      - SERVER_PORT=8443
      - SERVER_SSL_KEY_STORE=/etc/ssl/key
      - SERVER_SSL_KEY_STORE_TYPE=PKCS12
      - SERVER_SSL_KEY_ALIAS=tomcat
      - SERVER_SSL_KEY_STORE_PASSWORD=xxxxxx
      - SPRING_PROFILES_ACTIVE=aws,local
      - DATAPOWER_ENABLED=true
      # - AMAZON_AWS_DYNAMODB_ENDPOINT=${DYNAMODB_ENDPOINT:-http://dynamodb:8000} <--- does not work
      # - AMAZON_AWS_DYNAMODB_ENDPOINT=${DYNAMODB_ENDPOINT:-http://xx.xxx.xxx.xxx:8000} <--- works
      - AMAZON_AWS_DYNAMODB_REGION=${DYNAMODB_REGION:-us-east-1}
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-local}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-xxxxxxxxxx}
      - ENV=dev
      - AWS_REGION=us-east-1
volumes:
  dynamodata:
Thanks
Try adding networks something like this:
version: '3'
services:
  dynamodb:
    image: amazon/dynamodb-local
    ports:
      - "8000:8000"
    volumes:
      - dynamodata:/data
    command: "-jar DynamoDBLocal.jar -sharedDb -dbPath ."
    networks:
      - my-network
  app:
    build: .
    ports:
      - "8443:8443"
    environment:
      - SERVER_PORT=8443
      - SERVER_SSL_KEY_STORE=/etc/ssl/key
      - SERVER_SSL_KEY_STORE_TYPE=PKCS12
      - SERVER_SSL_KEY_ALIAS=tomcat
      - SERVER_SSL_KEY_STORE_PASSWORD=xxxxxx
      - SPRING_PROFILES_ACTIVE=aws,local
      - DATAPOWER_ENABLED=true
      # - AMAZON_AWS_DYNAMODB_ENDPOINT=${DYNAMODB_ENDPOINT:-http://dynamodb:8000} <--- does not work
      # - AMAZON_AWS_DYNAMODB_ENDPOINT=${DYNAMODB_ENDPOINT:-http://xx.xxx.xxx.xxx:8000} <--- works
      - AMAZON_AWS_DYNAMODB_REGION=${DYNAMODB_REGION:-us-east-1}
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-local}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-xxxxxxxxxx}
      - ENV=dev
      - AWS_REGION=us-east-1
    networks:
      - my-network
volumes:
  dynamodata:
networks:
  my-network:
    driver: bridge

How to set password for Traefik dashboard with CLI argument?

There's a manual here for that, but it's heavily tied to TOML. I need a CLI argument, as I'm running Docker Swarm with a Consul setup and high availability:
  consul:
    image: consul
    command: agent -server -bootstrap-expect=1
    volumes:
      - consul-data:/consul/data
    environment:
      - CONSUL_LOCAL_CONFIG={"datacenter":"ams3","server":true}
      - CONSUL_BIND_INTERFACE=eth0
      - CONSUL_CLIENT_INTERFACE=eth0
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      restart_policy:
        condition: on-failure
    networks:
      - traefik
  proxy_init:
    image: traefik:1.6.3-alpine
    command: >
      storeconfig
      --api
      --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
      --entrypoints=Name:api Address::8080 Auth.Basic.Users:test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/ Auth.HeaderField:X-WebAuth-User
      --entrypoints=Name:https Address::443 TLS
      --defaultentrypoints=http,https
      --acme
      --acme.storage="traefik/acme/account"
      --acme.entryPoint=https
      --acme.httpChallenge.entryPoint=http
      --acme.onHostRule=true
      --acme.acmelogging=true
      --acme.onDemand=false
      --acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
      --acme.email="whatever@gmail.com"
      --docker
      --docker.swarmMode
      --docker.domain=swarm.xxx.io
      --docker.endpoint=unix://var/run/docker.sock
      --docker.watch
      --consul
      --consul.watch
      --consul.endpoint=consul:8500
      --consul.prefix=traefik
      --logLevel=DEBUG
      --accesslogsfile=/dev/stdout
    networks:
      - traefik
    deploy:
      placement:
        constraints:
          - node.role == manager
      restart_policy:
        condition: on-failure
    depends_on:
      - consul
  proxy:
    image: traefik:1.6.3-alpine
    depends_on:
      - proxy_init   # the storeconfig service defined above; there is no "traefik_init" service in this file
      - consul
    command: >
      --consul
      --consul.endpoint=consul:8500
      --consul.prefix=traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - webgateway
      - traefik
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    deploy:
      mode: replicated
      replicas: 2
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
volumes:
  consul-data:   # named volume mounted by the consul service
You can also set labels for the Traefik container too. Traefik can manage its own container, so you can set HTTP basic auth through a label like you do with any other container. The only problem I've had is that the DNS challenge from the ACME client fails, but it works with self-signed certificates.
deploy:
  labels:
    - "traefik.docker.network=infra_traefik"
    - "traefik.port=8080"
    - "traefik.tags=monitoring"
    - "traefik.backend.loadbalancer.stickiness=true"
    - "traefik.frontend.passHostHeader=true"
    - "traefik.frontend.rule=Host:proxy01.swarm.lympo.io,proxy.swarm.lympo.io"
    - "traefik.frontend.auth.basic=admin:$$apr1$$Xv0Slw4m$$MqFgCq4Do83fcKIsPTDGu/"
  restart_policy:
    condition: on-failure
  placement:
    constraints:
      - node.role == manager
This is the configuration I use. I have two different endpoints for ping(8082) and API/Dashboard (8081 with basic auth):
version: "3.4"
services:
  traefik_init:
    image: traefik:1.7.9
    command:
      - "storeconfig"
      - "--api"
      - "--api.entrypoint=foo"
      - "--ping"
      - "--ping.entrypoint=bar"
      - "--accessLog"
      - "--logLevel=INFO"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--entrypoints=Name:foo Address::8081 Auth.Basic.Users:admin:$$2a$$10$$i9SzMNSHJlab7zKH28z17uicrnXbHfIicWJVPanNBxf6aiNyoMare"
      - "--entrypoints=Name:bar Address::8082"
      - "--defaultentrypoints=http,https"
Warning: $ character should be escaped with another $ in YAML