[REQUEST] Traefik reverse proxy



On 6/2/2018 at 4:36 PM, primeval_god said:

Before everyone jumps ship from traefik here, I want to chime in and say that I believe there is a way to shore up the security to an acceptable level. Unfortunately I haven't gotten it to work quite yet. I believe the key lies in a program called docker-proxy-acl which can restrict access to certain endpoints on the docker socket. At the moment traefik does not function correctly through this proxy but I am hopeful that the issue can be fixed in short order.

Check out the docker-proxy-acl container available here https://hub.docker.com/r/dcflachs/docker-proxy-acl/ . I believe that it prevents the type of attack described above. This particular container has a version of docker-proxy-acl that supports traefik, which requires the containers, info, version, networks, tasks, events and services endpoints.

  • 2 months later...
  • 1 month later...

How do I change the backend url that traefik points towards? The gui says "http://172.17.0.2:8091" however the docker is actually accessible on "http://10.0.0.53:8091". Any help is greatly appreciated.

 

Edit: Never mind, seems to be an issue with my Comcast router, not with traefik.

Edited by mysterio0

Hi, has someone figured out how to use Traefik with e.g. Booksonic?

What I'd like to do would be to redirect to the address, e.g. 172.17.0.2:4040/booksonic when calling booksonic.<domain>.duckdns.org.

Currently Traefik redirects to 172.17.0.2:4040 but not to 172.17.0.2:4040/booksonic.

 

How do I need to set up Traefik to achieve this?

  • 4 months later...
5 hours ago, Tuumke said:

Anyone else having issues that traefik is really slow?

Slow in what way? I have been generally pleased with the performance of Traefik, however I have noticed that it recently seems slow to see and update new docker configurations and occasionally misses them altogether. I am fairly certain that mine is a setup issue with the docker socket proxy I am using however.

  • 2 weeks later...
On 2/11/2019 at 3:15 PM, primeval_god said:

Slow in what way? I have been generally pleased with the performance of Traefik, however I have noticed that it recently seems slow to see and update new docker configurations and occasionally misses them altogether. I am fairly certain that mine is a setup issue with the docker socket proxy I am using however.

Slow as in health says that response time is 1000ms =/ also have a DEV setup with dockers and traefik, but that is on an Ubuntu VPS I rent. MS = 4~6 there..

  • 5 months later...

Hi All, 

Trying to get Traefik working but I am unsure how things should be. So I have been following this blog https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/#Create_Proxy_Networks and I have Traefik running and 2 items showing in the dashboard. From the logs I am reasonably sure I have it creating Let's Encrypt certificates for them.

 


 

However it's not working, so some questions if I may

1) The backend ip address seems wrong to me. Should it be local server ip address i.e. 192.168.0.1:7878

2) I am trying to work out how far the request is getting. Should I see the request in the logs? I have debug = true and logLevel = "DEBUG"

every so often the logs will spit out

3) Do I need to create a docker network for them? I thought them all being on Bridge would be fine.

 

Any help to point me in the right direction would be amazing thanks!

 

````

time="2019-08-06T10:27:50Z" level=debug msg="Wiring frontend frontend-Host-radarr-testdomain-com-1 to entryPoint https"
time="2019-08-06T10:27:50Z" level=debug msg="Creating backend backend-radarr"
time="2019-08-06T10:27:50Z" level=debug msg="Adding TLSClientHeaders middleware for frontend frontend-Host-radarr-testdomain-com-1"
time="2019-08-06T10:27:50Z" level=debug msg="Creating load-balancer wrr"
time="2019-08-06T10:27:50Z" level=debug msg="Creating server server-radarr-114ed0fd98e0c1baf2940cc3a160bc98 at http://172.17.0.29:7878 with weight 1"
time="2019-08-06T10:27:50Z" level=debug msg="Creating route route-frontend-Host-radarr-testdomain-com-1 Host:radarr.testdomain.com"
time="2019-08-06T10:27:50Z" level=debug msg="Wiring frontend frontend-Host-radarr-testdomain-com-1 to entryPoint http"
time="2019-08-06T10:27:50Z" level=debug msg="Creating backend backend-radarr"
time="2019-08-06T10:27:50Z" level=debug msg="Adding TLSClientHeaders middleware for frontend frontend-Host-radarr-testdomain-com-1"
time="2019-08-06T10:27:50Z" level=debug msg="Creating load-balancer wrr"
time="2019-08-06T10:27:50Z" level=debug msg="Creating server server-radarr-114ed0fd98e0c1baf2940cc3a160bc98 at http://172.17.0.29:7878 with weight 1"
time="2019-08-06T10:27:50Z" level=debug msg="Creating route route-frontend-Host-radarr-testdomain-com-1 Host:radarr.testdomain.com"
time="2019-08-06T10:27:50Z" level=debug msg="Wiring frontend frontend-Host-traefik-testdomain-com-0 to entryPoint https"
time="2019-08-06T10:27:50Z" level=debug msg="Creating backend backend-traefik"
time="2019-08-06T10:27:50Z" level=debug msg="Adding secure middleware for frontend frontend-Host-traefik-testdomain-com-0"
time="2019-08-06T10:27:50Z" level=debug msg="Adding TLSClientHeaders middleware for frontend frontend-Host-traefik-testdomain-com-0"
time="2019-08-06T10:27:50Z" level=debug msg="Creating load-balancer wrr"
time="2019-08-06T10:27:50Z" level=debug msg="Creating server server-traefik-480b5571116c13a981a6e94d60062912 at http://172.17.0.30:8080 with weight 1"
time="2019-08-06T10:27:50Z" level=debug msg="Creating route route-frontend-Host-traefik-testdomain-com-0 Host:traefik.testdomain.com"
time="2019-08-06T10:27:50Z" level=debug msg="Wiring frontend frontend-Host-traefik-testdomain-com-0 to entryPoint http"
time="2019-08-06T10:27:50Z" level=debug msg="Creating backend backend-traefik"
time="2019-08-06T10:27:50Z" level=debug msg="Adding secure middleware for frontend frontend-Host-traefik-testdomain-com-0"
time="2019-08-06T10:27:50Z" level=debug msg="Adding TLSClientHeaders middleware for frontend frontend-Host-traefik-testdomain-com-0"
time="2019-08-06T10:27:50Z" level=debug msg="Creating load-balancer wrr"
time="2019-08-06T10:27:50Z" level=debug msg="Creating server server-traefik-480b5571116c13a981a6e94d60062912 at http://172.17.0.30:8080 with weight 1"
time="2019-08-06T10:27:50Z" level=debug msg="Creating route route-frontend-Host-traefik-testdomain-com-0 Host:traefik.testdomain.com"
time="2019-08-06T10:27:50Z" level=debug msg="Adding certificate for domain(s) *.testdomain.com"
time="2019-08-06T10:27:50Z" level=info msg="Server configuration reloaded on :443"
time="2019-08-06T10:27:50Z" level=info msg="Server configuration reloaded on :8080"
time="2019-08-06T10:27:50Z" level=info msg="Server configuration reloaded on :80"

time="2019-08-06T10:28:21Z" level=debug msg="Provider event received {Status:start ID:e6cbef6b1a69b225e19f66df98cbd8d8caa7f7775c018aae2d6fec8723e73e58 From:temal/logio-server Type:container Action:start Actor:{ID:e6cbef6b1a69b225e19f66df98cbd8d8caa7f7775c018aae2d6fec8723e73e58 Attributes:map[image:temal/logio-server name:logio-server]} Scope:local Time:1565087301 TimeNano:1565087301929970138}"
time="2019-08-06T10:28:21Z" level=debug msg="originLabelsmap[org.opencontainers.image.description:A modern reverse-proxy org.opencontainers.image.version:v1.7.12 traefik.frontend.headers.STSIncludeSubdomains:true traefik.frontend.headers.browserXSSFilter:true traefik.frontend.headers.contentTypeNosniff:true traefik.frontend.rule:Host:traefik.testdomain.com org.opencontainers.image.url:https://traefik.io traefik.frontend.headers.STSPreload:true traefik.frontend.headers.STSSeconds:315360000 org.opencontainers.image.documentation:https://docs.traefik.io org.opencontainers.image.title:Traefik traefik.backend:traefik traefik.frontend.auth.basic.usersFile:/shared/.htpasswd traefik.frontend.headers.forceSTSHeader:true traefik.frontend.headers.frameDeny:true traefik.port:8080 org.opencontainers.image.vendor:Containous traefik.docker.network:bridge traefik.enable:true traefik.frontend.headers.SSLHost:testdomain.com traefik.frontend.headers.SSLRedirect:true]"
time="2019-08-06T10:28:21Z" level=debug msg="allLabelsmap[:map[traefik.enable:true traefik.frontend.headers.browserXSSFilter:true traefik.frontend.auth.basic.usersFile:/shared/.htpasswd traefik.docker.network:bridge traefik.port:8080 traefik.frontend.headers.SSLHost:testdomain.com traefik.frontend.headers.SSLRedirect:true traefik.frontend.rule:Host:traefik.testdomain.com traefik.frontend.headers.forceSTSHeader:true traefik.frontend.headers.frameDeny:true traefik.frontend.headers.contentTypeNosniff:true traefik.frontend.headers.STSPreload:true traefik.frontend.headers.STSSeconds:315360000 traefik.backend:traefik traefik.frontend.headers.STSIncludeSubdomains:true]]"
time="2019-08-06T10:28:21Z" level=debug msg="originLabelsmap[build_version:Linuxserver.io version:- v0.2.0.1358-ls27 Build-date:- 2019-07-30T01:12:09-04:00 maintainer:sparklyballs traefik.docker.network:bridge traefik.enable:true traefik.frontend.rule:Host:radarr.testdomain.com traefik.port:7878 MAINTAINER:sparkyballs,TheLamer]"
time="2019-08-06T10:28:21Z" level=debug msg="allLabelsmap[:map[traefik.frontend.rule:Host:radarr.testdomain.com traefik.port:7878 traefik.docker.network:bridge traefik.enable:true]]"

 

time="2019-08-06T10:29:23Z" level=debug msg="Configuration received from provider docker: {\"backends\":{\"backend-radarr\":{\"servers\":{\"server-radarr-114ed0fd98e0c1baf2940cc3a160bc98\":{\"url\":\"http://172.17.0.29:7878\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-traefik\":{\"servers\":{\"server-traefik-480b5571116c13a981a6e94d60062912\":{\"url\":\"http://172.17.0.30:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend-Host-radarr-testdomain-com-1\":{\"entryPoints\":[\"https\",\"http\"],\"backend\":\"backend-radarr\",\"routes\":{\"route-frontend-Host-radarr-testdomain-com-1\":{\"rule\":\"Host:radarr.testdomain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null},\"frontend-Host-traefik-testdomain-com-0\":{\"entryPoints\":[\"https\",\"http\"],\"backend\":\"backend-traefik\",\"routes\":{\"route-frontend-Host-traefik-testdomain-com-0\":{\"rule\":\"Host:traefik.testdomain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null,\"headers\":{\"sslRedirect\":true,\"sslHost\":\"testdomain.com\",\"stsSeconds\":315360000,\"stsIncludeSubdomains\":true,\"stsPreload\":true,\"forceSTSHeader\":true,\"frameDeny\":true,\"contentTypeNosniff\":true,\"browserXssFilter\":true},\"auth\":{\"basic\":{\"usersFile\":\"/shared/.htpasswd\"}}}}}"
time="2019-08-06T10:29:23Z" level=info msg="Skipping same configuration for provider docker"

````

1 hour ago, Squiggley said:

1) The backend ip address seems wrong to me. Should it be local server ip address i.e. 192.168.0.1:7878

Those IP addresses look correct. The addresses will not be that of your server but rather the address that Docker assigns the container internally, normally starting with 172.

1 hour ago, Squiggley said:

2) I am trying to work out how far the request is getting. Should I see the request in the logs? I have debug = true and logLevel = "DEBUG"

every so often the logs will spit out

Yes I believe you should see the request in the logs with the debugging levels you have set.

1 hour ago, Squiggley said:

3) Do I need to create a docker network for them? I thought them all being on Bridge would be fine.

As long as both traefik and the containers it is proxying to are on the same network it should be fine. I used to have all of mine on the default bridge network. Then I had traefik on the default bridge, and the containers on a custom network (traefik was attached to that network as well), now I have traefik et al on a custom bridge.

8 minutes ago, primeval_god said:

Those IP addresses look correct. The addresses will not be that of your server but rather the address that Docker assigns the container internally, normally starting with 172.

Yes I believe you should see the request in the logs with the debugging levels you have set.

As long as both traefik and the containers it is proxying to are on the same network it should be fine. I used to have all of mine on the default bridge network. Then I had traefik on the default bridge, and the containers on a custom network (traefik was attached to that network as well), now I have traefik et al on a custom bridge.

Marvellous, I will stop trying to work out if that's the bit that's wrong then :)

So if I don't see the request coming in then surely it must be a port forwarding issue?

They are all on the default bridge network, which I will leave them on for just now until I get it all working.

thanks very much for your response

Edited by Squiggley
2 minutes ago, Squiggley said:

So if I don't see the request coming in then surely it must be a port forwarding issue?

That would also be my first guess, along with the possibility of an incorrectly configured traefik entrypoint (with regards to what port the entrypoint uses vs what port is mapped through docker to the host). One possibility that I am not sure about is the certificate aspect. I don't use Let's Encrypt on my setup (well I do but not in traefik, I have an nginx reverse proxy doing ssl unwrapping on a separate entrypoint server) so I am not sure if or how that could be part of the issue.

5 minutes ago, Squiggley said:

Marvellous, I will stop trying to work out if that's the bit that's wrong then :)

So if I don't see the request coming in then surely it must be a port forwarding issue?

They are all on the default bridge network, which I will leave them on for just now until I get it all working.

thanks very much for your response

I am a complete dufus I must have checked the port forwarding many times last night and stared right past the problem!

The problem was between the chair and the monitor!

 

thanks again @primeval_god

3 minutes ago, primeval_god said:

@Squiggley Glad you got it working. Quick sidebar question, are you directly passing the docker socket to traefik or using a socket proxy?

Not 100% sure what you mean but I am guessing you mean this? endpoint = "unix:///var/run/docker.sock"

I actually have it commented out so whatever the default behaviour is.

 

Is this something I should be changing?


I am not sure about that particular line but yes, that is the docker socket. Traefik uses the docker socket to query docker about containers, but there are security implications with giving containers access to the socket. The recommended way to do it so far as I know is to use a program to proxy the docker socket to limit what traefik can do with it (or anything else that you give access to). The traefik documentation says something about doing it via HAProxy and a TCP socket. I personally use a docker-proxy-acl container. https://github.com/titpetric/docker-proxy-acl https://hub.docker.com/search?q=docker-proxy-acl&type=image

Link to comment
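The kind of filtering a Docker socket proxy applies, sketched as an added example (not part of the original posts and not docker-proxy-acl's own code): a read-only allow-list over the endpoints named earlier in the thread (containers, info, version, networks, tasks, events, services). The `Allowed` function, its matching rules and the sample requests are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Endpoint names come from the thread; the matching rules are assumptions.
var allowedTop = map[string]bool{"info": true, "version": true, "networks": true,
	"tasks": true, "events": true, "services": true}
var versionPrefix = regexp.MustCompile(`^/v[0-9]+\.[0-9]+/`)

// Allowed reports whether a Docker API request may pass through the filter.
func Allowed(method, urlPath string) bool {
	if method != http.MethodGet && method != http.MethodHead {
		return false // create, start, exec and delete are all non-GET
	}
	if strings.Contains(urlPath, "..") {
		return false
	}
	p := versionPrefix.ReplaceAllString(urlPath, "/")
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if parts[0] == "containers" {
		// List and inspect only: GET .../archive, /export and /logs expose container data.
		if len(parts) == 2 {
			return parts[1] == "json"
		}
		return len(parts) == 3 && parts[2] == "json"
	}
	// Other endpoints: collection or single object, no sub-resources such as /logs.
	return allowedTop[parts[0]] && len(parts) <= 2
}

func main() {
	// Constructed sample requests, not captured traffic.
	for _, r := range [][2]string{
		{"GET", "/v1.39/containers/json"},
		{"GET", "/events"},
		{"POST", "/containers/create"},
		{"GET", "/containers/abc123/archive"},
		{"GET", "/images/json"},
	} {
		fmt.Printf("%-5s %-32s allowed=%v\n", r[0], r[1], Allowed(r[0], r[1]))
	}
}
```

Blocking by method alone is not enough: several GET paths under `/containers/{id}/` return file or log contents, which is why the container branch is narrower than the rest.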
17 hours ago, primeval_god said:

I am not sure about that particular line but yes, that is the docker socket. Traefik uses the docker socket to query docker about containers, but there are security implications with giving containers access to the socket. The recommended way to do it so far as I know is to use a program to proxy the docker socket to limit what traefik can do with it (or anything else that you give access to). The traefik documentation says something about doing it via HAProxy and a TCP socket. I personally use a docker-proxy-acl container. https://github.com/titpetric/docker-proxy-acl https://hub.docker.com/search?q=docker-proxy-acl&type=image

Thanks for the heads up I will look into using that!

  • 9 months later...
On 2/11/2019 at 6:15 AM, primeval_god said:

Slow in what way? I have been generally pleased with the performance of Traefik, however I have noticed that it recently seems slow to see and update new docker configurations and occasionally misses them altogether. I am fairly certain that mine is a setup issue with the docker socket proxy I am using however.

Not at all, we use it at a Fortune 5 company. :)
