Traefik - frustrated ...help

First post here, hope I'm doing it right...

I've been trying to set up Traefik on my QNAP NAS for about 2 weeks.

I disabled the QNAP web server,

nothing is listening on port 80.

I think I went through all the posts/guides I could find but still... not working.

I need it basically as a reverse proxy, so that internally I could use
http://myQnap.com
or use https from outside.
So before jumping into deep water (which I actually did, but it didn't work),
I'd like to understand why Traefik is not working as expected on my setup.
I followed the beginner guide with a simple setup:

docker-compose.yaml

version: '3.6'

networks:
  traefik_proxy:
    external: true
services:
  traefik:
    container_name: reverse-proxy
    image: traefik
    restart: always
    command: --web --docker
    domainname: xxxxx.myqnapcloud.com
    networks:
      - traefik_proxy   
    ports:
      - 8888:8080
      - 80:80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /${PWD}/traefik/traefik.toml:/traefik.toml
      - /${PWD}/traefik/acme.json:/acme.json

  whoami:
    image: emilevauge/whoami
    networks:
      - traefik_proxy 
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"

traefik.toml

debug = true

logLevel = "DEBUG"
[accessLog]
filePath="/share/Avi/Dockers/traefik/log/traefik.log"

defaultEntryPoints = ["http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "docker.localhost"
exposedByDefault = false


[web]
address = ":8888"
  [web.auth.basic]
  users = ["admin:$<somePass>."]

On Windows 10 using Chrome:

--> 192.168.1.113:8888/dashboard/ - accessible and whoami present there

But when I'm trying to access via

http://whoami.docker.localhost/
Also not for:

http://192.168.1.113:8080

But when running on the NAS directly (via ssh)

[~] # curl -H Host:whoami.docker.localhost http://127.0.0.1

Hostname: 26d9c7890ded
IP: 127.0.0.1
IP: 172.29.0.2
GET / HTTP/1.1
Host: whoami.docker.localhost
User-Agent: curl/7.43.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.29.0.1
X-Forwarded-Host: whoami.docker.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 5aaa4582d502
X-Real-Ip: 172.29.0.1

Why am I not able to access it from Chrome?

How can I tell Traefik is actually doing anything?

Your help is highly appreciated!

You have to remove this line because it overrides your TOML configuration.

Take a look at the documentation: Basics | Traefik | v1.7

This is for acme, if you don't use acme then you don't need this line.

It's the label syntax for the v2 (beta) of Traefik; as you are using the v1, the valid label is:

- "traefik.frontend.rule=Host:whoami.docker.localhost"

Take a look at the documentation: Docker | Traefik | v1.7

TOML is not indentation based, so this line must be at the top of the file.

Take a look at the documentation: EntryPoints | Traefik | v1.7

[web] (or --web) is deprecated and replaced by [api].

Take a look at the documentation:

The path is inside the Traefik container, so it needs to be mounted.

whoami.docker.localhost is a domain managed by your Docker daemon, so it's a local domain. Traefik is not a DNS server.

I recommend using an explicit tag to avoid bad surprises: image: traefik:v1.7.14


I recommend reading our quick start tutorial: Traefik | Traefik | v1.7

After a quick review, your configuration must be something like this:

defaultEntryPoints = ["http"]
logLevel = "DEBUG"

[accessLog]
  # the path is inside the Traefik container. Need to be mounted.
  filePath = "/etc/traefik/log/accesslog.log"

[entryPoints]
  [entryPoints.http]
    address = ":80"

  [entryPoints.dashboard]
    address = ":8080"
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
        users = ["admin:$<somePass>."]

[docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false

[api]
  entryPoint = "dashboard"
  dashboard = true

docker-compose.yml

version: '3.6'

services:
  traefik:
    container_name: reverse-proxy
    image: traefik:v1.7.14
    restart: always
    domainname: xxxxx.myqnapcloud.com
    networks:
      - traefik_proxy
    ports:
      - 80:80
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /${PWD}/traefik/traefik.toml:/traefik.toml
      - /${PWD}/traefik/log/:/etc/traefik/log/

  whoami:
    image: containous/whoami
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:whoami.docker.localhost"

networks:
  traefik_proxy:
    external: true
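
The TOML point in the reply above, as an added example that is not part of the original posts: a key written after a `[table]` header belongs to that table however it is indented, so `defaultEntryPoints` placed below `[accessLog]` is never seen as a root option. The function name and the list of root-only keys are assumptions made for this sketch.

```python
import re

# Options Traefik v1 reads only at the top level of traefik.toml
# (the three that appear in this thread; not an exhaustive list).
ROOT_ONLY = {"defaultEntryPoints", "logLevel", "debug"}
HEADER = re.compile(r"^\s*\[{1,2}\s*([^\[\]]+?)\s*\]{1,2}\s*(?:#.*)?$")
KEY = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=")


def misplaced_root_keys(toml_text):
    """Return (line_no, key, table) for root-only keys placed under a table.

    Simplified scanner, not a full TOML parser: it follows [table] and
    [[array]] headers and ignores indentation, as TOML itself does.
    """
    table, found = None, []  # table is None while still at the top level
    for no, line in enumerate(toml_text.splitlines(), 1):
        header = HEADER.match(line)
        if header:
            table = header.group(1)
            continue
        key = KEY.match(line)
        if key and table is not None and key.group(1) in ROOT_ONLY:
            found.append((no, key.group(1), table))
    return found


# Constructed from the two traefik.toml versions posted in the thread.
ORIGINAL = """\
debug = true
logLevel = "DEBUG"
[accessLog]
filePath="/share/Avi/Dockers/traefik/log/traefik.log"

defaultEntryPoints = ["http"]
"""
CORRECTED = """\
defaultEntryPoints = ["http"]
logLevel = "DEBUG"

[accessLog]
  filePath = "/etc/traefik/log/accesslog.log"
"""

if __name__ == "__main__":
    for no, key, table in misplaced_root_keys(ORIGINAL):
        print(f"line {no}: {key} is read as {table}.{key}, not as a root option")
```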

Thanks Idez,
Your detailed reply is really appreciated!

I changed the file exactly as you describe.

Not sure if you set it to 8080:8080 by mistake, because I set the dashboard on 8888, but in docker-compose I tried:

    ports:
      - 80:80
      - 8080:8080
      # tried also - 8888:8080

  1. No dashboard:
  • on 192.168.1.112:8888 or 8080 when set on docker-compose to 8080
  • or 192.168.1.113:8888 or 8080 when set on docker-compose to 8080

Container status:

 docker container ls

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                                        NAMES
f84f982c3868        traefik:v1.7.14     "/traefik"          6 minutes ago       Up 6 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:8080->8080/tcp   reverse-proxy
05431cfdaace        containous/whoami   "/whoami"           6 minutes ago       Up 6 minutes        80/tcp                                       traefik_whoami_1

  2. No log prints from container

 docker logs 05431cfdaace
Starting up on port 80
Starting up on port 80

 docker logs f84f982c3868
<nothing prints>

I also tried the path you used in the toml: /etc/traefik/log/accesslog.log

actually there's no /etc/traefik folder.

Can you please also advise how I point the log to the folder /share/Avi/Dockers/traefik/log/ ?
I actually mount in the d-c file:

  - /${PWD}/traefik/log/:/etc/traefik/log/

Regarding your comment:

whoami.docker.localhost is a domain managed by your Docker daemon, so it's a local domain. Traefik is not a DNS server.

You mean I can't access whoami from the Chrome browser from address:

Thanks again for your help,

Warning: logs != access logs

version: '3.6'

services:
  traefik:
    container_name: reverse-proxy
    image: traefik:v1.7.14
    restart: always
    domainname: xxxxx.myqnapcloud.com
    networks:
      - traefik_proxy
    ports:
      - 80:80
      - 8888:8888 # <---
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /${PWD}/traefik/traefik.toml:/traefik.toml
      - /share/Avi/Dockers/traefik/log/:/etc/traefik/log/ # <----

  whoami:
    image: containous/whoami
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:whoami.docker.localhost"

networks:
  traefik_proxy:
    external: true

traefik.toml

defaultEntryPoints = ["http"]
logLevel = "DEBUG"

[accessLog]
  filePath = "/etc/traefik/log/accesslog.log"

[entryPoints]
  [entryPoints.http]
    address = ":80"

  [entryPoints.dashboard]
    address = ":8888" # <---
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
        users = ["admin:$<somePass>."]

[docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false

[api]
  entryPoint = "dashboard"
  dashboard = true

Thanks again Idez,
got some progress,
please note as a new user I'm not able to write more than 2 url/links
so consider http:// as HP and https:// as PS
and I also had to add some spaces in url/email

Actually the reason the toml wasn't read was a stupid "/":

 - /${PWD}/traefik/log/:/etc/traefik/log**/**

Surprising that such a small thing has such an impact.

I'm ready for the next step:
Set Traefik as reverse proxy + SSL.

I'd like Traefik to allow accessing home-assistant from the local network with HP
i.e. HP 192. 168.1 .112:8123
(hopefully someday/somehow I manage to access it with some "dns" shortcut as HP homeassistant).

and from the outside network with PS,
using my domain xxxx myqnapcloud.com.

I configured the docker-compose.yml and traefik.toml (see below).

All went smoothly:
acme.json - generated with PK and Certificate
HA - accessing (internally) through
HP 192.168.1.112:8123 - working (no change)

Trying to access from the outside network PS xxxx myqnapcloud com:443 failed.

I port forwarded port 443:443 for this IP (not sure if required).

Error in access.log:

46.19.85.181 - - [18/Aug/2019:20:33:41 +0000] "GET / HTTP/2.0" 404 19 "-" "Mozilla/5.0 (Linux; Android 9; VTR-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36" 31 "**backend not found**" "/" 0ms

Does that mean the https redirect didn't work?
btw - I can connect through:
HP xxxx.myqnapcloud.com:8123

So I think something with the redirect is not working properly,
or the backend setting is incorrect (maybe I need to use another IP?)

defaultEntryPoints = ["http"]
logLevel = "INFO"

[accessLog]
  filePath = "/etc/traefik/log/accesslog.log"

[traefikLog]
  filePath = "/etc/traefik/log/traefik.log"
  
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[retry]

  [entryPoints.dashboard]
    address = ":8888"
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
        users = ["admin:$XXXXXXXXXXXXXXXXXXXXXXXXXX."]

[docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false
  watch = true
  
[api]
  entryPoint = "dashboard"
  dashboard = true


[acme]
email = "mygmail   @gmail.com"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"

[[acme.domains]]
  main = "mygmail.myqnapcloud.com"


[file]
[backends]
  [backends.backend-homeassistant]
    [backends.backend-homeassistant.servers]
      [backends.backend-homeassistant.servers.server-homeassistant-ext]
        url = "HP     192.168.1.112:8123"  ## not sure for this one
        weight = 0
[frontends]
  [frontends.frontend-homeassistant]
    backend = "backend-homeassistant"
    passHostHeader = true
    [frontends.frontend-homeassistant.routes]
      [frontends.frontend-homeassistant.routes.route-homeassistant-ext]
      rule = "Host:xxxxxmyqnapcloud.com"

docker-compose.yml

version: '3.6'

networks:
  traefik_proxy:
    external: true


services:
  traefik:
    container_name: reverse-proxy
    image: traefik:v1.7.14
    restart: always
    domainname: xxxxx.myqnapcloud.com
    networks:
      - traefik_proxy
    ports:
      - 80:80
      - 443:443
      - 8888:8888 
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/traefik/traefik.toml:/etc/traefik/traefik.toml
      - $PWD/traefik/log/:/etc/traefik/log 
      - ${PWD}/traefik/acme.json:/acme.json
    
  homeassistant:
    container_name: home-assistant
    image: homeassistant/home-assistant:latest
    ports:
      - 8123:8123
    volumes:
      - /share/user/HA/:/config
      - /etc/localtime:/etc/localtime:ro
    restart: always
    network_mode: host
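
The access-log entry in the post above follows Traefik v1's common log format, in which the quoted field after the request counter is the frontend name and the next one is the backend URL; "backend not found" there means the request reached an entrypoint but no frontend was selected for it. As an added example (not part of the original posts), this sketch pulls such entries out of an access log; the function name, sample lines and client addresses are constructed.

```python
import re

# Traefik v1 common-log-format line, field order as in the entry above:
# client - user [time] "request" status size "referer" "agent"
# request-count "frontend" "backend-url" duration
LINE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<count>\d+) "(?P<frontend>[^"]*)" "(?P<backend>[^"]*)" (?P<ms>\d+)ms'
)


def unrouted_requests(log_text):
    """Map each client IP to the paths it requested that matched no frontend."""
    unrouted = {}
    for line in log_text.splitlines():
        m = LINE.match(line.replace("**", ""))  # tolerate forum bold markers
        if m and m["status"] == "404" and m["frontend"] == "backend not found":
            unrouted.setdefault(m["client"], []).append(m["path"])
    return unrouted


# Constructed sample: two unrouted requests and one that reached a backend.
SAMPLE = """\
203.0.113.7 - - [18/Aug/2019:20:33:41 +0000] "GET / HTTP/2.0" 404 19 "-" "Mozilla/5.0" 31 "backend not found" "/" 0ms
203.0.113.7 - - [18/Aug/2019:20:33:43 +0000] "GET /favicon.ico HTTP/2.0" 404 19 "-" "Mozilla/5.0" 32 "backend not found" "/" 0ms
198.51.100.20 - - [18/Aug/2019:20:40:02 +0000] "GET / HTTP/2.0" 200 4217 "-" "Mozilla/5.0" 33 "Host-example-myqnapcloud-com-0" "http://192.168.1.112:8123" 12ms
"""

if __name__ == "__main__":
    for client, paths in unrouted_requests(SAMPLE).items():
        print(f"{client}: {len(paths)} request(s) matched no frontend: {paths}")
```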

Instead of access logs, I recommend reading Traefik logs.

  • remove the [file], [backends], [frontends] sections.
  • the redirection works but your backends definitions and defaultEntryPoints are wrong.

defaultEntryPoints = ["http", "https"]
logLevel = "INFO"

[accessLog]
  filePath = "/etc/traefik/log/accesslog.log"

[traefikLog]
  filePath = "/etc/traefik/log/traefik.log"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
  [entryPoints.dashboard]
    address = ":8888"
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
        users = ["admin:$XXXXXXXXXXXXXXXXXXXXXXXXXX."]

[retry]

[docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false
  watch = true

[api]
  entryPoint = "dashboard"
  dashboard = true

[acme]
  email = "mygmail@gmail.com"
  storage = "acme.json"
  entryPoint = "https"
  onHostRule = true
  [acme.httpChallenge]
    entryPoint = "http"

docker-compose.yml

version: '3.6'

services:
  traefik:
    container_name: reverse-proxy
    image: traefik:v1.7.14
    restart: always
    domainname: xxxxx.myqnapcloud.com
    networks:
      - traefik_proxy
    ports:
      - 80:80
      - 443:443
      - 8888:8888
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${PWD}/traefik/traefik.toml:/etc/traefik/traefik.toml
      - ${PWD}/traefik/log/:/etc/traefik/log
      - ${PWD}/traefik/acme.json:/acme.json

  homeassistant:
    container_name: home-assistant
    image: homeassistant/home-assistant:latest
    volumes:
      - /share/user/HA/:/config
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      - "traefik.port=8123"
      - "traefik.frontend.rule=Host:xxxxx.myqnapcloud.com"
    restart: always
    network_mode: host

networks:
  traefik_proxy:
    external: true

Thank you very much Idez - it is working!!

Actually your suggestion worked perfectly,
and the configuration I posted also worked; I just forgot to add defaultEntryPoints = ["http", "https"].
As I understand, using the [file] tag in the toml allows Traefik to work on docker/application from outside, right?

Which means I can separate the containers.
I managed to connect from outside with https to my domain.myqnap.com and also locally with http.

A few questions if I may:

  1. With the current setup it looks like I don't actually need to open any port in the router (besides 443)?

  2. Is there an option in Traefik to renew the SSL automatically?

  3. On my QNAP server Apache is running and listening on port 80; I stopped it manually so I could install Traefik.
    The problem I noticed is that after a restart, QNAP resets the Apache setting and starts Apache automatically on port 80.
    Is there an option to set Traefik to listen on another port? Is there a problem if Apache runs on 80 and Traefik on another?

  4. Do you have any other recommendation for this setup to make it more secure?

I really appreciate your help,
your detailed and clear answer helped me solve it and I'm grateful for that.
Karma exists :)


[file] allows defining some routing for applications outside of orchestrators (Docker, k8s, ...)

No, because the HTTP challenge requires port 80.
But you can use the TLS challenge instead (I recommend that).

Traefik will automatically renew Let's Encrypt certificates 30 days before expiration.

I recommend configuring or stopping Apache instead.

https://forum.qnap.com/viewtopic.php?t=135738
https://wiki.qnap.com/wiki/Modify_apache.conf
