Discourse with Traefik 2.0

SvenC56 · October 6, 2019, 6:57pm

Hi all,

I’m migrating to a new server and I want to use Traefik 2.0 as a reverse proxy. I’m currently struggling with the new configuration. I added a section at the bottom of the app.yml file. (Source: Discourse behind Traefik 🐭)

...

expose:
  - "8060:80"   # http
  - "8070:443" # https

...

docker_args:
  - "--network=web"
  - "--expose=8060"
  - "-l traefik.enable=true"
  - "-l traefik.http.routers.forum.rule=Host(`forum.example.com`)"
  - "-l traefik.http.routers.forum.entrypoints=websecure"
  - "-l traefik.http.routers.forum.tls=true"
  - "-l traefik.http.routers.forum.tls.certresolver=mytlschallenge"
  - "-l traefik.http.services.forum.loadbalancer.server.port=8060"
  - "-l traefik.docker.network=web"

This does not seem to work. When I open the route I get a Bad Gateway error. When I go directly to the ip_adress:8060 it opens discourse.

Does anyone have experience with Traefik 2.0?

Thank you!

SvenC56 · October 6, 2019, 7:33pm

After some trying I could solve it by my own.

For further notice I attach my app.yml:

...

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  #- "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"
  #- "templates/web.socketed.template.yml" 

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
#expose:
#  - "8060:80"   # http
#  - "8070:443" # https

...

docker_args:
  - "--network=web"
  #- "--expose=8060"
  - "-l traefik.enable=true"
  - "-l traefik.http.routers.forum.rule=Host(`forum.example.com`)"
  - "-l traefik.http.routers.forum.entrypoints=websecure"
  - "-l traefik.http.routers.forum.tls=true"
  - "-l traefik.http.routers.forum.tls.certresolver=mytlschallenge"
  - "-l traefik.http.services.forum.loadbalancer.server.port=80"
  - "-l traefik.docker.network=web"

PackElend · November 30, 2019, 6:42pm

why it is neccessary to sue docker_args? According to GitHub - discourse/discourse_docker: A Docker image for Discourse it shall work like:

labels:
  monitor: 'true'
  app_name: {{config}}_discourse

Add labels to the current container. The above will add --l monitor=true -l app_name=dev_discourse to the options when running the container.

Moreover, where is docker_args explained?

PackElend · November 30, 2019, 7:09pm

@Cameron_D
how did you find out that docker_args is the way to go?

Cameron_D · December 8, 2019, 5:33am

I just couldn’t get the labels section working as expected. I’m not sure exactly why it wasn’t working anymore, or whether or not its been fixed since because I’ve just left my configuration as-is because its working.

PackElend · January 2, 2020, 10:44pm

Hi there,
can you share your traefik configuration?

I end up with 302, redirects automatically to https and then it ends…
Traefik dashbord says all ok.

my docker-compose.yml is here

version: "3.7"
    services:
      traefik-reverse-proxy:   
        # The official v2.0 Traefik docker image
        image: traefik:latest #traefik:v2.0
        container_name: "traefik"       
        command:
          # tell Traefik to listen to docker 
          - --providers.docker          # (Default: true)
          # Enable api/dashboard / (set the docker endpoint to speak to docker's API)
          - --api=true                    # (Default: false)
          # Activate dashboard. 
          - --api.dashboard               # (Default: true)
          # Enables the web UI / Traefik will listen on port 8080 by default for API request. / Activate API directly on the entryPoint named traefik. (Default: false) --> port '8080'v= entryPoint 'traefik', overrides --api
          - --api.insecure=true         # (Default: false) 
          # Enable additional endpoints for debugging and profiling. 
          - --api.debug=true            # (Default: false)
          # set debug level of the log
          - --log.level=DEBUG    
          # writting the accesslog
          - --accesslog=true    
          # defining the storage location inside the container, log file is written inside the container. To make it avaiable on the host it is mounted, see volumes section
          - --log.filePath=/var/traefik-container/logs/traefik-log.log
          - --accesslog.filepath=/var/traefik-container/logs/traefik-access.log
          # override the default port 80 entrypoint name  by "web"
          - --entrypoints.web.address=:80
          # declare the entrypointname for port 443
          - --entrypoints.websecure.address=:443
          #--providers.docker.endpoint=unix:///var/run/docker.sock    
          # Let's Encrypt
          - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
          - --certificatesresolvers.mytlschallenge.acme.email=my@email.com
          - --certificatesresolvers.mytlschallenge.acme.storage=/var/traefik-container/letsencrypt/acme.json
        ports:
          # The HTTP port
          - "80:80"
          # The HTTPS port
          - "443:443"
          # The Web UI (enabled by --api.insecure=true)
          - "8080:8080"
        volumes:        # syntax --> host-location:path-in-container
          # So that Traefik can listen to the Docker events
          - /var/run/docker.sock:/var/run/docker.sock
          - /var/traefik/log:/var/traefik-container/logs
          - /var/traefik/letsencrypt:/var/traefik-container/letsencrypt
        labels:
          - "traefik.enable=true"
          - "traefik.docker.network=bridge_proxy_traefikv2"
          - "traefik.http.routers.traefikv2.rule=Host(`traefik.mydomain.community`)"
          - "traefik.http.routers.traefikv2.entrypoints=web"
          - "traefik.http.services.traefikv2.loadBalancer.server.port=80"

        networks:
          - traefik
          #- default
          
       #Tiny Go webserver that prints os information and HTTP request to output
    #  whoami:
    #    image: "containous/whoami"
    #    container_name: "whoami"
    #    labels:
    #      - "traefik.enable=true"
    #      - "traefik.docker.network=bridge_proxy_traefikv2"
    #      - "traefik.http.routers.whoami.rule=Host(`mydomain.community`)"
    #      - "traefik.http.routers.whoami.entrypoints=web"
    #      - "traefik.http.services.whoami.loadBalancer.server.port=80"
    #    networks:
    #      - traefik
    #      #- default
          
      whoami_sub:
        image: "containous/whoami"
        container_name: "whoami_sub"
        labels:
          - "traefik.enable=true"
          - "traefik.name=whoami_sub"
          - "traefik.docker.network=bridge_proxy_traefikv2"
          - "traefik.http.routers.whoami_sub.rule=Host(`whoami.mydomain.community`)"
          - "traefik.http.routers.whoami_sub.entrypoints=web"
          #- "traefik.http.services.whoami_sub.loadBalancer.server.port=80"
        networks:
          - traefik
          - default

    networks:
      traefik:
        external:
          name: bridge_proxy_traefikv2

my discourse app.yml is here

## this is the all-in-one, standalone Discourse Docker container template
##
## After making changes to this file, you MUST rebuild
## /var/discourse/launcher rebuild app
##
## BE *VERY* CAREFUL WHEN EDITING!
## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
## visit http://www.yamllint.com/ to validate this file as needed

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
#  - "80:80"   # http
#  - "443:443" # https

params:
  db_default_text_search_config: "pg_catalog.english"

  ## Set db_shared_buffers to a max of 25% of the total memory.
  ## will be set automatically by bootstrap based on detected RAM, or you can override
  db_shared_buffers: "128MB"

  ## can improve sorting performance, but adds memory usage per-connection
  #db_work_mem: "40MB"

  ## Which Git revision should this container use? (default: tests-passed)
  #version: tests-passed

labels:
  app_name:                                                 discourse  
  traefik.enable:                                           true
  traefik.docker.network:                                   bridge_proxy_traefikv2  
  traefik.http.services.forum.loadbalancer.server.port:     80
  traefik.http.routers.forum.rule:                          Host(`forum.mydomain.community`)
  traefik.http.routers.forum.entrypoints:                   websecure
  traefik.http.routers.forum.tls:                           true
  traefik.http.routers.forum.tls.certresolver:              mytlschallenge
     
docker_args:
  - "--network=bridge_proxy_traefikv2"
 # - "-l traefik.enable=true"
 # - "-l traefik.http.routers.forum.rule=Host(`fairbnb.community`)"
 # - "-l traefik.http.routers.forum.entrypoints=websecure"
 # - "-l traefik.http.routers.forum.tls=true"
 # - "-l traefik.http.routers.forum.tls.certresolver=mytlschallenge"
 # - "-l traefik.http.services.forum.loadbalancer.server.port=80"
 # - "-l traefik.docker.network=web"
  
env:
  LANG: en_US.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en

  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  UNICORN_WORKERS: 2

  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: forum.fairbnb.community

  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "$hostname-$config")
  #DOCKER_USE_HOSTNAME: true

  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'discourse@myemail.com'

  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: smtp.zoho.eu
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: discourse@myemail.com
  DISCOURSE_SMTP_PASSWORD: "tempPassword"
  #DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)

  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  LETSENCRYPT_ACCOUNT_EMAIL: me@example.com

  ## The http or https CDN address for this Discourse instance (configured to pull)
  ## see https://meta.discourse.org/t/14857 for details
  #DISCOURSE_CDN_URL: https://discourse-cdn.example.com
  
## The Docker container is stateless; all data is stored in /shared
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log

## Plugins go here
## see https://meta.discourse.org/t/19157 for details
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git

## Any custom commands to run after building
run:
  - exec: echo "Beginning of custom commands"
  ## If you want to set the 'From' email address for your first registration, uncomment and change:
  ## After getting the first signup email, re-comment the line. It only needs to run once.
  - exec: rails r "SiteSetting.notification_email='discourse@zoho.fairbnb.community'"
  - exec: echo "End of custom commands"

PackElend · January 4, 2020, 8:55pm

There were problems make Traefik’s dashboard available via a subdomain but discourse is still not reachable, see https://community.containo.us/t/discourse-instance-is-handled-by-api-internal-is-that-normal/3690/1
Here are my working configs.

With my comments

docker-compose: traefikV2_docker-compose.yaml

# https://stackoverflow.com/questions/49718431/docker-compose-yml-file-naming-convention
version: "3.7"

services:
  traefik-reverse-proxy:   
    # The official v2.0 Traefik docker image
    #image: traefik:latest 
    #image: traefik:v2.0
    image: traefik:v2.1.1
    container_name: traefik
    #command: 
    ## to work with custom traefik configuration file you have to declare the local path and mount the location on the host, see volume section
    #- --configFile=/etc/traefik/traefik-config.yaml
    
    ports:
      # The HTTP port
      - 80:80
      # The HTTPS port
      - 443:443
      # The Web UI (enabled by --api.insecure=true)
      #- "8080:8080"
    
    volumes:         
    # syntax --> host-location:path-in-container, see https://docs.docker.com/compose/compose-file/#volumes
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      # mount the location for the log files to the host, so that I can read them on the host
        # chosen based on https://unix.stackexchange.com/questions/104936/where-are-all-the-posibilities-of-storing-a-log-file
      - /var/log/traefik:/var/log
      # mount the location for the certifcates to the host, so that I can read them on the host
        #based on https://www.getpagespeed.com/server-setup/ssl-directory and https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux
      - /etc/ssl/certs/traefik/letsencrypt:/etc/ssl/certs/letsencrypt
      # I use a customized "traefik.toml", so it has to be mounted into the traefik container (or stored there), combine 
        # https://stackoverflow.com/questions/47382756/why-is-my-traefik-toml-file-not-be-read-by-docker-compose-configuration
        # https://stackoverflow.com/questions/57200728/can-the-default-location-of-the-traefik-configuration-file-be-changed-in-the-off
        # https://stackoverflow.com/questions/45902133/how-to-use-custom-traefik-toml-file
        # https://docs.traefik.io/getting-started/configuration-overview/
      - /opt/traefik/traefik-config.yaml:/etc/traefik/traefik.yaml
    
    labels:
      - traefik.enable=true
      #- "traefik.docker.network=bridge_proxy_traefikv2"
      - traefik.http.routers.traefik_dashboard-router.rule=Host(`traefik.fairbnb.community`)
      - traefik.http.routers.traefik_dashboard-router.entrypoints=web
      #- "traefik.http.services.traefik_dashboard-service.loadBalancer.server.port=8080"
      - traefik.http.routers.traefik_dashboard-router.service=api@internal

    networks:
      - traefik
      #- default
      
   #Tiny Go webserver that prints os information and HTTP request to output
   #  whoami:
   #    image: "containous/whoami"
   #    container_name: "whoami"
   #    labels:
   #      - "traefik.enable=true"
   #      - "traefik.docker.network=bridge_proxy_traefikv2"
   #      - "traefik.http.routers.whoami-router.rule=Host(`fairbnb.community`)"
   #      - "traefik.http.routers.whoami-router.entrypoints=web"
   #      - "traefik.http.services.whoami-service.loadBalancer.server.port=80"
   #    networks:
   #      - traefik
   #      #- default
      
  whoami_viaSubdomain:
    image: "containous/whoami"
    container_name: "whoami_viaSubdomain"
    labels:
      - traefik.enable=true
      - traefik.docker.network=bridge_proxy_traefikv2
      - traefik.http.routers.whoami_viaSubdomain-router.rule=Host(`whoami.fairbnb.community`)
      - traefik.http.routers.whoami_viaSubdomain-router.entrypoints=web
      #- "traefik.http.services.whoami_viaSubdomain-service.loadBalancer.server.port=80"
    networks:
      - traefik
      #- default

networks:
  traefik:
    external:
      name: bridge_proxy_traefikv2

Traefik configuration: traefik-config.yaml

global:
  checkNewVersion: true
#  sendAnonymousUsage: true
#serversTransport:
#  insecureSkipVerify: true
#  rootCAs:
#  - foobar
#  maxIdleConnsPerHost: 42
#  forwardingTimeouts:
#    dialTimeout: 42
#    responseHeaderTimeout: 42
#    idleConnTimeout: 42

entryPoints:
  web:
    address: :80
    #transport:
    #  lifeCycle:
    #    requestAcceptGraceTimeout: 42
    #    graceTimeOut: 42
    #  respondingTimeouts:
    #    readTimeout: 42
    #    writeTimeout: 42
    #    idleTimeout: 42
    #proxyProtocol:
    #  insecure: true
    #  trustedIPs:
    #  - foobar
    #  - foobar
    #forwardedHeaders:
    #  insecure: true
    #  trustedIPs:
    #  - foobar
    #  - foobar
  websecure:
    address: :443
  #traefik_dashboard:
     #address: ":8080"     

api: 
#api: {}   
# Activate dashboard. 
  ## Enables the web UI @ port 8080/ Traefik will listen on port 8080 by default for API request. / Activate API directly on the entryPoint named traefik. (Default: false) --> port '8080'v= entryPoint 'traefik', overrides --api  
  #insecure: true
  ## Activate dashboard. (Default: true)
  # dashboard: true
  # Enable additional endpoints for debugging and profiling. 
   debug: true    
  
providers:
# providersThrottleDuration: 42
  docker:
    #constraints: foobar
    ## Watch provider. (Default: true)
    #watch: true
    ## Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: unix:///var/run/docker.sock)
    #endpoint: unix:///var/run/docker.sock
    #defaultRule: foobar
    #tls:
      #ca: foobar
      #caOptional: true
      #cert: foobar
      #key: foobar
      #insecureSkipVerify: true
    # Expose containers by default. (Default: true) / By default, routes for all detected containers are creates. ITo limit the scope of Traefik's service discovery, i.e. disallow route creation for some containers, you can do so in two different ways: gerneric exposedByDefault (overriden by traefik.enable), or with a finer granularity mechanism based on constraints.
    exposedByDefault: false
    #useBindPortIP: true
    #swarmMode: true
    # Default Docker network used.
    network: bridge_proxy_traefikv2
    # swarmModeRefreshSeconds: 42  

not used currently-metrics:    # this is only hear to fold/unfold the commented region in  Notepad++
#metrics:
#  prometheus:
#    buckets:
#    - 42
#    - 42
#    addEntryPointsLabels: true
#    addServicesLabels: true
#    entryPoint: foobar
#    manualRouting: true
#  datadog:
#    address: foobar
#    pushInterval: 42
#    addEntryPointsLabels: true
#    addServicesLabels: true
#  statsD:
#    address: foobar
#    pushInterval: 42
#    addEntryPointsLabels: true
#    addServicesLabels: true
#    prefix: traefik
#  influxDB:
#    address: foobar
#    protocol: foobar
#    pushInterval: 42
#    database: foobar
#    retentionPolicy: foobar
#    username: foobar
#    password: foobar
#    addEntryPointsLabels: true
#    addServicesLabels: true
#ping:
#  entryPoint: foobar
#  manualRouting: true
   #
log:
#Traefik's log file 
  # set debug level of the log
  level: DEBUG
  # defining the storage location inside the container, log file is written inside the container. To make it avaiable on the host it is mounted, see volumes section in docker-compose file
    # chosen based on https://unix.stackexchange.com/questions/104936/where-are-all-the-posibilities-of-storing-a-log-file
  filePath: /var/log/traefik-log.log
  # Traefik log format: json | common (Default: common)
  #format: common

accessLog:      
# Logging access attempts   
  # defining the storage location inside the container, log file is written inside the container. To make it avaiable on the host it is mounted, see volumes section in docker-compose file
    # chosen based on https://unix.stackexchange.com/questions/104936/where-are-all-the-posibilities-of-storing-a-log-file  
  filePath: /var/log/traefik-access.log
  # Access log format: json | common (Default: common)
  #format: common
#  filters:
#    statusCodes:
#    - foobar
#    - foobar
#    retryAttempts: true
#    minDuration: 42
#  fields:
#    defaultMode: foobar
#    names:
#      name0: foobar
#      name1: foobar
#    headers:
#      defaultMode: foobar
#      names:
#        name0: foobar
#        name1: foobar
#  bufferingSize: 42
   #
   
not used currently-tracing:    # this is only hear to fold/unfold the commented region in  Notepad++
#tracing:   
#  serviceName: foobar
#  spanNameLimit: 42
#  jaeger:
#    samplingServerURL: foobar
#    samplingType: foobar
#    samplingParam: 42
#    localAgentHostPort: foobar
#    gen128Bit: true
#    propagation: foobar
#    traceContextHeaderName: foobar
#    collector:
#      endpoint: foobar
#      user: foobar
#      password: foobar
#  zipkin:
#    httpEndpoint: foobar
#    sameSpan: true
#    id128Bit: true
#    sampleRate: 42
#  datadog:
#    localAgentHostPort: foobar
#    globalTag: foobar
#    debug: true
#    prioritySampling: true
#    traceIDHeaderName: foobar
#    parentIDHeaderName: foobar
#    samplingPriorityHeaderName: foobar
#    bagagePrefixHeaderName: foobar
#  instana:
#    localAgentHost: foobar
#    localAgentPort: 42
#    logLevel: foobar
#  haystack:
#    localAgentHost: foobar
#    localAgentPort: 42
#    globalTag: foobar
#    traceIDHeaderName: foobar
#    parentIDHeaderName: foobar
#    spanIDHeaderName: foobar
#    baggagePrefixHeaderName: foobar
   #
not used currently-hostResolver:     # this is only hear to fold/unfold the commented region in  Notepad++
#hostResolver:
#  cnameFlattening: true
#  resolvConfig: foobar
#  resolvDepth: 42
  #
certificatesResolvers:
  tlsChallenge_letsencrypt:
    acme:
      email: my.secret@gmail.com
      # CA server to use. (Default: https://acme-v02.api.letsencrypt.org/directory)
      #caServer:        
      # location chosen based on  on https://www.getpagespeed.com/server-setup/ssl-directory and https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux
      storage: /etc/ssl/certs/letsencrypt/acme.json
      # KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: RSA4096)
      #keyType: {}         
      #dnsChallenge:
        # provider: foobar
        # delayBeforeCheck: 42
        # resolvers:
        # - foobar
        # - foobar
        # disablePropagationCheck: true
      #httpChallenge:
        # entryPoint: foobar
      tlsChallenge: {}
  #CertificateResolver1:
  #  acme:
  #    email: my.secret@gmail.com
  #    caServer: foobar
  #    storage: foobar
  #    keyType: foobar
  #    dnsChallenge:
  #      provider: foobar
  #      delayBeforeCheck: 42
  #      resolvers:
  #      - foobar
  #      - foobar
  #      disablePropagationCheck: true
  #    httpChallenge:
  #      entryPoint: foobar
  #    tlsChallenge: {}

Without my comments

docker-compose: traefikV2_docker-compose.yaml

root@Ubuntu18:/opt/10_docker-compose.yml-files# cat traefikV2_docker-compose.yaml | grep -v "#"
version: "3.7"

services:
  traefik-reverse-proxy:
    image: traefik:v2.1.1
    container_name: traefik

    ports:
      - 80:80
      - 443:443

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/log/traefik:/var/log
      - /etc/ssl/certs/traefik/letsencrypt:/etc/ssl/certs/letsencrypt
      - /opt/traefik/traefik-config.yaml:/etc/traefik/traefik.yaml

    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik_dashboard-router.rule=Host(`traefik.fairbnb.community`)
      - traefik.http.routers.traefik_dashboard-router.entrypoints=web
      - traefik.http.routers.traefik_dashboard-router.service=api@internal

    networks:
      - traefik


  whoami_viaSubdomain:
    image: "containous/whoami"
    container_name: "whoami_viaSubdomain"
    labels:
      - traefik.enable=true
      - traefik.docker.network=bridge_proxy_traefikv2
      - traefik.http.routers.whoami_viaSubdomain-router.rule=Host(`whoami.fairbnb.community`)
      - traefik.http.routers.whoami_viaSubdomain-router.entrypoints=web
    networks:
      - traefik

networks:
  traefik:
    external:
      name: bridge_proxy_traefikv2

Traefik configuration: traefik-config.yaml

root@Ubuntu18:/opt/traefik# cat traefik-config.yaml | grep -v "#"
global:
  checkNewVersion: true

entryPoints:
  web:
    address: :80
  websecure:
    address: :443

api:
   debug: true

providers:
  docker:
    exposedByDefault: false
    network: bridge_proxy_traefikv2

log:
  level: DEBUG
  filePath: /var/log/traefik-log.log

accessLog:
  filePath: /var/log/traefik-access.log

certificatesResolvers:
  tlsChallenge_letsencrypt:
    acme:
      email: my.secret@gmail.com
      storage: /etc/ssl/certs/letsencrypt/acme.json
      tlsChallenge: {}

PackElend · January 6, 2020, 1:51pm

@Cameron_D
@SvenC56
@Cerix
@huberfe
sorry for tagging your directly but it looks like that you are the only documented users running discourse behind Traefik.
Albeit there promise, that Traefik will take care about anything it seems not so simple to set up.
So far, I haven’t been successful:

working URLs:

not working URL:

http://forum.fairbnb.community/

It would highly appreciate if you could share the full configuration of Discourse and Traefik, enabling me to troubleshoot it better.

My Traefik configs at the of this post Endless 502 / forwarding when calling dashboard via subdomain #6123 - Traefik v2 - Containous Community Forum

huberfe · January 6, 2020, 2:14pm

As i am only on my mobile, please check my config here: traefik - SeAT Discourse Documentation
Please Note: i only had it running with v1.6 and v1.7 of traefik. No idea if that will work with v2

With that multiple users were able to use my plugin, use discourse and traefik.

Note: i haven’t read a single post in this tread, simply answering on the ping

PackElend · January 6, 2020, 2:51pm

thx a ot

I will try to translate it from v1 to v2.

I’m already getting an idea out of it, need some hours to think through it.

I assume that the templates for SSL and Let’s Encrypt are commmented so the to the template section looks like

    templates:
          - "templates/postgres.template.yml"
          - "templates/redis.template.yml"
          - "templates/web.template.yml"
          - "templates/web.ratelimited.template.yml"
        ## Uncomment these two lines if you wish to add Lets Encrypt (https)
          #- "templates/web.ssl.template.yml"
          #- "templates/web.letsencrypt.ssl.template.yml"

huberfe · January 6, 2020, 3:58pm

yeah why would you want the discourse container to manage your ssl-certificates, if you are about to enable a proxy infront?

please post your solution as soon as you are done.

PackElend · January 6, 2020, 4:03pm

in Run other websites on the same machine as Discourse - #301 see

I would suggest do add the template section in the docs as well. I noticed that it was not commented in my install, as I did standalone first to get the app.yml. In the very beginning, I forgot to comment them. Could avoid that others run in the same problem.

for sure

PackElend · January 6, 2020, 7:03pm

it doesn’t show the static configuration of Traefik, does it?

PackElend · January 6, 2020, 8:05pm

Good News Everyone ! http://forum.fairbnb.community/ is reachable.

This is the configuration with minimum changes in app.yml to have it served via http, I will dive into https on the weekend.

templates:
    - "templates/postgres.template.yml"
    - "templates/redis.template.yml"
    - "templates/web.template.yml"
    - "templates/web.ratelimited.template.yml"
    ## Uncomment these two lines if you wish to add Lets Encrypt (https)
    #- "templates/web.ssl.template.yml"
    #- "templates/web.letsencrypt.ssl.template.yml"  

expose:
      #- "80:80"   # http
      #- "443:443" # https

labels:
    traefik.enable:                                               true
    traefik.http.services.discourse.loadbalancer.server.port:     80
    traefik.http.routers.discourse.rule:                          Host(`forum.fairbnb.community`)
    traefik.http.routers.discourse.entrypoints:                   web

Cerix · January 6, 2020, 8:28pm

For SSL just configure Traefik + Let’s Encrypt, you don’t need to use discourse ssl.

Traefik will mange encryption over all of yours containers

Currently i’m using traefik 1.6 so i don’t now yet how to enable it on traefik v2

PackElend · January 7, 2020, 8:09am

yep , see Run other websites on the same machine as Discourse but it looks like that discourse expect certain header information when the client speaks to proxy via https.

Run other websites on the same machine as Discourse

server {
	listen 80; listen [::]:80;
	server_name forum.example.com;  # <-- change this

	location / {
		proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
		proxy_set_header Host $http_host;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Real-IP $remote_addr;
	}
}

I’ve briefly read into it. I’ll try to translate in text understandable by the nine-to-five user.

yep, see also in Traefik Proxy HTTPS & TLS Overview |Traefik Docs - Traefik. In the beginning, I started with https straight away and certification creation went successful but that is it. Now I have to align it with the knowledge I have gained since then.

So you use https to reach your forum, don’t you?
Can you share the config of Traefik and Discourse? The more is shared the easier it gonna be for me on the weekend.
V1 to v2 guidance is given in Traefik V2 Migration Documentation - Traefik but I try to have it explained here on the weekend.

Cerix · January 7, 2020, 9:11am

OK this is my traefik.toml, not valid for new version v2

defaultEntryPoints = ["http", "https"]

[web]
address = ":8080"
  [web.auth.basic]
  users = ["yourusername:yourpassword"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "XXXXXXXX"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
[acme.httpChallenge]
entryPoint = "http"
minVersion = "VersionTLS12"

part of Discourse Config

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"

expose:
  - "80"   # http ------ just espose container ports 
  - "443" # https ------ you don't need to expose external host port

labels:
  traefik.port: '80'
  traefik.backend: 'mycontainername'
  traefik.frontend.rule: 'Host:www.myhost.com'
  traefik.docker.network: 'mynetworkname'
docker_args:
  - "--network=mynetworkname"

with this config traefik redirect all request from port 80 “http” to port 443 “https”,
enable FORCE HTTPS in discourse admin panel to avoid errors.

PackElend · January 7, 2020, 7:49pm

@pfaffman, I don’t know if notifcation still works, if I quote you reply in another topic, so I tag you.

So your config looks like the one above but

and using Environment variables (this approach is referenced in https://stackoverflow.com/questions/52804610/how-do-you-set-environmental-variables-for-traefik and https://blog.raveland.org/post/traefik_compose)

PackElend · January 11, 2020, 7:32pm

so https works
and I think I understood how that all works . I will try to write it down the comings days

my config

discourse app.yml extract

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  #- "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  #- "80:80"   # http
  #- "443:443" # https
  #- "80"      # http
  #- "443"     # https
  #- "40080:80"
  #- "40443:443"

labels:
  app_name:                                                                     discourse

  #----Traefik lables------------------------
  traefik.enable:                                                               true
  traefik.docker.network:                                                       bridge_proxy_traefikv2

   #---HTTP ROUTER SECTION-------------------
  traefik.http.routers.discourse.rule:                                          Host(`forum.fairbnb.community`)
    #--HTTP SECTION--------------------------
  traefik.http.routers.discourse.entrypoints:                                   web
  traefik.http.routers.discourse.middlewares:                                   discourse_redirect2https         
  #traefik.http.services.discourse.loadbalancer.server.port:                     80  

   #---HTTPS ROUTER SECTION
  traefik.http.routers.discourse_secure.rule:                                   Host(`forum.fairbnb.community`)
    #--HTTPS SECTION
  traefik.http.routers.discourse_secure.entrypoints:                            websecure
  traefik.http.services.discourse_secure.loadbalancer.server.port:              80
    #--TLS SECTION
  traefik.http.routers.discourse_secure.tls.certresolver:                       tlsChallenge_letsencrypt

   #---MIDDLEWARE SECTION redirect http to https
  traefik.http.middlewares.discourse_redirect2https.redirectscheme.scheme:      https

docker_args:
  - "--network=bridge_proxy_traefikv2"
  
params:

Treafik Static Config

global:
  checkNewVersion: true
entryPoints:
  web:
    address: :80
  websecure:
    address: :443

api:
   debug: true

providers:
  docker:
    exposedByDefault: false
    network: bridge_proxy_traefikv2

log:
  level: DEBUG
  filePath: /var/log/traefik-log.log

accessLog:
  filePath: /var/log/traefik-access.log

certificatesResolvers:
  tlsChallenge_letsencrypt:
    acme:
      email: my.secret@gmail.com
      storage: /etc/ssl/certs/letsencrypt/acme.json
      tlsChallenge: {}

pc1oad1etter · February 11, 2020, 8:44am

Greetings,

I used this post as a guide for setting up Discourse to work with Traefik. I have traefik working with another web app.

When I visit the forum.private .com , I get a “404 page not found” error.

Something seems to be working, because I in the Traefik dashboard in the services tab, I can see a discourse@docker and discourse_secure@docker

However, there is nothing for discourse in the routers tab.

The changes I have made to app.yml are here, largely based on the post linked above. I added an an exposed port on the docker arguments at the bottom which seemed to open up the services mentioned above. I’d appreciate any help!

Traefik docker-compose

version: "3.3"

services:
  ################################################
  ####        Traefik Proxy Setup           #####
  ###############################################
  traefik:
    image: traefik:v2.0
    restart: always
    container_name: traefik
    ports:
      - "80:80" # <== http
      - "8080:8080" # <== :8080 is where the dashboard runs on
      - "443:443" # <== https
    command:
    #### These are the CLI commands that will configure Traefik and tell it how to work! ####

      - --api.insecure=true # <== Enabling insecure api, NOT RECOMMENDED FOR PRODUCTION
      - --api.dashboard=true # <== Enabling the dashboard to view services, middlewares, routers, etc...
      - --api.debug=true # <== Enabling additional endpoints for debugging and profiling
      ## Log Settings (options: ERROR, DEBUG, PANIC, FATAL, WARN, INFO) - https://docs.traefik.io/observability/logs/ ##
      - --log.level=DEBUG # <== Setting the level of the logs from traefik
      ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
      - --providers.docker=true # <== Enabling docker as the provider for traefik
      - --providers.docker.exposedbydefault=false # <== Don't expose every container to traefik, only expose enabled ones
      - --providers.file.filename=/dynamic.yaml # <== Referring to a dynamic configuration file
      - --providers.docker.network=web # <== Operate on the docker network named web
      ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ##
      - --entrypoints.web.address=:80 # <== Defining an entrypoint for port :80 named web
      - --entrypoints.web-secured.address=:443 # <== Defining an entrypoint for https on port :443 named web-secured
      ## Certificate Settings (Let's Encrypt) -  https://docs.traefik.io/https/acme/#configuration-examples ##
      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true # <== Enable TLS-ALPN-01 to generate and renew ACME certs
      - --certificatesresolvers.mytlschallenge.acme.email=private@private.com # <== Setting email for certs
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json # <== Defining acme file to store cert information
    volumes:
      - ./letsencrypt:/letsencrypt # <== Volume for certs (TLS)
      - /var/run/docker.sock:/var/run/docker.sock # <== Volume for docker admin
      - ./dynamic.yaml:/dynamic.yaml # <== Volume for dynamic conf file, **ref: line 27
    networks:
      - web # <== Placing traefik on the network named web, to access containers on this network
    labels:
    #### Labels define the behavior and rules of the traefik proxy for this container ####
      - "traefik.enable=true" # <== Enable traefik on itself to view dashboard and assign subdomain to view it
      - "traefik.http.routers.api.rule=Host(`monitor.private.com`)" # <== Setting the domain for the dashboard
      - "traefik.http.routers.api.service=api@internal" # <== Enabling the api to be a service to access


networks:
  web:
    external: true
  backend:
    external: false

volumes:
  db_data: {}
  wordpress:
    external: true
  db:
    external: true

Discourse app.yml

## this is the all-in-one, standalone Discourse Docker container template
##
## After making changes to this file, you MUST rebuild
## /var/discourse/launcher rebuild app
##
## BE *VERY* CAREFUL WHEN EDITING!
## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
## visit http://www.yamllint.com/ to validate this file as needed

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  #- "templates/web.ssl.template.yml"
  # "templates/web.letsencrypt.ssl.template.yml"

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  #- "80:80"   # http
  #- "443:443" # https

params:
  db_default_text_search_config: "pg_catalog.english"

  ## Set db_shared_buffers to a max of 25% of the total memory.
  ## will be set automatically by bootstrap based on detected RAM, or you can override
  db_shared_buffers: "128MB"

  ## can improve sorting performance, but adds memory usage per-connection
  #db_work_mem: "40MB"

  ## Which Git revision should this container use? (default: tests-passed)
  #version: tests-passed

env:
  LANG: en_US.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en

  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  UNICORN_WORKERS: 2

  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: forum.private.com

  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "$hostname-$config")
  #DOCKER_USE_HOSTNAME: true

  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'private@private.com'

  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: in-v3.mailjet.com
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: redacted
  DISCOURSE_SMTP_PASSWORD: "redacted"
  #DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)

  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  LETSENCRYPT_ACCOUNT_EMAIL: private@private.com

  ## The http or https CDN address for this Discourse instance (configured to pull)
  ## see https://meta.discourse.org/t/14857 for details
  #DISCOURSE_CDN_URL: https://discourse-cdn.example.com

## The Docker container is stateless; all data is stored in /shared
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log

## Plugins go here
## see https://meta.discourse.org/t/19157 for details
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git

## Any custom commands to run after building
run:
  - exec: echo "Beginning of custom commands"
  ## If you want to set the 'From' email address for your first registration, uncomment and change:
  ## After getting the first signup email, re-comment the line. It only needs to run once.
  #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
  - exec: echo "End of custom commands"

labels:
  app_name:                                                                     discourse

  #----Traefik lables------------------------
  traefik.enable:                                                               true
  traefik.docker.network:                                                       web

   #---HTTP ROUTER SECTION-------------------
  traefik.http.routers.discourse.rule:                                          Host(`forum.private.com`)
    #--HTTP SECTION--------------------------
  traefik.http.routers.discourse.entrypoints:                                   web
  traefik.http.routers.discourse.middlewares:                                   discourse_redirect2https         
  traefik.http.services.discourse.loadbalancer.server.port:                     80  

   #---HTTPS ROUTER SECTION
  traefik.http.routers.discourse_secure.rule:                                   Host(`forum.private.com`)
    #--HTTPS SECTION
  traefik.http.routers.discourse_secure.entrypoints:                            web-secured
  traefik.http.services.discourse_secure.loadbalancer.server.port:              80
    #--TLS SECTION
  traefik.http.routers.discourse_secure.tls.certresolver:                       tlsChallenge_letsencrypt

   #---MIDDLEWARE SECTION redirect http to https
  traefik.http.middlewares.discourse_redirect2https.redirectscheme.scheme:      https

docker_args:
  - "--network=web"
  - "--expose=80"

Thanks

Topic		Replies	Views
Solved: Discourse behind Traefik Installation	6	1532	June 11, 2022
Configure Discourse - Environment AWS Linux 2 AMI and Apache2 (httpd) Installation advanced-setup	3	2010	July 7, 2023
Discourse with jwilder/nginx-proxy howtos? Installation	12	7799	June 19, 2022
Discourse working with jwilder /nginx proxy & acme-companion Installation	7	4974	February 9, 2022
Install Discourse on a residential internet with Cloudflare Tunnel Sysadmins arm , how-to , raspberry-pi , install	59	7074	October 15, 2024

Discourse with Traefik 2.0

my config

discourse app.yml extract

Treafik Static Config

Related topics