you don’t need that, better switch to the API and use traefik v2.1, so:
- "traefik.http.routers.traefik_dashboard-router.service=api@internal"
See Endless 502 / forwarding when calling dashboard via subdomain #6123 - #5 by ldez - Traefik v2 - Traefik Labs Community Forum
can you remove your comments
it make it easier to read for us.
No worries I was told the same once :).
I write my comments in extra line, so I can create a clean print easily using cat traefikV2.yaml | grep -v "#"
Okay, took me a few days to get to this. I have redone my Traefik configuration to use a yaml file instead of putting it all in docker-compose. However, after wiring everything up again, I seem to get the same or similar behavior – I am getting a 404 at my domain, and in the Traefik dashboard I see entrie under Services and routers for discourse, but nothing under routers.
version: '3'
services:
traefik:
image: traefik:v2.0
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/acme.json:/acme.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`monitor.example.com`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=user:redacted"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`monitor.example.com`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=http"
- "traefik.http.routers.traefik-secure.service=api@internal"
networks:
proxy:
external: true
api:
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
certificatesResolvers:
http:
acme:
email: nick@innomadic.com
storage: acme.json
httpChallenge:
entryPoint: http
templates:
- "templates/postgres.template.yml"
- "templates/redis.template.yml"
- "templates/web.template.yml"
- "templates/web.ratelimited.template.yml"
expose:
params:
db_default_text_search_config: "pg_catalog.english"
db_shared_buffers: "128MB"
env:
LANG: en_US.UTF-8
UNICORN_WORKERS: 2
DISCOURSE_HOSTNAME: forum.example.com
DISCOURSE_DEVELOPER_EMAILS: 'info@example.com'
DISCOURSE_SMTP_ADDRESS: redacted.com
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: redacted
DISCOURSE_SMTP_PASSWORD: "redacted"
LETSENCRYPT_ACCOUNT_EMAIL: info@example.com
volumes:
- volume:
host: /var/discourse/shared/standalone
guest: /shared
- volume:
host: /var/discourse/shared/standalone/log/var-log
guest: /var/log
hooks:
after_code:
- exec:
cd: $home/plugins
cmd:
- git clone https://github.com/discourse/docker_manager.git
run:
- exec: echo "Beginning of custom commands"
- exec: echo "End of custom commands"
labels:
app_name: discourse
traefik.enable: true
traefik.docker.network: proxy
traefik.http.routers.discourse.rule: Host(`forum.example.com`)
traefik.http.routers.discourse.entrypoints: http
traefik.http.routers.discourse.middlewares: discourse_redirect2https
traefik.http.services.discourse.loadbalancer.server.port: 80
traefik.http.routers.discourse_secure.rule: Host(`forum.example.com`)
traefik.http.routers.discourse_secure.entrypoints: https
traefik.http.services.discourse_secure.loadbalancer.server.port: 80
traefik.http.routers.discourse_secure.tls.certresolver: tlsChallenge_letsencrypt
traefik.http.middlewares.discourse_redirect2https.redirectscheme.scheme: https
docker_args:
- "--network=proxy"
- "--expose=80"
I think I ran the docker network connect proxy command as well to attach this to the traefik network.
I appreciate any help to see what I’m missing here, and also I would love to hear if I have my security ducks in a row.
I don’t know what you’re missing. Here’s what I do in Ansible to crank up sites with traefik:
--docker-args "-l traefik.frontend.rule=Host:{{discourse_hostname}} \
-l traefik.frontend.entryPoints=https \
-l traefik.backend={{discourse_shortname}} \
-l traefik.port=80"
And then do
./launcher start {{ discourse_yml }} {{ docker_args }}
Adding the traefik rules in docker_args rather than in the yml has the added benefit of not having traefik pay attention to the container that’s getting bootstrapped.
I think that is Traefik v1 maybe?
Oh. Sorry. Yeah, I’m pretty sure that’s traefik 1, so I’m not going to be any help with specifics.
It doesn’t look like you’re setting any values in those labels in app.yml? I think that you need to set a rule and, maybe a middleware?
If you won’t want down time during a bootstrap you’ll want to set them with ./launcher start as in my example.
Maybe “middleware” is what used to be “backend”? You’ll need to do something to establish that the Discourse container is the server you want and . . . something else . . . to connect some front end/url with the appropriate backend/server.
They are being set, but you have to scroll a bit to the right to see them. Just a formatting thing.
Thanks
LOL. Sorry about that.
Well, I have no idea what I’m talking about, but it doesn’t make sense to me that you’d configure your discourse@docker as a load balancer.
Hey I think I got it.
I removed the line:
# traefik.http.services.discourse_secure.loadbalancer.server.port: 80
but left this one:
traefik.http.services.discourse.loadbalancer.server.port: 80
labels:
app_name: discourse
#----Traefik lables------------------------
traefik.enable: true
traefik.docker.network: proxy
#---HTTP ROUTER SECTION-------------------
traefik.http.routers.discourse.rule: Host(`forum.example.com`)
#--HTTP SECTION--------------------------
traefik.http.routers.discourse.entrypoints: http
traefik.http.routers.discourse.middlewares: discourse_redirect2https
traefik.http.services.discourse.loadbalancer.server.port: 80
#---HTTPS ROUTER SECTION
traefik.http.routers.discourse_secure.rule: Host(`forum.example.com`)
#--HTTPS SECTION
traefik.http.routers.discourse_secure.entrypoints: https
# traefik.http.services.discourse_secure.loadbalancer.server.port: 80
#--TLS SECTION
traefik.http.routers.discourse_secure.tls.certresolver: tlsChallenge_letsencrypt
#---MIDDLEWARE SECTION redirect http to https
traefik.http.middlewares.discourse_redirect2https.redirectscheme.scheme: https
Not sure how I got that or why it is the way it is, but it works. So using all of the configuration I posted above in the thread, but making this one change, is working for me now.
Thanks all!
that is correct.
I put that in my config:
#—SERVICE SECTION tell treafik where to send the request
traefik.http.services.discourse.loadbalancer.server.port: 80
does that ring a bell?
What are you doing here is to tell to whom (service) the request is send to and at what port.
You could solve it also by using expose but than for a security perspective you want expose as little as possible of you containers. In addition, traefik picks the first port if yuo expose multiple ports, so using loadbalancer is cleaner
I don’t do that as this path is the default path
you don’t work with the full path here, using an default path. I don’t like this because you have to keep in mind the path. I do storage: /etc/ssl/certs/letsencrypt/acme.json
I define the network, I don’t like default settings
providers: docker: exposedByDefault: false network: bridge_proxy_traefikv2
you don’t need to do this, this is done by loadbalancer
you may want to give this network a name, in my case
networks: traefik: external: name: bridge_proxy_traefikv2
I’ve been working through your suggestions here. Thank you for your response.
I should point out that for the endpoint you say to trust the default and for the storage location you say you don’t like to trust defaults. 
I did try to make the change for acme.json you mentioned:
However, my traefik container did not find the file then. It showed up as an error in the log. So I have left it as acme.json for now.
I wanted to ask about this one though:
Aren’t you just renaming the network here, or giving it a localized name? I think I just referred to it as proxy in the other configuration and here locally. It still has a name that I defined, I am just not renaming it. At least that’s my understanding.
I have one final notable concern. I noticed after my “Success!” post above that although HTTPS is working, I am getting mixed content warning. So not everything is getting encrypted.
I am getting the mixed content error for my Discourse installation, but not the Wordpress installation I have on the same server. So it must be particular to my Discourse settings.
Looking in the developer console I see:
Loading mixed (insecure) display content “http://talk.redacted.com/uploads/default/optimized/1X/_129430568242d1b7f853bb13ebea28b3f6af4e7_2_180x180.png” on a secure page FaviconLoader.jsm:174:19
So maybe somehow my redirect is not working properly?
I am attaching relevant files below for review.
api:
dashboard: true
entryPoints:
http:
address: “:80”
https:
address: “:443”
providers:
docker:
exposedByDefault: false
network: proxy
certificatesResolvers:
http:
acme:
email: info@private.com
storage: acme.json
httpChallenge:
entryPoint: http
version: ‘3’
services:
traefik:
image: traefik:v2.0
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/acme.json:/acme.json
labels:
- “traefik.enable=true”
- “traefik.http.routers.traefik.entrypoints=http”
- “traefik.http.routers.traefik.rule=Host(monitor.private.com)”
- "traefik.http.middlewares.traefik-auth.basicauth.users=private:private”
- “traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https”
- “traefik.http.routers.traefik.middlewares=traefik-https-redirect”
- “traefik.http.routers.traefik-secure.entrypoints=https”
- “traefik.http.routers.traefik-secure.rule=Host(monitor.private.com)”
- “traefik.http.routers.traefik-secure.middlewares=traefik-auth”
- “traefik.http.routers.traefik-secure.tls=true”
- “traefik.http.routers.traefik-secure.tls.certresolver=http”
- “traefik.http.routers.traefik-secure.service=api@internal”
networks:
proxy:
external: true
templates:
expose:
params:
db_default_text_search_config: “pg_catalog.english”
db_shared_buffers: “128MB”
env:
LANG: en_US.UTF-8
UNICORN_WORKERS: 2
DISCOURSE_HOSTNAME: talk.private.com
DISCOURSE_DEVELOPER_EMAILS: ‘info@private.com’
LETSENCRYPT_ACCOUNT_EMAIL: info@private.com
volumes:
hooks:
after_code:
- exec:
cd: $home/plugins
cmd:
- git clone https://github.com/discourse/docker_manager.git
run:
labels:
app_name: discourse
traefik.enable: true
traefik.docker.network: proxy
traefik.http.routers.discourse.rule: Host(talk.private.com)
traefik.http.routers.discourse.entrypoints: http
traefik.http.routers.discourse.middlewares: discourse_redirect2https
traefik.http.services.discourse.loadbalancer.server.port: 80
traefik.http.routers.discourse_secure.rule: Host(talk.private.com)
traefik.http.routers.discourse_secure.entrypoints: https
traefik.http.routers.discourse_secure.tls: true
traefik.http.routers.discourse_secure.service: discourse
traefik.http.routers.discourse_secure.tls.certresolver: http
traefik.http.middlewares.discourse_redirect2https.redirectscheme.scheme: https
docker_args:
So, any thoughts about why I’m getting the mixed content error?
Well, for a moment I thought discourse had become sentient because I got this notification in my admin view:
However, I made this change and still got the mixed content error. I also logged out, deleted cache and logged in again. Same thing.
It looks like my login requests are still encrypted, so that’s good, I guess, but I need to get ride of this mixed content error. Configuration is above in the previous post.
Another update: the mixed content warning is now gone. I’m not clear why. I guess that it’s related to the force_https setting, however, it I didn’t get a clean page load for maybe 30 minutes after I changed the setting, despite the fact that I cleared my cache and logged out and in, as I noted above.
The good news is I seem to have a functioning Discourse installation behind a Traefic reverse proxy.
it is the pics, what are sourced via http connections, had the same problem, see:
have you mounted the volume correctly, traefik can be quite confusing when it comes to the paths.
I do e.g.:
volumes: - /etc/ssl/certs/traefik/letsencrypt:/etc/ssl/certs/letsencrypt - /opt/traefik/traefik-config.yaml:/etc/traefik/traefik.yaml - /etc/passwd.traefik.dashboard:/etc/passwd.BasicAuth.dashboard - /etc/passwd.traefik.whoami:/etc/passwd.BasicAuth.whoami
I cannot remember but there was a reason for it, maybe to see it well in the CLI when listing networks
No I did not mount like this. Here is is my volumes section from docker-compose for traefik:
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/acme.json:/acme.json
I notice that mine doesn’t even mention let’s encypt, whereas yours does. I guess you created that deeply nested folder in your docker-compose directory, and put your acme.json?
the other things I notice is that I have this docker/sock and localtime. Not sure what the localtime one is, and maybe the docker.sock statement is a security problem. Need to read up on that.
let’s encrypt cert creation is done by Traefik. Mounting a volume allows me to have it stored on the host instead of the docker
I recall that getting all the mounting done was a real hassle, did allo of checks doing docker exec -it
lsdirviI see. How is that beneficial?
Also, I tried removing - "/var/run/docker.sock:/var/run/docker.sock" from my traefik docker-compose, and everything 404s. I see some scary warnings about using this, but it comes straight from the Traefik website and I’m not sure how to get it to work without it.
I am using this post as a guide to set up a proxy… for my proxy (?!) to make it more secure than it was before with this /var/run/docker.sock.
I am a little bit unclear on whetehr the socket-proxy ‘proxy’ network should be the same network I was using for my main traefik proxy network or if it should be separate. Which I guess could also mess up my security if I misunderstood it.
this is also mentioned here
https://docs.traefik.io/v2.0/providers/docker/#docker-api-access
I suggest to start a discussion about this in https://community.containo.us/ to come up with proper hardening guide.
I rose my safety concerns here: Learning how to secure Traefik ending up with some safety concerns - Traefik v2 - Traefik Labs Community Forum what received some likes but no answer.
That should be combined with docker hardening guides https://owasp.org/www-project-cheat-sheets/cheatsheets/Docker_Security_Cheat_Sheet.html
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.