docker-traefik
docker-traefik copied to clipboard
Published
20 hours ago •
htpcBeginner
htpcBeginner
traefik.domain.ext is not receiving SSL certificate when cloudflare proxy is turned on
Thank you so much for sharing and building such beautiful docker-compose ever! :) So helpful.
I am unable to get SSL issued for real cloudflare hosted *.domain.ext SAN no matter what.. Wondering what went wrong and what I am missing..
my docker-compose.yml file:
version: "3.7"
########################### NETWORKS
# Create t2_proxy network
# docker network create t2_proxy
# Alternatively, you can specify the gateway and subnet to use
# docker network create --gateway 192.168.90.1 --subnet 192.168.90.0/24 t2_proxy
# Subnet range 192.168.0.0/16 covers 192.168.0.0 to 192.168.255.255
networks:
t2_proxy:
external:
name: t2_proxy
default:
driver: bridge
########################### SERVICES
services:
############################# FRONTENDS
# Traefik 2 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $USERDIR/docker/traefik2/acme/acme.json
# chmod 600 $USERDIR/docker/traefik2/acme/acme.json
# touch $USERDIR/docker/traefik2/traefik.log
traefik:
container_name: traefik
image: traefik:chevrotin # the chevrotin tag refers to v2.2.x
restart: unless-stopped
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
- --entryPoints.traefik.address=:8080
- --api=true
# - --api.insecure=true
# - --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
- --providers.docker.exposedByDefault=false
# - --entrypoints.https.http.middlewares=chain-authelia@file
# Add dns-cloudflare as default certresolver for all services.
- --entrypoints.https.http.tls.certresolver=dns-cloudflare
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
networks:
t2_proxy:
ipv4_address: 192.168.90.254 # You can specify a static IP
# networks:
# - t2_proxy
security_opt:
- no-new-privileges:true
ports:
# https://www.reddit.com/r/docker/comments/c1wrep/traefik_reverse_proxy_question_docker_overlay/
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
volumes:
- $USERDIR/docker/traefik2/rules:/rules # file provider directory
- /var/run/docker.sock:/var/run/docker.sock:ro
- $USERDIR/docker/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- $USERDIR/docker/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
- $USERDIR/docker/shared:/shared
environment:
- CF_API_EMAIL=$CLOUDFLARE_EMAIL
- CF_API_KEY=$CLOUDFLARE_API_KEY
labels:
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
- "traefik.http.routers.traefik-rtr.tls=true"
- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
- "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAIN1" # Pulls main cert for second domain
- "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAIN1" # Pulls wildcard cert for second domain
## Services - API
- "traefik.http.routers.traefik-rtr.service=api@internal"
## Middlewares
# - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" # No Authentication
# Google OAuth - Single Sign On using OAuth 2.0
# https://hub.docker.com/r/thomseddon/traefik-forward-auth
# https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/
oauth:
container_name: oauth
image: thomseddon/traefik-forward-auth:latest
# image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi
restart: unless-stopped
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
# Allow apps to bypass OAuth. Radarr example below will by pass OAuth if API key is present in the request (eg. from NZB360 mobile app).
# While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of hte apps later.
# command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)"
command: --rule.whmcs.action=allow --rule.whmcs.rule="HeadersRegexp(`X-Forwarded-Uri`, `$WHMCS_API_KEY`)"
environment:
- CLIENT_ID=$GOOGLE_CLIENT_ID
- CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
- SECRET=$OAUTH_SECRET
- COOKIE_DOMAIN=$DOMAINNAME
- INSECURE_COOKIE=false
- AUTH_HOST=oauth.$DOMAINNAME
- URL_PATH=/_oauth
- WHITELIST=$MY_EMAIL
- LOG_LEVEL=trace
- LOG_FORMAT=text
- LIFETIME=2592000 # 30 days
- DEFAULT_ACTION=auth
- DEFAULT_PROVIDER=google
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.oauth-rtr.entrypoints=https"
- "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME`)"
- "traefik.http.routers.oauth-rtr.tls=true"
## Middlewares
- "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.oauth-rtr.service=oauth-svc"
- "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"
# Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
authelia:
container_name: authelia
image: authelia/authelia:latest
restart: always
networks:
t2_proxy:
ipv4_address: 192.168.90.253 # You can specify a static IP
# ports:
# - "9091:9091"
volumes:
- ${USERDIR}/docker/authelia/authelia:/var/lib/authelia
- ${USERDIR}/docker/authelia/configuration.yml:/etc/authelia/configuration.yml:ro
- ${USERDIR}/docker/authelia/users_database.yml:/etc/authelia/users_database.yml
environment:
- TZ=${TZ}
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.authelia-rtr.entrypoints=https"
- "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME`)"
- "traefik.http.routers.authelia-rtr.tls=true"
## Middlewares
- "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file"
## HTTP Services
- "traefik.http.routers.authelia-rtr.service=authelia-svc"
- "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
# Portainer - WebUI for Containers
portainer:
container_name: portainer
image: portainer/portainer:latest
restart: unless-stopped
command: -H unix:///var/run/docker.sock
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
# ports:
# - "$PORTAINER_PORT:9000"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${USERDIR}/docker/portainer/data:/data # Change to local directory if you want to save/transfer config locally
environment:
- TZ=${TZ}
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.portainer-rtr.entrypoints=https"
- "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
- "traefik.http.routers.portainer-rtr.tls=true"
## Middlewares
# - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" # No Authentication
# - "traefik.http.routers.portainer-rtr.middlewares=chain-basic-auth@file" # Basic Authentication
# - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file" # Google OAuth 2.0
- "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" # Authelia
## HTTP Services
- "traefik.http.routers.portainer-rtr.service=portainer-svc"
- "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
############################# SMART HOME
# Mosquitto - MQTT Broker
# Create mosquitto.conf, passwd, mosquitto.log files and set permissions to 775 user:docker
# dexec mosquitto /bin/sh -> mosquitto_passwd -b /mosquitto/config/passwd username passwd
mosquitto:
image: eclipse-mosquitto:latest
container_name: mosquitto
restart: unless-stopped
security_opt:
- no-new-privileges:true
ports:
- "$MOSQUITTO_HTTP_PORT:1883" #http
- "9001:9001" #websockets
# - "$MOSQUITTO_HTTPS_PORT:8883" #https
volumes:
- ${USERDIR}/docker/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf
- ${USERDIR}/docker/mosquitto/config/passwd:/mosquitto/config/passwd
- ${USERDIR}/docker/shared:/shared
environment:
PUID: ${PUID}
PGID: ${PGID}
TZ: ${TZ}
# MotionEye - Video Surveillance
motioneye:
image: ccrisan/motioneye:master-amd64
container_name: motioneye
restart: unless-stopped
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
ports:
- "$MOTIONEYE_CAM1:8081"
- "$MOTIONEYE_CAM2:8082"
- "$MOTIONEYE_PORT:8765"
volumes:
- /etc/localtime:/etc/localtime:ro
- ${USERDIR}/docker/shared:/shared
- ${USERDIR}/docker/motioneye/etc:/etc/motioneye
- ${USERDIR}/docker/motioneye/var:/var/lib/motioneye
environment:
PUID: ${PUID}
PGID: ${PGID}
TZ: ${TZ}
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.motioneye-rtr.entrypoints=https"
- "traefik.http.routers.motioneye-rtr.rule=Host(`meye.$DOMAINNAME`)"
- "traefik.http.routers.motioneye-rtr.tls=true"
## Middlewares
- "traefik.http.routers.motioneye-rtr.middlewares=chain-no-auth@file"
## HTTP Services
- "traefik.http.routers.motioneye-rtr.service=motioneye-svc"
- "traefik.http.services.motioneye-svc.loadbalancer.server.port=8765"
############################# DATABASE
# MariaDB - MySQL Database
mariadb:
container_name: mariadb
# image: linuxserver/mariadb:latest
image: clearlinux/mariadb:latest
command: "mysqld --character_set_server=utf8mb4 --collation_server=utf8mb4_unicode_ci --innodb_file_format=Barracuda --transaction-isolation=READ-COMMITTED --binlog-format=ROW"
restart: always
networks:
# - default
t2_proxy:
ipv4_address: 192.168.90.250
aliases:
- authelia
- mysql
- mariadb
security_opt:
- no-new-privileges:true
# ports:
# - "3306:3306"
volumes:
# - ${USERDIR}/docker/mysql/scripts:/docker-entrypoint-initdb.d:ro
- ${USERDIR}/docker/mariadb/mysql:/var/lib/mysql:rw #Persistent storage
- ${USERDIR}/docker/mariadb/custom_config:/etc/mysql/conf.d:ro
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=${PUID}
- PGID=${PGID}
- MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD
- MYSQL_DATABASE=${AUTHELIA_MYSQL_DB}
- MYSQL_USER=${AUTHELIA_MYSQL_USER}
- MYSQL_PASSWORD=${AUTHELIA_MYSQL_PASSWORD}
healthcheck:
test: ["CMD", "mysqladmin", "ping", "--silent", "-uroot", "-p${MYSQL_ROOT_PASSWORD}"]
interval: 20s
timeout: 10s
retries: 10
# mysql db backup
db-backup:
container_name: db-backup
image: tiredofit/db-backup
depends_on:
- mariadb
volumes:
- ${USERDIR}/docker/mariadb/backups:/backup
- /etc/localtime:/etc/localtime:ro
environment:
#- DB_SERVER=mariadb
- DB_TYPE=mariadb
- DB_HOST=mariadb
- DB_USER=root
- DB_PASS=${MYSQL_ROOT_PASSWORD}
- DB_DUMP_FREQ=1440
- DB_DUMP_BEGIN=+530
#- DB_DUMP_TARGET=${USERDIR}/docker/mariadb/backups
- DB_CLEANUP_TIME=8640
- COMPRESSION=XZ
- SPLIT_DB=TRUE
networks:
- t2_proxy
restart: always
# phpMyAdmin - Database management
# Create a new user with admin privileges. Cannot login as MySQL root for some reason.
phpmyadmin:
image: phpmyadmin/phpmyadmin:latest
container_name: phpmyadmin
restart: unless-stopped
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
# ports:
# - "$PHPMYADMIN_PORT:80"
# volumes:
# - ${USERDIR}/docker/phpmyadmin:/etc/phpmyadmin
environment:
- PMA_HOST=$DB_HOST
- PMA_PORT=$DB_PORT
- PMA_USER=root
- PMA_PASSWORD=$MYSQL_ROOT_PASSWORD
# - PMA_ARBITRARY=1
- PMA_ABSOLUTE_URI=https://pma.$DOMAINNAME
- MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.phpmyadmin-rtr.entrypoints=https"
- "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME`)"
- "traefik.http.routers.phpmyadmin-rtr.tls=true"
## Middlewares
- "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-authelia@file"
## HTTP Services
- "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
- "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"
############################# REDIS
# Redis - Key-value Store
redis:
container_name: redis
image: redis
restart: always
entrypoint: redis-server --appendonly yes
networks:
- t2_proxy
# ports:
# - "6379:6379"
sysctls:
net.core.somaxconn: '65535'
volumes:
- ${USERDIR}/docker/redis/data:/data #Persistent storage
- /etc/localtime:/etc/localtime:ro
#- ${USERDIR}/docker/redis/redis.conf:/usr/local/etc/redis/redis.conf
# Redis Commander - Redis Management Tool
rediscommander:
container_name: rediscommander
image: rediscommander/redis-commander
restart: always
depends_on:
- redis
networks:
- t2_proxy
# ports:
# - "8081:8081"
environment:
- REDIS_HOST=redis
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.rediscommander-rtr.entrypoints=https"
- "traefik.http.routers.rediscommander-rtr.rule=Host(`rediscmd.$DOMAINNAME`)"
- "traefik.http.routers.rediscommander-rtr.tls=true"
## Middlewares
# - "traefik.http.routers.rediscommander-rtr.middlewares=chain-no-auth@file"
- "traefik.http.routers.rediscommander-rtr.middlewares=chain-authelia@file" # Authelia
## HTTP Services
- "traefik.http.routers.rediscommander-rtr.service=rediscommander-svc"
- "traefik.http.services.rediscommander-svc.loadbalancer.server.port=8081"
File1: middlewares.toml
[http.middlewares.middlewares-basic-auth]
[http.middlewares.middlewares-basic-auth.basicAuth]
# users = [
# "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1",
# ]
realm = "Traefik2 Basic Auth"
usersFile = "/shared/.htpasswd" #be sure to mount the volume through docker-compose.yml
[http.middlewares]
[http.middlewares.middlewares-rate-limit]
[http.middlewares.middlewares-rate-limit.rateLimit]
average = 100
burst = 50
# Available Header Options:
#####https://github.com/unrolled/secure#available-options
#####https://docs.traefik.io/middlewares/headers/
# A great resource for these headers is your preferred browser's docs. Firefox: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
# https://developers.google.com/search/reference/robots_meta_tag
# https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md
# CSP for VNC: https://github.com/cockpit-project/cockpit/pull/5932
# Check headers here, don't include OAuth when checking headers, otherwise you are checking google's headers: https://securityheaders.com
# or check them here: https://observatory.mozilla.org/
# CAUTION: Any headers defined in docker-compose (yml) will OVERWRITE ALL of the headers defined below.
[http.middlewares.middlewares-secure-headers]
[http.middlewares.middlewares-secure-headers.headers]
accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlMaxAge = 100
hostsProxyHeaders = ["X-Forwarded-Host"]
sslRedirect = true
stsSeconds = 63072000
stsIncludeSubdomains = true
stsPreload = true
forceSTSHeader = true
# frameDeny = true #overwritten by customFrameOptionsValue
customFrameOptionsValue = "allow-from https:sxxxxxxxx.com" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff = true
browserXssFilter = true
# sslForceHost = true # add sslHost and all of the
# sslHost = "example.com"
referrerPolicy = "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy = "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
[http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
server = ""
[http.middlewares.middlewares-oauth]
[http.middlewares.middlewares-oauth.forwardAuth]
address = "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
trustForwardHeader = true
authResponseHeaders = ["X-Forwarded-User"]
[http.middlewares.middlewares-authelia]
[http.middlewares.middlewares-authelia.forwardAuth]
address = "http://authelia:9091/api/verify?rd=https://authelia.sxxxxxxxx.com"
trustForwardHeader = true
authResponseHeaders = ["Remote-User", "Remote-Groups"]
File2: middlewares-chains.toml
[http.middlewares]
[http.middlewares.chain-no-auth]
[http.middlewares.chain-no-auth.chain]
middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers"]
[http.middlewares.chain-basic-auth]
[http.middlewares.chain-basic-auth.chain]
middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-basic-auth"]
[http.middlewares.chain-oauth]
[http.middlewares.chain-oauth.chain]
middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-oauth"]
[http.middlewares.chain-authelia]
[http.middlewares.chain-authelia.chain]
middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-authelia"]
~/docker & ~/docker/traefik/rules/ directory
Cloudflare
Do you get this fixed? I do not see an A record. I assume you have that in your DNS list.
Also, did you look at your traefik logs for errors?
EDIT. I will leave it in here but this is really not an issue but a support request.
A Record exists, rest are CNAME records. This issue started soon after you introduced Authelia, So i might revert back to old Traefik docker-compose instructions to find out if that works.
Sure, I don't want to take anymore of your valuable time. Thanks anyway.
I will keep posted for anyone who might have got into similar issue, if I find any solution.
Check that the folder for the acme.json is there and also double check it's permission / ownership. Do a tail of your docker logs on traefik and see if it's failing somewhere.
Can you try disabling SSL for the ACME requests?
Create a Page Rule in cloudflare with the address:
*yourdomain.net/.well-known/acme-challenge/*
and set SSL to Off.
All of the links I had bookmarked regarding this are broken now, but there is a CF community post about it here: https://community.cloudflare.com/t/lets-encrypt-acme-challenge-with-cloudflare/103109
I'm basically doing what the top poster asked about, using the SSL Off rule above.
Did you ever solve this? I am facing the same issue right now when trying to get renewed certificates, because the old ones expired.
