@x-yuri
Last active August 8, 2024 07:56
traefik

traefik/bc.sh:

#!/usr/bin/env bash
set -eu
service=(
    --project traefik
    --name traefik
    --image traefik:v3.1

    --cmd --entryPoints.http.address=:80
    --cmd --entryPoints.https.address=:443

    # --cmd --providers.docker
    --cmd --providers.docker.exposedbydefault=false

    --cmd --certificatesresolvers.tls-resolver.acme.email=me@gmail.com
    --cmd --certificatesresolvers.tls-resolver.acme.storage=acme/json
    # --cmd --certificatesresolvers.tls-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    --cmd --certificatesresolvers.tls-resolver.acme.tlschallenge

    # --cmd --certificatesresolvers.http-resolver.acme.email=me@gmail.com
    # --cmd --certificatesresolvers.http-resolver.acme.storage=acme/http
    # # --cmd --certificatesresolvers.http-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    # # --cmd --certificatesresolvers.http-resolver.acme.httpchallenge
    # --cmd --certificatesresolvers.http-resolver.acme.httpchallenge.entrypoint=http

    --cmd --accesslog
    --cmd --log.level=DEBUG

    --args -p 80:80
    --args -p 443:443

    --cmd --api
    # --cmd --api.dashboard=false

    --args -l traefik.enable=true

    --args -l traefik.http.routers.traefik-http.rule=Host'("traefik.example.com")'
    --args -l traefik.http.middlewares.redirect.redirectscheme.scheme=https
    --args -l traefik.http.routers.traefik-http.middlewares=redirect

    --args -l traefik.http.routers.traefik-https.rule=Host'("traefik.example.com")'
    # --args -l traefik.http.routers.traefik-https.rule='Host("traefik.example.com") && (PathPrefix("/api") || PathPrefix("/dashboard"))'
    --args -l traefik.http.routers.traefik-https.service=api@internal
    --args -l traefik.http.middlewares.ip-access.ipallowlist.sourcerange=IP
    --args -l traefik.http.middlewares.auth.basicauth.users=test:'$2y$05$7J1ejS9JHV8z1wYRkjF6/ehHi2PFZn1kkHdql2.O/NCaygTkuzZeu'
    --args -l traefik.http.routers.traefik-https.middlewares=ip-access,auth
    --args -l traefik.http.routers.traefik-https.tls.certresolver=tls-resolver
    # --args -l traefik.http.routers.traefik-https.tls.certresolver=http-resolver

    --args -v /var/run/docker.sock:/var/run/docker.sock:ro
    --args -v traefik_acme:/acme
)
~/bcompose/bc.sh \
    "${service[@]}" \
    -- \
    "$@"

prj/bc.sh:

#!/usr/bin/env bash
set -eu
service=(
    --project prj
    --name whoami
    --image traefik/whoami
    --external-network traefik

    --args -l traefik.enable=true
    # the network label tells traefik which network (and so which container IP) to route to
    --args -l traefik.docker.network=traefik

    --args -l traefik.http.routers.whoami-http.rule=Host'("example.com")'
    # a middleware can be defined multiple times (the same name) if the settings are the same
    --args -l traefik.http.middlewares.redirect.redirectscheme.scheme=https
    --args -l traefik.http.routers.whoami-http.middlewares=redirect

    --args -l traefik.http.routers.whoami-https.rule=Host'("example.com")'
    --args -l traefik.http.middlewares.ip-access.ipallowlist.sourcerange=IP
    --args -l traefik.http.middlewares.auth.basicauth.users=test:'$2y$05$7J1ejS9JHV8z1wYRkjF6/ehHi2PFZn1kkHdql2.O/NCaygTkuzZeu'
    --args -l traefik.http.routers.whoami-https.middlewares=ip-access,auth
    --args -l traefik.http.routers.whoami-https.tls.certresolver=tls-resolver
    # --args -l traefik.http.routers.whoami-https.tls.certresolver=http-resolver
)
~/bcompose/bc.sh \
    "${service[@]}" \
    -- \
    "$@"

$ curl -sSu test:password --location-trusted example.com
$ curl -sSu test:password --location-trusted traefik.example.com/api/rawdata | jq -C . | less -R

HTTPS router can't accept HTTP requests:

When a TLS section is specified, it instructs Traefik that the current router is dedicated to HTTPS requests only (and that the router should ignore HTTP (non TLS) requests).

https://doc.traefik.io/traefik/routing/routers/#general

In the rules one has to use backticks or double quotes:

To set the value of a rule, use backticks ` or escaped double-quotes \". Single quotes ' are not accepted since the values are Go's String Literals.

https://doc.traefik.io/traefik/routing/routers/#rule
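The two scripts above and the two notes that follow them boil down to a handful of rules about docker labels: rule values must be quoted with backticks or double quotes, a router with a tls section is HTTPS-only and so needs a sibling HTTP router with the redirect middleware, the dashboard router (api@internal) must sit behind basicauth or an ipallowlist, and sourcerange has to be a real IP or CIDR (the gist leaves the placeholder IP in). The linter below is an added example, not part of the gist and not Traefik's own tooling; it runs over the labels as docker receives them once the shell quoting in bc.sh is resolved (the GIST_TRAEFIK_LABELS list is constructed from the traefik service, with the IP placeholder kept so there is something to flag). The bcrypt cost threshold of 10 is this example's own choice.

```python
import ipaddress
import re
from collections import defaultdict

# Labels as docker receives them once bc.sh's shell quoting is resolved
# (constructed from the gist's traefik service; the `IP` placeholder is kept
# on purpose so the linter has something to flag).
GIST_TRAEFIK_LABELS = [
    "traefik.enable=true",
    'traefik.http.routers.traefik-http.rule=Host("traefik.example.com")',
    "traefik.http.middlewares.redirect.redirectscheme.scheme=https",
    "traefik.http.routers.traefik-http.middlewares=redirect",
    'traefik.http.routers.traefik-https.rule=Host("traefik.example.com")',
    "traefik.http.routers.traefik-https.service=api@internal",
    "traefik.http.middlewares.ip-access.ipallowlist.sourcerange=IP",
    "traefik.http.middlewares.auth.basicauth.users="
    "test:$2y$05$7J1ejS9JHV8z1wYRkjF6/ehHi2PFZn1kkHdql2.O/NCaygTkuzZeu",
    "traefik.http.routers.traefik-https.middlewares=ip-access,auth",
    "traefik.http.routers.traefik-https.tls.certresolver=tls-resolver",
]

HOST_RE = re.compile(r"Host\(\s*([`\"])([^`\"]+)\1\s*\)")  # backtick- or double-quoted host
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")  # $2y$<cost>$<salt+hash>


def parse_labels(labels):
    """Group `key=value` labels into routers, middlewares and everything else."""
    routers, middlewares, other = defaultdict(dict), defaultdict(dict), {}
    for item in labels:
        key, _, value = item.partition("=")
        parts = key.split(".")
        if parts[:3] == ["traefik", "http", "routers"] and len(parts) > 4:
            routers[parts[3]][".".join(parts[4:])] = value
        elif parts[:3] == ["traefik", "http", "middlewares"] and len(parts) > 4:
            middlewares[parts[3]][".".join(parts[4:])] = value
        else:
            other[key] = value
    return routers, middlewares, other


def _has_tls(cfg):
    return any(k == "tls" or k.startswith("tls.") for k in cfg)


def _hosts(cfg):
    return {host for _, host in HOST_RE.findall(cfg.get("rule", ""))}


def _middlewares_of(cfg):
    return set(filter(None, cfg.get("middlewares", "").split(",")))


def lint_labels(labels):
    """Return [(level, message)] with level 'error' or 'warning'."""
    routers, middlewares, _ = parse_labels(labels)
    findings = []
    redirecting = {n for n, c in middlewares.items() if c.get("redirectscheme.scheme") == "https"}
    protecting = {n for n, c in middlewares.items()
                  if "basicauth.users" in c or "ipallowlist.sourcerange" in c}

    for name, cfg in routers.items():
        if "'" in cfg.get("rule", ""):
            findings.append(("error", f"router {name}: rule uses single quotes; "
                             "Traefik accepts only backticks or double quotes"))
        mws = _middlewares_of(cfg)
        for mw in sorted(mws - set(middlewares)):
            findings.append(("error", f"router {name}: middleware {mw} is undefined"))
        if _has_tls(cfg):
            # A router with a tls section ignores plain HTTP, so the same host needs
            # a separate HTTP router that carries a redirect-to-https middleware.
            paired = any(o is not cfg and not _has_tls(o) and _hosts(o) & _hosts(cfg)
                         and _middlewares_of(o) & redirecting for o in routers.values())
            if not paired:
                findings.append(("warning", f"router {name}: HTTPS-only router without "
                                 f"an HTTP router redirecting {sorted(_hosts(cfg))}"))
        if cfg.get("service") == "api@internal" and not mws & protecting:
            findings.append(("error", f"router {name}: exposes api@internal "
                             "without basicauth or ipallowlist"))

    for name, cfg in middlewares.items():
        for entry in filter(None, cfg.get("basicauth.users", "").split(",")):
            user, _, digest = entry.partition(":")
            m = BCRYPT_RE.match(digest)
            if not m:
                findings.append(("error", f"middleware {name}: user {user} has no bcrypt hash"))
            elif int(m.group(1)) < 10:
                findings.append(("warning", f"middleware {name}: user {user} bcrypt cost "
                                 f"{m.group(1)} is low; 10 or more is customary"))
        for cidr in filter(None, cfg.get("ipallowlist.sourcerange", "").split(",")):
            try:
                ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:
                findings.append(("error", f"middleware {name}: sourcerange {cidr!r} "
                                 "is not an IP address or CIDR"))
    return findings
```

Running lint_labels(GIST_TRAEFIK_LABELS) reports two things: the IP placeholder in sourcerange (an error, since Traefik would not accept it) and the cost-5 bcrypt hash in the basicauth label (a warning). The same labels with a proper CIDR and a cost-10 hash pass cleanly, and a router whose rule uses single quotes, or that exposes api@internal with no protecting middleware, is reported as an error.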

Traefik logs its static configuration at startup when --log.level=DEBUG is set:

2024-08-08T07:32:44Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:101 > Traefik version 3.1.1 built on 2024-07-30T13:55:22Z version=3.1.1
2024-08-08T07:32:44Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:108 > Static configuration loaded [json] staticConfiguration={
    accessLog: {
        fields: {defaultMode:"keep", headers: {defaultMode: "drop"}},
        filters: {},
        format: "common"
    },
    api: {dashboard: true},
    certificatesResolvers: {
        tls-resolver: {
            acme: {
                caServer: "https://acme-v02.api.letsencrypt.org/directory",
                certificatesDuration: 2160,
                email: "me@gmail.com",
                keyType: "RSA4096",
                storage: "acme/json",
                tlsChallenge: {}
            }
        }
    },
    entryPoints: {
        http: {
            address: ":80",
            forwardedHeaders: {},
            http: {},
            http2: {maxConcurrentStreams: 250},
            transport: {
                lifeCycle: {graceTimeOut: "10s"},
                respondingTimeouts: {idleTimeout: "3m0s", readTimeout: "1m0s"}
            },
            udp: {timeout: "3s"}
        },
        https: {
            address: ":443",
            forwardedHeaders: {},
            http: {},
            http2: {maxConcurrentStreams: 250},
            transport: {
                lifeCycle: {graceTimeOut: "10s"},
                respondingTimeouts: {idleTimeout: "3m0s", readTimeout: "1m0s"}
            },
            udp: {timeout: "3s"}
        }
    },
    global: {checkNewVersion: true},
    log: {format: "common", level: "DEBUG"},
    providers: {
        docker: {
            defaultRule: "Host(`{{ normalize .Name }}`)",
            endpoint: "unix:///var/run/docker.sock",
            watch: true
        },
        providersThrottleDuration: "2s"
    },
    serversTransport: {maxIdleConnsPerHost: 200},
    tcpServersTransport: {dialKeepAlive: "15s", dialTimeout: "30s"}
}
...
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384
    > Trying to challenge certificate for domain [traefik.example.com] found in HostSNI rule
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851
    > Looking for provided certificate(s) to validate ["traefik.example.com"]...
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:897
    > Domains need ACME certificates generation for domains "traefik.example.com".
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    domains=["traefik.example.com"]
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:619
    > Loading ACME certificates [traefik.example.com]...
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:251
    > Building ACME client...
    providerName=tls-resolver.acme
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:257
    > https://acme-v02.api.letsencrypt.org/directory
    providerName=tls-resolver.acme
2024-08-08T07:32:46Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:371
    > Register...
    providerName=tls-resolver.acme
2024-08-08T07:32:46Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
    > [INFO] acme: Registering account for me@gmail.com
    lib=lego
2024-08-08T07:32:46Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:331
    > Using TLS Challenge provider.
    providerName=tls-resolver.acme
2024-08-08T07:32:46Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
    > [INFO] [traefik.example.com] acme: Obtaining bundled SAN certificate
    lib=lego
2024-08-08T07:32:48Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
    > [INFO] [traefik.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/387571547766
    lib=lego
2024-08-08T07:32:48Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
    > [INFO] [traefik.example.com] acme: use tls-alpn-01 solver
    lib=lego
2024-08-08T07:32:48Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
    > [INFO] [traefik.example.com] acme: Trying to solve TLS-ALPN-01
    lib=lego
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_tls.go:42
    > TLS Challenge Present temp certificate for traefik.example.com
    providerName=tlsalpn.acme
...
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:131
    > Adding certificate for domain(s) acme challenge temp,traefik.example.com
...
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384
    > Trying to challenge certificate for domain [traefik.example.com] found in HostSNI rule
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851
    > Looking for provided certificate(s) to validate ["traefik.example.com"]...
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895
    > No ACME certificate generation required for domains
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    domains=["traefik.example.com"]
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:54Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
    > [INFO] [traefik.example.com] The server validated our request
    lib=lego
2024-08-08T07:32:54Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_tls.go:89
    > TLS Challenge CleanUp temp certificate for traefik.example.com
    providerName=tlsalpn.acme
2024-08-08T07:32:54Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
    > [INFO] [traefik.example.com] acme: Validations succeeded; requesting certificates
    lib=lego
...
2024-08-08T07:32:55Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384
    > Trying to challenge certificate for domain [traefik.example.com] found in HostSNI rule
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:55Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851
    > Looking for provided certificate(s) to validate ["traefik.example.com"]...
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:55Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895
    > No ACME certificate generation required for domains
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    domains=["traefik.example.com"]
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:58Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
    > [INFO] [traefik.example.com] Server responded with a certificate.
    lib=lego
2024-08-08T07:32:58Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:643
    > Certificates obtained for domains [traefik.example.com]
    ACME CA=https://acme-v02.api.letsencrypt.org/directory
    acmeCA=https://acme-v02.api.letsencrypt.org/directory
    providerName=tls-resolver.acme
    routerName=traefik-https@docker
    rule="Host(\"traefik.example.com\")"
...
2024-08-08T07:32:58Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:131
    > Adding certificate for domain(s) traefik.example.com
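The DEBUG log above is the whole TLS-ALPN-01 lifecycle for one domain: a temporary challenge certificate is presented on the HTTPS entrypoint, the CA validates it, the temporary certificate is cleaned up, and the real certificate is obtained and added. The script below is an added example, not part of the gist and not Traefik's own code; it reads records in that console format (one record per line, whereas the gist shows them wrapped) and rebuilds the per-domain timeline, so an operator can confirm from logs alone that issuance completed, see how long it took, and spot a domain whose challenge certificate was presented but never cleaned up. SAMPLE_LOG is constructed: the traefik.example.com records mirror the gist's run, and example.com is given only a Present record to stand for a challenge that never finished. The ca_servers helper pulls the directory URL out of the records so a test run against the commented-out staging caserver is recognisable.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed DEBUG records in Traefik's console log format, one record per line
# (the gist shows the same kind of records wrapped over several lines). The
# traefik.example.com records mirror the gist's run; example.com is given only a
# "Present" record to stand for a challenge that never completed.
SAMPLE_LOG = """\
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384 > Trying to challenge certificate for domain [traefik.example.com] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory providerName=tls-resolver.acme routerName=traefik-https@docker
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_tls.go:42 > TLS Challenge Present temp certificate for traefik.example.com providerName=tlsalpn.acme
2024-08-08T07:32:54Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [traefik.example.com] The server validated our request lib=lego
2024-08-08T07:32:54Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_tls.go:89 > TLS Challenge CleanUp temp certificate for traefik.example.com providerName=tlsalpn.acme
2024-08-08T07:32:58Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:643 > Certificates obtained for domains [traefik.example.com] ACME CA=https://acme-v02.api.letsencrypt.org/directory providerName=tls-resolver.acme routerName=traefik-https@docker
2024-08-08T07:33:10Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_tls.go:42 > TLS Challenge Present temp certificate for example.com providerName=tlsalpn.acme
"""

# <timestamp> <LVL> <caller> > <message and key=value fields>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]{3}) (?P<caller>\S+) > (?P<msg>.*)$")
CA_RE = re.compile(r"ACME CA=(\S+)")

# Message fragments from the gist's log, in the order a successful TLS-ALPN-01
# issuance produces them; group 1 is the domain (or comma-joined domains).
EVENTS = [
    ("present", re.compile(r"TLS Challenge Present temp certificate for (\S+)")),
    ("validated", re.compile(r"\[(\S+)\] The server validated our request")),
    ("cleanup", re.compile(r"TLS Challenge CleanUp temp certificate for (\S+)")),
    ("obtained", re.compile(r"Certificates obtained for domains \[([^\]]+)\]")),
]


def parse_acme_events(text):
    """Yield (timestamp, event, domain) for the challenge-related records."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        for event, pattern in EVENTS:
            hit = pattern.search(m.group("msg"))
            if hit:
                for domain in hit.group(1).split(","):
                    yield m.group("ts"), event, domain.strip()
                break


def ca_servers(text):
    """Directory URLs seen in the log, to confirm staging vs production."""
    return set(CA_RE.findall(text))


def summarize_challenges(text):
    """Per domain: event sequence, outcome and seconds from first to last event."""
    per_domain = defaultdict(list)
    for ts, event, domain in parse_acme_events(text):
        per_domain[domain].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event))
    summary = {}
    for domain, events in per_domain.items():
        names = [event for _, event in events]
        if "obtained" in names:
            outcome = "issued"
        elif "present" in names and "cleanup" not in names:
            # The temporary challenge certificate is still being served for this SNI.
            outcome = "challenge-pending"
        else:
            outcome = "incomplete"
        seconds = int((events[-1][0] - events[0][0]).total_seconds())
        summary[domain] = {"events": names, "outcome": outcome, "seconds": seconds}
    return summary
```

On the sample, traefik.example.com comes out as issued after ten seconds with the full present, validated, cleanup, obtained sequence, while example.com is left as challenge-pending. Feeding it a real `docker logs` capture works the same way as long as each record is on one line; a wrapped dump like the one in the gist would need the continuation lines joined first.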