I have a node.js server that deals with authentication and thus needs traffic sent to it over https. It has to have a self signed cert, as it has a private ip and is only accessible behind the proxy anyway. I wanted to use the setting InsecureSkipVerify = true. Is there an environment variable for that? or how would I do this?

Hello,

I just tried traefik on rancher with a node app and it's working for http. But how can I setup https for this app with letsencrypt ?

Thanks

I'm currently facing the error stated in title when trying to issue a new certificate.

Is this related to the following issue?
traefik/traefik#1832

If yes, sorry for asking!

Regards,
Hermsi

PS:
Is it possible to use own certificates per service using labels?
I checked the rancher-traefik repository but did not find any related configuration-possibilities https://github.com/rawmind0/rancher-traefik

Traefik.toml is generated erroneously when using https, like did before and fixed by #5

Hey guys. Thanks for maintaining this.

Traefik has an RC out for 1.3 which includes the X-Forwarded-Prefix header, something we really need as we're doing a lot of PathPrefixStrip stuff. Any ideas when there will be an alpine-traefik image for this RC?

Cheers

First of all, thank you so much for making this work with Rancher. I've started using it as of yesterday and loved it.
However, I need the HTTP to HTTPS redirect working, and it seems to be in version 1.5. I was wondering if it's possible (or what is required) to upgrade this 1.5?

And, if someone is having a redirect loop like me, this PR fix the issue.

Thank you!

EDIT

I sent you a pull request:
#83

It would be great if we could have an additional ENV VAR to specify a value for web.auth.basic which allows the Traefik UI to be locked down.

See https://docs.traefik.io/toml/

Version 1.4.5-0 I used on Rancher
The default domain used *.rancher.internal
I don't know what's the reason

Last version broke feature that publishes the service as a stack with traefik.enable: stack

Hey,

I am wondering if it is possible to allow additional HTTP-Methods like PURGE for Varnish.

In the Traefik-Docs I found out that it is basically possible to add new methods via matchers:
https://docs.traefik.io/basics/#matchers

But I can't figure out how to realize new methods using rancher.

For now, when my traefik receives a "PURGE"-Request, it discards it and forwards to default "GET":

XXX.XX.XXX.XX - - [27/Oct/2017:16:06:47 +0000] "PURGE /.* HTTP/1.1" - - "http://varnish.domain.de/.*" "WordPress/4.8.2; http://varnish.domain.de" 3193 "Host-dev-varnish-varnish" - 0ms
XXX.XX.XXX.XX - - [27/Oct/2017:16:06:47 +0000] "GET /.* HTTP/1.1" 403 519 "https://varnish.domain.de/.*" "WordPress/4.8.2; http://varnish.domain.de" 3194 "Host-varnish-varnish-de" "http://XX.XX.XX.XX:8080" 5ms

Does one of you guys have a clue?

Thanks!

Hi,

Is it possible to add this feature to your rancher image to have it in the catalog ?

rawmind0/rancher-traefik#31

Do you prefer an issue in https://github.com/rancher/community-catalog ?

Best Regards

Yes! It's me again.

Here the problem is traefik 1.4.2 didn't refresh configurations automaticly on rancher.
If I change something like traefik.alias or traefik.port, I have to restart traefik to load new configuration.
BTW, I've alreay set accessKey and secretKey in Rancher Api Keys and set CONF_INTERVAL to 5.
Here is some snapshot to help resolve this problem:

Thank you for your help!

First, thanks for the job.
Possibility when TRAEFIK_HTTPS_ENABLE=only are activated, redirect all http endpoints to https ?

Thanks

I've installed traefik on rancher version is v1.4.0-rancher-1
but traefik.alias not work. traefik dashboard didn't show the alias domain and cannot proxy it correctly.
I have to rollback to version 1.3.6

Rancher server: Ubuntu 16.04
Rancher version: 1.6.7
traefik on rancher: v1.4.0-rancher-1(from rancher catlog)

Let's add an option to configure Rancher with the metadata provider coming in v1.4

traefik/traefik#1563

Am using rawmind/alpine-traefik:1.4.4-0 in Rancher 1.6.10 in metadata mode. Is there a way to utilize "constraints" or "rancher.constraints" as env variables so that I can run multiple traefik services and filter out what containers are seen by what traefik service?

The command line equivalent is: "--constraints=tag==my-stack"

I'm trying to start traefik on rancher with the latest template (v1.0.3-rancher1) and the following setting:

• http port: 80
• https port: 443
• enable https: only

With this config the server is not able to start and I'm getting the following error:

11/22/2016 4:15:48 PMtime="2016-11-22T15:15:48Z" level=fatal msg="Error creating server: listen tcp :80: bind: permission denied" 
11/22/2016 4:16:18 PM'traefik' failed to start (exit status 0) -- no output

I was able to start traefik with http only on port 8080.

I believe it has something to do with setcap 'cap_net_bind_service=+ep' ${SERVICE_HOME}/bin/traefik, which should work in my opinion...

any ideas? 🍺

If I put the latest 1.2.3 alpine on port 80 and 443 instead of 8080 and 8443 I get permission denied errors:

="Error creating server: listen tcp :80: bind: permission denied

and if I leave http on port 8080 443 dies

="Error creating server: listen tcp :443: bind: permission denied

you can see me wrestling with the issue here

Hi!

Would you consider adding support for traefik.frontend.headers.SSLRedirect?

Hi,

i'm having an issue where this particular container is not resolving short name rancher-metadata but it does resolv rancher-metadata.rancher.internal

strange because I have this in resolv.conf :
search traefik.rancher.internal traefik.traefik.rancher.internal rancher.interna
l
nameserver 169.254.169.250

all my other containers do resolv the short name...

did you face anything similar?.

A

We just upgraded Traefik on our Rancher env from 1.3.6 to 1.4.3. In the Rancher upgrade dialog we answered the questions including the insertion of new certificate and key files, but Traefik 1.4.3 overwrote our certificates (or did not use them in the first place).

We adjusted the Traefik labels on our services to

Consequently we could not connect to our services via https without getting a Net Certificate Error. To resolve this issue we had to start a shell session in Traefik and overwrite the invalid key and cert file with the same one we entered in the Rancher questions in the first place. Restarted Traefik and all was well.

Nevertheless the Traefik should use the key and crt file entered in the Rancher Dialog.

P.S. We upgraded Traefik for three environments and had the same issue in all three of them.

Hello,

I tried to deploy traefik in rancher v 1.2 using the community template but it won't. here are the logs :

09/12/2016 08:20:09 New Monit id: c1491aafd515c976cfd2287bfedcba5e
09/12/2016 08:20:09 Stored in '/opt/traefik/.monit.id'
09/12/2016 08:20:09Starting Monit 5.20.0 daemon with http interface at [*]:2812
09/12/2016 08:20:09'traefik-traefik-1' Monit 5.20.0 started
09/12/2016 08:20:09'confd' process is not running
09/12/2016 08:20:09'confd' trying to restart
09/12/2016 08:20:09'confd' start: '/opt/tools/confd/bin/service-conf.sh start'
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Restarting traefik... ]
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Stoping traefik... ]
09/12/2016 08:20:09cat: can't open '/opt/traefik/traefik.pid': No such file or directory
09/12/2016 08:20:09kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Generating traefik configuration... ]
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Redirecting traefik log... ]
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Redirecting traefik log... ]
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Starting traefik... ]
09/12/2016 08:20:09nohup: appending output to nohup.out
09/12/2016 08:20:09'traefik' process is not running
09/12/2016 08:20:09'traefik' trying to restart
09/12/2016 08:20:09'traefik' start: '/opt/traefik/bin/traefik-service.sh start'
09/12/2016 08:20:09Reinitializing monit daemon
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Generating traefik configuration... ]
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Redirecting traefik log... ]
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Redirecting traefik log... ]
09/12/2016 08:20:09Fri Dec 9 07:20:09 UTC 2016 - [ Starting traefik... ]
09/12/2016 08:20:09nohup: appending output to nohup.out

Any idea please ?

Follows issue video. Do not worry about the information contained. IP is dynamic and so on. Everything changes there nothing is definitive. It's on a Google Cloud machine. I show all settings in the video.

Cheers

https://youtu.be/ofSypJF-Gpk

version: '2'
services:
  traefik:
    privileged: true
    image: rawmind/alpine-traefik:1.4.0-3
    environment:
      TRAEFIK_ADMIN_AUTH_METHOD: digest
      TRAEFIK_ADMIN_AUTH_USERS: ''
      TRAEFIK_ADMIN_ENABLE: 'true'
      TRAEFIK_ADMIN_READ_ONLY: 'false'
      TRAEFIK_ADMIN_STATISTICS: '10'
      TRAEFIK_HTTPS_COMPRESSION: 'true'
      TRAEFIK_HTTPS_ENABLE: 'false'
      TRAEFIK_HTTPS_PORT: '443'
      TRAEFIK_HTTP_COMPRESSION: 'true'
      TRAEFIK_HTTP_PORT: '80'
      TRAEFIK_INSECURE_SKIP: 'false'
      TRAEFIK_RANCHER_ENABLE: 'true'
      TRAEFIK_RANCHER_MODE: metadata
      TRAEFIK_DEBUG: 'true'
      TRAEFIK_RANCHER_DOMAIN: umover.com.br
    ports:
    - 8000:8000/tcp
    - 80:80/tcp
    - 443:443/tcp
    labels:
      io.rancher.scheduler.affinity:host_label: traefik_lb=true
      io.rancher.container.hostname_override: container_name
      io.rancher.scheduler.global: 'true'

version: '2'
services:
  traefik:
    metadata:
      traefik:
        ssl_crt: ''
        ssl_key: ''
    retain_ip: true
    start_on_create: true
    health_check:
      healthy_threshold: 2
      response_timeout: 5000
      port: 8000
      unhealthy_threshold: 3
      interval: 5000
      strategy: recreate

I have been successful at accessing the dashboard on 8000 and my application on 80. However, when I try to access using port 443, the connection times out with a ERR_CONNECTION_REFUSED from chrome.

I have tried setting TRAEFIK_HTTPS_ENABLE = true, but the container hangs Initalizing with the following log output. I suspect this switch only applies if you are providing your own cert.

Thanks!

FYI - the current version in the rancher catalog is 1.1.2.

2/23/2016 1:38:48 PMtime="2016-12-23T18:38:48Z" level=error msg="Error creating TLS config tls: failed to find any PEM data in certificate input" 
12/23/2016 1:38:48 PMtime="2016-12-23T18:38:48Z" level=fatal msg="Error preparing server: tls: failed to find any PEM data in certificate input" 
12/23/2016 1:39:18 PM'traefik' failed to start (exit status 0) -- no output

TRAEFIK CONFIG

rawmind/alpine-traefik:1.1.2

8000 > 8000
80 > 80
443 > 443

CONF_INTERVAL = 10
TRAEFIK_ACME_EMAIL = <redacted>
TRAEFIK_ACME_ENABLE = true
TRAEFIK_ACME_ONDEMAND = true
TRAEFIK_ACME_ONHOSTRULE = true
TRAEFIK_HTTPS_ENABLE = false
TRAEFIK_HTTPS_PORT = 443
TRAEFIK_HTTP_PORT = 80

CONTAINER LABELS

traefik.port = 8000
traefik.path = /
traefik.enable = stack
traefik.domain = <redacted>
traefik.alias = 
traefik.acme = true

Would it be possible to specify a default domain that would be utilized when the traefik.domain label is not present on a service? I see that Traefik seems to support this, but I'm not sure that it functions like I am expecting.

As an example, if I made cluster-1.foo.com the default domain for traefik globally, all I would need to do is set traefik.port and traefik.enable within the services I would like to expose.

So I have hit the dreaded:

Error 429 - urn:acme:error:rateLimited - Error creating new cert :: too many certificates already issued for exact set of domains:

Because I have restarted traefik too many times this week on a few of my domains. So I decided to dig in and find the certs. @rawmind0 please correct me if I'm mistaken on any of this. But it looks like all the certs are stored in acme.json which is in the /opt/traefik/acme directory.

My question is can I volume mount in this directory? Perhaps using convoy-NFS? I'm going to give it a shot, but I'd welcome any comments or suggestions?

here's an example in PR form, feel free to reject. I'm going to test this out on a test environment.

Hi,

in my environment I use fluentd to gather logs from all containers and send them to logstash/elasticsearch. Would be really nice to catch traefik logs in the same way. Right now I need to mount host volume, attach file to fluentd and of course have to watch file with logrotate.
Adding ENV variable for:
accessLogsFile = "/opt/traefik/log/access.log"
to send them to stdout really helps.

Regards,
p.

Monit watches hardcoded for port 8000. if you deactivate the admin entrypoint, it fails and restarts traefik.

Suggestions: Set monit to watch the port of the first defined entrypoint of traefik.

Could your guys add compress options for trarfik on rancher?

Hi just starting out with traefik 1.0.1-1, and I'm also using rancher v1.1.4. I've been following rawmind0/alpine-traefik examples and articles, and I've been able to get web-test.backend.example.com to point at a service my back-end stack (in time will be my api) as well as web-test.proxy-test.example.com to point at a my service in my other webserver stack (in time to become a lightweight webserver serving a browser client app).

tl;dr; In short, I would like to specify ;Path:/api in the rules.toml config

Here's what I've been able to get working.

[backends]

    [backends.web-test__backend]
        [backends.web-test__backend.circuitbreaker]
            expression = "NetworkErrorRatio() > 0.5"
        [backends.web-test__backend.LoadBalancer]
            method = "drr"
        [backends.web-test__backend.servers.backend_web-test_1]
            url = "http://10.42.167.56:8080"
            weight = 0

    [backends.web-test__proxy-test]
        [backends.web-test__proxy-test.circuitbreaker]
            expression = "NetworkErrorRatio() > 0.5"
        [backends.web-test__proxy-test.LoadBalancer]
            method = "drr"
        [backends.web-test__proxy-test.servers.proxy-test_web-test_1]
            url = "http://10.42.8.81:8080"
            weight = 0

[frontends]

    [frontends.web-test__backend]
        backend = "web-test__backend"
        passHostHeader = true
        [frontends.web-test__backend.routes.service]
        rule = "Host:web-test.backend.example.com"

    [frontends.web-test__proxy-test]
        backend = "web-test__proxy-test"
        passHostHeader = true
        [frontends.web-test__proxy-test.routes.service]
        rule = "Host:web-test.proxy-test.example.com"

Here's where I'm somewhat confused. Currently our web client makes http reqs to an api @ example.com/api and I was under the assumption that I would be able to edit the rules.toml to something like:

[frontends]

   [frontends.web-test__backend]
       backend = "web-test__backend"
       passHostHeader = true
       [frontends.web-test__backend.routes.service]
       rule = "Host:dev.example.com;Path:/api"

   [frontends.web-test__proxy-test]
       backend = "web-test__proxy-test"
       passHostHeader = true
       [frontends.web-test__proxy-test.routes.service]
       rule = "Host:dev.example.com;"

where dev.example.com will route to the client and dev.example.com/api is routes to the api. When I set this config in traefik in rancher the container crashes. Not sure what I'm missing here. Any help is very much appreciated.

I'm attempting to implement v1.0.3-rancher1 on my Rancher v1.2.0-pre4-rc4 node, but the catalog only offers versions v1.0.0-beta555-rancher1 and v1.0.1-rancher1.

Is it possible to manually add this to Rancher (ie. pasting the rancher-compose.yml somewhere), or is it possible to update the catalog somehow?

If you set the variable TRAEFIK_HTTPS_ENABLE to "true" in version 1.0.1-1, the file traefik.toml is generated with error:

[entryPoints]
    [entryPoints.http]
  address = ":8080"  [entryPoints.https]
  address = ":8443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/traefik/certs/traefik.crt"
      keyFile = "/opt/traefik/certs/traefik.key"

Error message:

Error reading TOML config file /opt/traefik/etc/traefik.toml : Near line 8 (last key parsed 'entryPoints.http'): Expected a top-level item to end with a new line, comment or EOF, but got '[' instead.

Using version 1.0.1 the error goes away.

I seem to be encountering a race condition related to configuration reloading when refresh_interval is set to the catalog default of 10 seconds.

Test Configuration

I'm testing in a Rancher environment with three hosts. Each host is running one instance of rawmind/alpine-traefik:1.1.2-1. I am automating deployments to this environment from GitLab which often results in multiple stacks being created/destroyed in a very short period of time.

docker-compose.yml

version: '2'
services:
  traefik-conf:
    image: rawmind/rancher-traefik:0.3.4-18
    network_mode: none
    volumes:
    - /opt/tools
    tty: true
    labels:
      io.rancher.scheduler.affinity:host_label: traefik_lb=true
      io.rancher.container.start_once: 'true'
      io.rancher.scheduler.affinity:container_label_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
      io.rancher.scheduler.global: 'true'
  traefik:
    image: rawmind/alpine-traefik:1.1.2-1
    environment:
      CONF_INTERVAL: '10'
      TRAEFIK_ACME_EMAIL: [email protected]
      TRAEFIK_ACME_ENABLE: 'false'
      TRAEFIK_ACME_ONDEMAND: 'false'
      TRAEFIK_ACME_ONHOSTRULE: 'false'
      TRAEFIK_HTTPS_ENABLE: 'false'
      TRAEFIK_HTTPS_PORT: '443'
      TRAEFIK_HTTP_PORT: '80'
    tty: true
    volumes_from:
    - traefik-conf
    ports:
    - 8000:8000/tcp
    - 80:80/tcp
    - 443:443/tcp
    labels:
      io.rancher.scheduler.affinity:host_label: traefik_lb=true
      io.rancher.sidekicks: traefik-conf
      io.rancher.container.hostname_override: container_name
      io.rancher.scheduler.global: 'true'

Symptoms

Traefik acts as if no configuration change has occurred. About a third of my deployments and up being unreachable (traefik responds with a 404 error) until I upgrade the Traefik services to force a reload.

What I've tried

I've had success in changing the refresh_interval to be less frequent. With a setting of 60 seconds I have not had a single occurrence of this issue so far.

Hi, I am having the behavior described in #3
and in
rawmind0/rancher-traefik#19

Specifically confd can't get rancher metadata because the container can't resolve rancher-metadata (though it can resolve http://rancher-metadata.rancher.internal)

while those issues say that the problem isn't in rancher traefik but rather in alpine 3.4 I'd have to disagree since the rancher-traefik image in the official catalog uses alpine 3.4. Since it also depends on your monit dockerfile to fix I'd also need to fork that repo as well. Or to change confd.

Since a few versions traefik has a "native" Rancher backend - do you have any plans of using it, instead the current implementation?

Hello,

I have installed Traefik from the Rancher catalog.
Rancher 1.2.2
Traefik 1.1.2

But Traefik do not detect any container IP for the backend redirection.

Causing "Internal server error"

Backend Service "Test" config:

Nginx Containers are exposing port 80, 443.

Labels:

traefik.port = 80
traefik.enable 	= true
traefik.domain 	= domain.com
traefik.alias = test
traefik.acme = false 

Networks are the same for Traefik and other services (managed)
I can ping traefik from a container in another stack.

Traefik Config

# traefik.toml
logLevel = "DEBUG"
traefikLogsFile = "/opt/traefik/log/traefik.log"
accessLogsFile = "/opt/traefik/log/access.log"
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/traefik/certs/traefik.crt"
      keyFile = "/opt/traefik/certs/traefik.key"

[web]
address = ":8000"

[file]
filename = "/opt/traefik/etc/rules.toml"
watch = true

Did I miss something ?

Thank you for your help.

rancher integration: external
https: true
Https keys: ---begin--- ... ---end---
Https crt: ---begin--- ... ---end---
compression: true
refresh Interval: 10
cattle url: v1 or v2 both I've tried
cattle access key & secret key: I generated new Environment API Keys for traefik.

I added or upgraded service and it'll be Service Unavailable

Hey,

I somehow can't manage to get Traefik working along with rancher.
As soon as I start Traefik, the service keeps in "Initializing"-state in rancher. (Check below for .yml-files)

I would really appreciate some help since I do not seem to understand the docs properly..^^
I grepped the labels from this documentation: https://docs.traefik.io/configuration/backends/rancher/

Interestingly, I am able to reach the Traefik Admin-Panel and inspect my containers and their rules.

I'm basically using three hosts. One Host with rancher-service and two "application"-hosts for everything else. Traefik ist supposed to boot on one host only.

Thank you in advance.

Regards,
Hermsi

Traefik docker-compose.yml:

version: '2'
volumes:
  $${acme_vol_name}:
    driver: local
services:
  traefik:
    image: rawmind/alpine-traefik:1.4.0-3
    environment:
      CATTLE_ACCESS_KEY: SECRET
      CATTLE_SECRET_KEY: SUPERSECRET
      CATTLE_URL: https://rancher.mydomain.de/v1/projects/1a5
      TRAEFIK_ACME_CASERVER: '"https://acme-v01.api.letsencrypt.org/directory"'
      TRAEFIK_ACME_EMAIL: [email protected]
      TRAEFIK_ACME_ENABLE: 'true'
      TRAEFIK_ACME_ONDEMAND: 'true'
      TRAEFIK_ACME_ONHOSTRULE: 'true'
      TRAEFIK_ADMIN_AUTH_METHOD: basic
      TRAEFIK_ADMIN_AUTH_USERS: lmao:$$apr1$$ahHVnXh/$$rpduzZZupOQ7/6KJ/mn0L.
      TRAEFIK_ADMIN_ENABLE: 'true'
      TRAEFIK_ADMIN_READ_ONLY: 'false'
      TRAEFIK_ADMIN_STATISTICS: '10'
      TRAEFIK_HTTPS_COMPRESSION: 'true'
      TRAEFIK_HTTPS_ENABLE: 'true'
      TRAEFIK_HTTPS_PORT: '8443'
      TRAEFIK_HTTP_COMPRESSION: 'true'
      TRAEFIK_HTTP_PORT: '8080'
      TRAEFIK_INSECURE_SKIP: 'false'
      TRAEFIK_RANCHER_ENABLE: 'true'
      TRAEFIK_RANCHER_MODE: api
    volumes_from:
    - traefik-acme
    ports:
    - 8000:8000/tcp
    - 8080:8080/tcp
    - 8443:8443/tcp
    labels:
      io.rancher.scheduler.affinity:host_label: traefik_lb=true
      io.rancher.sidekicks: traefik-acme
      io.rancher.container.hostname_override: container_name
      io.rancher.scheduler.affinity:container_label_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
      io.rancher.scheduler.global: 'true'
  traefik-acme:
    image: rawmind/alpine-volume:0.0.2-1
    environment:
      SERVICE_GID: '10001'
      SERVICE_UID: '10001'
      SERVICE_VOLUME: /opt/traefik/acme
    network_mode: none
    volumes:
    - traefik_acme_vol:/opt/traefik/acme
    labels:
      io.rancher.container.start_once: 'true'
      io.rancher.scheduler.affinity:container_label_soft_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
      io.rancher.container.hostname_override: container_name

rancher-compose.yml

version: '2'
services:
  traefik:
    metadata:
      traefik: &id001
        ssl_crt: |2+

        ssl_key: |2+

    retain_ip: true
    start_on_create: true
    health_check:
      healthy_threshold: 2
      response_timeout: 5000
      port: 8000
      unhealthy_threshold: 3
      interval: 5000
      strategy: recreate
  traefik-acme:
    metadata:
      traefik: *id001
    retain_ip: true
    scale: 1
    start_on_create: true

And thats my whoami-service for testing...
docker-compose.yml:

version: '2'
services:
  whois:
    image: jwilder/whoami
    stdin_open: true
    tty: true
    labels:
      traefik.frontend.rule: Host:whoami.hermsi.de
      traefik.enable: 'true'
      io.rancher.container.pull_image: always
      traefik.frontend.entryPoints: http,https

rancher-compose.yml

version: '2'
services:
  whois:
    scale: 1
    start_on_create: true

In the same way you have added support for minVersion = "VersionTLS12" by being able to set Environment Variable TRAEFIK_HTTPS_MIN_TLS, it would be great if you could add a TRAEFIK_HTTPS_CIPHERS that would add support for specifying an array of cipher suites like
CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]

As shown at https://docs.traefik.io/configuration/entrypoints/#specify-minimum-tls-version
A more awesome thing would be to support mozilla recommendations:
https://wiki.mozilla.org/Security/Server_Side_TLS
e.g TRAEFIK_HTTPS_CIPHERS_LEVEL = modern | intermediate| old

The reasoning is that the current defaults is vulnerable to SWEET32 attack, since it includes 3DES ciphers.

Ref: nmap -sV --script ssl-enum-ciphers -p 443 yourhostbehindtraefik.com

Thanks,
/E

Hello,

some of my services remain unreachable after I restart them, however once I manually restart traefik things work again.

Here are my composer files

docker-compose.yml

version: '2'
volumes:
  tools-volume:
    driver: local
    per_container: true
  $$$${VOLUME_NAME}:
    driver: rancher-nfs
services:
  traefik-conf:
    image: rawmind/rancher-traefik:1.3.6
    network_mode: none
    volumes:
    - tools-volume:/opt/tools
    labels:
      io.rancher.scheduler.affinity:host_label: traefik_lb=true
      io.rancher.container.start_once: 'true'
      io.rancher.scheduler.affinity:container_label_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
  traefik:
    image: rawmind/alpine-traefik:1.4.0-3
    environment:
      CATTLE_ACCESS_KEY: *snip*
      CATTLE_SECRET_KEY: *snip*
      CATTLE_URL: *snip*
      CONF_INTERVAL: '10'
      TRAEFIK_ACME_CASERVER: '"https://acme-v01.api.letsencrypt.org/directory"'
      TRAEFIK_ACME_EMAIL: *snip*
      TRAEFIK_ACME_ENABLE: 'true'
      TRAEFIK_ACME_ONDEMAND: 'true'
      TRAEFIK_ADMIN_ENABLE: 'true'
      TRAEFIK_HTTPS_ENABLE: 'true'
      TRAEFIK_HTTPS_PORT: '443'
      TRAEFIK_HTTP_PORT: '80'
      TRAEFIK_RANCHER_ENABLE: 'true'
      TRAEFIK_DEBUG: 'true'
      TRAEFIK_RANCHER_DOMAIN: *snip*
    volumes_from:
    - traefik-conf
    - traefik-acme
    ports:
    - 80:80/tcp
    - 443:443/tcp
    - 8000:8000/tcp
    labels:
      io.rancher.scheduler.affinity:host_label: traefik_lb=true
      io.rancher.sidekicks: traefik-conf,traefik-acme
      io.rancher.container.hostname_override: container_name
      io.rancher.scheduler.global: 'true'
  traefik-acme:
    image: rawmind/alpine-volume:0.0.2-1
    environment:
      SERVICE_GID: '10001'
      SERVICE_UID: '10001'
      SERVICE_VOLUME: /opt/traefik/acme
    network_mode: none
    volumes:
    - TRAEFIK:/opt/traefik/acme
    labels:
      io.rancher.container.start_once: 'true'
      io.rancher.scheduler.affinity:container_label_soft_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
      io.rancher.container.hostname_override: container_name

rancher-compose.yml

version: '2'
services:
  traefik-conf:
    metadata:
      traefik: &id001
        ssl_crt: ''
        ssl_key: ''
    retain_ip: true
    scale: 1
    start_on_create: true
  traefik:
    metadata:
      traefik: *id001
    retain_ip: true
    start_on_create: true
    health_check:
      healthy_threshold: 2
      response_timeout: 2000
      port: 80
      unhealthy_threshold: 3
      initializing_timeout: 60000
      interval: 2000
      strategy: recreate
      reinitializing_timeout: 60000
  traefik-acme:
    metadata:
      traefik: *id001
    retain_ip: true
    scale: 1
    start_on_create: true

Best regards

This PR describes a feature we would like to use:
traefik/traefik#1873

We have one admin task which takes several minutes to complete, and traefik is timing out. Is it possible to access this configuration without an enhancement to alpine-traefik?

Thanks!

Stu

rollback to version 1.4.0 or upgrade to 1.4.3 (not released yet)

traefik/traefik#2351

Hi,

I looking to do a proof of concept via play-with-docker and I always get Error forwarding request errors. I run Docker Swarm Mode.

Is your setup supposed to work out of the box? I use v1.4.0-rc1:

My Setup

## Create Swarm
docker swarm init --advertise-addr eth0

## List nodes
docker node ls

## Install common apps
apk update && apk upgrade && apk add nano curl bash git wget unzip ca-certificates

## 
IMG_traefik="devmtl/traefik-fire:edge_2017-09-04_23H06"
CTN_traefik="tool-traefik"
NTW_FRONT="ntw_front"

##
mkdir -p /mnt/DeployGRP/tooldata/traefik/
touch /mnt/DeployGRP/tooldata/traefik/acme.json

##
if [ ! "$(docker network ls --filter name=ntw_front -q)" ];then
  docker network create --driver overlay --subnet 10.11.10.0/24 --opt encrypted ntw_front
  sleep 2
fi

##
docker service create \
	--name "$CTN_traefik" --hostname "$CTN_traefik" \
	--network "$NTW_FRONT" --replicas "1" \
	--reserve-memory "64M" --limit-memory "128M" \
	-p 8080:8080 \
	-p 8443:8443 \
	-p 8000:8000 \
	--mount type=bind,src=/mnt/DeployGRP/tooldata/traefik/acme.json,dst=/opt/traefik/etc/traefik.toml \
	-e TRAEFIK_HTTP_PORT="8080" \
	-e TRAEFIK_HTTPS_ENABLE="true" \
	-e TRAEFIK_HTTPS_PORT="8443" \
	-e TRAEFIK_ADMIN_PORT="8000" \
	-e TRAEFIK_LOG_LEVEL="INFO" \
	-e TRAEFIK_DEBUG="false" \
	-e TRAEFIK_INSECURE_SKIP="false" \
	-e TRAEFIK_SSL_PATH="/opt/traefik/certs" \
	-e TRAEFIK_HTTPS_ENABLE="< true || only >" \
	-e TRAEFIK_ACME_ENABLE="true" \
	-e TRAEFIK_ACME_EMAIL="[email protected]" \
	-e TRAEFIK_ACME_ONDEMAND="true" \
	-e TRAEFIK_ACME_ONHOSTRULE="true" \
	-e TRAEFIK_K8S_ENABLE="false" \
	-e TRAEFIK_RANCHER_ENABLE="false" \
	"$IMG_traefik"

##
docker service create \
	--name "whoami1" --hostname "whoami1" \
	--network "$NTW_FRONT" --replicas "1" \
	--replicas "2" \
	--label traefik.backend="whoami1" \
	--label traefik.port="8080" \
	--label traefik.docker.network="ntw_front" \
	--label traefik.backend.loadbalancer.method="wrr" \
	--label traefik.backend.loadbalancer.swarm="true" \
	--label traefik.weight="10" \
	emilevauge/whoami

##
docker service create \
	--name "whoami2" --hostname "whoami2" \
	--network "$NTW_FRONT" --replicas "1" \
	--replicas "2" \
	--label traefik.backend="whoami2" \
	--label traefik.port="8080" \
	--label traefik.docker.network="ntw_front" \
	--label traefik.backend.loadbalancer.method="wrr" \
	--label traefik.backend.loadbalancer.swarm="true" \
	--label traefik.weight="10" \
	emilevauge/whoami

Errors

Thank you!

Hello. Sorry if I'm post in the wrong place but I need help.

I'm using traefik from rancher catalog and the image there is this one.
I'm trying to use letsencrypt((https://github.com/janeczku/rancher-letsencrypt)) from catalog with traefik.

I need to do this: example.com/.well-known/acme-challenge to rancher-letsencrypt
I have 4 domains and I want to redirect all them to rancher-letsencrypt service if the path /.well-known/acme-challenge is matched.

My configs are:

traefik.port=8000
traefik.frontend.rule=Host:mydomain.com
traefik.enable=true

Any ideia? I'm very beginner with this.
Thank you!

Thanks for this awesome image.

system: ubuntu 14.04 LTS

docker info

Containers: 11
 Running: 10
 Paused: 0
 Stopped: 1
Images: 13
Server Version: 1.12.5
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 59
 Dirperm1 Supported: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null host bridge overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor
Kernel Version: 3.13.0-105-generic
Operating System: Ubuntu 14.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.736 GiB
Name: VM-160-161-ubuntu
ID: BZZK:ACYM:OK3Q:7C6T:XHS3:CH2N:22FU:3ZFB:VYIZ:6UJT:7P2O:O5JG
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8

# traefik.toml
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true

docker run -P -v /var/run/docker.sock:/var/run/docker.sock rawmind/alpine-traefik

The user traefik had no permission to access /var/run/docker.sock in container

bash-4.3$ ls -l /var/run/docker.sock                                                                                                       
srw-rw----    1 root     ping             0 Jan  4 07:43 /var/run/docker.sock 

Traefik with Docker backend mode works failed.

Any idea?

Hello,
So after an update on my host traefik won't start anymore. If this log can help you to find a solution...

26/10/2016 20:32:28'traefik' start: /opt/traefik/bin/traefik-service.sh
26/10/2016 20:32:28Wed Oct 26 18:32:28 UTC 2016 - [ Generating traefik configuration... ]
26/10/2016 20:32:28Wed Oct 26 18:32:28 UTC 2016 - [ Redirecting traefik log... ]
26/10/2016 20:32:28Wed Oct 26 18:32:28 UTC 2016 - [ Redirecting traefik log... ]
26/10/2016 20:32:28Wed Oct 26 18:32:28 UTC 2016 - [ Starting traefik... ]
26/10/2016 20:32:28nohup: appending output to nohup.out

$ cat nohup.out
time="2016-10-26T18:33:59Z" level=fatal msg="Error opening fileopen /opt/traefik
/log/access.log: permission denied"

$ ls -l log/
total 0
lrwxrwxrwx    1 traefik  traefik         12 Oct 26 18:35 access.log -> /proc/1/f
d/1
lrwxrwxrwx    1 traefik  traefik         12 Oct 26 18:35 traefik.log -> /proc/1/
fd/1

Edit I use the latest version 1.0.3-rancher1

Good evening @rawmind0

it's me again. I would be very happy if your are gracious enough to help me for the second time.

I'm currently struggling with setting up Traefik on two hosts:

My Setup looks like the following:

• Two Hosts with label traefik_lb=true and Traefik running on them. For config see [1]
• A webtest-stack bootet on every hosts. For config see [2]
• My domain with two a-records pointing to both hosts and using round robin dns
  

When I login into traefik admin-panel I see my frontend along with the corresponding backend:

But as soon as I visit the Frontend - no matter which server - I'm facing a 404 page not found-error.

Is it even possible to achieve this setup using Traefik? Am I missing an important detail?
I did a lot of research but I didn't find the thing I'm missing in this case.

Thanks a lot for your help!

Traefik-configuration [1]
docker-compose.yml:

version: '2'
volumes:
  $${acme_vol_name}:
    driver: local
services:
  traefik:
    image: rawmind/alpine-traefik:1.4.0-3
    environment:
      CATTLE_ACCESS_KEY: SECRET
      CATTLE_SECRET_KEY: SECRET AF
      CATTLE_URL: https://rancher.domain.de/v1/projects/1a5
      TRAEFIK_ACME_CASERVER: '"https://acme-v01.api.letsencrypt.org/directory"'
      TRAEFIK_ACME_EMAIL: [email protected]
      TRAEFIK_ACME_ENABLE: 'true'
      TRAEFIK_ACME_ONDEMAND: 'true'
      TRAEFIK_ACME_ONHOSTRULE: 'true'
      TRAEFIK_ADMIN_AUTH_METHOD: basic
      TRAEFIK_ADMIN_AUTH_USERS: user:$$apr1$$ahHVnXh/$$rpduzZZupOQ7/6KJ/mn0L.
      TRAEFIK_ADMIN_ENABLE: 'true'
      TRAEFIK_ADMIN_READ_ONLY: 'false'
      TRAEFIK_ADMIN_STATISTICS: '10'
      TRAEFIK_HTTPS_COMPRESSION: 'true'
      TRAEFIK_HTTPS_ENABLE: only
      TRAEFIK_HTTPS_PORT: '443'
      TRAEFIK_HTTP_COMPRESSION: 'true'
      TRAEFIK_HTTP_PORT: '80'
      TRAEFIK_INSECURE_SKIP: 'false'
      TRAEFIK_RANCHER_ENABLE: 'true'
      TRAEFIK_RANCHER_MODE: api
      LOGLEVEL: DEBUG
    volumes_from:
    - traefik-acme
    ports:
    - 8000:8000/tcp
    - 80:80/tcp
    - 443:443/tcp
    labels:
      io.rancher.scheduler.affinity:host_label: traefik_lb=true
      io.rancher.sidekicks: traefik-acme
      io.rancher.container.hostname_override: container_name
      io.rancher.scheduler.global: 'true'
  traefik-acme:
    image: rawmind/alpine-volume:0.0.2-1
    environment:
      SERVICE_GID: '10001'
      SERVICE_UID: '10001'
      SERVICE_VOLUME: /opt/traefik/acme
    network_mode: none
    volumes:
    - traefik_acme_vol:/opt/traefik/acme
    labels:
      io.rancher.container.start_once: 'true'
      io.rancher.scheduler.affinity:container_label_soft_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
      io.rancher.container.hostname_override: container_name

rancher-compose.yml:

version: '2'
services:
  traefik:
    metadata:
      traefik: &id001
        ssl_crt: ''
        ssl_key: ''
    retain_ip: true
    start_on_create: true
    health_check:
      healthy_threshold: 2
      response_timeout: 5000
      port: 8000
      unhealthy_threshold: 3
      interval: 5000
      strategy: recreate
  traefik-acme:
    metadata:
      traefik: *id001
    retain_ip: true
    scale: 1
    start_on_create: true

webtest-configuration [2]
docker-compose.yml:

version: '2'
services:
  test:
    image: rawmind/web-test
    stdin_open: true
    tty: true
    labels:
      traefik.frontend.rule: Host:dev.domain.de
      traefik.enable: 'true'
      traefik.port: '8080'
      traefik.domain: dev.domain.de
      io.rancher.container.pull_image: always
      io.rancher.scheduler.global: 'true'
      traefik.frontend.entryPoints: http, https

rancher-compose.yml:

version: '2'
services:
  test:
    start_on_create: true