/r/Traefik
Traefik is a leading modern reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components and configures itself automatically and dynamically.
Traefik supports several backends (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, and a lot more) to manage its configuration automatically and dynamically.
This is a great community with many awesome people contributing their time, don't ruin that.
Negativity, unnecessary comments and rule violation in general will be dealt with swiftly and firmly by way of a permanent ban.
In other words, be a good citizen!
Note: Posts from untrusted new and low karma Reddit accounts are removed automatically to help prevent spam. The only way around this is to use Reddit more frequently to build up trust.
This is a user run unofficial subreddit, we do not represent the Traefik brand and are not affiliated with or endorsed by any company.
Hello! Sorry if this question has been answered already, but I just can't wrap my head around using traefik only with a locally resolved domain. So my goal here is to proxy my docker containers using a domain (something like myhomelab.local) that is available only on my LAN, possibly with TLS, certs and Authentik.
Everything I've stumbled upon online so far is either for cloudflare, very outdated (v2) or both. Here are some links:
Any help or tips will be much appreciated, as for now I don't even know where to start. Thanks in advance!
I have Traefik up and running (with Cloudflare, letsencrypt) successfully supplying certs and reverse proxying inside my network.
I am a database guy, so some of the Internet hosting stuff is out of my wheelhouse.
I would like to set up a service (overseer) so I can access it remotely via Traefik, preferably without a tunnel, etc.
Is there a guide for what I would need to do in Cloudflare, etc. to make this happen? I.e. do I need a static IP, what to configure in Cloudflare for DNS entries, etc.
All the guides I can find cover the docker (internal) side.
Hi all!
Does anyone know how to route from a specific host to a host + path using Traefik? (In other words, I would like that when I type "pihole.example.com/", the request is routed to "pihole.example.com/admin/".)
I am quite new to Traefik, so still trying to understand how all the pieces fit together.
docker-compose.yml (Pihole service):
```yaml
labels:
  # Traefik
  - "traefik.enable=true"
  # HTTP Routers
  - "traefik.http.routers.pihole.rule=Host(`pihole.example.com`)"
  - "traefik.http.routers.pihole.entrypoints=web"
  # Services
  - "traefik.http.services.pihole.loadbalancer.server.port=80"
  #- "traefik.http.middlewares.pihole.replacepath.path=/admin" # Test 1
  #- "traefik.http.middlewares.pihole.addprefix.prefix=/admin" # Test 2
  #- "traefik.http.routers.pihole.middlewares=myprefix" # Test 2
```
Hey Guys,
Could someone please help me with getting Graylog syslog proxying UDP 544?
Basically, my Traefik is running on K3S and I would like to add a syslog.fqdn.xyz to my clients, point my DNS to the load balancer IP of K3S which should proxy the traffic to Graylog.
I have tried adding Traefik values, since it is UDP what do I do for ingressroute and service?
Basically, my Graylog is 192.168.0.10 (another VM outside of K3s) and I want the ingressroute for FQDN syslog.fqdn.xyz:544 to send logs to it.
```yaml
additionalArguments:
  - "--entryPoints.syslog.address=:544/udp"
ports:
  # Syslog
  syslog:
    port: 544
    exposedPort: 544
    protocol: UDP
```
Hi, I have a question. I'm trying to set up Kubernetes using Minikube, and since Minikube is hidden in a Docker container behind the address 192.168.49.2, I thought of creating a reverse proxy on the host using Traefik.
This has worked out fairly well; I can redirect through the host to the Minikube dashboard ingress service and even to Keycloak (which also runs on the host alongside Traefik). Traefik and Keycloak both run on the host as docker compose containers.
I had the idea that it would be useful to have authentication (+ authorization) in one place, so I wondered if it is possible to secure the Minikube dashboard with Keycloak login, without relying on OAuth2 support on the dashboard's side (which in this case does not even exist). Basically, something like: you log in successfully to Keycloak, and then you are allowed access; otherwise, you are not. If it could also involve assigned user groups, that would be even better.
Is this setup even possible? Alternatively, could you recommend another mechanism that would allow me to manage users and their access to individual Traefik routers in one place (Traefik)?
Thank you
New to traefik (after trying and failing at it a few years back).
I can get an instance up and running, but I want to specify config files. When I do, the container fails.
I'm using the following compose file inside of portainer. No debug logs, as the app doesn't run:
```yaml
version: '3'
services:
  reverse-proxy:
    # The official v3 Traefik docker image
    image: traefik:v3.2
    # Enables the web UI and tells Traefik to listen to docker
    command:
      - --api.insecure=true
      - --providers.docker
      - --log.level=DEBUG
    networks:
      app-net:
        ipv4_address: "192.168.10.10"
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/traefik/config.yml:/etc/traefik/config.yml:ro
      - /opt/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
networks:
  app-net:
    name: "traefik-net"
    driver: "bridge"
    ipam:
      driver: "default"
      config:
        - subnet: "192.168.10.0/24"
```
On a server I run docker with traefik for several docker-compose stacks, providing and managing their ACME-certs. Everything fine.
There are some services not in docker that also need TLS-certs, some for the same domains, like postfix and dovecot. So currently I stop traefik now and then (90 days), run `certbot renew` on the host, and restart the mail-services and traefik.
I'd prefer to be able to let postfix/dovecot use the certs generated by traefik. A quick look shows they are all inside one json-file, which isn't usable with the mail-services, afaik.
Is there a way to achieve this? Do I need some magic parameter ... or a helper script grepping the certs? thanks for pointers!
I had a bunch of sites that traefik was reverse proxy for, which later I removed. These are all with docker using labels to define the config. The docker containers are no longer running, but traefik is trying to renew the hosts (letsencrypt). It keeps failing as there isn't any DNS lookup.
Any idea where it's finding the domains? Or otherwise, how do I stop it?
Hello :)
I am trying to run this docker compose file:
```yaml
version: '3'
services:
  reverse-proxy:
    # The official v3 Traefik docker image
    image: traefik:v3.2
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Path(`/whoami`)"
  nzbget:
    image: lscr.io/linuxserver/nzbget:latest
    container_name: nzbget
    environment:
      - TZ=Europe/Paris
      - NZBGET_USER=nzbget #optional
      - NZBGET_PASS=tegbzn6789 #optional
    volumes:
      - /Users/alexandrecolin/Documents/docker/nzbget:/config
    restart: unless-stopped
    labels:
      - "traefik.http.routers.nzbget.rule=Path(`/nzbget`)"
      - "traefik.http.services.nzbget.loadbalancer.server.port=6789"
```
When trying to access http://localhost:8080 I have access to the dashboard, but the URL http://localhost/nzbget yields the following error:
404 page not found
Any idea what I am doing wrong?
Sincerely
Hello,
I'm in the process of moving all my services to different machines/VMs. What I'm essentially trying to do is set up a low power NUC, hosting all my main services 24/7; at the moment it's only running:
My pihole container is running in network mode host, as recommended by the documentation ( https://github.com/pi-hole/docker-pi-hole?tab=readme-ov-file#quick-start ) since I'm using it as a DHCP server
```yaml
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    environment:
      - TZ=Europe/Paris
      - WEB_PORT=8081
      - INTERFACE=enp2s0
      - FTLCONF_LOCAL_IPV4=192.168.10.101
    volumes:
      - /mnt/docker-volumes/pihole/etc-pihole:/etc/pihole
      - /mnt/docker-volumes/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
      - ./hosts:/etc/hosts
      - ./etc-dnsmasq.d/10-home.conf:/etc/dnsmasq.d/10-home.conf
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    network_mode: host
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
    labels:
      - "traefik.enable=true"
      - "traefik.port=8081"
      - "traefik.http.routers.pihole.rule=Host(`pihole.homelab.fr`)"
      - "traefik.http.routers.pihole.middlewares=local-only@file,cors@file"
      - "traefik.http.routers.pihole.entrypoints=websecure"
      - "traefik.http.routers.pihole.tls.certresolver=ovhresolver"
      - "traefik.http.services.pihole.loadbalancer.server.port=8081"
      - "traefik.http.services.pihole.loadbalancer.passhostheader=true"
```
This is my Traefik compose file
```yaml
services:
  traefik:
    container_name: traefik
    restart: unless-stopped
    image: traefik:v3.1.4
    env_file:
      - /mnt/docker-volumes/traefik/private.env
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./config:/etc/traefik/
      - ./letsencrypt:/letsencrypt
    extra_hosts:
      - "host.docker.internal:host-gateway"
    networks:
      - traefik
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
networks:
  traefik:
    external: true
```
`traefik` network, since it's running in network host mode

If I /bin/sh into Traefik:

- `wget host.docker.internal:8099` (get the index of Upsnap) works
- `wget host.docker.internal:8081/admin/` (get the index of Pihole) doesn't work :( note that `wget 192.168.10.101:8081/admin/` (ip of the machine), from the container, works

I'd like to avoid having a file provider, if possible. I want to keep using the labels / integrating everything in my docker compose, but it seems that there's no way, using labels, to tell Traefik to use the 192.168.10.101 IP address rather than host.docker.internal
Any idea ?
Thanks !
Okay I am not clear on what takes precedence or even what is supposed to be going on with Traefik and Docker.
If I want to use a dynamic configuration, I still need a static config, however that static config is limited to identifying providers, entrypoints, and other traefik service related settings.
The dynamic config manages all of your routing and downstream service definitions.
I can wrap my head around this okay but I started delving into the docs and apparently in my docker-compose, I still need to have some labels, but it also sounds like I can configure routers and services directly via labels and forgo the dynamic config altogether for services that have their own local docker container.
If specifying a router in the labels automatically creates the service, why would anyone ever bother with the dynamic config since I can keep all of my router and service definitions in the docker-compose so I can limit the blast radius of any changes to any of the routed services?
I will still need to manage tcp and udp routing and services via the dynamic config, but at least for the docker containers I think I can keep things collected.
Am I understanding this correctly?
Entrypoints/providers in the traefik.yml For services originating in local docker containers, use the labels to define the routers and services in the docker-compose and then everything stays self contained in the compose. For services originating outside of the host and local docker environment I would need to include those services and rules within the dynamic config.
Hi,
I am looking for good example how to put Authentik behind Traefik proxy.
Right now I have configured Authentik behind Traefik, everything works fine, I can login to Authentik, got SSL cert from Let's Encrypt.
The problem is when I try to connect some external app (like Proxmox or Portainer) to Authentik...
When I go to https://authentik.my-domain.com/application/o/pve/ from the browser I can see JSON with all information about endpoints etc. without any problem... but when I try to connect it to Proxmox I get error 500 all the time... with Portainer it is even better... I go to the Portainer instance, click login with OAuth, it redirects me to the Authentik login page, I can put in username and password, the logon is a success... and then I get error 500 from Portainer...
To communicate between docker containers I use the traefik_proxy network where the Traefik instance is connected to the authentik instance.
Traefik is configured with dynamic config.
docker-compose.yml for Authentik
```yaml
---
services:
  postgresql:
    container_name: authentik-postgresql
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "./data/postgresql:/var/lib/postgresql/data"
    networks:
      - internal
    env_file:
      - ".env"
  redis:
    container_name: authentik-redis
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "./data/redis:/data"
    networks:
      - internal
  server:
    container_name: authentik-server
    image: ghcr.io/goauthentik/server:latest
    command: server
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "./data/authentik/media:/media"
      - "./data/authentik/custom-templates:/templates"
    networks:
      internal: { }
      traefik_proxy: { }
    env_file:
      - ".env"
    restart: unless-stopped
    depends_on:
      - postgresql
      - redis
  worker:
    container_name: authentik-worker
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: worker
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./data/authentik/media:/media"
      - "./data/authentik/certs:/certs"
      - "./data/authentik/custom-templates:/templates"
    networks:
      - internal
    env_file:
      - ".env"
    depends_on:
      - postgresql
      - redis
networks:
  internal: { }
  traefik_proxy:
    external: true
```
authentik.yml in Traefik
```yaml
---
http:
  routers:
    authentik:
      entryPoints:
        - "https"
      rule: "Host(`authentik.my-domain.com`)"
      middlewares:
      tls: { }
      service: authentik
  services:
    authentik:
      loadBalancer:
        servers:
          - url: "https://authentik-server:9443"
        passHostHeader: true
```
headers.yml in Traefik
```yaml
---
tls:
  certificates:
    - certFile: /certs/traefik.cer
      keyFile: /certs/traefik.key
http:
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    default-whitelist:
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/8"
          - "192.168.0.0/16"
          - "172.16.0.0/12"
    secured:
      chain:
        middlewares:
          - default-whitelist
          - default-headers
    authentik:
      forwardAuth:
        address: "http://authentik.my-domain.com:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
```
I am currently using traefik on my cluster to expose quite a few services, when I create a load balancer it binds to the host primary IP. The host itself is connected on tailscale so by using a CNAME in external DNS annotation I can access my traefik service via tailscale.
This however doesn't provide redundancy on a multi node setup so I was wondering if there is any way to "bind" traefik load balancer external IP to tailscale by running maybe a tailscale sidecar or a plug-in. Doing so I would always have that IP pointing to the lb even on a multi node setup.
Thanks.
I noticed that when I run `docker compose down` then `docker compose up -d` on a web server, Traefik isn't able to serve it immediately.
It seems to need about 1 minute for it to work in which it serves a "404 not found" during the downtime.
Is this normal?
In short, I have a subdomain for DoH (DNS over HTTPS).
The URL to access the DoH server is:
That URL will give me a valid DNS return.
What I'm trying to do is make it to where if I type in just `dns.mydomain.com`, it will automatically re-route me to `https://dns.mydomain.com/dns-query`, but if I'm on the `/dns-query` path, it will just stay there.
I came up with my own code, but once in a while, I get a 404, and I'm not sure why. Is this the correct entry for Traefik? Or is there a better way to do this?
```yaml
http:
  middlewares:
    reroute-doh:
      redirectRegex:
        permanent: true
        regex: "^https?://(.*)"
        replacement: "https://dns.mydomain.com/dns-query"
```
I don't really understand what I am doing wrong. I set up Traefik and it is working correctly, and Immich is running correctly as well. But I can't get Traefik to route me to Immich. Thank you all for any help!
Here is my setup using docker:
Traefik is set up receiving https traffic through my subdomain. That is working correctly and I verified it with the demo whoami container within Traefik.
Immich works if I connect to it directly at its local IP via port 2283.
I have my router configured correctly to forward 443 to Traefik as mentioned above, tested correctly with whoami.
But if I connect to my subdomain, or even the internal IP to Traefik via https, I get a gateway timeout.
Here are my configs for Traefik:
```yaml
version: "3.3"
services:
  traefik:
    image: "traefik:v3.2"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@mydomain"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
```
Here is my config for Immich:
```yaml
name: immich
services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    volumes:
      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - stack.env
    ports:
      - '2283:2283'
    depends_on:
      - redis
      - database
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.immich_server.rule=Host(`mydomain`)"
      - "traefik.http.routers.immich_server.entrypoints=websecure"
      - "traefik.http.services.immich_server.loadbalancer.server.port=2283"
      - "traefik.http.routers.immich_server.tls.certresolver=myresolver"
    restart: always
    healthcheck:
      disable: false
```
Hi everyone, I'm trying to do a very simple reverse proxy so I can access flood.nivaddo from 10.0.2.50:3000. I have set up everything that I think is needed (I'm also using the Traefik from the Proxmox helper scripts). I can only access it from http://flood.nivaddo:3000 and I'm clueless on what to do now. My config is as follows:
```yaml
providers:
  file:
    directory: /etc/traefik/conf.d/
entryPoints:
  web:
    address: ':80'
  traefik:
    address: ':8080'
api:
  dashboard: true
  insecure: true
log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: INFO
accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep
```
conf.d/flood.yaml
```yaml
http:
  routers:
    flood:
      entryPoints:
        - web
      rule: "Host(`flood.nivaddo`)"
      service: flood
  services:
    flood:
      loadBalancer:
        servers:
          - url: "http://10.0.2.50:3000/"
        passHostHeader: true
```
unbound dns record
local-data: "flood.nivaddo. IN A 10.0.2.50"
local-data-ptr: "10.0.2.50 flood.nivaddo"
Hi everyone,
I have a homelab at home and everything goes well with K3S with pre-installed traefik on it using standard ports (443 and 80).
In addition I have a small VM in the cloud that does an SSH tunnel on standard ports because at my home I don't have a public IP. Till here all OK.
Now I'm trying to get more value out of this VM in the cloud and I decided to install a one-node instance of K3S to deploy some light apps, for example uptime-kuma, which makes sense to deploy on a different server from the one that you are monitoring.
Now I installed K3S without traefik and I'm just trying to install it as a second step with helm:
helm install traefik traefik/traefik -f traefik-values.yaml -n kube-system
Where in the traefik-values.yaml I just modified:
ports.websecure.exposedport = 8444
ports.web.exposedport= 8081
My expectation is that after deploying this ingress route:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: uptime-kuma-ingressroute
  namespace: kuma
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`kuma.mydomain.de`)
      kind: Rule
      services:
        - name: uptime-kuma
          port: 3001
---
```
Be able to type kuma.mydomain.de:8081 and reach it. Instead the result is a 404 page not found.
What is going wrong? What am I missing?
In kube-system I have the "correct" svc:
│ traefik LoadBalancer 10.43.31.173<server-ip> web:8081►30971 websecure:8444►30182 19m
So to my (no-experienced) point of view it seems ok, but I don't know what other point I need to check. Also the strange things is that the traefik pod don't mach any error, so it seems like I reach the LoadBalancer but it didn't match the pod giving me the error.
How to configure Traefik to block traffic for specific paths such as /admin and /api for www and allow only for some specific range on K8s?
I have the following ingress configuration:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
  annotations:
    #traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  ingressClassName: traefik
  rules:
    - host: "xxs.example.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8443
  tls:
    - hosts:
        - "xxs.example.com"
      secretName: org-tls-secret # Ensure this is the name of your TLS secret
```
Middleware ipAllowlist is configured in the same namespace
I spent a lot of time trying to make this work and finally this morning everything looked like it was indeed working. So I have moved my config from my testing `docker-compose` configuration to my `docker-compose` production stack, and changed some hardcoded stuff to some `.env` variables. I had also deleted the volume containing the acme.json because I had to change the name. And now, nothing is working anymore.
The challenge looks like it is working, or at least `acme.json` is filled but `Certificates: null`, not sure if it is right. The logs go like this:
{"message":"[INFO] [*.mydomain.duckdns.org] acme: Trying to solve DNS-01"}
{"message":"[INFO] [*.mydomain.duckdns.org] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53,8.8.8.8:53]"}
This is strange because actually in my configuration I have
disablePropagationCheck: true
This morning the logs were different, and at some point I had:
{"message":"[INFO] [*.mydomain.duckdns.org] The server validated our request"}
{"message":"[INFO] [*.mydomain.duckdns.org] acme: Cleaning DNS-01 challenge"}
This "The server validated our request" is not appearing anymore.
Seems like at the end it surrenders and just disables the cert resolver:
{"message":"[INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/430999188297"}
I am going crazy honestly since I cannot figure out what the hell is wrong now. I cannot understand how everything has broken suddenly. Any help?
The relevant configuration:
```yaml
# traefik.yml
api:
  dashboard: true
  insecure: false
serversTransport:
  insecureSkipVerify: false
providers:
  docker:
    network: public
    exposedByDefault: false
  file:
    directory: /etc/traefik
    watch: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: "https"
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: "mydomain.duckdns.org"
            sans:
              - "*.mydomain.duckdns.org"
certificatesResolvers:
  letsencrypt:
    acme:
      email: mymail
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: duckdns
        disablePropagationCheck: true
        delayBeforeCheck: "0"
        resolvers:
          - 1.1.1.1:53
          - 8.8.8.8:53
```
```yaml
# docker-compose.yml
volumes:
  letsencrypt-data:
services:
  whoami:
    image: traefik/whoami:v1.10.3
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
  traefik:
    image: traefik:v3.1.7
    ports:
      - 80
      - 443
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    volumes:
      - letsencrypt-data:/letsencrypt:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
```
Kind of losing my mind here a bit.
Running everything in docker. The admin page works just fine, all of the routers are there and happy as far as I can tell.
I have confirmed that both containers are in the same docker network. The nginx container works by itself (I do have to add a ports directive to the docker-compose and redeploy). The Traefik dashboard shows no issues, can see the nginx container(regardless of whether I start it in the same compose file as traefik or separately). No errors in the admin page, only thing that shows up in the access log is the 404 that traefik is throwing.
What the hell am I missing here?
Access log has this:
xx.xx.xx.xxx - - [16/Nov/2024:03:39:59 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 1177 "-" "-" 0ms
docker_compose:
```yaml
services:
  traefik:
    image: traefik:3.2
    container_name: traefik
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /run/docker.sock:/run/docker.sock:ro
      - ./config/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./logs:/logs:rw
    networks:
      - frontend
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.MYDOMAIN.com`)
      - traefik.http.routers.traefik.entrypoints=web
  nginx:
    image: nginx:latest
    container_name: nginx
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /home/HOMEDIR/webroot/MYDOMAIN:/usr/share/nginx/html:ro
      - ./logs:/var/log/nginx:rw
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx.rule=Host(`MYDOMAIN.com`)
      - traefik.http.routers.nginx.rule=Host(`www.MYDOMAIN.com`)
      - traefik.http.routers.nginx.entrypoints=web
    networks:
      - frontend
networks:
  frontend:
    external: true
```
traefik.yml:
```yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false
log:
  level: DEBUG
  filePath: "/logs/traefik.log"
accessLog:
  addInternals: true
  filePath: "/logs/access.log"
api:
  dashboard: true
  insecure: true
entryPoints:
  web:
    address: ":80"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
```
Every time I would start Portainer I would get this odd error from traefik
traefik | 2024-11-15T19:00:19+01:00 ERR Router edge-http cannot be linked automatically with multiple Services: ["frontend" "edge"] providerName=docker routerName=edge-http
traefik | 2024-11-15T19:00:19+01:00 ERR Router edge-https cannot be linked automatically with multiple Services: ["edge" "frontend"] providerName=docker routerName=edge-https
traefik | 2024-11-15T19:00:19+01:00 ERR Router frontend-http cannot be linked automatically with multiple Services: ["edge" "frontend"] providerName=docker routerName=frontend-http
traefik | 2024-11-15T19:00:19+01:00 ERR Router frontend-https cannot be linked automatically with multiple Services: ["edge" "frontend"] providerName=docker routerName=frontend-https
Here are my labels for portainer
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.frontend-http.entrypoints=web"
  - "traefik.http.routers.frontend-http.rule=Host(`portainer.mairimashita.org`)"
  - "traefik.http.routers.frontend-https.entrypoints=websecure"
  - "traefik.http.routers.frontend-https.rule=Host(`portainer.mairimashita.org`)"
  - "traefik.http.routers.frontend-https.tls=true"
  - "traefik.http.routers.frontend-https.tls.certresolver=production"
  - "traefik.http.services.frontend.loadbalancer.server.port=9000"
  - "traefik.http.routers.edge-http.entrypoints=web"
  - "traefik.http.routers.edge-http.rule=Host(`edge.mairimashita.org`)"
  - "traefik.http.routers.edge-https.entrypoints=websecure"
  - "traefik.http.routers.edge-https.rule=Host(`edge.mairimashita.org`)"
  - "traefik.http.routers.edge-https.tls=true"
  - "traefik.http.routers.edge-https.tls.certresolver=production"
  - "traefik.http.services.edge.loadbalancer.server.port=8000"
```
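An added example, not part of any post on this page: a small label linter for the two label patterns shown above, namely routers with no explicit `service` on a container that defines several services (the "cannot be linked automatically with multiple Services" error) and a label key set twice (the two `routers.nginx.rule` lines), where a container keeps only one value per key. The function names and the corrected label set are constructed for illustration.

```python
import re
from collections import defaultdict

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
SERVICE_RE = re.compile(r"^traefik\.http\.services\.([^.]+)\.")


def parse_labels(text):
    """Turn compose list-style labels into ordered (key, value) pairs."""
    pairs = []
    for raw in text.splitlines():
        item = raw.strip()
        if not item or item.startswith("#") or item == "labels:":
            continue  # blank line, commented-out label, or the list header
        if item.startswith("- "):
            item = item[2:].strip()
        item = item.strip("\"'")
        key, sep, value = item.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def lint_labels(text):
    """Return findings as (kind, name, detail) tuples, in discovery order."""
    findings = []
    seen = {}
    routers = defaultdict(dict)
    services = []
    for key, value in parse_labels(text):
        # A label key can hold one value only; a second definition with a
        # different value means one of the two is silently lost.
        if key in seen and seen[key] != value:
            findings.append(("duplicate-key", key, [seen[key], value]))
        seen[key] = value
        m = ROUTER_RE.match(key)
        if m:
            routers[m.group(1)][m.group(2)] = value
        m = SERVICE_RE.match(key)
        if m and m.group(1) not in services:
            services.append(m.group(1))
    # With more than one service on the container, every router has to name
    # its service explicitly; otherwise Traefik cannot pick one.
    if len(services) > 1:
        for name, opts in routers.items():
            if "service" not in opts:
                findings.append(("ambiguous-service", name, sorted(services)))
    return findings


# Labels copied from the Portainer post above.
PORTAINER_LABELS = """
- "traefik.enable=true"
- "traefik.http.routers.frontend-http.entrypoints=web"
- "traefik.http.routers.frontend-http.rule=Host(`portainer.mairimashita.org`)"
- "traefik.http.routers.frontend-https.entrypoints=websecure"
- "traefik.http.routers.frontend-https.rule=Host(`portainer.mairimashita.org`)"
- "traefik.http.routers.frontend-https.tls=true"
- "traefik.http.routers.frontend-https.tls.certresolver=production"
- "traefik.http.services.frontend.loadbalancer.server.port=9000"
- "traefik.http.routers.edge-http.entrypoints=web"
- "traefik.http.routers.edge-http.rule=Host(`edge.mairimashita.org`)"
- "traefik.http.routers.edge-https.entrypoints=websecure"
- "traefik.http.routers.edge-https.rule=Host(`edge.mairimashita.org`)"
- "traefik.http.routers.edge-https.tls=true"
- "traefik.http.routers.edge-https.tls.certresolver=production"
- "traefik.http.services.edge.loadbalancer.server.port=8000"
"""

# Labels copied from the nginx service in the earlier 404 post.
NGINX_LABELS = """
- traefik.enable=true
- traefik.http.routers.nginx.rule=Host(`MYDOMAIN.com`)
- traefik.http.routers.nginx.rule=Host(`www.MYDOMAIN.com`)
- traefik.http.routers.nginx.entrypoints=web
"""

# Constructed: the Portainer labels plus an explicit service per router.
FIXED_LABELS = PORTAINER_LABELS + """
- "traefik.http.routers.frontend-http.service=frontend"
- "traefik.http.routers.frontend-https.service=frontend"
- "traefik.http.routers.edge-http.service=edge"
- "traefik.http.routers.edge-https.service=edge"
"""

if __name__ == "__main__":
    for label_set in (PORTAINER_LABELS, NGINX_LABELS, FIXED_LABELS):
        for finding in lint_labels(label_set):
            print(finding)
```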
Hello all.
Basically, I had everything setup for ssl certs properly when I had everything configured in the command section of my docker-compose. However, since I've moved to a static file config I can't get my certs to be applied properly, so I keep getting errors like
2024-11-14T18:45:16Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "erebor.local.domain.tld"
2024-11-14T18:45:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.0.25:40676: remote error: tls: bad certificate
2024-11-14T18:45:18Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "erebor.local.domain.tld"
I have tried everything I can, including reading through just about the entirety of the Traefik docs and using google-fu and ChatGPT, but I can't get this resolved. Chances are I just missed something super basic, but I can't figure it out at this point, and I've spent like 6 hours on it. I definitely see the TXT records for that domain show up in Cloudflare, and I see that it has propagated, but for some reason it's just not using the cert?
I will also note that this config is in-progress. I'm still removing redundancies, like the additional redirect schemes and such. I just figured it was best to include everything for right now.
Also, other domains such as `search.local.domain.tld`, which is set up in a separate docker-compose file, are also seeing the same problem. It is not just the routers that are defined in the static config. However, the problem is exclusive to those subdomains of `*.local.domain.tld`.
If anyone could help out, I would greatly appreciate it. I will include my static config and docker-compose below.
Config:
```yaml
api:
  dashboard: true
log:
  filePath: "/opt/appdata/traefik/logs.log"
  level: DEBUG
serversTransport:
  insecureSkipVerify: true
entryPoints:
  http_internal:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https_internal
  http_external:
    address: ":81"
    http:
      redirections:
        entryPoint:
          to: https_external
  https_internal:
    address: ":443"
  https_external:
    address: ":444"
  metrics:
    address: ":8082"
http:
  routers:
    valinor:
      entryPoints:
        - http_internal
      rule: "Host(`valinor.local.domain.tld`)"
      service: valinor
      middlewares:
        - valinor-https-redirect
    valinor-secure:
      entryPoints:
        - https_internal
      rule: "Host(`valinor.local.domain.tld`)"
      service: valinor
      tls:
        certResolver: myresolver # Use Let's Encrypt ACME resolver
    khazad-dum:
      entryPoints:
        - http_internal
      rule: "Host(`khazad-dum.local.domain.tld`)"
      service: khazad-dum
      middlewares:
        - khazad-dum-https-redirect
    khazad-dum-secure:
      entryPoints:
        - https_internal
      rule: "Host(`khazad-dum.local.domain.tld`)"
      service: khazad-dum
      tls:
        certResolver: myresolver # Use Let's Encrypt ACME resolver
    rivendell:
      entryPoints:
        - http_internal
      rule: "Host(`rivendell.local.domain.tld`)"
      service: rivendell
    erebor:
      entryPoints:
        - http_internal
      rule: "Host(`erebor.local.domain.tld`)"
      service: erebor
      middlewares:
        - erebor-https-redirect
    erebor-secure:
      entryPoints:
        - https_internal
      rule: "Host(`erebor.local.domain.tld`)"
      service: erebor
      tls:
        certResolver: myresolver # Use Let's Encrypt ACME resolver
  middlewares:
    https-redirect-external:
      redirectScheme:
        scheme: https
        permanent: true
        port: "444"
    https-redirect-internal:
      redirectRegex:
      redirectScheme:
        scheme: https
        permanent: true
        port: "443"
    security:
      headers:
        STSSeconds: 31536000
        STSIncludeSubdomains: true
        STSPreload: true
        forceSTSHeader: true
        #framedeny: true
        browserXssFilter: true
        customRequestHeaders:
          X-Forwarded-Proto: https
    compatability:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: https
    valinor-https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
    khazad-dum-https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
    erebor-https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
    sslheader:
      headers:
        sslProxyHeaders:
          - X-Forwarded-Proto: https
  services:
    valinor:
      loadBalancer:
        servers:
          - url: "https://192.168.0.10:8006"
        passHostHeader: true
    erebor:
      loadBalancer:
        servers:
          - url: "https://192.168.0.20:5001"
        passHostHeader: true
    khazad-dum:
      loadBalancer:
        servers:
          - url: "https://192.168.0.21"
        passHostHeader: true
    rivendell:
      loadBalancer:
        servers:
          - url: "http://192.168.0.11"
        passHostHeader: true
tls:
  options:
    secure:
      minVersion: VersionTLS13
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
certificatesResolvers:
  myresolver:
    acme:
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
        delayBeforeCheck: 120s
      email: "my_email@domain.tld"
      storage: "/letsencrypt/acme.json"
providers:
  docker:
    endpoint: "unix://var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: "/etc/traefik/"
    watch: true
metrics:
  prometheus:
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5
    entryPoint: metrics
    addEntryPointsLabels: true
    addServicesLabels: true
```
Docker-Compose:
```yaml
version: "3.3"
services:
  traefik:
    image: traefik:v3.2.0
    container_name: traefik
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.traefik-https_internal-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.routers.traefik.entrypoints=http_internal
      - traefik.http.routers.traefik.rule=Host(`traefik.local.domain.tld`)
      - traefik.http.routers.traefik.middlewares=traefik-https_internal-redirect
      - traefik.http.routers.traefik-secure.entrypoints=https_internal
      - traefik.http.routers.traefik-secure.rule=Host(`traefik.local.domain.tld`)
      - traefik.http.routers.traefuk-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.certresolver=myresolver
      - traefik.http.routers.traefik-secure.tls.domains[0].main=local.domain.tld
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.domain.tld
      - traefik.http.routers.traefik-secure.service=api@internal
    environment:
      - CF_DNS_API_TOKEN=$$TOKEN$$
    ports:
      - 80:80
      - 81:81
      - 443:443
      - 444:444
      - 8080:8080
    deploy:
      resources:
        limits:
          memory: 2G
          cpus: "0.5"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/traefik/etc:/etc/traefik/
      - /mnt/marzarbul/traefik/traefik/rules.yml:/etc/traefik/traefik.yml
      - /mnt/traefik/data:/data
      - /mnt/traefik/traefik:/opt/appdata/traefik
      - /mnt/traefik/letsencrypt:/letsencrypt
    networks:
      - traefik
networks:
  traefik:
    external: true
```
I’m trying to deploy Traefik for the first time. I want to set it up on a “trunk” network that can talk to all subnets, where my firewall, DNS, etc. live. I want Traefik to proxy hosts on the various subnets. I’m having difficulty finding a guide that explains how to communicate with other subnets. Can anyone recommend a good guide for this setup? I want to read more before attempting it.
Wrote a guide on setting up monitoring for Traefik using StatsD to gather metrics and Graphite and Grafana for easy visualization and analysis. This approach makes it simple to set up a lightweight and robust monitoring stack, helping you stay on top of your system’s health and performance.
Hope this is helpful! It would be great to know who else uses this approach!
https://www.metricfire.com/blog/easiest-way-to-monitor-traefik-requests-using-statsd-and-metricfire/
I have been pulling my hair on this. I have traefik handling SSL for HTTP docker container. But I cannot seem to get the users' real IP both in X-Forwarded-For and Real-IP headers. They all come as the container IP. I have tried enabling proxy protocol both for version 1 and 2 but to no avail.
Here is my docker compose
```yaml
services:
  traefik:
    image: traefik:v3.2
    command:
      - --api.insecure=true #remove in production!
      - --api.dashboard=true #remove in production!
      - --providers.docker
      - --providers.docker.exposedByDefault=false
      - --log.level=ERROR
      - --entryPoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      # - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.email=${WEBMASTER_EMAIL}
      - --certificatesresolvers.myresolver.acme.storage=/ssl/acme.json
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./ssl:/ssl
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.$BASE_DOMAIN`)
      - traefik.http.routers.traefik.entrypoints=web
      - traefik.http.routers.traefik.service=traefik_service
      - traefik.http.services.traefik_service.loadbalancer.server.port=8080
  wordpress:
    ...
    ...
    labels:
      - traefik.enable=true
      - traefik.http.routers.wordpress_router.rule=Host(`$BASE_DOMAIN`)
      - traefik.http.routers.wordpress_router.entrypoints=websecure
      - traefik.http.routers.wordpress_router.service=web
      - traefik.http.routers.wordpress_router.tls.certresolver=myresolver
      - traefik.http.services.web.loadbalancer.server.port=80
      - traefik.tcp.services.web.loadbalancer.proxyprotocol.version=2
      - traefik.http.routers.websocket.rule=Host(`$WEBSOCKET_DOMAIN`)
      - traefik.http.routers.websocket.entrypoints=websecure
      - traefik.http.routers.websocket.service=wss
      - traefik.http.routers.websocket.tls.certresolver=myresolver
      - traefik.http.services.wss.loadbalancer.server.port=${WEBSOCKET_PORT}
      - traefik.tcp.services.wss.loadbalancer.proxyprotocol.version=2
```
How do I solve this issue?
I have deployed a SOLR container using docker and traefik. When I tried to access the API in my react app, I am getting a CORS error. I have looked up online and tried many solutions but nothing seems to work. This is my docker compose file:
```yaml
version: '3.7'
services:
  solr:
    image: solr:latest
    container_name: solr
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - "8983:8983"
    volumes:
      - /data/solr:/var/solr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.solr.entrypoints=http"
      - "traefik.http.routers.solr.rule=Host(`solr.exdomain.com`) || Host(`www.solr.exdomain.com`)"
      - "traefik.http.middlewares.solr-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.solr.middlewares=solr-https-redirect,redirect-www-to-non-www@file"
      - "traefik.http.routers.solr-secure.entrypoints=https"
      - "traefik.http.routers.solr-secure.rule=Host(`solr.exdomain.com`) || Host(`www.solr.exdomain.com`)"
      - "traefik.http.routers.solr-secure.tls=true"
      - "traefik.http.routers.solr-secure.service=solr"
      - "traefik.http.routers.solr-secure.middlewares=solr-https-redirect,redirect-www-to-non-www@file"
      - "traefik.http.services.solr.loadbalancer.server.port=8983"
      - "traefik.docker.network=proxy"
      - "traefik.http.middlewares.cors.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
      - "traefik.http.middlewares.cors.headers.accesscontrolallowheaders=*"
      - "traefik.http.middlewares.cors.headers.accesscontrolalloworiginlist=*"
      - "traefik.http.middlewares.cors.headers.addvaryheader=true"
networks:
  proxy:
    external: true
```
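Added example, not part of either post: with the Docker provider, each label creates the router or middleware named in its key, and a middleware defined by labels does nothing until a router lists it. The lint below flags label-defined middlewares that no router attaches and rule-less routers whose name nearly matches another router, run over labels copied from the two compose files above; the function names and the 0.9 similarity threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# traefik.http.<routers|middlewares>.<name>.<option>=<value>
LABEL_RE = re.compile(
    r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.([^=]+)=(.*)$", re.I)

def parse_labels(labels):
    """Group router options by router name; collect defined middleware names."""
    routers, middlewares = defaultdict(dict), set()
    for raw in labels:
        m = LABEL_RE.match(raw.strip().strip('"'))
        if not m:
            continue  # services, tcp labels, traefik.enable, ...
        kind, name, option, value = m.groups()
        if kind.lower() == "routers":
            routers[name][option.lower()] = value
        else:
            middlewares.add(name)
    return routers, middlewares

def lint(labels, similarity=0.9):
    """Return (finding, detail) tuples for one container's label list."""
    routers, defined = parse_labels(labels)
    attached = set()
    for opts in routers.values():
        for ref in opts.get("middlewares", "").split(","):
            name, _, provider = ref.strip().partition("@")
            if name and provider in ("", "docker"):  # skip e.g. name@file
                attached.add(name)
    findings = [("unattached-middleware", n) for n in sorted(defined - attached)]
    for name in sorted(routers):
        if "rule" in routers[name]:
            continue  # only rule-less routers are typo candidates
        for other in sorted(routers):
            if ("rule" in routers[other] and
                    SequenceMatcher(None, name, other).ratio() >= similarity):
                findings.append(("possible-router-typo", f"{name} ~ {other}"))
    return findings

# Labels copied from the two compose files posted above (subset).
HOMELAB_LABELS = [
    "traefik.http.middlewares.traefik-https_internal-redirect.redirectscheme.scheme=https",
    "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https",
    "traefik.http.routers.traefik.rule=Host(`traefik.local.domain.tld`)",
    "traefik.http.routers.traefik.middlewares=traefik-https_internal-redirect",
    "traefik.http.routers.traefik-secure.rule=Host(`traefik.local.domain.tld`)",
    "traefik.http.routers.traefuk-secure.tls=true",
    "traefik.http.routers.traefik-secure.tls.certresolver=myresolver",
]
SOLR_LABELS = [
    "traefik.http.routers.solr.rule=Host(`solr.exdomain.com`)",
    "traefik.http.middlewares.solr-https-redirect.redirectscheme.scheme=https",
    "traefik.http.routers.solr.middlewares=solr-https-redirect,redirect-www-to-non-www@file",
    "traefik.http.routers.solr-secure.rule=Host(`solr.exdomain.com`)",
    "traefik.http.routers.solr-secure.middlewares=solr-https-redirect,redirect-www-to-non-www@file",
    "traefik.http.middlewares.cors.headers.accesscontrolalloworiginlist=*",
]
```

`lint(HOMELAB_LABELS)` reports the unattached `sslheader` middleware and the `traefuk-secure` router; `lint(SOLR_LABELS)` reports that `cors` is defined but attached to no router.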
Hi,
I am setting up a new cluster as my old one broke and I couldn't recover it. I had traefik set up before but now my nodes are on talos linux instead of ubuntu.
I was following this guide by techno tim https://youtu.be/G4CmbYL9UPg?si=sueaCSz8ldkmNVwy but I can't seem to get it working. I keep getting a 404 page not found, which leads me to believe metallb is working but traefik either won't redirect the traffic or traefik can't find the service.
I installed using helm and the values.yaml file down the bottom.
If anyone can help that would be great
dashboard-ingress.yaml
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
  annotations:
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.tinytown.au`)
      kind: Rule
      middlewares:
        - name: traefik-dashboard-basicauth
          namespace: traefik
      services:
        - name: api@internal
          kind: TraefikService
```
dashboard-middleware.yaml
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-basicauth
  namespace: traefik
spec:
  basicAuth:
    secret: traefik-dashboard-auth
```
values.yaml
```yaml
globalArguments:
  - "--global.sendanonymoususage=false"
  - "--global.checknewversion=false"
additionalArguments:
  - "--serversTransport.insecureSkipVerify=true"
  - "--log.level=DEBUG"
deployment:
  enabled: true
  replicas: 2
  annotations: {}
  podAnnotations: {}
  additionalContainers: []
  initContainers: []
ports:
  web:
    redirectTo:
      port: websecure
      priority: 10
  websecure:
    http3:
      enabled: true
    advertisedPort: 4443
    tls:
      enabled: true
ingressRoute:
  dashboard:
    enabled: false
providers:
  kubernetesCRD:
    enabled: true
    ingressClass: traefik-external
    allowExternalNameServices: true
  kubernetesIngress:
    enabled: true
    allowExternalNameServices: true
    publishedService:
      enabled: false
rbac:
  enabled: true
service:
  enabled: true
  type: LoadBalancer
  annotations: {}
  labels: {}
  spec:
    loadBalancerIP: 192.168.10.81 # this should be an IP in the MetalLB range
  loadBalancerSourceRanges: []
  externalIPs: []
```
Hi all,
I’m setting up Traefik as a reverse proxy and followed this video to get started. So far, Traefik works great for Docker services on the same machine, but I’m running into a problem with a service on another device on my LAN.
Here’s the situation:
• The service is hosted on a local IP and I’m using Pi-hole for resolving A and CNAME records.
• The URL is secured with an SSL certificate, but when I access it, I get a “404 Not Found” error.
• My goal is to eventually use subdomain prefixes for services like Jellyfin and Home Assistant, but first I need to figure out why Traefik can’t resolve the local IP.
I’ve shared my config.yml here.
Any advice on troubleshooting this issue or pointers on the configuration would be highly appreciated! Thanks in advance!