What’s Wrong with this Docker and Traefik setup v2.5?

  docker, docker-compose, traefik, ubuntu

I’m trying to get this to work on a home local server, but no meaningful errors show up. I’m not sure if I need to change something on the machine itself or if my config is incorrect.

I’m using Ubuntu Desktop 20.04; it’s basically a fresh install.

When I run docker hello-world or any docker CLI command for running containers, I am able to access things just fine, but when I try my docker-compose files, I get:
Error code: SEC_ERROR_INADEQUATE_KEY_USAGE
I’m guessing something with my resolver is incorrect? I tried a lot of different things, but am unsure.
Below are the files that I’m working through to get it to work.

version: '3.7'
services:

  dockerproxy:
    container_name: dockerproxy
    image: tecnativa/docker-socket-proxy
    privileged: true
    restart: always
    logging:
      driver: journald
    environment:
      CONTAINERS: 1
    restart: always
    networks:
      - traefik
    ports:
      - 2375
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  traefik:
    image: traefik:v2.5
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - dockerproxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - default
      - traefik
      - serverpublic
      - serverprivate
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./config:/configurations
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./logs/traefik.log:/traefik.log
      - ./acme/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # Services - Dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "trae[email protected]file,[email protected]"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "[email protected]"
      - "traefik.http.services.traefik.loadbalancer.server.port=8070"


networks:
  traefik:
    external: true
  serverpublic:
    external: true
  serverprivate:
    external: true

traefik.yml

# Traefik v2.5 - traefik.yml 2021

api:
  dashboard: true

# Writing Logs to a File, in JSON
log:
 level: DEBUG
 filePath: "log-file.log"
 format: json

# Configuring a buffer of 100 lines
accessLog:
 filePath: "log-access.log"
 bufferingSize: 100

# Configure metrics for prometheus
metrics:
  prometheus: {}

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "tcp://dockerproxy:2375"
    network: "traefik"
    exposedByDefault: false

certificatesResolvers:
  letsencrypt:
    acme:
      email: [email protected]
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: http
  http:
    acme:
      email: [email protected]
      storage: acme.json
      httpChallenge:
        entryPoint: http

configuration/dynamic.yml

# traefik dynamic config/rules

http:
  middlewares:

    https_redirect:
      redirectScheme:
        scheme: https
        permanent: true

    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000

    user-auth:
      basicAuth:
        users:
          - "royadmin:$$password"
  middlewares-rate-limit:
    rateLimit:
      average: 100
      burst: 50


tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12

Then below is another separate service that I’m trying to test, but going to the local server IP shows the same error code I mentioned above:

Basic Page Service, just an html page for testing

version: '3.7'
services:

  # homex is Caddy instance listening to port 80 and serving an index.html.
  homex:
    build:
      context: .
      dockerfile: ./dockerfiles/home-dockerfile
    networks:
      - traefik
      - serverpublic

    labels:
      - "traefik.enable:true"
      - "traefik.http.routers.homex.rule=Host(`localhost`)"
      - "traefik.http.routers.homex.entrypoints=https"
      - "traefik.http.routers.homex.tls.certresolver=letsencrypt"

networks:
   traefik:
      external: true
   serverpublic:
      external: true

Here is a traceback when I do run Traefik with the docker-compose.yml:

Starting dockerproxy ... done
Starting traefik     ... done
Attaching to dockerproxy, traefik
dockerproxy    | [WARNING] 296/204816 (1) : Can't open server state file '/var/lib/haproxy/server-state': No such file or directory
dockerproxy    | Proxy dockerbackend started.
dockerproxy    | Proxy dockerfrontend started.
dockerproxy    | [NOTICE] 296/204816 (1) : New worker #1 (8) forked
traefik        | time="2021-10-24T13:48:17-07:00" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
dockerproxy    | 172.26.0.5:57914 [24/Oct/2021:20:48:17.459] dockerfrontend dockerbackend/dockersocket 0/0/0/4/4 200 1046 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/version HTTP/1.1"
dockerproxy    | 172.26.0.5:57914 [24/Oct/2021:20:48:17.464] dockerfrontend dockerbackend/dockersocket 0/0/0/1/1 200 12881 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/json?limit=0 HTTP/1.1"
dockerproxy    | 172.26.0.5:57914 [24/Oct/2021:20:48:17.466] dockerfrontend dockerbackend/dockersocket 0/0/0/1/1 200 9752 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/a456f49a4f73a3292b45a1461091a35869df5e633de6e841d0dca26512836bfa/json HTTP/1.1"
dockerproxy    | 172.26.0.5:57914 [24/Oct/2021:20:48:17.467] dockerfrontend dockerbackend/dockersocket 0/0/0/1/1 200 6718 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/ab644f8795bd0e860496580bab303f86c176b1ee4872f3f34241510bd8c7c2fe/json HTTP/1.1"
dockerproxy    | 172.26.0.5:57914 [24/Oct/2021:20:48:17.468] dockerfrontend dockerbackend/dockersocket 0/0/0/0/0 200 7739 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/c552360b115fa00063f6ab998790925b642abe3369f1721f69df1d6a01ad73a7/json HTTP/1.1"
dockerproxy    | 172.26.0.5:57914 [24/Oct/2021:20:48:17.468] dockerfrontend dockerbackend/dockersocket 0/0/0/0/0 200 7366 - - ---- 1/1/0/0/0 0/0 "GET /v1.24/containers/aa08018aa3a644b86e33eb2f79898e91bf16bc35b7669bbce6ea673e84681b56/json HTTP/1.1"

Finally, I was looking at this: https://doc.traefik.io/traefik/middlewares/http/redirectscheme/
Would I specify that, redirect from HTTP to HTTPS, as a label on any new services I add, or how do I test it?

If I’m missing anything else, please let me know.

Source: Docker Questions
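
An added example, not part of the original post: an offline check over list-form Compose labels and port entries like the ones above. It flags label entries with no `=`, routers that request an ACME resolver for special-use names such as `localhost`, and a `docker.sock`-mounting service whose port is published to the host. The function names and the `SERVICES` sample (values copied from the post) are assumptions of this example.

```python
import re

# Special-use names that no public ACME CA issues certificates for.
INTERNAL = re.compile(r"(^|\.)(localhost|local|internal|test|invalid|example)$")
HOST_RULE = re.compile(r"Host\(`([^`]+)`\)")
ROUTER_RULE = re.compile(r"traefik\.http\.routers\.([^.]+)\.rule")

def parse_labels(items):
    labels, findings = {}, []
    for item in items:
        key, sep, value = item.partition("=")  # Compose splits on the first '='
        if not sep:  # the whole string becomes a label name with an empty value
            findings.append(f"label without '=': {item!r}")
        labels[key] = value
    return labels, findings

def lint_service(name, svc):
    labels, findings = parse_labels(svc.get("labels", []))
    if any(k.startswith("traefik.") for k in labels) and labels.get("traefik.enable") != "true":
        findings.append("traefik.enable is not 'true' (skipped when exposedByDefault is false)")
    for key, rule in labels.items():
        m = ROUTER_RULE.fullmatch(key)
        if m:
            resolver = labels.get(f"traefik.http.routers.{m.group(1)}.tls.certresolver")
            for host in HOST_RULE.findall(rule):
                if resolver and INTERNAL.search(host):
                    findings.append(f"router {m.group(1)}: ACME resolver {resolver!r} "
                                    f"cannot obtain a certificate for {host!r}")
    mounts_socket = any("docker.sock" in v for v in svc.get("volumes", []))
    for port in svc.get("ports", []):
        # A bare container port is published on a random host port, on all interfaces.
        if mounts_socket and ":" not in str(port):
            findings.append(f"port {port} of a docker.sock-mounting service is published")
    return [f"{name}: {f}" for f in findings]

# Constructed sample: labels, ports and volumes copied from the compose files in the post.
SERVICES = {
    "dockerproxy": {"ports": [2375], "volumes": ["/var/run/docker.sock:/var/run/docker.sock:ro"]},
    "traefik": {"ports": ["80:80", "443:443", "8080:8080"], "labels": [
        "traefik.enable=true",
        "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)",
        "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)",
        "traefik.http.routers.traefik.tls.certresolver=letsencrypt"]},
    "homex": {"labels": [
        "traefik.enable:true",
        "traefik.http.routers.homex.rule=Host(`localhost`)",
        "traefik.http.routers.homex.tls.certresolver=letsencrypt"]},
}
if __name__ == "__main__":
    print(*(f for n, s in SERVICES.items() for f in lint_service(n, s)), sep="\n")
```

When a router has no matching certificate, Traefik falls back to its self-signed default certificate, so findings of the second kind show up in the browser as certificate errors rather than in the Traefik log.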
