I'm using Traefik to get an SSL certificate for my fastapi application in a container. After spinning up the container I could find that my SSL certificate is just fine, but my website would throw me a "Bad Gateway" error.
Below are relevant parts of my docker-compose, a Dockerfile.traefik, which is built inside the docker-compose, and a traefik.prod.toml that is used within it.
For the api entrypoint, I'm using a python module toncinta-api (you can see it as the entrypoint of the service api in my docker-compose), which contains the command uvicorn.run("api:app", host='0.0.0.0')
Docker-compose:

    .
    .
    api:
      image: toncinta/toncinta-python:chime
      container_name: toncinta-api-default
      #ports:
      #  - "80:80"
      expose:
        - 80
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.fastapi.rule=Host(`toncinta-api.com`)"
        - "traefik.http.routers.fastapi.tls=true"
        - "traefik.http.routers.fastapi.tls.certresolver=letsencrypt"
      stdin_open: true
      tty: true
      entrypoint: toncinta-api
    traefik: # new
      build:
        context: .
        dockerfile: Dockerfile.traefik
      ports:
        - 80:80
        - 443:443
      volumes:
        - "/var/run/docker.sock:/var/run/docker.sock:ro"
        - "./traefik-public-certificates:/certificates"
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.dashboard.rule=Host(`dashboard.toncinta-api.com`) && (PathPrefix(`/`)"
        - "traefik.http.routers.dashboard.tls=true"
        - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
        - "traefik.http.routers.dashboard.service=api@internal"

Dockerfile.traefik

    # Dockerfile.traefik
    FROM traefik:v2.9.6
    COPY ./traefik.prod.toml ./etc/traefik/traefik.toml

traefik.prod.toml

    # traefik.prod.toml
    [entryPoints]
      [entryPoints.web]
        address = ":80"
        [entryPoints.web.http]
          [entryPoints.web.http.redirections]
            [entryPoints.web.http.redirections.entryPoint]
              to = "websecure"
              scheme = "https"
      [entryPoints.websecure]
        address = ":443"

    [accessLog]

    [api]
      dashboard = true

    [providers]
      [providers.docker]
        exposedByDefault = false

    [certificatesResolvers.letsencrypt.acme]
      email = "[email protected]"
      storage = "/certificates/acme.json"
      [certificatesResolvers.letsencrypt.acme.httpChallenge]
        entryPoint = "web"

I suspect this might be related to the ports I expose/use for uvicorn server and traefik. I followed some related stackoverflow discussions, but could not find a fix.
As doneforaiur pointed out, I managed to resolve it by adding a port to the command like so:

    uvicorn.run("api:app", host='0.0.0.0', port=5000)

and explicitly exposing it as a port in the service definition of my web service in docker-compose. But now my problem is that only toncinta-api.com gets HTTPS and browsers dismiss www.toncinta-api.com as insecure. Is that something to do with how traefik configures the certificates, again, something to be changed still in my docker-compose?
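
An added example, not part of the original post: the `api` service from the compose file above with the backend port pinned and both hostnames named in the router rule. It assumes uvicorn listens on port 5000 as in the command above, and that `www.toncinta-api.com` has a DNS record pointing at the same host (the HTTP challenge needs it); the `||` rule and the `loadbalancer.server.port` label are Traefik v2 syntax.

```yaml
# Added example (not the poster's file): only the api service is shown.
services:
  api:
    image: toncinta/toncinta-python:chime
    container_name: toncinta-api-default
    # entrypoint runs uvicorn.run("api:app", host='0.0.0.0', port=5000)
    entrypoint: toncinta-api
    expose:
      - 5000          # must match the port uvicorn actually listens on
    labels:
      - "traefik.enable=true"
      # With no tls.domains set, the ACME resolver requests a certificate
      # for the hostnames named in the router's Host() rule. A hostname
      # that is missing here is not routed and gets no certificate of its
      # own, so browsers see a certificate that does not match it.
      - "traefik.http.routers.fastapi.rule=Host(`toncinta-api.com`) || Host(`www.toncinta-api.com`)"
      - "traefik.http.routers.fastapi.tls=true"
      - "traefik.http.routers.fastapi.tls.certresolver=letsencrypt"
      # Tell Traefik which container port to forward to instead of letting
      # it guess; a mismatch with the listening port yields "Bad Gateway".
      - "traefik.http.services.fastapi.loadbalancer.server.port=5000"
```

After recreating the containers, the certificate served for each hostname can be inspected with `openssl s_client -connect www.toncinta-api.com:443 -servername www.toncinta-api.com` to confirm that the name is covered.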