Traefik Disable tls for only 1 container


Good morning, I am setting up a bastion container, here is my compose docker file:

traefik:
        restart: always
        image: traefik
        container_name: traefik
        hostname: traefik
        command:
          - --log.level=info
          - --api.insecure=true
          - --providers.docker
          - --providers.docker.exposedbydefault=false
          - --entrypoints.web.address=:80
          - --entrypoints.web-secure.address=:443
          - --entryPoints.smtp.address=:25
          - --entryPoints.smtp-ssl.address=:465
          - --entryPoints.imap-ssl.address=:993
          - --entryPoints.sieve.address=:4190
          - --entryPoints.ssh-proxy.address=:8022
          - --metrics.prometheus=true
          - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
          - --providers.docker.watch
          - --certificatesresolvers.myresolver.acme.httpchallenge=true
          - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
          - --certificatesresolvers.myresolver.acme.email=mail@mail
          - --certificatesresolvers.myresolver.acme.storage=/certs/acme.json
        ports:
          - 80:80
          - 443:443
          - 8080:8080
          - 25:25
          - 465:465
          - 993:993
          - 4190:4190
          - 8022:8022
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - /var/log/traefik:/var/log
          - ./traefik/certs:/certs
        networks:
          - backend
          - frontend
        labels:
          - traefik.http.middlewares.traefik-redirect-web-secure.redirectscheme.scheme=https
[...]
trasa_app:
        image: seknox/trasa:v1.1.4
        container_name: trasa_app
        restart: always
        labels:
          - traefik.enable=true
          - traefik.http.middlewares.bastion-redirect-web-secure.redirectscheme.scheme=https
          - traefik.http.routers.bastion-web.middlewares=bastion-redirect-web-secure
          - traefik.http.routers.bastion-web.rule=Host(`bastion.${DOMAINNAME}`)
          - traefik.http.routers.bastion-web.entrypoints=web
          - traefik.http.routers.bastion-web-secure.rule=Host(`bastion.${DOMAINNAME}`)
          #- traefik.http.routers.bastion-web-secure.tls.certresolver=myresolver
          - traefik.http.routers.bastion-web-secure.tls=false
          - traefik.http.routers.bastion-web-secure.entrypoints=web-secure
          - traefik.tcp.routers.ssh-proxy.rule=HostSNI(`*`)
          - traefik.tcp.routers.ssh-proxy.entrypoints=ssh-proxy
          - traefik.tcp.routers.ssh-proxy.service=ssh-proxy
          - traefik.tcp.services.ssh-proxy.loadbalancer.server.port=8022
        environment:
          - TRASA.LISTENADDR=bastion.${DOMAINNAME}
          - TRASA.AUTOCERT=true
          - DATABASE.SERVER=pgdb
          - REDIS.SERVER=redis:6379
          - PROXY.GUACDADDR=guacd:4822
        volumes:
          - /tmp/trasa/accessproxy/guac:/tmp/trasa/accessproxy/guac
        links:
          - pgdb:pgdb
          - redis:redis
          - guacd:guacd
        networks:
          - frontend
          - backend

Here is my problem: when traefik manages the container certificate of trasa_app, I get an error "Error while setting TCP connection deadline: set tcp {ip}: use of closed network connection"

So what I want to do is disable obtaining the certificate from the traefik container so that the trasa_app container manages its own certificate. So I added the label traefik.http.routers.bastion-web-secure.tls=false, but when I access bastion.domainname, the certificate is "TRAEFIK DEFAULT CERT" (https://i.stack.imgur.com/9GVKi.png)

How can I make it so that traefik does not manage the trasa certificate?

Thank you very much in advance,

Dimox

When traefik manages the certificate, the trasa container does not have the key so there is an error... When the trasa container manages the certificate, the traefik container returns a default certificate and not the trasa one...

There are 1 best solutions below

You can define what Traefik will use as the default certificate by defining a TLSStore as seen here.
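
The TLSStore setting this answer refers to, as an added example that is not part of the original answer: a dynamic-configuration file for Traefik's file provider that sets the default certificate. The file name `dynamic.yml`, the certificate and key file names, and the mount path `/etc/traefik` are assumptions; the certificate and key themselves have to be supplied.

```yaml
# dynamic.yml (assumed file name), loaded by Traefik's file provider.
# The certificate of the "default" store is what Traefik presents when no
# other certificate matches the requested server name, in place of the
# self-signed "TRAEFIK DEFAULT CERT".
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /certs/bastion.crt   # assumed path inside the traefik container
        keyFile: /certs/bastion.key    # assumed path; restrict read access to Traefik

# Additions to the traefik service of the compose file so that the file
# above is loaded (shown as comments because they belong to another file):
#
#   command:
#     - --providers.file.filename=/etc/traefik/dynamic.yml
#   volumes:
#     - ./traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
#     - ./traefik/certs:/certs        # already present in the question's file
```

The default certificate is served to every client whose requested host name matches no other certificate, so its subject names should cover only hosts that are meant to be reachable through this Traefik instance.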