I'm working with a machine with only port 443 open. I have multiple services on this machine and I am using traefik as a port forwarding system. Currently, I can operate and run my Mesh instance flawlessly (even websockets are working behind traefik!). However, I am trying to run Mender behind this as well. The issue is that Mender also uses traefik. It seems to me that the service Mender is running all well and good. I can create a user and login and such. However, I can't access it over the port 443, which is what I want to do.
Here is my docker-compose.yml for traefik now:
```yaml
version: '3'
services:
  traefik:
    image: traefik:v2.8
    restart: always
    container_name: traefik
    ports:
      - '80:80' # http
      - '443:443' # https
      - '8080:8080' # dashboard port
    command:
      ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
      - --providers.docker=true # Set docker as the provider for traefik
      - --providers.docker.exposedbydefault=false # You need to whitelist containers that will be exposed to traefik
      - --providers.file.filename=/dynamic.yml # Referring to the https upgrade file
      - --providers.docker.network=web # Use the docker network web for communication between traefik and containers
      ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ##
      - --entrypoints.web.address=:80 # Define an entrypoint for port :80 named web (this can be whatever)
      ## Certificate Settings (Let's Encrypt) - https://docs.traefik.io/https/acme/#configuration-examples ##
      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.mytlschallenge.acme.email=xxxxxx@xxxxxxxxxx.com
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
      - --entrypoints.websecure.address=:443
      #- --entrypoints.web-secured.address=:443
      - "--api.insecure=true" # This enables the dashboard without any authentication
      - "--api.dashboard=true"
      - "--log.level=DEBUG"
      #- --entrypoints.http.address=:80
    volumes:
      - ./letsencrypt:/letsencrypt # Volume for certs (TLS)
      - /var/run/docker.sock:/var/run/docker.sock # Volume for docker admin
      - ./dynamic.yml:/dynamic.yml # Volume for dynamic conf file, **ref: the --providers.file.filename flag above
    networks:
      - web # Tell the container that it has access to this network
    labels:
      # enable traefik for this service
      - traefik.enable=true
      # Define the port inside of the Docker service to use
      - traefik.web.services.traefik-dashboard.loadbalancer.server.port=8080
      # Make Traefik use this domain in HTTP
      - traefik.web.routers.traefik-dashboard-http.entrypoints=web
      - traefik.web.routers.traefik-dashboard-http.rule=Host(`dashboard.localhost`)
      # make traefik use this network
      - traefik.docker.network=web
      #- traefik.http.routers.mender-old.rule=Host(`mender.localhost`)
      #- traefik.http.services.mender-old.loadbalancer.server.port=8084
networks:
  web:
    external: true
```
Here is my compose file for Mender, which is quite complicated. The main service is mender-api-gateway which is using traefik:
```yaml
version: '2.1'
services:
  #
  # mender-iot-manager
  #
  mender-iot-manager:
    image: mendersoftware/iot-manager:mender-3.4.0
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    depends_on:
      - mender-mongo
    labels:
      mender.healthcheck.path: "/api/internal/v1/iot-manager/health"
  #
  # mender-deployments
  #
  mender-deployments:
    image: mendersoftware/deployments:mender-3.4.0
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    depends_on:
      - mender-mongo
    labels:
      mender.healthcheck.path: "/api/internal/v1/deployments/health"
  #
  # mender-gui
  #
  mender-gui:
    image: mendersoftware/gui:mender-3.4.0
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    environment:
      - GATEWAY_IP
      - INTEGRATION_VERSION
      - MENDER_ARTIFACT_VERSION
      - MENDER_VERSION
      - MENDER_DEB_PACKAGE_VERSION
      - HAVE_DEVICECONNECT=1
      - HAVE_DEVICECONFIG=1
  #
  # mender-api-gateway
  #
  mender-api-gateway:
    image: traefik:v2.8
    ports:
      - "8082:8082"
      - "8080:8080"
      - "8084:8084"
    extends:
      file: common.yml
      service: mender-base
    # Enables the web UI and tells Traefik to listen to docker
    command:
      - --accesslog=true
      - --entrypoints.http.address=:8082
      - --entrypoints.http.http.redirections.entryPoint.scheme=https
      - --entrypoints.http.http.redirections.entryPoint.to=https
      - --entrypoints.https.address=:8084
      - --entryPoints.https.transport.respondingTimeouts.idleTimeout=7200
      - --entryPoints.https.transport.respondingTimeouts.readTimeout=7200
      - --entryPoints.https.transport.respondingTimeouts.writeTimeout=7200
      - --providers.file.directory=/etc/traefik/config
      - --api.insecure=true
      - --api.dashboard=true
      - --log.level=DEBUG
      # Enable ACME (Let's Encrypt): automatic SSL.
      - "[email protected]"
      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      # Global redirect to https
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mender-api-gateway-web.rule=Host(`mender.xxx.xxx.xxx`)"
      - "traefik.http.routers.mender-api-gateway-web.entrypoints=http"
      - "traefik.http.routers.mender-api-gateway-secure.rule=Host(`mender.xxx.xxx.xxx`)"
      - "traefik.http.routers.mender-api-gateway-secure.entrypoints=https"
      - "traefik.http.routers.mender-api-gateway-secure.tls.certresolver=mytlschallenge"
      - "traefik.http.services.mender-api-gateway.loadbalancer.server.port=8084"
      - "traefik.docker.network=web"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Dynamic configuration files
      - ./config/traefik/traefik.yaml:/etc/traefik/config/traefik.yaml:ro
      - ./config/traefik/traefik.middlewares.yaml:/etc/traefik/config/traefik.middlewares.yaml:ro
    networks:
      - mender
      - web
    # critical - otherwise nginx may not detect
    # these servers and exits with 'upstream server not found'
    depends_on:
      - mender-device-auth
      - mender-gui
      - mender-useradm
      - mender-inventory
  #
  # mender-device-auth
  #
  mender-device-auth:
    image: mendersoftware/deviceauth:mender-3.4.0
    environment:
      DEVICEAUTH_ORCHESTRATOR_ADDR: http://mender-workflows-server:8080/
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    depends_on:
      - mender-mongo
      - mender-workflows-server
    labels:
      mender.healthcheck.path: "/api/internal/v1/devauth/health"
  #
  # mender-inventory
  #
  mender-inventory:
    image: mendersoftware/inventory:mender-3.4.0
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    depends_on:
      - mender-mongo
    labels:
      mender.healthcheck.path: "/api/internal/v1/inventory/health"
  #
  # mender-useradm
  #
  mender-useradm:
    image: mendersoftware/useradm:mender-3.4.0
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    depends_on:
      - mender-mongo
    labels:
      mender.healthcheck.path: "/api/internal/v1/useradm/health"
  #
  # mender-workflows-server
  #
  mender-workflows-server:
    image: mendersoftware/workflows:mender-3.4.0
    environment:
      WORKFLOWS_MONGO_URL: mongodb://mender-mongo:27017
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    depends_on:
      - mender-mongo
      - mender-nats
    labels:
      mender.healthcheck.path: "/health"
  #
  # mender-workflows-worker
  #
  mender-workflows-worker:
    image: mendersoftware/workflows-worker:mender-3.4.0
    command: worker --excluded-workflows generate_artifact
    environment:
      WORKFLOWS_MONGO_URL: mongodb://mender-mongo:27017
      DEVICECONNECT_ADDR: "mender-deviceconnect:8080"
      HAVE_DEVICECONNECT: 1
      HAVE_DEVICECONFIG: 1
      DEVICECONFIG_ADDR: "mender-deviceconfig:8080"
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    depends_on:
      - mender-mongo
      - mender-nats
  #
  # mender-create-artifact-worker
  #
  mender-create-artifact-worker:
    image: mendersoftware/create-artifact-worker:mender-3.4.0
    extends:
      file: common.yml
      service: mender-base
    environment:
      - WORKFLOWS_MONGO_URL=mongodb://mender-mongo:27017
      - CREATE_ARTIFACT_GATEWAY_URL=https://mender-api-gateway
      - CREATE_ARTIFACT_DEPLOYMENTS_URL=http://mender-deployments:8080
    networks:
      - mender
    depends_on:
      - mender-mongo
      - mender-nats
  #
  # mender-deviceconnect
  #
  mender-deviceconnect:
    image: mendersoftware/deviceconnect:mender-3.4.0
    command: server --automigrate
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    depends_on:
      - mender-mongo
      - mender-nats
    environment:
      DEVICECONNECT_MONGO_URL: "mongodb://mender-mongo"
      DEVICECONNECT_NATS_URI: "nats://mender-nats:4222"
    labels:
      mender.healthcheck.path: "/api/internal/v1/deviceconnect/health"
  #
  # mender-deviceconfig
  #
  mender-deviceconfig:
    image: mendersoftware/deviceconfig:mender-3.4.0
    extends:
      file: common.yml
      service: mender-base
    networks:
      - mender
    depends_on:
      - mender-mongo
    command: server --automigrate
    labels:
      mender.healthcheck.path: "/api/internal/v1/deviceconfig/health"
  mender-mongo:
    image: mongo:4.4
    extends:
      file: common.yml
      service: mender-base
    networks:
      mender:
        aliases:
          - mongo-tenantadm
          - mongo-deployments
          - mongo-device-auth
          - mongo-inventory
          - mongo-useradm
          - mongo-workflows
  mender-nats:
    image: nats:2.6-alpine
    command: -js
    networks:
      - mender
networks:
  mender: null
  web:
    external: true
```
Besides the fact that Let's Encrypt SSL verification does not work at all, I can only access the service over the port which I specify (8084). I need it to work from 443. I have several other configuration files as well, and I'm sure having a traefik.yml file for configurations would be better. I am just really stuck on getting the page to load over 443 now. The other service, Mesh, works fine.
I tried to make Mender be able to be accessed over port 443 and I cannot figure out what I am doing wrong.
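Two things in the posted files stand out. The outer traefik (the one publishing 80 and 443) defines its entrypoints as `web` and `websecure`, but the labels on `mender-api-gateway` point its routers at entrypoints named `http` and `https`, which exist only inside the Mender gateway's own traefik, so the outer traefik, which also reads those labels through the docker provider, has no entrypoint to attach them to. Separately, both compose files publish host port 8080, which two containers cannot bind at the same time. The following is an added example, not the poster's configuration and not Mender's own compose file: a label set that the outer traefik can consume to route the Mender hostname on 443 to the gateway's HTTPS entrypoint (8084), together with a `serversTransport` entry for the outer traefik's `dynamic.yml` covering the proxy-to-proxy hop. The hostname `mender.example.com`, the transport name `mender-hop`, the CA file path and the router/service names are assumptions; the entrypoint names `web`/`websecure` and the resolver `mytlschallenge` are taken from the posted outer traefik configuration.

```yaml
# --- Fragment of the Mender compose file: labels read by the OUTER traefik ---
# Added example (not the poster's nor Mender's own configuration).
services:
  mender-api-gateway:
    image: traefik:v2.8
    # Do not publish 8080/8082/8084 here: only the outer traefik needs host
    # ports, and a second 8080:8080 collides with the outer traefik's binding.
    networks:
      - mender
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=web"            # talk to the gateway over the shared network
      # Plain-HTTP router on the outer `web` entrypoint (port 80): redirect to HTTPS
      - "traefik.http.routers.mender-web.rule=Host(`mender.example.com`)"   # assumed hostname
      - "traefik.http.routers.mender-web.entrypoints=web"
      - "traefik.http.routers.mender-web.middlewares=mender-to-https"
      - "traefik.http.middlewares.mender-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.mender-to-https.redirectscheme.permanent=true"
      # HTTPS router on the outer `websecure` entrypoint (port 443); the outer
      # traefik terminates TLS with the `mytlschallenge` resolver from its own config
      - "traefik.http.routers.mender-secure.rule=Host(`mender.example.com`)"
      - "traefik.http.routers.mender-secure.entrypoints=websecure"
      - "traefik.http.routers.mender-secure.tls=true"
      - "traefik.http.routers.mender-secure.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.mender-secure.service=mender-gateway"
      # Upstream is the gateway's own HTTPS entrypoint (8084). Its 8082 entrypoint
      # only redirects to HTTPS, so pointing the outer proxy at 8082 would loop.
      - "traefik.http.services.mender-gateway.loadbalancer.server.port=8084"
      - "traefik.http.services.mender-gateway.loadbalancer.server.scheme=https"
      - "traefik.http.services.mender-gateway.loadbalancer.serverstransport=mender-hop@file"

---
# --- dynamic.yml of the OUTER traefik (file provider) ---
# The hop between the two proxies is TLS; verify the inner gateway's certificate
# against a CA you control instead of disabling verification.
http:
  serversTransports:
    mender-hop:                                   # assumed transport name
      serverName: mender.example.com              # SNI/verification name the inner cert is issued for (assumed)
      rootCAs:
        - /letsencrypt/mender-gateway-ca.pem      # assumed path, mounted into the outer traefik container
      # insecureSkipVerify: true                  # weaker fallback if no CA is available for the inner cert
```

With this in place the outer traefik owns the public certificate for the hostname and the inner gateway no longer needs a reachable port 80 for its own ACME HTTP challenge, which is why its Let's Encrypt resolver could not validate behind a firewall that admits only 443. The outer traefik's `DEBUG` log is the quickest check: routers that reference an entrypoint the instance does not define are reported there, and the dashboard shows whether `mender-secure` attached to `websecure`. Since that dashboard is served with `--api.insecure=true` on 8080 without authentication, keep 8080 closed at the firewall as the post already describes, or drop the flag once the routing works.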