Traefik Docker broken

Ok, sorry, for some reason I was thinking there would be a docker-compose file somewhere, but I guess with unraid they have their own type of “template” which ultimately defines what to run on the CLI. So if your container is started but you can’t access it, check the logs and see if there’s anything interesting there.

If you can post whatever unraid uses to deploy the container on the CLI that would be helpful, and also the redacted traefik.toml config.

I’m aware of what unraid is but have not used it and so I’m not familiar with how it manages docker containers.

No problem. Let me figure out the easiest way to get the CLI output (it only shows in the GUI if you make an edit and spin the container back up, but it may show in the server logs). Then I’ll post the contents of the toml file. Bear with me, and I appreciate the assistance.

 ################################################################
#
# Configuration sample for Traefik v2.
#
# For Traefik v1: https://github.com/containous/traefik/blob/v1.7/traefik.sample.toml
#
################################################################

################################################################
# Global configuration
################################################################
[global]
  checkNewVersion = false
  sendAnonymousUsage = false

################################################################
# Entrypoints configuration
################################################################

# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"
	
  [entryPoints.traefik]
    address = ":8080"
	
  [http.routers]
    [http.routers.encrypted]
	  rule = "Host(domain.com)"
	  service = "websafe"
	  [http.routers.encrypted.tls]
	    certResolver = "letsencrypt"
	  
	[http.routers.unencrypted]
	  rule = "Host(www.domain.com)"
	  service = "websafe"

  [http.middlewares]
    scheme = "https"
	  
  [certificatesResolvers.letsencrypt.acme]
    email = "emailaddress"
	storage = "/etc/traefik/acme/acme.json"
	[certificatesResolvers.letsencrypt.acme.dnsChallenge]
	  provider = "cloudflare"
	  
  [[acme.domains]]
    main = "*.domain.com"
	sans = "domain.com"  

################################################################
# Traefik logs configuration
################################################################

# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
[log]

  # Log level
  #
  # Optional
  # Default: "ERROR"
  #
  level = "DEBUG"

  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  filePath = "/etc/traefik/log/traefik.log"

  # Format is either "json" or "common".
  #
  # Optional
  # Default: "common"
  #
  format = "common"

################################################################
# Access logs configuration
################################################################

# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
[accessLog]

  # Sets the file path for the access log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  filePath = "/etc/traefik/log/accessLog.txt"

  # Format is either "json" or "common".
  #
  # Optional
  # Default: "common"
  #
  format = "common"

################################################################
# API and dashboard configuration
################################################################

# Enable API and dashboard
[api]

  # Name of the related entry point
  #
  # Optional
  # Default: "traefik"
  #
  # entryPoints = "traefik"

  # Enabled Dashboard
  #
  # Optional
  # Default: true
  #
  dashboard = true

################################################################
# Ping configuration
################################################################

# Enable ping
[ping]

  # Name of the related entry point
  #
  # Optional
  # Default: "traefik"
  #
  entryPoint = "traefik"

################################################################
# Docker configuration backend
################################################################

# Enable Docker configuration backend
[providers.docker]

  # Docker server endpoint. Can be a tcp or a unix socket endpoint.
  #
  # Required
  # Default: "unix:///var/run/docker.sock"
  #
  # endpoint = "tcp://10.10.10.10:2375"
  endpoint = "unix:///var/run/docker.sock"

  # Default host rule.
  #
  # Optional
  # Default: "Host(`{{ normalize .Name }}`)"
  #
  defaultRule = "Host(`{{ normalize .Name }}.docker.localhost`)"

  # Expose containers by default in traefik
  #
  # Optional
  # Default: true
  #
  exposedByDefault = false
  
  # TLS setting for the connection to Docker. Accepts any certificate presented
  # by the server and any host name in that certificate.
  [providers.docker.tls]
    insecureSkipVerify = true

And here is the CLI output from the GUI:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='traefik' --net='bridge' -e TZ="America/New_York" -e HOST_OS="Unraid" -e 'CF_API_KEY'='redacted' -e 'CF_API_EMAIL'='emailaddresshere' -l 'traefik.enable'='true' -l 'traefik.backend'='traefik' -l 'traefik.frontend.rule'='Host:domain.com' -l 'traefik.frontend.headers.SSLHost'='domain.com' -l 'traefik.frontend.auth.basic.usersFile'='/shared/.htpasswd' -l 'traefik.docker.network'='bridge' -l 'traefik.frontend.headers.SSLRedirect'='true' -l 'traefik.frontend.headers.STSSeconds'='315360000' -l 'traefik.frontend.headers.browserXSSFilter'='true' -l 'traefik.frontend.headers.contentTypeNosniff'='true' -l 'traefik.frontend.headers.forceSTSHeader'='true' -l 'traefik.frontend.headers.STSIncludeSubdomains'='true' -l 'traefik.frontend.headers.STSPreload'='true' -l 'traefik.frontend.headers.frameDeny'='true' -l 'traefik.port'='8080' -p '443:443/tcp' -p '8080:8080/tcp' -v '/mnt/user/appdata/traefik':'/etc/traefik':'rw' -v '/mnt/user/appdata/traefik/shared':'/shared':'rw' -v '/var/run/docker.sock':'/var/run/docker.sock':'ro' 'traefik'

So the docker command on the CLI is passing a bunch of v1.x configuration options (you can tell by the traefik.frontend and traefik.backend options). Those are all different now, so you would need to update all of those parameters.

Do you know where that configuration comes from? Is that what the unraid XML template includes maybe?

Correct. All of the frontend.headers options were in the template (provided by containious).

Ok I found the template you’re referring to, by benderstwin on github: https://github.com/benderstwin/docker-templates/blob/master/Bender-traefik.xml
Problem confirmed: benderstwin is declaring traefik:latest (now pointing to v2.0) but using v1.7 labels so that’s why you can’t get it working. If you can edit that template, the quick fix is to change the Repository tag to traefik:v1.7

Just to clarify, the template is not provided by containous, it was written by benderstwin (props to benderstwin btw for providing the template!).

I opened an issue on the github repo:

Oh, that could be my mistake - I did try using both of the templates available (one was containous, the other was Ben’s.)

My toml file is from containious:

https://raw.githubusercontent.com/containous/traefik/v2.0/traefik.sample.toml

Would it not be easier to just remove the labels? Those are set up on the container and in the GUI it’s a simple matter to just click Remove on each of the bad ones.

Probably. I’m not sure if any of them are necessary assuming you configure everything you need in the toml file. I would just recommend going through each one and looking at the documentation to make sure. Anything that uses frontend or backend in the label you can remove.

1 Like

I’m going to start with trying that. Hopefully that will do the trick. If not, I am about ready to give up and just settle for SSH into the box from the outside world.

Okay, I officially give up. Traefik 2.0 is just not for me. I’m reverting back to 1.7, using my old config and calling it a day. I just do not have the patience to learn an entirely new system that is actually more difficult to use than the last version with no added benefit to me. Maybe enterprise users can see the benefit, because containious definitely is pushing paid support options now, but that’s not for me. This is just so I can set up reverse proxying on my home lab. I thought it was cooler than nginx, but now it’s just unwieldy. :frowning: I do appreciate your assistance.

I get it. I spent a good amount of time learning 2.0 (luckily I wasn’t in a panic due to a broken system), but I did run into plenty of trouble and had to ask some questions on their forum before I could get anything working at all.
There’s not much benefit if you’re using only basic functionality, but for me it’s a matter of being able to get new updates and potentially use the more advanced features that are available with 2.0 that 1.7 couldn’t do.
I also use nginx in my home lab, and for a setup that doesn’t change often traefik really isn’t a big advantage as their specialty is dynamic routing whenever the underlying services change.

1 Like

Exactly that. The system was up and running just fine for months with no issue (other than some minor things like Let’s Encrypt not auto-renewing, but I fixed that one).

The good news is that the guide I had originally used here:

updated since 1.6 when I first started using Traefik. He also recommended staying away from 2.0 for now. I got most everything back up except for my webserver, but that’s a task for another day. Nothing was actually on the webserver. Haha.

Maybe one day I’ll come back to traefik 2.0, but the documentation needs to improve greatly. It’s too difficult for me to piece together all the different things from the small snippets they have now. And not a lot of explanation of what each field/configuration item does.

FYI someone just submitted a pull request for that unraid template so that should be integrated in soon.

1 Like

Oh nice! Thanks for the heads up!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.