Traefik: HTTPS access between applications does not work

1
votes

in our setup we use the latest traefik as reverse-proxy which has routes to a demo confluence and a keycloak server.

         traefik 
         |     |
confluence     keycloak

Each application has it's own docker-compose file and is started separately.

Traefik defines a virtual network, confluence and keycloak are also in this network. With the correct DNS settings it is possible for a user to access traefik, confluence and keycloak. It works as expected.

To use the keycloak web SSO system it is necessary the confluence system is able to access keycloak and vice versa using the FQDN and HTTPS using traefik. This does not work.

It is possible to connect to the services directly (we suppose that's due to the shared network), but if we i.e. connect to the keycloak container and do something like

curl -k https://confluence.our.domain -v

we can see a connection to the docker-host is done (the IP matches) but traefik seems not to do any routing.

If we connect to the keycloak container and do

curl -k -v -H 'Host: confluence.our.domain' https://traefik

the routing is done.

Any suggestions, what we are doing wrong or what we should check out?

Any help is appreciated, Christoph

2
dockertraefik
What IP do you get when you do ping confluence.our.domain in the machine where curl doesn't workTarun Lalwani
"ping: confluence.our.domain: Name or service not known" The Docker DNS settings seem not to be correct. Currently I try to find the correct place in the docker-compose.yml to set all used FQDNs as alias for the traefik container.flexguse
Try inserting a host entry with the FQDN with the traefic IP using extra_hosts in the compose fileTarun Lalwani
Thanks a lot for that hint! We added the extra hosts entries leading to the traefik reverse-proxy and now the routing works. Maybe it is a better idea to set the DNS server, but we are happy this solution works.flexguse

2 Answers

1
votes

For DNS based configuration that will work with all the containers talking to traefik, use the following network "alias" section in your compose.yml file::

version: '3.3'

networks:
  proxy:
    external:
      name: proxy

services:
  traefik:
    image: traefik:1.4
    networks:
    - proxy:
        aliases:
        - confluence.our.domain

The aliases can be a list and will apply to the DNS for everything on the "proxy" network in the above example.

1
votes

You should insert a host entry in the containers using extra_host key in your compose file. You want to create the FQDN pointing to your traefik reverse-proxy

This will make sure you use correct host name for the https to be valid and the routing to work

version: '3'
service:
  xyz:
    extra_host:
      - "confluence.our.domain:<traefikip>"
  ...