I've deleted my original reply in hopes you will get this notification. I have a gift. No longer will you need to open all your containers' 25565 ports. Here is my docker compose file in case you need an example. I can safely say this router by itzg works just as you would want Traefik to work. Obviously change YOURDOMAIN.com to yours and make sure your server volumes are set correctly etc.
Hope you get this working like I have :)
The apiextensions.k8s.io/v1beta1 API version of CustomResourceDefinition is no longer served as of v1.22.
Migrate manifests and API clients to use the apiextensions.k8s.io/v1 API version, available since v1.16.
All existing persisted objects are accessible via the new API
https://kubernetes.io/docs/reference/using-api/deprecation-guide/
Probably you should do a helm repo update, as I have traefik installed with that chart.
I cannot access it, however it did trigger new errors on Traefik so we seem to be progressing!
This is the error triggered in `docker logs`:

```
level=error msg="Unable to obtain ACME certificate for domains \"monitor.local.dev\": unable to generate a certificate for the domains [monitor.local.dev]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/" providerName=lets-encrypt.acme routerName=api@file rule="Host(`monitor.local.dev`)"
```
Thank you for your insights. My DNS provider is indeed Cloudflare. I'm using both my Cloudflare e-mail and Global API key.
I've taken the time to read up on the DNS challenge and how it works here.
Looking at Cloudflare's DNS page I can see two _ACME_Challenge TXT records are created when I recreate Traefik. They are removed after 2 minutes or so. I didn't post the full log originally since it times out waiting for DNS propagation (2 minutes). In the middle it shows this.

```
traefik | 2020-07-11T19:38:00.972120566Z time="2020-07-11T19:38:00Z" level=debug msg="legolog: [INFO] [domain.house] acme: Trying to solve DNS-01"
traefik | 2020-07-11T19:38:00.972206023Z time="2020-07-11T19:38:00Z" level=debug msg="legolog: [INFO] [domain.house] acme: Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53]"
traefik | 2020-07-11T19:38:00.972293429Z time="2020-07-11T19:38:00Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
traefik | 2020-07-11T19:38:01.023248427Z time="2020-07-11T19:38:01Z" level=debug msg="legolog: [INFO] [domain.house] acme: Waiting for DNS record propagation."
```
Do you think maybe I should go ask the Cloudflare forums perhaps?
Edit1: I did end up posting about this in Cloudflare's forum. Maybe they know.
I have the same setup as well for a home server, but with Cloudflare in front as a proxy. Works really well, and Cloudflare's free tier is quite generous.
Depends really on your requirements however.
I wouldn't waste the time anyway. The CPU usage for a small website is insane; I can't imagine anyone using this in production. I would have to dedicate an entire node just for the ingress controller if using Traefik. Nginx is still superior IMO.
For a small setup you can go with jwilder nginx + letsencrypt companion; for k8s I recommend the nginx controller from kubernetes.io + cert-manager from jetstack.
You should be using the staging environment for testing, and then switch to the live one once you've worked your kinks out.
https://letsencrypt.org/docs/staging-environment/
Live has a duplicate cert limit of 5 per week. Staging has a dup limit of 30,000 per week.
To add on to this, Let's Encrypt has a staging environment that can be used to test your config. The staging environment has significantly higher rate limits.
See the Let's Encrypt rate limiting documentation. It allows 50 requests per week per domain.
It seems like your ACME configuration here is wrong, and that it failed 50 times.
I'd recommend working on fixing your ACME config with another domain (or subdomain) until you get it working, and then replicate the fixes to the configuration with the domain you wanted.
For example, if you are trying to provision a certificate for mywebsite.com, modify your configuration and generate certs for test.mywebsite.com. If you reach the limit again, simply change the subdomain again, until you figure out what's wrong with your configuration.
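The staging-first workflow the two comments above describe, as an added example that is not from anyone in this thread: a Traefik v2 static configuration with a Let's Encrypt staging resolver for debugging the Cloudflare DNS-01 challenge, kept apart from the production resolver so failed attempts never count against the live limits. The e-mail address and storage paths are placeholders.

```yaml
# Added example (not from the thread): traefik.yml static configuration.
# Point routers at `le-staging` (tls.certresolver=le-staging) while debugging;
# switch to `le-prod` only once staging issues a certificate without errors.
certificatesResolvers:
  le-staging:
    acme:
      email: admin@example.com                  # placeholder
      storage: /letsencrypt/acme-staging.json   # separate state file from production
      # Staging CA: very high rate limits, but its certificates are NOT browser-trusted,
      # so verify success in the Traefik logs / acme-staging.json, not in a browser.
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        # Cloudflare credentials come from the environment (lego provider):
        # CF_DNS_API_TOKEN (scoped token, preferred) or CF_API_EMAIL + CF_API_KEY (Global key).
        provider: cloudflare
        # Ask public resolvers rather than the local cache so the _acme-challenge
        # TXT record is checked where Let's Encrypt will actually see it.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
        delayBeforeCheck: 30s                   # give Cloudflare time to publish the record
  le-prod:
    acme:
      email: admin@example.com                  # placeholder
      storage: /letsencrypt/acme.json
      # caServer omitted: defaults to the production directory
      # https://acme-v02.api.letsencrypt.org/directory (5 duplicate certs per week).
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
```

Only the `caServer` and `storage` values differ between the two resolvers, so a configuration proven against `le-staging` carries over to `le-prod` unchanged.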
> Update: I don't know how or why, but changing the CNAME record to just an A record with the server's IP fixed the issue. Thank you so much for the help mate!
Glad you could solve it! Now that you mention it, I've also actually only used A records whenever I'm setting this up, so I've never actually thought about it or faced any issue there. Did a quick search; the only mention of A records is in this part of the Traefik docs. Here is the quote from the link, especially the bold part:

> You can set SANs (alternative domains) for each main domain. **Every domain must have A/AAAA records pointing to Traefik.** Each domain & SAN will lead to a certificate request.

Perhaps that's the reason. Just curious, a CNAME should only be used to point to another name, right? Does Cloudflare not prevent you from typing an IP address when entering a CNAME record? Would be good info to know if I ever use Cloudflare or someone else does haha.
> Any way I can buy you a beer/coffee (or other substance of choice)?
I've been thinking about how to move forward with my blog/guides and I have several materials/topics I want to start fleshing out. Since you kindly asked, I just created a buymeacoffee page here. I honestly am still exploring whether there are better ways (don't want to end up putting the donation requirement too high), but this seems to be a decent start from what I've researched at the moment. If you have heard better reviews of other platforms, I will be eager to know as well!
Thanks for the tips. I am trying to get Crafty Controller running. It is a Minecraft server web control panel. It works fine without traefik, and it tries to connect to 8000, but is not going over https.
After quite a lot of googling, I found a similar issue on the traefik forums. Still working out how to resolve it though.
0.3 in that case means you averaged 0.3 requests per second over the minute prior to the point it's plotted on your graph. The prometheus docs explain the caveats and differences between rate() and other functions like irate().
I'm not that savvy about grafana, but I'm guessing it's mostly a permissions issue. I run grafana with the same user id as my host, which isn't necessarily best practice for docker but I haven't dug deeper yet.
Assuming you don't have grafana data, or you've moved it to a backup folder, try this:
```sh
mkdir -p $DOCKERDIR/grafana/var
```

(so the folder has $PUID permissions)

```yaml
  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    restart: unless-stopped
    networks:
      - traefik_proxy
      - default
    security_opt:
      - no-new-privileges:true
    # ports:
    #   - "3000:3000"
    user: "$PUID:$GUID"
    volumes:
      - $DOCKERDIR/grafana/var:/var/lib/grafana
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.grafana-rtr.entrypoints=https"
      # Traefik v2 Host() matchers take the hostname in backticks
      - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.grafana-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.grafana-rtr.service=grafana-svc"
      - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
```
If you're looking to get more into grafana's user id stuff this link might help.
Hmmmm, had not thought about using a Pi.
Would something like Raspberry Pi 4 8gb work?
Regardless, something new to research 😬
Thanks
> Are you saying my dns provider needs to be updated to point to my NordVPN up address?
>
> Yes traefik works without nord on but once nord turns on it it stops. My containers are working behind nord but not traefik.

I'm saying this is not really a traefik issue. This is relevant to Docker, OpenVPN, IPTables and it should be investigated as such. It's very much out of scope for the sub and there's not really enough information to assist you with your issue.
I'd suggest reading about how Docker networking works with Iptables as well as what happens when a VPN connects and changes route tables and forwarding.
Are you saying my dns provider needs to be updated to point to my NordVPN up address?
Yes traefik works without nord on but once nord turns on it it stops. My containers are working behind nord but not traefik.
If you suspect this has anything to do with iptables, as in it is not providing access, you might try turning it off or actually check which *tables you actually use. They changed it so often, I lost the overview of that.
Can you elaborate a bit on what exactly you did? Please give some precise examples, because perhaps we might be not on the same page. Do you want to route ALL traffic through Nord? Or only outgoing? This part is unclear.
Just recently I read somewhere that you need to take certain measures to be able to access services reversely through a generic "VPN" (glorified proxy) provider. For example, some providers let you open ports (you mentioned that) but also let you pay for dedicated IP addresses. Doesn't that mean that, in your situation, once your server has a global VPN running, you need to connect to the VPN server's IP address? Which in turn would mean that you wouldn't be able to connect through the usual domain, as it is mapped to the wrong IP address while connected to NordVPN.
Finally, forget LAN behaviour. That's a special case, so don't compare connecting over local IP with connecting over public IP. There is some additional exceptional behaviour going on regarding this.