Disclaimer: My Docker and my Traefik knowledge is weak. I have several times tried following the Traefik docs and I usually just get confused, possibly because I want to tackle more than the simplest of cases but also, I'm sure I am missing some fundamentals.
In my current setup, I can create a web-based (port 80) Docker service that Traefik v2 picks up, creates a LE cert, redirects from http:80 to https:443, and exposes. Below is my docker-compose.yml for Traefik and also one for a sample service that works.
Let's say, however, that my web-based service really wants to run on a port other than 80. For instance, I want to run statping, which runs on port 8080. Is it possible, given the SSL setup that I currently have, to wire it up such that I can expose the entry point http://statping.MYTLD and rely on Traefik to: 1. redirect to https://statping.MYTLD, 2. obtain the certificate, and 3. expose my statping Docker container? Can Traefik handle the Acme http challenge even though the underlying service is not running on port 80? I figure it can, since my working sample isn't even exposing a port past the container level.
Note: I am most familiar with Docker Compose but perhaps for a service like statping, I need to figure out how to write my own DOCKERFILE so that I can cajole it into running on port 80 instead of port 8080?
Thanks for any insight!
Traefik docker-compose.yml:
version: "3.3"
networks:
  traefik:
    external: true
services:
  traefik:
    image: "traefik:v2.3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      # FOR TESTING.
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=craig@wereallconnected.ca"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
Sample service docker-compose.yml:
version: "3.3"
networks:
  traefik:
    external: true
services:
  whoami2:
    image: "traefik/whoami"
    container_name: "simple-service2"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami2.rule=Host(`whoami2.MYTLD`)"
      - "traefik.http.routers.whoami2.entrypoints=websecure"
      - "traefik.http.routers.whoami2.tls.certresolver=myresolver"
    networks:
      - traefik
    restart: unless-stopped
Best Answer
From the traefik docs:
So if whoami was listening on 8080 and didn't expose exactly one port, you should specify the label: