Docker-compose with traefik, Cloudflare

jonathan1304 · April 26, 2023, 1:43pm

Hello, I’ve also having problems with Passbolt Traefik and Cloudflare. I’ve also seen the tutorial of Techno Tim and Christian Lempa but I can’t reach the passbolt login screen and I’m getting Bad Gateway error.

Here is my passbolt docker-compose.yaml:

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=cloudflare-email
      - CF_DNS_API_TOKEN=cloudflare-api-token
      # - CF_API_KEY=YOUR_API_KEY
      # be sure to use the correct one depending on if you are using a token or key
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ubuntu/traefik/data/traefik.yaml:/traefik.yaml:ro
      - /home/ubuntu/traefik/data/acme.json:/acme.json
      - /home/ubuntu/traefik/data/config.yml:/config.yml:ro
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.entrypoints=web'
      - 'traefik.http.routers.traefik.rule=Host(`traefik-dashboard-internal.home.example.com`)'
      - 'traefik.http.middlewares.traefik-auth.basicauth.users=ubuntu:test'
      - 'traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https'
      - 'traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https'
      - 'traefik.http.routers.traefik.middlewares=traefik-https-redirect'
      - 'traefik.http.routers.traefik-secure.entrypoints=websecure'
      - 'traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard-internal.home.example.com`)'
      - 'traefik.http.routers.traefik-secure.middlewares=traefik-auth'
      - 'traefik.http.routers.traefik-secure.tls=true'
      - 'traefik.http.routers.traefik-secure.tls.certresolver=cloudflare'
      - 'traefik.http.routers.traefik-secure.tls.domains[0].main=home.example.com'
      - 'traefik.http.routers.traefik-secure.tls.domains[0].sans=*.home.example.com'
      - 'traefik.http.routers.traefik-secure.service=api@internal'

networks:
  proxy:
    external: true

I’m using the following traefik configurations:

traefik.yaml

api:
  dashboard: true
  debug: true
entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ':443'
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: mail@example.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - '1.1.1.1:53'
          - '1.0.0.1:53'

And here my traefik configuration file with the SslHeaders from passbolt and other services:

config.yml

http:
  #region routers
  routers:
    esxi1:
      entryPoints:
        - 'websecure'
      rule: 'Host(`esxi1.home.example.com`)'
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: esxi1
    vcenter:
      entryPoints:
        - 'websecure'
      rule: 'Host(`vcenter.home.example.com`)'
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: vcenter
    synology:
      entryPoints:
        - 'websecure'
      rule: 'Host(`synology.home.example.com`)'
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: synology
    plex:
      entryPoints:
        - 'websecure'
      rule: 'Host(`plex.home.example.com`)'
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: plex
    minio:
      entryPoints:
        - 'websecure'
      rule: 'Host(`minio.home.example.com`)'
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: minio
    # idrac:
    #   entryPoints:
    #     - 'websecure'
    #   rule: 'Host(`idrac.home.example.com`)'
    #   middlewares:
    #     - idrac
    #     - https-redirectscheme
    #   tls: {}
    #   service: idrac
    # idrac-console:
    #   entryPoints:
    #     - 'idrac' # REQUIRED for iDRAC virtual console: Create a new TCP entry point in traefik on port 5900
    #   rule: 'Host(`idrac.home.example.com`)'
    #   middlewares:
    #     - idrac
    #     - https-redirectscheme
    #   tls: {}
    #   service: idrac-console
  #endregion

  #region services
  services:
    esxi1:
      loadBalancer:
        servers:
          - url: 'https://10.1.10.16'
        passHostHeader: true
    vcenter:
      loadBalancer:
        servers:
          - url: 'https://10.1.10.21'
    synology:
      loadBalancer:
        servers:
          - url: 'https://10.1.10.12'
        passHostHeader: true
    plex:
      loadBalancer:
        servers:
          - url: 'https://10.1.10.105:32400'
        passHostHeader: true
    minio:
      loadBalancer:
        servers:
          - url: 'https://10.1.10.12:9000'
        passHostHeader: true
    # idrac:
    #   loadBalancer:
    #     servers:
    #       - url: 'https://10.1.10.14'
    #     passHostHeader: true
    # idrac-console:
    #   loadBalancer:
    #     servers:
    #       - url: 'https://10.1.10.14:5900'
    #     passHostHeader: true

  #endregion

  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    idrac:
      headers:
        frameDeny: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    SslHeader:
      headers:
        FrameDeny: true
        AccessControlAllowMethods: 'GET,OPTIONS,PUT'
        AccessControlAllowOriginList:
          - origin-list-or-null
        AccessControlMaxAge: 100
        AddVaryHeader: true
        BrowserXssFilter: true
        ContentTypeNosniff: true
        ForceSTSHeader: true
        STSIncludeSubdomains: true
        STSPreload: true
        ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
        CustomFrameOptionsValue: SAMEORIGIN
        ReferrerPolicy: same-origin
        PermissionsPolicy: vibrate 'self'
        STSSeconds: 315360000

    # default-whitelist:
    # ipWhiteList:
    #   sourceRange:
    #   - "10.0.0.0/8"
    #   - "10.1.10.0/16"
    #   - "172.16.0.0/12"

    secured:
      chain:
        middlewares:
          # - default-whitelist
          - default-headers

I hope we can solve the issue together… but I don’t know how I can add this tls.yaml from passbolt docs:

tls.yaml

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      curvePreferences:
        - CurveP521
        - CurveP384
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

can I add them to the portainer labels?

I hope somebody can help us out to close issue.

thanks

Best regards
Jonathan

garrett · April 26, 2023, 2:55pm

We don’t have an official tutorial on this. @clayton I might have time tomorrow to go through it.

Until then, maybe someone will figure it out and post a better guide.

hackmann · April 26, 2023, 5:14pm

Hi, i am new here, and no expert.

But I have faced the same problem with passbolt/traefik.

I will tell what I did, it may help you.

First, try to change to http (http://name.com:13080) in traefik config.yml…

If that works with your current setup, that is good and i would suggest a second test.

Change the port number back to https (https://name.com:13443) in traefik config.yml.

I think, just a guess, you are using labels on passbolt docker-compose file and, at same time, using middlewares on config.yml on traefik. For what I could notice, I guess, that creates two routes to same destination, keeping a loop on https entrypoint.

So, I woult suggest a trial and error… just comment out in the traeffik config.yml file (i bet you have), in the middlewares passbolt section, the " - https-redirectscheme".

traeffik - config.yml - example:

http:
  #region routers
  routers:
    XXXXX: 
      entryPoints:
        - 'websecure'
      rule: 'Host(`passbolt.yourdomain.com`)'
      middlewares:
        - default-headers
        # - https-redirectscheme   ---> comment out here 
      tls: {}
      service: xxxxxx

What i am trying to say is that (at least worked for me) if you are already using labels to redirect on passbolt docker-compose file ( - ‘traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https’ and ‘traefik.http.routers.traefik.middlewares=traefik-https-redirect’), using middlewares to redirect again will give the “bad gateway”.

Try to see if that helps. You can revert back in a blink if goes wrong.

To be honest, I would comment out the entire route section on traefik config.yml file, since you have defined the setup by labels on passbolt docker-compose file already. I may be completely wrong about your setup or about the passbolt/traefik systematic. I am just guessing… and that worked for me.

Hope that helps.

cheerz!

ps. I have made some editions on this text to make myself clear, since I am from Brazil and english is not my best.

jonathan1304 · April 27, 2023, 2:06pm

I’m now getting this error in the passbolt logs.

Exception: Connection to Mysql could not be established: SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed: Temporary failure in name resolution

In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php, line 133]

Any ideas why this is happening due to my docker-compose.yaml?

version: '3.9'
name: passbolt
services:
  db:
    image: mariadb:10.3
    restart: unless-stopped
    env_file:
      - .env
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=true
      - MYSQL_DATABASE=$MYSQL_DATABASE
      - MYSQL_USER=$MYSQL_USER
      - MYSQL_PASSWORD=$MYSQL_PASSWORD
    volumes:
      - /home/ubuntu/passbolt/data/mysql:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: unless-stopped
    networks:
      - proxy
    depends_on:
      - db
    env_file:
      - .env
    environment:
      - APP_FULL_BASE_URL=$APP_FULL_BASE_URL
      - DATASOURCES_DEFAULT_HOST=$DATASOURCES_DEFAULT_HOST
      - DATASOURCES_DEFAULT_USERNAME=$DATASOURCES_DEFAULT_USERNAME
      - DATASOURCES_DEFAULT_PASSWORD=$DATASOURCES_DEFAULT_PASSWORD
      - DATASOURCES_DEFAULT_DATABASE=$DATASOURCES_DEFAULT_DATABASE
      - EMAIL_TRANSPORT_DEFAULT_HOST=$EMAIL_TRANSPORT_DEFAULT_HOST
      - EMAIL_TRANSPORT_DEFAULT_PORT=$EMAIL_TRANSPORT_DEFAULT_PORT
      - EMAIL_TRANSPORT_DEFAULT_USERNAME=$EMAIL_TRANSPORT_DEFAULT_USERNAME
      - EMAIL_TRANSPORT_DEFAULT_PASSWORD=$EMAIL_TRANSPORT_DEFAULT_PASSWORD
      - EMAIL_TRANSPORT_DEFAULT_TLS=$EMAIL_TRANSPORT_DEFAULT_TLS
      - EMAIL_DEFAULT_FROM=$EMAIL_DEFAULT_FROM
    volumes:
      - /home/ubuntu/passbolt/data:/etc/passbolt/gpg
      - /home/ubuntu/passbolt/data:/etc/passbolt/jwt
    command:
      [
        '/usr/bin/wait-for.sh',
        '-t',
        '0',
        'db:3306',
        '--',
        '/docker-entrypoint.sh',
      ]
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.passbolt.entrypoints=http'
      - 'traefik.http.routers.passbolt.rule=Host(`passbolt.example.com`)'
      - 'traefik.http.middlewares.passbolt-https-redirect.redirectscheme.scheme=https'
      - 'traefik.http.routers.passbolt.middlewares=passbolt-https-redirect'
      - 'traefik.http.routers.passbolt-secure.entrypoints=https'
      - 'traefik.http.routers.passbolt-secure.rule=Host(`passbolt..example.com`)'
      - 'traefik.http.routers.passbolt-secure.tls=true'
      - 'traefik.http.routers.passbolt-secure.service=passbolt'
      - 'traefik.docker.network=proxy'
      - 'traefik.http.routers.passbolt-http.middlewares=SslHeader@file'
      - 'traefik.http.routers.passbolt-https.middlewares=SslHeader@file'

networks:
  proxy:
    external: true

garrett · April 27, 2023, 4:14pm

@jonathan1304 What error are you referring to?

jonathan1304 · April 27, 2023, 4:39pm

Sorry, my mistake. I forgot the error message above.

Now its there.

hackmann · April 27, 2023, 5:07pm

Hi, i will try to help…
I will make some comments on your file, ok?

version: '3.9'
name: passbolt
services:
  db:
    image: mariadb:10.3
    restart: unless-stopped
    env_file:
      - .env
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=true
      - MYSQL_DATABASE=$MYSQL_DATABASE
      - MYSQL_USER=$MYSQL_USER
      - MYSQL_PASSWORD=$MYSQL_PASSWORD
    volumes:
     # - /home/ubuntu/passbolt/data/mysql:/var/lib/mysql  # I had all kinds of trouble trying to change this.... so, try leaving as :
      - database_volume:/var/lib/mysql #default settings

  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: unless-stopped
    networks:
      - proxy
    depends_on:
      - db
    #env_file: #i do not use this and .env file is working normally, so try to comment out
     # - .env
    environment:
      - APP_FULL_BASE_URL=$APP_FULL_BASE_URL # try not to use variable here : https://xxxx.domain.com
      - DATASOURCES_DEFAULT_HOST=$DATASOURCES_DEFAULT_HOST # # try not to use variable here : db
      - DATASOURCES_DEFAULT_USERNAME=$DATASOURCES_DEFAULT_USERNAME
      - DATASOURCES_DEFAULT_PASSWORD=$DATASOURCES_DEFAULT_PASSWORD
      - DATASOURCES_DEFAULT_DATABASE=$DATASOURCES_DEFAULT_DATABASE
      - EMAIL_TRANSPORT_DEFAULT_HOST=$EMAIL_TRANSPORT_DEFAULT_HOST  # try not to use variable here : if you are using gmail try: ssl://smtp.gmail.com
      - EMAIL_TRANSPORT_DEFAULT_PORT=$EMAIL_TRANSPORT_DEFAULT_PORT # # try not to use variable here : 465
      - EMAIL_TRANSPORT_DEFAULT_USERNAME=$EMAIL_TRANSPORT_DEFAULT_USERNAME
      - EMAIL_TRANSPORT_DEFAULT_PASSWORD=$EMAIL_TRANSPORT_DEFAULT_PASSWORD
     # - EMAIL_TRANSPORT_DEFAULT_TLS=$EMAIL_TRANSPORT_DEFAULT_TLS  # try not to use variable here :null
      - EMAIL_TRANSPORT_DEFAULT_TLS=null
      - EMAIL_DEFAULT_FROM=$EMAIL_DEFAULT_FROM:  # try not to use variable here : your real email@gmail.com
    volumes:
      #- /home/ubuntu/passbolt/data:/etc/passbolt/gpg #had problems changing location here
      #- /home/ubuntu/passbolt/data:/etc/passbolt/jwt #had problems changing location here
   
#add this:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt

     command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
 
#command:
#     [
#      '/usr/bin/wait-for.sh',
#     '-t',
#    '0',
#3   'db:3306',
 #     #  '--',
       # '/docker-entrypoint.sh',
      #]


    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.passbolt.entrypoints=http'
      - 'traefik.http.routers.passbolt.rule=Host(`passbolt.example.com`)'
      - 'traefik.http.middlewares.passbolt-https-redirect.redirectscheme.scheme=https'
      - 'traefik.http.routers.passbolt.middlewares=passbolt-https-redirect'
      - 'traefik.http.routers.passbolt-secure.entrypoints=https'
      - 'traefik.http.routers.passbolt-secure.rule=Host(`passbolt..example.com`)' # there are two dots here in domain
      - 'traefik.http.routers.passbolt-secure.tls=true'
      - 'traefik.http.routers.passbolt-secure.service=passbolt'
      - 'traefik.docker.network=proxy'
      - 'traefik.http.routers.passbolt-http.middlewares=SslHeader@file'
      - 'traefik.http.routers.passbolt-https.middlewares=SslHeader@file'

#add this:

volumes:
  database_volume: {}
  gpg_volume: {}
  jwt_volume: {}

networks:
  proxy:
    external: true

Some notes:

I tried do all by variables like you did, and did not work. I think I read on passbolt documentation about allowed variables. So i left those I saw on documentation that was allowed.
Trying to change the passbolt volume directory location just gave me headeaches, did not work. Only worked with default location: “- database_volume:/var/lib/mysql”.
do not forget the “add this” part at end of file, after “labels” and before networks:
I assume you dont have a database yet with password. So, delete the passbolt and database containers, and passbolt / database volumes to start a clean install. Remember, every time you delete the passbolt and database volumes you will destroy all data… Since you are installing, better to start with a fresh install always until it works. It will avoid a lot of new problems.

See if that helps. Did work for me.

garrett · April 28, 2023, 8:38pm

Let me break it off into a new thread it’s a good point @hackmann