Closed filcuk closed 1 year ago
Just double checking, did you restart the container after updating the .env file? Also try running php artisan optimize in the docker CLI window. Laravel caches the .env file to improve performance.
Also in the cli you can run php artisan about to confirm your environment variables
I run php artisan optimize:
INFO Caching the framework bootstrap files.
config ........................................................... 35ms DONE
routes .......................................................... 123ms DONE
Tested > Restarted > Tested again
Still the same issue unfortunately
* Just to clarify, I did restart between .env changes previously
If you run php artisan about do you see your new APP_URL?
Confirmed. Not working also for me.
My docker-compose.yml:
version: '3.3'
services:
  speedtest-tracker:
    image: ghcr.io/alexjustesen/speedtest-tracker:v0.1.0-alpha7
    container_name: speedtest-tracker
    restart: unless-stopped
    ports:
      - 8008:80
    environment:
      TZ: Europe/Rome
      PUID: 1000
      PGID: 1000
      DB_CONNECTION: mysql
      DB_HOST: mariadb.axel.dom
      DB_PORT: 3306
      DB_DATABASE: speedtest_tracker
      DB_USERNAME: xxxxxxx
      DB_PASSWORD: xxxxxxx
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - $PWD/config:/config
Log at first start of the container:
Brought to you by serversideup.net
--------------------------------------------------------------------
To support Server Side Up projects visit:
https://serversideup.net/sponsor
-------------------------------------
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
SSL_MODE has set to FULL, setting the web server to work in HTTPS only...
Checking for Laravel automations...
An SSL key was not detected, so I'll generate a self-signed SSL certificate pair for you...
Linking the storage...
INFO The [public/storage] link has been connected to [storage/app/public].
Configuring Speedtest Tracker...
Environment file exists
Environment file exists
Creating symlinks to config and log files
App key exists
Fixing app path file permissions
Building the cache...
[21-Oct-2022 11:56:09] NOTICE: fpm is running, pid 110
[21-Oct-2022 11:56:09] NOTICE: ready to handle connections
[21-Oct-2022 11:56:09] NOTICE: systemd monitor interval set to 10000ms
Migrating the database...
-----
All set, starting Speedtest Tracker container...
Starting the queue worker...
127.0.0.1 - - [21/Oct/2022:11:56:10 +0200] "GET /ping HTTP/1.1" 301 162 "-" "curl/7.81.0"
Tried connecting to https://docker2.axel.dom:8008 (used https because from what I understand now it's forced in the container), browser response: ERR_SSL_PROTOCOL_ERROR.
Tried https://docker2.axel.dom:8008, response: ERR_CONNECTION_REFUSED
Log of the container after the two connection tests:
10.1.10.45 - - [21/Oct/2022:11:58:34 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03,~\x82@\xF7\xCB\xBB\xB0\xC4\x02F7\xC7\xBB@\x94\x1B\xD6\xAC\xC0G\xE6\xA5\x11\xA9u[Vh0\x91\xC7 \x9Eb\x87\xF3\xA1\x8D\xD6\x0F\x1E\x06\x00\xA6\xE0\x83"400 150 "-" "-"
10.1.10.45 - - [21/Oct/2022:11:58:34 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xEDB\x01\xAB\x82htu\xE6\xB4P\xEAa\xAA\xADH.N\x1FD3!\xA3]\x16\x07\x0C\xB5\xCB\x0E>} w\xD7\xF8\x5C\xEEtqw\xE7u\x03\xE3p\x9D\xA8C\xD3\x19\xC0b\xA9\xF4\xE0\xFF\xA7\xE9\xF9\x97.\xB6\xA1\xBA\x00\x22" 400 150 "-" "-"
10.1.10.45 - - [21/Oct/2022:11:58:34 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xAC\xC3\xA9E5\xC6\xCC,\xE2n\xDA,\x1BP\xBFqlW1\xDFF\xFFni\xC1m\xC4j\x9Em\xE3\xC3 \x81\x1D\x90D\x98C\xC5\x9Cf\xFD\x1C\xB4\xBA\xBBe\xD0j\xD6\xD6\xFE\x9DI\xDA\x85\x89\xAE\xB6K\xFF&\xC1E\x00\x22\xFA\xFA\x13\x01\x13\x02\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x01\x00\x01\x91JJ\x00\x00\x00\x00\x00\x15\x00\x13\x00\x00\x10docker2.axel.dom\x00\x17\x00\x00\xFF\x01\x00\x01\x00\x00" 400 150 "-" "-"
10.1.10.45 - - [21/Oct/2022:11:58:34 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03+\xB0\x04\x11\x5C\xAC\xE9^\xEC\xD7\xF5)=^x\xC3\xA8\xAF\xC0[U\xA9gi\xDA4 !*P\x97M \x00,L\x16\x89I\xBC\xE2\x86\xE3L\xC0f|rV\xB8\x8BP[\xC0T^\x82't\xFA_X\xD0[\x80\x00\x22::\x13\x01\x13\x02\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x01\x00\x01\x91zz\x00\x00\x00\x00\x00\x15\x00\x13\x00\x00\x10docker2.axel.dom\x00\x17\x00\x00\xFF\x01\x00\x01\x00\x00" 400 150 "-" "-"
10.1.10.45 - - [21/Oct/2022:11:58:36 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03H\xC5\x1D\x01K\x8DvI\x1A\xC6\xAE\xB8\xDB\xD1\xEC],\xE85~\x1F9\xD64\x08\xFC\x18\xDC\xDE\xA1\x18\xD2 i\x915y\xE9\x9E\x00Y\xAB\xA7\xA2\xEE\xF1\xE2c]\x03\xF2\xF2\xE1\xF5\x13Cc\xF6\xDF\xF6+\x7F\x90\xD4\xDA\x00\x22ZZ\x13\x01\x13\x02\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x01\x00\x01\x91JJ\x00\x00\x00\x00\x00\x15\x00\x13\x00\x00\x10docker2.axel.dom\x00\x17\x00\x00\xFF\x01\x00\x01\x00\x00" 400 150 "-" "-"
10.1.10.45 - - [21/Oct/2022:11:58:36 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x1D{N\x5CD\xB0ol\xE8[j\xD2\x87u\x9B\xC9\x0C\x81\xB2f\xE3z5\xE8\xE2\xF9_\xF3\xBB\xE1\xD6\x01 \xE4\x16:hV\xB2\x0Bl\xD3w\x83K\x89\xCAK\xD7\x15\x81x\x93R\x01\xD1}Zn" 400 150 "-" "-"
10.1.10.45 - - [21/Oct/2022:11:58:36 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03w\x1A'\xD1\x1E\xF5|\x09x\xC48\x5C\x8E\xBB\x13\xEB\x8C2\x07" 400 150 "-" "-"
10.1.10.45 - - [21/Oct/2022:11:58:36 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x0C\xAD\xD4\xABj\xB3Mr\xB2q\xDD\x03\x9A\xB4\xCD\xDD:i(=\x82\x14v" 400 150 "-" "-"
In browser network log, I'm getting 301 - moved permanently, if that helps
I have tried to change subdomain to make sure it's not traefik.
My compose:
speedtracker:
  image: ghcr.io/alexjustesen/speedtest-tracker:latest
  container_name: speedtracker
  networks:
    - t2_proxy
  volumes:
    - $DOCKERDIR/appdata/speedtracker:/config
  environment:
    - PUID=$PUID
    - PGID=$PGID
  labels:
    # Traefik
    - "traefik.enable=true"
    - "traefik.http.routers.speedtracker-rtr.entrypoints=https"
    - "traefik.http.routers.speedtracker-rtr.rule=Host(`speedtracker.$DOMAINNAME0`)"
    - "traefik.http.routers.speedtracker-rtr.middlewares=chain-authelia@file"
    - "traefik.http.routers.speedtracker-rtr.service=speedtracker-svc"
    - "traefik.http.services.speedtracker-svc.loadbalancer.server.port=80"
@alexdelprete change your port mapping to use the ssl internal port 443 instead of 80
If you run php artisan about do you see your new APP_URL?
yes
Using port 443 through Traefik, I'm landing on:
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx</center>
</body>
</html>
Container logs don't show anything new:
Starting the queue worker...
127.0.0.1 - - [21/Oct/2022:10:06:56 +0000] "GET /ping HTTP/1.1" 301 162 "-" "curl/7.81.0"
xxx.xxx.xxx.xxx- - [21/Oct/2022:10:07:02 +0000] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
xxx.xxx.xxx.xxx- - [21/Oct/2022:10:07:03 +0000] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
404 through localhost.
Another thing of note (maybe) is that I'm getting failure in checking the web server intermittently:
Building the cache...
[21-Oct-2022 10:09:01] NOTICE: fpm is running, pid 108
[21-Oct-2022 10:09:01] NOTICE: ready to handle connections
[21-Oct-2022 10:09:01] NOTICE: systemd monitor interval set to 10000ms
Migrating the database...
There seems to be a failure in checking the web server + PHP-FPM. Here's the response:
All set, starting Speedtest Tracker container...
Starting the queue worker...
127.0.0.1 - - [21/Oct/2022:10:09:02 +0000] "GET /ping HTTP/1.1" 301 162 "-" "curl/7.81.0"
It sometimes happens and sometimes not with the same config.
@alexdelprete change your port mapping to use the ssl internal port 443 instead of 80
Damn...that was so easy to fix, leftover from previous config. :)
Works through traefik, finally:
Question: in .env what should APP_URL be? I have APP_URL=http://localhost now. Should I change it?
Using port 443 through Traefik, I'm landing on
I'm using this for Traefik, and it's working:
speedtest:
  loadBalancer:
    servers:
      - url: "https://docker2.axel.dom:8008"
    passHostHeader: true
@alexdelprete you mind taking a look at @filcuk Traefik issue above and seeing if anything stands out?
nvm lol
@alexdelprete you mind taking a look at @filcuk Traefik issue above and seeing if anything stands out?
Sure, I already answered...;)
Question: how do I start manually the first test?
We need a discord channel for the project...:)
I'm not running Traefik in my homelab so if you have a config you both think is worth sharing I'll add it to the docs.
We need a discord channel for the project...:)
We get past 200 stars, I'll make one.
I'm not running Traefik in my homelab so if you have a config you both think is worth sharing I'll add it to the docs.
It's not worth it, it's a very basic config like any standard http/https service.
I'd add a full docker-compose.yml example to the docs.
@alexjustesen Alex, users could get confused about .env and config.yml: I would clear out the fact that .env variables pertains to the container and can be managed at docker level through environment config, and that config.yml pertains to the app configuration (runtime).
Personally, I prefer to have all env variables in the compose file and not have an .env, but it's subjective obviously. Would be good to explain users that you can configure them in both places. :)
.env is going to remain for all environmental configuration, config.yml is getting removed in an upcoming release and moved to a settings page so everything can be managed from the UI.
I still can't get it to work, getting bad request no matter what I try.
I'm running over 60 services via Traefik and I haven't seen this before, but @alexdelprete is running, so I'm flummoxed.
I'll get back to this issue when I figure it out, but thanks for your help so far
still can't get it to work, getting bad request no matter what I try.
Sometimes it's the simple things (like my port in the compose file above).
If you post the compose file and the .env / config.yml file I can try to help.
UPDATE: I saw you posted it, and this looks wrong, shouldn't it be 443?
- "traefik.http.services.speedtracker-svc.loadbalancer.server.port=80"
Thanks @alexdelprete, though I have updated the port since.
My compose:
speedtracker:
  image: ghcr.io/alexjustesen/speedtest-tracker:latest
  container_name: speedtracker
  networks:
    - t2_proxy
  volumes:
    - $DOCKERDIR/appdata/speedtracker:/config
  environment:
    - PUID=$PUID
    - PGID=$PGID
  labels:
    # Traefik
    - "traefik.enable=true"
    - "traefik.http.routers.speedtracker-rtr.entrypoints=https"
    - "traefik.http.routers.speedtracker-rtr.rule=Host(`speedtracker.$DOMAINNAME0`)"
    - "traefik.http.routers.speedtracker-rtr.middlewares=chain-authelia@file"
    - "traefik.http.routers.speedtracker-rtr.service=speedtracker-svc"
    - "traefik.http.services.speedtracker-svc.loadbalancer.server.port=443"
The .env is unchanged, though I've tested http://localhost, https://localhost as well as the actual host with rebooting and re-caching in between.
I've also removed all files in /config, the container, and re-spun fresh.
I've set up a local-only container with the same result:
speedtracker2:
  image: ghcr.io/alexjustesen/speedtest-tracker:latest
  container_name: speedtracker2
  restart: unless-stopped
  networks:
    - default
  ports:
    - "4430:443"
  volumes:
    - $DOCKERDIR/appdata/speedtracker-tmp:/config
  environment:
    - PUID=$PUID
    - PGID=$PGID
The only change was from port 80 getting permanent redirect to port 443 getting bad request.
php artisan about:
Environment ................................................................
Application Name ......................................... Speedtest Tracker
Laravel Version ..................................................... 9.36.4
PHP Version ......................................................... 8.1.11
Composer Version ..................................................... 2.4.2
Environment ..................................................... production
Debug Mode ............................................................. OFF
URL .............................................................. localhost
Maintenance Mode ....................................................... OFF
Cache ......................................................................
Config .............................................................. CACHED
Events .......................................................... NOT CACHED
Routes .............................................................. CACHED
Views ........................................................... NOT CACHED
Drivers ....................................................................
Broadcasting ........................................................... log
Cache ................................................................. file
Database ............................................................ sqlite
Logs ................................................................ stderr
Mail .................................................................. smtp
Queue ............................................................. database
Session ........................................................... database
Filament ...................................................................
Packages ................... filament, forms, notifications, support, tables
Version ........................................................... v2.16.35
Views ........................................................ NOT PUBLISHED
I'm at a loss
I'm at a loss
First thing I do in these cases, is making sure the docker container is working, bypassing traefik.
So in your case: in your compose file you are missing the ports section. Then in the local container you included it. I assume 4430 is the local port in the compose file, mapped to 443 in the container.
With the browser, if you point at https://docker.domain.dom:4430 what happens? This has to work, because it's not using traefik, you're going direct to the container.
If this doesn't work, it's a container config issue, if it works, it's traefik config issue.
Let me know...
I've mentioned above I get the same result when bypassing Traefik, which is the container web server returning 400:
I've set up a local-only container with the same result:
<html> <head><title>400 The plain HTTP request was sent to HTTPS port</title></head> <body> <center><h1>400 Bad Request</h1></center> <center>The plain HTTP request was sent to HTTPS port</center> <hr><center>nginx</center> </body> </html>
Which would eliminate Traefik as the cause.
Could this from my previous comment be relevant though:
There seems to be a failure in checking the web server + PHP-FPM. Here's the response:
With that said, I'm just testing the new release. We can let this stew and see if more people turn up with the same issue.
Sorry, I didn't understand you made the same test I described. :)
Well, that error means the internal nginx is not redirecting internally to HTTPS. I don't have the error you noticed (check failure).
The local-container must work, traefik has nothing to do with the issue.
Are you sure the local-only variables you used in the compose file are ok? Try with explicit values first, just to debug...
Not a clue if this would be helpful but in the base image they reference traefik and allowing it to direct traffic to a self-signed cert: https://github.com/serversideup/docker-php/tree/dev#the-easiest-way-to-get-a-trusted-certificate
Sorry, I didn't understand you made the same test I described. :)
No worries!
Not a clue if this would be helpful but in the base image they reference traefik and allowing it to direct traffic to a self-signed cert: https://github.com/serversideup/docker-php/tree/dev#the-easiest-way-to-get-a-trusted-certificate
Great tip, I've included env SSL_MODE=off to let Traefik handle the TLS and changed port back to 80, now it works.
May be worth adding to the documentation issue?
Great tip, I've included env SSL_MODE=off to let Traefik handle the TLS and changed port back to 80, now it works. May be worth adding to the documentation issue?
Could you also try with SSL_MODE=mixed please?
This doesn't explain why it's working for me with SSL_MODE=full. Except for one thing: does your traefik config allow SSL with self-signed certificates? Do you have this in the static config?
serversTransport:
  insecureSkipVerify: true
May be worth adding to the documentation issue?
I think this is a specific issue with your setup, because you can't even access the container bypassing traefik.
If Traefik is used, it has to be simply configured to accept self-signed certificates.
Could you also try with SSL_MODE=mixed please?
Can confirm mixed mode works fine too.
I've switched back to default full again to confirm the previous issue and it is present.
So mixed and off work fine, full does not.
If Traefik is used, it has to be simply configured to accept self-signed certificates.
I have this insecureSkipVerify currently disabled, I thought it may reduce security, but from what I'm just now reading, that doesn't seem to be the case.
Not really sure if there is any reason not to enable it.
So we found your specific problem: basically that setting regulates how Traefik should manage certificates on the backend side. If you set it to true, it will ignore the fact they're self-signed. On the public/frontend side, it will always use the public certificate. If you have it disabled, you won't be able to access backend services with self-signed certs.
The last mystery to solve is that you couldn't access the container directly with the browser with SSL_MODE=full. :)
The last mystery to solve is that you couldn't access the container directly with the browser with SSL_MODE=full. :)
I just re-spun a local container to test - that was user error, I was trying to access it on http://localip:4430, whereas it needed https
Finally, we solved all the mysteries. :)
So I would suggest to use SSL_MODE=mixed, and users can use 80 or 443 based on their specific setups. If behind a reverse-proxy, 443 must be used because of #34, and the reverse-proxy has to be configured to accept self-signed certificates.
Case closed. :)
I'm going to add to this because I just spent hours debugging this issue, trying everything posted here but nothing worked. What finally worked was adding the label - traefik.http.services.speedtest.loadbalancer.server.scheme=https to the speedtest container in addition to - --serversTransport.insecureSkipVerify=true in the traefik container as found here and now it finally works! This worked for me with SSL_MODE off, mixed or full (or commented out aka the default .env):
traefik:
  command:
    - --log.level=INFO # log levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
    - --api.insecure=true
    - --providers.docker=true
    - --providers.docker.exposedbydefault=false
    - --entrypoints.web.address=:80
    - --entrypoints.websecure.address=:443
    - --entrypoints.web.http.redirections.entrypoint.to=websecure
    - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
    - --certificatesresolvers.letsencrypt.acme.email=***
    - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
    - --serversTransport.insecureSkipVerify=true
speetest:
  labels:
    - traefik.enable=true
    - traefik.http.routers.speedtest.rule=Host(`speedtest.${DOMAINNAME}`)
    - traefik.http.routers.speedtest.tls=true
    - traefik.http.routers.speedtest.tls.certresolver=letsencrypt
    - traefik.http.services.speedtest.loadbalancer.server.port=443
    - traefik.http.services.speedtest.loadbalancer.server.scheme=https
What finally worked was adding the label - traefik.http.services.speedtest.loadbalancer.server.scheme=https to the speedtest container
This tells Traefik to access the container using https schema. So that implies that if you configure SSL_MODE=off in speedtest-tracker, it wouldn't work, because you have turned off HTTPS access in the container, and Traefik wouldn't be able to access it.
in addition to - --serversTransport.insecureSkipVerify=true in the traefik container as found here
This was recommended (in static config format, not labels, but it's the same setting) six posts above yours: https://github.com/alexjustesen/speedtest-tracker/issues/54#issuecomment-1287112077 and this is true for every service that uses self-signed certificates, not specific to ST.
What that person says in that post of 2019 is obvious (and confusing to traefik newbies): insecureSkipVerify tells Traefik that whenever it accesses an SSL service that has an insecure SSL certificate, it should ignore that issue and continue anyway. So that obviously applies ONLY to https services, not to all services.
- traefik.http.services.speedtest.loadbalancer.server.scheme=https at the container level instructs Traefik to access that service through https, and when it does it (if the container supports https) if the certificate is insecure, Traefik continues because of the insecureSkipVerify setting.
I have this in my static config:
serversTransport:
  # Accept self-signed certificates for backend services
  insecureSkipVerify: true
And my service definition for speedtest-tracker (configured with SSL_MODE=full) is this:
speedtest:
  loadBalancer:
    servers:
      - url: "https://docker2.domain.name:8008"
    passHostHeader: true
If I set SSL_MODE=off in ST, Traefik can't access the service anymore, so when you say that your config works for any SSL_MODE that can't be correct.
Since you use traefik labels at the service container level, you need to add this:
- traefik.http.services.speedtest.loadbalancer.server.scheme=https
only when you want Traefik to access that specific service via https, and that depends on how you configure the service, in this case Speedtest-Tracker.
If I set SSL_MODE=off and so I configure Traefik to use http instead of https for the service definition:
speedtest:
  loadBalancer:
    servers:
      - url: "http://docker2.domain.name:8008"
    passHostHeader: true
Traefik can still access ST, but when browsing ST, the browser complains because it's receiving mixed-content (http urls mixed with https urls). So I advised @alexjustesen to use as a default SSL_MODE configuration MIXED, this way ST by default accepts both HTTP and HTTPS connections, and the user can adapt things based on his specific setup.
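The rules this post and the earlier SSL_MODE summary arrive at (port 443 with scheme=https for full, either port for mixed, port 80 only for off, plus insecureSkipVerify because the container's certificate is self-signed) are easy to get wrong one setting at a time, as the compose files above show. The checker below is an added example, not code from the project or from anyone in this thread; it assumes the container behaviour described in the thread and maps each Traefik port/scheme/SSL_MODE combination to the symptom reported here (301, 400, 502), with the helper names parse_service_labels and check_backend being mine.

```python
"""Consistency check for a speedtest-tracker backend reached through Traefik.

Added example for this thread; not code from the project or any participant.
It encodes what the thread establishes about the container's nginx:
  SSL_MODE=full  -> port 443 speaks HTTPS (self-signed cert), port 80 only 301-redirects
  SSL_MODE=mixed -> port 80 speaks plain HTTP, port 443 speaks HTTPS
  SSL_MODE=off   -> port 80 speaks plain HTTP, nothing listens on 443
"""
import re

# Protocol spoken on each container port, per SSL_MODE value.
LISTENERS = {
    "full": {80: "redirect", 443: "https"},
    "mixed": {80: "http", 443: "https"},
    "off": {80: "http"},
}

# The two loadbalancer.server labels that decide how Traefik reaches the container.
_LABEL_RE = re.compile(
    r"^traefik\.http\.services\.[^.]+\.loadbalancer\.server\.(?P<key>port|scheme)=(?P<val>.+)$"
)


def parse_service_labels(labels):
    """Return (port, scheme) from compose-style Traefik labels.

    Accepts the list form ('- "key=value"' strings, dash and quotes optional)
    or the mapping form ({key: value}). Traefik falls back to scheme "http"
    when no scheme label is given, which is the trap in this thread.
    """
    if isinstance(labels, dict):
        items = [f"{key}={value}" for key, value in labels.items()]
    else:
        items = [str(label).lstrip("- ") for label in labels]
    port, scheme = None, "http"
    for item in items:
        match = _LABEL_RE.match(item.strip('"'))
        if match is None:
            continue
        value = match.group("val").strip('"').strip()
        if match.group("key") == "port":
            port = int(value)
        else:
            scheme = value.lower()
    return port, scheme


def check_backend(ssl_mode, port, scheme="http", insecure_skip_verify=False):
    """Return (status, message); status is "ok" or "error".

    The message names the symptom reported in the thread for that
    combination, so a log line or browser error can be traced to its cause.
    """
    mode = str(ssl_mode).strip().lower()
    listeners = LISTENERS.get(mode)
    if listeners is None:
        return "error", f"unknown SSL_MODE {ssl_mode!r}; expected full, mixed or off"
    if port not in listeners:
        # SSL_MODE=off with port 443: the port is not open at all.
        return "error", (f"nothing listens on port {port} with SSL_MODE={mode}; "
                         "Traefik answers 502 Bad Gateway")
    proto = listeners[port]
    if proto != "https" and scheme == "https":
        # Traefik opens TLS against a plaintext listener: nginx logs the raw
        # ClientHello bytes (\x16\x03\x01...) and answers 400.
        return "error", (f"scheme=https but port {port} speaks plain HTTP with "
                         f"SSL_MODE={mode}; nginx logs a raw TLS ClientHello and replies 400")
    if proto == "redirect":
        return "error", ("port 80 only returns 301 redirects with SSL_MODE=full; "
                         "use port 443 with scheme=https")
    if proto == "https" and scheme != "https":
        return "error", "nginx replies 400 'The plain HTTP request was sent to HTTPS port'"
    if proto == "https" and not insecure_skip_verify:
        return "error", ("the container's certificate is self-signed; Traefik refuses it "
                         "unless serversTransport.insecureSkipVerify is true or the "
                         "certificate is trusted via serversTransport.rootCAs")
    return "ok", f"SSL_MODE={mode}: Traefik -> {scheme}://container:{port}"


if __name__ == "__main__":
    # Constructed sample: the label set posted earlier in the thread (port 443,
    # no scheme label), walked through every SSL_MODE with and without skip-verify.
    labels = [
        '- "traefik.enable=true"',
        '- "traefik.http.services.speedtracker-svc.loadbalancer.server.port=443"',
    ]
    port, scheme = parse_service_labels(labels)
    for mode in ("full", "mixed", "off"):
        for skip in (False, True):
            print(f"{mode:5} skip_verify={skip!s:5}", *check_backend(mode, port, scheme, skip))
```

Note that insecureSkipVerify switches off certificate verification for every backend Traefik talks to, not just this one; where the proxy-to-container hop crosses a network you do not fully trust, listing the container's certificate under serversTransport.rootCAs keeps verification on.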
If I set SSL_MODE=off in ST, Traefik can't access the service anymore, so when you say that your config works for any SSL_MODE that can't be correct.
I swear to you that it works with SSL_MODE=off:
Daniel,
In your config below you're telling Traefik to access the container via port 443, with https. (btw, you have a spelling error in the name of the container, you missed a D).
speetest:
  labels:
    - traefik.enable=true
    - traefik.http.routers.speedtest.rule=Host(`speedtest.${DOMAINNAME}`)
    - traefik.http.routers.speedtest.tls=true
    - traefik.http.routers.speedtest.tls.certresolver=letsencrypt
    - traefik.http.services.speedtest.loadbalancer.server.port=443
    - traefik.http.services.speedtest.loadbalancer.server.scheme=https
with SSL_MODE=off the nginx configuration of speedtest-tracker does not even map/open port 443, so tell me: how does Traefik connect to a non-existing port? A miracle...:)
Try to access the container directly, bypassing Traefik, using this url (replace the domain): https://speedtest.yourlocaldomain.dom
If this local test works, it means SSL_MODE=off is not in effect, that's why Traefik accesses it.
Another test: restart speedtest-tracker and then check docker log of the container, in the startup phase it tells you the SSL_MODE setting, use this command: docker logs speedtest-tracker
This is my log, the first line after the userid tells you how SSL_MODE is configured.
--------------------------------------------------------------------
____ ____ _ _ _ _
/ ___| ___ _ ____ _____ _ __ / ___|(_) __| | ___ | | | |_ __
\___ \ / _ \ __\ \ / / _ \ __| \___ \| |/ _` |/ _ \ | | | | _ \
___) | __/ | \ V / __/ | ___) | | (_| | __/ | |_| | |_) |
|____/ \___|_| \_/ \___|_| |____/|_|\__,_|\___| \___/| .__/
|_|
Brought to you by serversideup.net
--------------------------------------------------------------------
To support Server Side Up projects visit:
https://serversideup.net/sponsor
-------------------------------------
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
**SSL_MODE has set to FULL, setting the web server to work in HTTPS only...**
Checking for Laravel automations...
Linking the storage...
INFO The [public/storage] link has been connected to [storage/app/public].
Configuring Speedtest Tracker...
Environment file exists
Creating symlinks to config and log files
App key exists
Fixing app path file permissions
Building the cache...
[03-Dec-2022 04:43:07] NOTICE: fpm is running, pid 105
[03-Dec-2022 04:43:07] NOTICE: ready to handle connections
[03-Dec-2022 04:43:07] NOTICE: systemd monitor interval set to 10000ms
Migrating the database...
All set, starting Speedtest Tracker container...
Starting the cron service...
Starting the queue worker...
127.0.0.1 - - [03/Dec/2022:04:43:08 +0100] "GET /ping HTTP/1.1" 301 162 "-" "curl/7.81.0"
You're right, the SSL_MODE was still set to FULL, in fact none of the variables from the .env under /config were set inside the container (checked with echo). I copied the .env to my project root so it gets read by docker-compose and now the variables are being set. Now my configuration works only with SSL_MODE full or mixed. With SSL_MODE=off I get "Bad Gateway".
I still need - traefik.http.services.speedtest.loadbalancer.server.scheme=https otherwise I get the error 400 "plain HTTP sent to HTTPS", I guess that's because I set up traefik to redirect all http request to the https entrypoint.
Is the /config/.env supposed to be read on container startup or do we have to copy it to the host so it gets read by docker-compose?
Heads up, v0.5.0 changed the SSL_MODE to "mixed" so you can now reference ports 80 and 443 when mapping to the container.
Is the /config/.env supposed to be read on container startup or do we have to copy it to the host so it gets read by docker-compose?
In general, you can use env variables in the docker compose environment section directly.
But in this case, there's something not clear on your setup: .env file is read by the app in the /config folder, so you need to map a docker volume to that. That's where the .env file is created and then you can edit it.
Did you use the example compose file from the docs? Show me your full docker-compose file, I think you have some issues there.
Heads up, v0.5.0 changed the SSL_MODE to "mixed" so you can now reference ports 80 and 443 when mapping to the container.
Wise choice...;)
This is my compose file, none of the variables in the .env file under ${DATADIR}/speedtest/app are set inside the container.
version: '3.3'
services:
  speedtest:
    image: 'ghcr.io/alexjustesen/speedtest-tracker:latest'
    container_name: speedtest
    restart: unless-stopped
    networks: ["traefik"]
    depends_on: ["speedtest-db"]
    ports:
      - ${SPEEDTEST_PORT}:443
    environment:
      TZ: "${TIMEZONE}"
      PUID: "1000"
      PGID: "1000"
      DB_CONNECTION: "mysql"
      DB_HOST: "speedtest-db"
      DB_PORT: "3306"
      DB_DATABASE: "speedtest_tracker"
      DB_USERNAME: "speedy"
      DB_PASSWORD: "password"
    volumes:
      - ${DATADIR}/speedtest/app:/config
    labels:
      traefik.enable: "true"
      traefik.http.routers.speedtest.rule: "Host(`speedtest.${DOMAINNAME}`)"
      traefik.http.routers.speedtest.tls: "true"
      traefik.http.routers.speedtest.tls.certresolver: "letsencrypt"
      traefik.http.services.speedtest.loadbalancer.server.port: "443"
      traefik.http.services.speedtest.loadbalancer.server.scheme: "https"
  speedtest-db:
    image: mariadb:10
    container_name: speedtest-db
    restart: unless-stopped
    networks: ["traefik"]
    environment:
      MARIADB_DATABASE: "speedtest_tracker"
      MARIADB_USER: "speedy"
      MARIADB_PASSWORD: "password"
      MARIADB_RANDOM_ROOT_PASSWORD: "true"
    volumes:
      - ${DATADIR}/speedtest/db:/var/lib/mysql
networks:
  traefik:
    name: traefik
    external: true
${DATADIR}/speedtest/app
You have the .env file in that folder, on the docker host side? If you edit it and restart ST, it doesn't read the changes?
Anyway, I'm using env variables in the environment section of the compose file, SSL_MODE included, and it works perfectly, actually I prefer it too, without editing another file. I prefer having as much as possible in docker-compose, in general.
@alexjustesen I confirm what Daniel says: is the .env file under /config read by the app at startup or not? I tried modifying some variables and restarted the container but it didn't pick-up the changes.
Variables set in docker-compose work fine, and actually I do prefer to use that to modify the config.
It is but it's cached at the moment, if you change the env vars I suggest running php artisan optimize to reset the cached config vars
It is but it's cached at the moment
so on restart it doesn't read it because cache has priority? does the cache expire?
luckily I prefer docker-compose env vars...
I've just updated to the latest release. I'm getting the above error in browser, this is via Traefik. No info in the console. Container log follows:
I've tested it through a localhost too, updating the .env accordingly in each case, and got a 404: