getmeli / meli

Platform for deploying static sites and frontend applications easily. Automatic SSL, deploy previews, reverse proxy, and more.

Installation under traefik v2 #196

Open tomaswarynyca opened 3 years ago

tomaswarynyca commented 3 years ago

Could you provide a docker compose using meli under traefik? It would be very helpful and would be an annex to the documentation.

gempain commented 3 years ago

While we do have examples of how to deploy behind a reverse proxy, Traefik isn't in there yet. The main reason is that if you don't use our getmeli/meli Docker image, the SSL configuration is up to you, and we don't yet support this type of installation (sub branches are an issue at the moment). If you get it to work with Traefik, we would love if you can show your setup so others can benefit from it. You are also welcome to improve the documentation as you see fit.

prologic commented 1 year ago

Has anyone gotten meli to work behind Traefik? Looks like normal site URLs work just fine, gets a certificate from Let's Encrypt, but branch/pull-request previews don't work.

prologic commented 1 year ago

I figured out how to make branch/pull-request preview/deployments work with Meli behind Traefik. The trick is to add an additional set of domains in your labels like this:

        - "traefik.http.routers.meli.tls.domains[0].main=meli.mydomain.tld"
        - "traefik.http.routers.meli.tls.domains[0].sans=*.meli.mydomain.tld"
        - "traefik.http.routers.meli.tls.domains[1].main=test.mydomain.tld"
        - "traefik.http.routers.meli.tls.domains[1].sans=*.test.mydomain.tld"

Unfortunately this is a manual step, so somehow we have to figure out a way for Meli <- Traefik to talk to each other and reconfigure Traefik slightly for new sites.

gempain commented 1 year ago

@prologic glad you found a way to at least make it work. Having to do it manually is definitely not practical. The advantage of letting Caddy manage the certificates is that meli can communicate with its API and whitelist domains one after the other. Implementing a bridge with Traefik is doable. One way to do it would be to dynamically update Meli's container labels. The downside is you'd have to give meli access to the container, which IMO feels a bit unsafe, and I'm not even sure you can actually provide access to a single container. I think the only option is to bind the docker socket to the container, which gives it access to all the containers running on your machine, which is not recommended IMO unless you're Traefik.

prologic commented 1 year ago

What about supporting web hooks that could be used to do the work required for updating an ingress load balancer such as Traefik here? Meli would trigger a webhook on the creation of a new site or deletion of an existing site. We could defer that logic to the infrastructure operator to write the webhook.

Would this be acceptable?

prologic commented 1 year ago

I know Meli already has Webhooks but these are specific to sites. You'd need to provide instance-wide webhooks for things like "new user", "delete user", "new site", "delete site" events that an operator can "hook" into.

gempain commented 1 year ago

The docs do not list all webhooks available, but if you look here you'll see that there are webhooks for site_added, site_updated and site_deleted with all the information regarding a site that you would need.

prologic commented 1 year ago

How does one set those up on an instance level?

eddiebeazer commented 10 months ago

@prologic do you mind sharing your Traefik configuration? I tried to do what you tried and I couldn't get any preview branches to work. My best guess is because certs aren't generated. My interim solution has been to make a preview and main site for each site and deploy accordingly.

prologic commented 10 months ago

> @prologic do you mind sharing your Traefik configuration? I tried to do what you tried and I couldn't get any preview branches to work. My best guess is because certs aren't generated. My interim solution has been to make a preview and main site for each site and deploy accordingly.

Basically whenever I know there's going to be a new site managed by Meli, I go in and add an additional pair of TLS labels to my Traefik instance, which get picked up automatically. As I also use Cloudflare, I also have to request edge certificates and add additional CNAME wildcards there too. It's a bit of a manual process, but that's what I have to do.
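The manual step discussed in this thread (one `main`/`sans` pair per site) can be generated as a Traefik v2 file-provider document instead of container labels, so nothing needs the Docker socket. This is an added example, not code from the thread or from the Meli project; the service name `meli@docker` and resolver name `letsencrypt` are assumptions, and how the domain list is obtained (for example from a webhook handler) is left to the operator.

```python
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name):
    """Accept only plain lowercase FQDNs. Wildcards, quotes, spaces and
    newlines are rejected so untrusted input cannot alter the YAML."""
    if len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def render_dynamic_config(domains, router="meli", service="meli@docker",
                          resolver="letsencrypt"):
    """Render file-provider YAML with one router covering each site domain
    and its wildcard subdomains (branch/pull-request previews).
    router/service/resolver defaults are assumed names, adjust to your setup.
    Wildcard certificates need a DNS-01 challenge on the resolver."""
    clean = sorted({d.lower() for d in domains})
    bad = [d for d in clean if not is_valid_hostname(d)]
    if bad or not clean:
        raise ValueError(f"refusing to write config, invalid hostnames: {bad!r}")
    rules = []
    for d in clean:
        rules.append(f"Host(`{d}`)")
        rules.append(f"HostRegexp(`{{sub:[a-z0-9-]+}}.{d}`)")  # Traefik v2 syntax
    rule = " || ".join(rules)
    lines = [
        "http:",
        "  routers:",
        f"    {router}:",
        f"      rule: '{rule}'",
        f"      service: {service}",
        "      tls:",
        f"        certResolver: {resolver}",
        "        domains:",
    ]
    for d in clean:
        lines.append(f'          - main: "{d}"')
        lines.append(f'            sans: ["*.{d}"]')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input, using the placeholder domains from the thread.
    print(render_dynamic_config(["meli.mydomain.tld", "test.mydomain.tld"]))
```

Write the output atomically into a directory that Traefik's file provider watches; a rejected hostname leaves the previous file untouched.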