Open rlue opened 3 years ago
@rlue I don't think you are supposed to replace the web's network with traefik network. Traefik network is supposed to be added.
I suggest pasting your docker-compose.yml here so it would be easier to see what might be wrong.
I do add the traefik.enable: false to all services that don't need traefik, otherwise you will see several unnecessary endpoints in traefik. This should be added to the traefik example in fact.
Thanks for your feedback.
I do add the traefik.enable: false to all services that don't need traefik, otherwise you will see several unnecessary endpoints in traefik. This should be added to the traefik example in fact.
Am I correct in understanding that the jicofo service does not have to be exposed to the internet by traefik's reverse proxy, then?
I don't think you are supposed to replace the web's network with traefik network. Traefik network is supposed to be added.
Here's a direct excerpt from examples/traefik-v2/docker-compose.yml on master:
networks:
    # traefik: change the following line to your external docker network
    web:
The docker-compose.yml file I am using is almost exactly the one provided in the repo, with the exceptions outlined in my original post. Here's the diff (most of the removals in the second section are covered by traefik's static configuration):
diff --git a/examples/traefik-v2/docker-compose.yml b/examples/traefik-v2/docker-compose.yml
index ad87480..b0e1dbd 100644
--- a/examples/traefik-v2/docker-compose.yml
+++ b/examples/traefik-v2/docker-compose.yml
@@ -37,19 +37,14 @@ services:
- ENABLE_RECORDING
networks:
# traefik: change the following line to your external docker network
- web:
+ mydomaincom_default:
meet.jitsi:
aliases:
- ${XMPP_DOMAIN}
labels:
- traefik.http.middlewares.redirect.redirectscheme.scheme: https
- traefik.http.routers.app-http.entrypoints: web
- traefik.http.routers.app-http.middlewares: redirect
- traefik.http.routers.app-http.rule: 'Host(`your.host.name`)'
- traefik.http.routers.app.entrypoints: websecure
- traefik.http.routers.app.rule: 'Host(`your.host.name`)'
+ traefik.http.routers.app.rule: 'Host(`jitsi.mydomain.com`)'
traefik.http.routers.app.tls: 'true'
- traefik.http.routers.app.tls.certresolver: le
+ traefik.http.routers.app.tls.certresolver: letsencrypt
traefik.http.services.app.loadbalancer.server.port: 80
# XMPP server
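Review bot: Removing traefik.http.routers.app.entrypoints: websecure leaves the app router with no entrypoints label, and a Traefik v2 HTTP router with none set accepts requests on every defined entry point, so it is no longer pinned to the TLS entry point. Either keep that label or confirm that the static configuration performs the HTTP-to-HTTPS redirect at the entry point, since this hunk also drops the app-http router and the redirect middleware that used to do it.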
@@ -139,6 +134,8 @@ services:
- prosody
networks:
meet.jitsi:
+ labels:
+ traefik.enable: false
# Video bridge
jvb:
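Review bot: The added traefik.enable: false is a bare YAML boolean, while the same file writes traefik.http.routers.app.tls: 'true' as a quoted string. Label values are strings and some docker-compose versions reject a boolean in the mapping form, so write traefik.enable: 'false' to stay consistent and portable.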
@@ -175,5 +172,5 @@ services:
networks:
meet.jitsi:
# traefik: change the following line to your external docker network
- web:
+ mydomaincom_default:
external: true
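Review bot: With the external network renamed to mydomaincom_default here and in the web service's networks, web is attached to two networks (this one and meet.jitsi), but none of its labels tells Traefik which one to use to reach it. Add traefik.docker.network: mydomaincom_default to the web labels so the backend address is not taken from meet.jitsi, and make sure the name matches the network Traefik itself is attached to, because external: true makes Compose fail if that network does not exist.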
And here's the complete Docker Compose file:
version: '3'
services:
    # Frontend
    web:
        image: jitsi/web
        volumes:
            - ${CONFIG}/web:/config
            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
        environment:
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_TRANSCRIPTIONS
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - PUBLIC_URL
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - ETHERPAD_URL_BASE
            - ETHERPAD_PUBLIC_URL
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            # traefik: change the following line to your external docker network
            mydomaincom_default:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}
        labels:
            traefik.http.routers.jellyfin.rule: 'Host(`jitsi.mydomain.com`)'
            traefik.http.routers.jellyfin.tls: 'true'
            traefik.http.routers.jellyfin.tls.certresolver: letsencrypt
            traefik.http.services.jellyfin.loadbalancer.server.port: 80
    # XMPP server
    prosody:
        image: jitsi/prosody
        expose:
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody:/config
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - TZ
        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_SERVER}
    # Focus component
    jicofo:
        image: jitsi/jicofo
        volumes:
            - ${CONFIG}/jicofo:/config
        environment:
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        depends_on:
            - prosody
        networks:
            meet.jitsi:
        labels:
            traefik.enable: false
    # Video bridge
    jvb:
        image: jitsi/jvb
        ports:
            - '${JVB_PORT}:${JVB_PORT}/udp'
            - '${JVB_TCP_MAPPED_PORT}:${JVB_TCP_PORT}'
        volumes:
            - ${CONFIG}/jvb:/config
        environment:
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - TZ
        depends_on:
            - prosody
        networks:
            meet.jitsi:
        labels:
            traefik.udp.routers.jvb.entrypoints: video
            traefik.udp.routers.jvb.service: jvb
            traefik.udp.services.jvb.loadbalancer.server.port: 10000
# Custom network so all services can communicate using a FQDN
networks:
    meet.jitsi:
    # traefik: change the following line to your external docker network
    mydomaincom_default:
        external: true
Again, it seems that the biggest issue is that the jvb service specifies an entrypoint called "video" which is never defined anywhere. I've looked all over, but haven't managed to find a definition or sample configuration anywhere. If anyone knows what @ruby232 intended here, I'd really appreciate it.
Sorry, I figured this out—you need the following block in your traefik.toml:
[entryPoints]
  [entryPoints.video]
    address = ":10000/udp"
Will submit a PR later.
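The mismatch described above (a router label naming an entry point that the static configuration never defines) can be caught before deployment. The following is an added example, not part of the thread or of the project's code: a small Python check run over constructed sample inputs. The function names are hypothetical, and comparing entry point names case-insensitively is a simplifying assumption.

```python
import re

# Constructed sample inputs using the label and entry point names from this thread.
COMPOSE = """\
services:
  web:
    labels:
      traefik.http.routers.app.entrypoints: websecure
  jvb:
    labels:
      traefik.udp.routers.jvb.entrypoints: video
      traefik.udp.routers.jvb.service: jvb
"""
STATIC_BEFORE = ('[entryPoints]\n  [entryPoints.web]\n    address = ":80"\n'
                 '  [entryPoints.websecure]\n    address = ":443"\n')
STATIC_AFTER = STATIC_BEFORE + '  [entryPoints.video]\n    address = ":10000/udp"\n'

# Router labels in mapping form (key: value) or list form ("key=value").
ROUTER_EP = re.compile(
    r"traefik\.(?:http|tcp|udp)\.routers\.([\w-]+)\.entrypoints\s*[:=]\s*['\"]?([\w, -]+)",
    re.I)
TOML_EP = re.compile(r"^\s*\[entryPoints\.([\w-]+)\]", re.I | re.M)  # traefik.toml tables
CLI_EP = re.compile(r"--entrypoints\.([\w-]+)\.address", re.I)       # command-line flags


def referenced_entrypoints(compose_text):
    """Map each router name to the entry point names its label asks for."""
    refs = {}
    for line in compose_text.splitlines():
        if line.lstrip().startswith("#"):  # ignore commented-out labels
            continue
        m = ROUTER_EP.search(line)
        if m:
            names = {n.strip().lower() for n in m.group(2).split(",") if n.strip()}
            refs.setdefault(m.group(1), set()).update(names)
    return refs


def defined_entrypoints(static_text):
    """Entry points declared in the static configuration (names lower-cased)."""
    return {n.lower() for n in TOML_EP.findall(static_text) + CLI_EP.findall(static_text)}


def undefined_entrypoints(compose_text, static_text):
    """Routers that reference an entry point the static configuration lacks."""
    defined = defined_entrypoints(static_text)
    return {router: eps - defined
            for router, eps in referenced_entrypoints(compose_text).items()
            if eps - defined}
```

Calling undefined_entrypoints(COMPOSE, STATIC_BEFORE) reports the jvb router and its missing "video" entry point; with STATIC_AFTER, which adds the block from the comment above, the result is empty.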
Thanks for your feedback.
I'm not an expert in this at all so take what I say with a grain of salt...
I do add the traefik.enable: false to all services that don't need traefik, otherwise you will see several unnecessary endpoints in traefik. This should be added to the traefik example in fact.
Am I correct in understanding that the jicofo service does not have to be exposed to the internet by traefik's reverse proxy, then?
Yes, I have it disabled. I have prosody disabled as well. Since they do not need connections outside then why allow them in traefik.
I was creating a PR for the above changes but see your good work with port 10000 - I was sure that this port needed more than is in the example but now can just follow your solution.
I don't think you are supposed to replace the web's network with traefik network. Traefik network is supposed to be added.
Here's a direct excerpt from examples/traefik-v2/docker-compose.yml on master:
networks:
    # traefik: change the following line to your external docker network
    web:
Sorry - I was thinking that you replaced the network in the default compose file. So ignore what I said.
The docker-compose.yml file I am using is almost exactly the one provided in the repo, with the exceptions outlined in my original post. Here's the diff (most of the removals in the second section are covered by traefik's static configuration):
diff --git a/examples/traefik-v2/docker-compose.yml b/examples/traefik-v2/docker-compose.yml index ad87480..b0e1dbd 100644 --- a/examples/traefik-v2/docker-compose.yml +++ b/examples/traefik-v2/docker-compose.yml @@ -37,19 +37,14 @@ services: - ENABLE_RECORDING networks: # traefik: change the following line to your external docker network - web: + mydomaincom_default: meet.jitsi: aliases: - ${XMPP_DOMAIN} labels: - traefik.http.middlewares.redirect.redirectscheme.scheme: https - traefik.http.routers.app-http.entrypoints: web - traefik.http.routers.app-http.middlewares: redirect - traefik.http.routers.app-http.rule: 'Host(`your.host.name`)' - traefik.http.routers.app.entrypoints: websecure - traefik.http.routers.app.rule: 'Host(`your.host.name`)' + traefik.http.routers.app.rule: 'Host(`jitsi.mydomain.com`)' traefik.http.routers.app.tls: 'true' - traefik.http.routers.app.tls.certresolver: le + traefik.http.routers.app.tls.certresolver: letsencrypt traefik.http.services.app.loadbalancer.server.port: 80 # XMPP server @@ -139,6 +134,8 @@ services: - prosody networks: meet.jitsi: + labels: + traefik.enable: false # Video bridge jvb: @@ -175,5 +172,5 @@ services: networks: meet.jitsi: # traefik: change the following line to your external docker network - web: + mydomaincom_default: external: true
And here's the complete Docker Compose file:
docker-compose.yml
Again, it seems that the biggest issue is that the jvb service specifies an entrypoint called "video" which is never defined anywhere. I've looked all over, but haven't managed to find a definition or sample configuration anywhere. If anyone knows what @ruby232 intended here, I'd really appreciate it.
Agreed. My setup (similar to traefik v1 example) does work without it but I was always sure it isn't working 100% correctly. I never had the time to look into fixing it and I guess I can just copy-paste now. So thank you!
FYI: A working example based on traefik:v2.2.8. Using tls-challenge for letsencrypt cert.
version: '3.8'
services:
  traefik:
    image: "traefik:v2.2.8"
    hostname: "traefik"
    labels:
      - "traefik.enable=false" # set it to `true` if you want traefik dashboard. If set to `false` then traefik won't consider below config
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.api.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      ## Middlewares
      - "traefik.http.middlewares.auth.basicauth.users=alpha:$$1$$SEjVHN0z$$Apa3.iHJAW2dbAi6OuwDe/"
      ### host header
      #- "traefik.http.middlewares.hosthdr.headers.stsseconds=31536000"
      #- "traefik.http.middlewares.hosthdr.headers.stsincludesubdomains=true"
      #- "traefik.http.middlewares.hosthdr.headers.stspreload=true"
      # enable https for api/dashboard
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.domains[0].main=traefik.example.com"
      # dummy port
      - "traefik.http.services.dummyservice.loadbalancer.server.port=1111" # In swarm mode, traefik requires a dummy Port
    command:
      - --api=true
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=false
      - --providers.docker.exposedbydefault=false
      - --log.level=INFO #DEBUG
      - --accesslog=false
      - --entryPoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entryPoints.websecure.address=:443
      # comment below line in production
      - --certificatesResolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesResolvers.letsencrypt.acme.tlsChallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=myemail@gmail.com
      - --certificatesResolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./letsencrypt:/letsencrypt"
    networks:
      - proxy
networks:
  proxy:
    external: true
    name: proxy
Add below config under web service in docker-compose.yml file.
labels:
  - "traefik.enable=true"
  - "traefik.docker.network=proxy"
  - "traefik.http.routers.jitsi-secure.entrypoints=websecure"
  - "traefik.http.routers.jitsi-secure.rule=Host(`meet.example.com`)"
  ## LetsEncrypt
  - "traefik.http.routers.jitsi-secure.tls=true"
  - "traefik.http.routers.jitsi-secure.tls.certresolver=letsencrypt"
  - "traefik.http.routers.jitsi-secure.tls.domains[0].main=meet.example.com"
  ## Service
  - "traefik.http.routers.jitsi-secure.service=jitsi" #here service name is jitsi
  - "traefik.http.services.jitsi.loadbalancer.server.port=80"
networks:
  proxy: # traefik network created externally
  jitsi: # jitsi network
    aliases:
      - meet.example.com # change this accordingly
I'm trying to launch this service using the examples/traefik-v2/docker-compose.yml file. I made the following changes before running:
web with traefik's docker network (traefik_default)
traefik.http.routers.app.rule label on "web" service to match my own hostname
After completing these steps, I ran these commands and saw these error messages:
It appears that there are two problems:
docker-compose.yml references a "video" traefik entrypoint that I don't have defined—but I don't see any definition of this entrypoint in the docs.
traefik.enable: false label to that service?)
@ruby232, I notice you committed this file at the end of March. Any insight on these questions?