Access titra url through traefik reverse proxy

[alricsans]

Hello,

First of all thanks a lot for your work on titra.

I had a look at similar issues already reported here (#21, #135, #106), so I believe there is something wrong with my ROOT_URL variable.

My goal is to reach titra via traefik global https redirection (url : https://titra.example.local).

When I use ROOT_URL=http://192.168.1.23:3000 (the actual IP and port), I can reach it using http://192.168.1.23:3000 but this doesn't go through traefik and is thus in http only.

When I use ROOT_URL=https://titra.example.local I get a Gateway Timeout.

My docker-compose.yml file looks like this :

version: "3.3"

services:
  traefik:
    build: ./traefik
    container_name: "traefik"
    command:
      # enable dashboarding
      - "--api.dashboard=true"
      - "--providers.docker=true"
      # only enabled containers should be exposed
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/etc/traefik/dynamic/"
      # entrypoints exposed
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Global http to https redirection
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      # Enabling logs in file
      - "--log.filePath=/traefik/traefik.log"
      - "--log.format=json"
      - "--log.level=DEBUG"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - traefik-network
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./traefik/certs-traefik.yaml:/etc/traefik/dynamic/traefik.yaml
      - ./traefik/certs:/etc/ssl/certs/
      - ./traefik/data:/traefik/
    labels: 
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard-http.entrypoints=web"
      - "traefik.http.routers.dashboard-http.rule=Host(`traefik.example.local`)"
      - "traefik.http.routers.dashboard-http.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.local`)"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.service=api@internal"

   titra:
    image: kromit/titra
    container_name: titra
    depends_on:
      - mongodb
    environment:
      - ROOT_URL=https://titra.example.local
      - MONGO_URL=mongodb://mongodb/titra?directConnection=true
      - PORT=3000
    ports:
      - 3000:3000
    restart: unless-stopped
    networks:
      - traefik-network
      - titra-back
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.titra.rule=Host(`titra.example.local`)"
      - "traefik.http.routers.titra.entrypoints=websecure"
      - "traefik.http.routers.titra.tls=true"
      - "traefik.docker.network=traefik-network"
      - "traefik.http.services.titra.loadbalancer.server.port=3000"

  mongodb:
    image: mongo:4.4.27
    container_name: titra_db
    restart: unless-stopped
    environment:
      - MONGO_DB=titra
    volumes:
      - ./titra/db:/data/db
    networks:
      - titra-back

I already have several other containers reached using those traefik labels, and the logs of traefik are normal.

Do you spot any error in my docker-compose config ? Is https://titra.example.local the right entry for ROOT_URL ?

Thanks a lot,

[faburem]

Hi, we are also using traefik as reverse proxy for both the public app.titra.io instance and our internal hosted services. The ROOT_URL is definitely correct and also all other entries look very similar to our setup (always hard to compare apples to apples unfortunately). The only thing I could spot is that we also have this line for ssl certificate generation using letsencrypt: - traefik.http.routers.titra.tls.certresolver=le .. but I guess you are using self-signed certificates and that is working somehow different in traefik.

The fact that titra is reachable through the IP at least confirms that the setup is working, I think the culprit is somewhere in your traefik configuration.

Some other slight differences I could spot in our traefik configuration:

• we are not mapping the ports explicitly to the host (e.g. just ports: - 3000) and only expose them for traefik this way
• we are not defining the entrypoints=websecure for our containers (maybe that is creating some kind of redirect loop?)

I hope any of the information above helps you to troubleshoot the issue! Sorry for not being able to help more, Fabian

[alricsans]

Thanks a lot @faburem for your answer.

You are right I use self signed certificates. I tried the slight differences you mentionned with ports and entrypoint but that did not resolve the problem.

But I saw from the very beginning that Gateway timeout were often caused by docker network problems, so if anyone has the same problem, the fix was to add a name to the docker network.

networks:
  traefik-network:
    name: traefik-network
    driver: bridge
  titra-back:
    driver: bridge

I don't have a deep understanding of what happens under the hood but that fixed my problem (containers not on the same network from traefik's perspective I guess).

Thanks again for your time and work on this project.