
Can I serve the Rancher Server through a hosted Traefik container?

I have a single dedicated server where I have installed a Rancher server and a Rancher client, and it is used to host some dockerized services.

I have successfully installed Traefik and it is configured with the Rancher API backend, and it reverse proxies my services, hosting them behind HTTPS and everything is working fine.

But I still access my Rancher server through http://12.34.56.78:8080. I would like to also put the Rancher server behind Traefik with https enabled too.

I tried starting the Rancher server with:

sudo docker run -d \
  -v /data/rancher/server/data:/var/lib/mysql \
  --restart=unless-stopped \
  -p 8080:8080 \
  -l traefik.frontend.rule=Host:rancher.mydomainname.com \
  -l traefik.enable=true \
  -l traefik.backend=rancher \
  -l traefik.default.protocol=http \
  -l traefik.port=8080 \
  rancher/server:v1.6.12

(the same way I configured all my other services) but it is not picked up by Traefik because (I think) the Rancher Server does NOT appear in the Rancher API requests that Traefik is monitoring (since Rancher server is started outside Rancher and not hosted by it).

Coming from Rancher Active Proxy, this is something that was supported by that tool.

If my reasoning is correct, that Traefik cannot "pick up" the Rancher server that way, an alternative solution I was thinking was that maybe I would have to create a separate [file] section solely for the Rancher server and add it to the Traefik .toml file...

Is this the correct approach to achieve what I want, or is there some better way of doing this...?

Thanks!

Partially answering my question...

Creating a separate static rancherserver.toml file:

[backends]
[backends.rancherserver]
    [backends.rancherserver.servers.server1]
    url = "http://12.34.56.78:8080"
    weight = 10

[frontends]
[frontends.rancherserver]
backend = "rancherserver"
passHostHeader = true
entrypoints = ["https"] 
    [frontends.rancherserver.routes.onlyone]
    rule = "Host:rancher.mydomain.com"

(where 12.34.56.78 is the real physical IP address of the physical server) seems to solve my problem: I am able to access the Rancher server at https://rancher.mydomain.com (with automatic forward from http to https).

BUT for some reason, I'm still able to access the Rancher server from http://12.34.56.78:8080 (note, this is not https) although the physical server has firewalled all ports (ufw on Ubuntu) except 80 and 433 (and some others):

me@server:~$ sudo ufw status verbose
[sudo] password for me: 
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
1143                       ALLOW IN    Anywhere                  
1110                       ALLOW IN    Anywhere                  
Anywhere on docker0        ALLOW IN    Anywhere                  
22 (v6)                    DENY IN     Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)             
80 (v6)                    ALLOW IN    Anywhere (v6)             
1143 (v6)                  ALLOW IN    Anywhere (v6)             
1110 (v6)                  ALLOW IN    Anywhere (v6)             
Anywhere (v6) on docker0   ALLOW IN    Anywhere (v6)             

So, I still think I'm misusing Traefik somehow and allowing the 8080 port to leak through my Traefik configuration... :(
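A check for the behaviour described in the self-answer above, added here as an example (not code from either poster): Docker implements `-p 8080:8080` with its own iptables NAT and FORWARD rules, which sit outside the INPUT chain where ufw's per-port rules live, so the published port is reachable whatever `ufw status` lists. The script reports published ports that have no matching ufw ALLOW; the container names and the `docker ps` sample are constructed.

```python
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'`
# (container names are assumptions, not taken from the post).
SAMPLE_DOCKER_PS = (
    "rancher-server\t0.0.0.0:8080->8080/tcp, 3306/tcp\n"
    "traefik\t0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp\n"
)
# Abbreviated from the `ufw status verbose` output shown in the post.
SAMPLE_UFW = """\
22                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
Anywhere on docker0        ALLOW IN    Anywhere
22 (v6)                    DENY IN     Anywhere (v6)
"""

# Single published ports only; port ranges are not handled in this example.
PUBLISHED = re.compile(r"^(?P<addr>.+):(?P<port>\d+)->\d+/(?P<proto>\w+)$")
UFW_ALLOW = re.compile(r"^(?P<port>\d+)(?:/\w+)?\s+(?:\(v6\)\s+)?ALLOW\b")

def ufw_allowed_ports(ufw_text):
    """Ports that have an explicit ALLOW rule in `ufw status` output."""
    return {int(m["port"]) for line in ufw_text.splitlines()
            if (m := UFW_ALLOW.match(line.strip()))}

def published_ports(docker_ps_text):
    """Yield (container, host_addr, host_port, proto) per published port."""
    for line in docker_ps_text.splitlines():
        name, _, ports = line.partition("\t")
        for entry in filter(None, (p.strip() for p in ports.split(","))):
            m = PUBLISHED.match(entry)
            if m:  # entries without "->" are exposed, not published
                yield name, m["addr"].strip("[]"), int(m["port"]), m["proto"]

def ports_bypassing_ufw(docker_ps_text, ufw_text):
    """Published, non-loopback ports with no matching ufw ALLOW rule."""
    allowed = ufw_allowed_ports(ufw_text)
    return sorted(
        (name, addr, port, proto)
        for name, addr, port, proto in published_ports(docker_ps_text)
        if port not in allowed
        and not (addr.startswith("127.") or addr == "::1")
    )

if __name__ == "__main__":
    for finding in ports_bypassing_ufw(SAMPLE_DOCKER_PS, SAMPLE_UFW):
        print("published outside ufw policy: %s %s:%d/%s" % finding)
```

To run it on live data, feed it the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` and `sudo ufw status`. A loopback-only binding such as `-p 127.0.0.1:8080:8080` is not reported.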

I'm almost 2 years late to the party, but I just started rancher with traefik with a [docker] backend.

The docker-compose file for rancher:

version: '3'

services:

  web:
    image: rancher/rancher:latest
    labels:
      # Boolean label values are quoted so Compose receives strings
      # rather than YAML booleans.
      traefik.enable: "true"
      traefik.backend: rancher
      traefik.frontend.entryPoints: http,https
      traefik.frontend.passHostHeader: "true"
      traefik.frontend.rule: "Host:rancher.mydomain.com"
      traefik.backend.port: 80
      traefik.port: 80
    restart: unless-stopped

Maybe it's useful for anyone stumbling on this question.
