lewazo / boreale

:evergreen_tree: A very lightweight authentication service for Traefik

Connection refused?

kikearciniegas opened this issue · comments

Hi, just trying to set up Boreale with Traefik.

What I think should happen

When I try to access the public domain traefik.mydomain.tld, Traefik will forward the auth process to Boreale, which in turn will show a login page and, if the credentials are correct, answer back with the authorization, so Traefik will show me the dashboard.

What is actually happening

When accessing traefik.mydomain.tld, I get a 500 error from Traefik in my browser, and when checking the Traefik logs I see a "connection refused" error for Boreale. Nothing in Boreale's log, though.

Here is the log (from Traefik):

time="2021-02-26T12:16:23-05:00" level=debug msg="Error calling https://boreale:5252. Cause: Get \"https://boreale:5252\": dial tcp 172.18.0.6:5252: connect: connection refused" middlewareType=ForwardedAuthType middlewareName=boreale@file

I have tried with the IP and name of the container, same result either way.

Boreale has been set with all defaults, except for the required env vars. I have also created one user using the CLI commands available. It seems to be working fine as nothing is visible in the logs.

This is my Boreale docker-compose file:

version: "3"
services:
  boreale:
    image: lewazo/boreale
    container_name: boreale
    ports:
      - "5252:4000"
    env_file:
      - ${DOCKER_DIR}/boreale/data/.env
    volumes:
      - ${DOCKER_DIR}/boreale/data:/opt/app/data
    restart: unless-stopped

This is my Traefik docker-compose file:

version: "3"
services:
  traefik:
    image: traefik
    container_name: traefik
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true         
    environment:
      - TZ=${TIME_ZONE}      
      - DOCKER_HOST=${DOCKER_TCP_SOCK}
    ports:
      - "80:80"    
      - "443:443"
    volumes:
      - ${DOCKER_DIR}/traefik/data/traefik.log:/traefik.log      
      - ${DOCKER_DIR}/traefik/data/traefik.yaml:/traefik.yaml:ro
      - ${DOCKER_DIR}/traefik/data/acme/acme.json:/acme.json
      - ${DOCKER_DIR}/traefik/data/rules:/rules:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAINNAME0}`)"
      - "traefik.http.routers.traefik-secure.middlewares=boreale@file"
    #  - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWD_HASH"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.${DOMAINNAME0}`)"
    #  - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    restart: always

Here is the static rules set:

api:
  dashboard: true

log:
  filePath: "traefik.log"
  level: DEBUG
  format: json

accessLog:
  filePath: "access.log"
  bufferingSize: 100
  format: json
  filters:    
    statusCodes:
      - "400-499"
    retryAttempts: true
    minDuration: "10ms"

entryPoints:
  http:
    address: :80
  https:
    address: :443

providers:
  docker:
  #  endpoint: "unix:///var/run/docker.sock"
    endpoint: "tcp://docker-socket-proxy:2375"
    network: "t2_proxy"
    exposedByDefault: false
    watch: true
  file:
    directory: "/rules"
    watch: true

certificatesResolvers:
  http:
    acme:
      email: email@example.com
      storage: "acme.json"
      httpChallenge:
        entryPoint: http

This is the dynamic rule file:

http:
  middlewares:
    boreale:
      forwardAuth:
        address: "https://boreale:5252"
        tls:
          insecureSkipVerify: true

Any help would be greatly appreciated, surely I am missing some small detail.

Sure I'll be happy to help.

So if your traefik and boreale are in different docker-compose.yml files, then you most likely won't be able to use the boreale hostname inside your traefik config, since docker-compose could not put the two containers in the same virtual network.

Your approach using the IP is most likely good, except that you should not use the container's IP address, but your host's.

So if your two containers are created on a host machine with the address 192.168.0.25, then in Traefik's config you would have to put

http:
  middlewares:
    boreale:
      forwardAuth:
        address: "https://192.168.0.25:5252"
        tls:
          insecureSkipVerify: true

The reasoning behind this is that by specifying

    ports:
      - "5252:4000"

Inside Traefik's compose file, you effectively bind your host's 5252 port to the container. So http://192.168.0.25:5252 would point to boreale.
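The other way to wire this up, as an added example that is not from the issue or the Boreale project: put both services in one compose file on one user-defined network and let Traefik call Boreale by service name. The assumptions are that Boreale listens on port 4000 inside the container (read off the `5252:4000` mapping in the issue; 5252 exists only on the host, which is consistent with the Traefik log above resolving `boreale` to 172.18.0.6 but getting "connection refused" on 5252), that the network is named `t2_proxy` as in the Traefik compose file, and that the CA path in the comment is a placeholder. The Traefik service is trimmed to the parts that matter for the auth hop.

```yaml
# docker-compose.yml: both services on one user-defined bridge network
version: "3"

networks:
  t2_proxy:            # compose creates it; both services attach below

services:
  traefik:
    image: traefik
    container_name: traefik
    networks:
      - t2_proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ${DOCKER_DIR}/traefik/data/traefik.yaml:/traefik.yaml:ro
      - ${DOCKER_DIR}/traefik/data/rules:/rules:ro
      - ${DOCKER_DIR}/traefik/data/acme/acme.json:/acme.json
    # labels, env and security_opt as in the issue's Traefik compose file, unchanged
    restart: always

  boreale:
    image: lewazo/boreale
    container_name: boreale
    networks:
      - t2_proxy       # absent from the issue's Boreale compose file; this is what
                       # makes "boreale" a valid name in Traefik's middleware config
    env_file:
      - ${DOCKER_DIR}/boreale/data/.env
    volumes:
      - ${DOCKER_DIR}/boreale/data:/opt/app/data
    # No "ports:" mapping: Traefik reaches Boreale over t2_proxy on the container
    # port, so the login service is not also published on the host/LAN. Keep
    # "5252:4000" only if you use the host-IP address variant noted below.
    restart: unless-stopped

---
# /rules/boreale.yaml: dynamic configuration picked up by the file provider
http:
  middlewares:
    boreale:
      forwardAuth:
        # Service name plus the CONTAINER port (4000), not the host port (5252).
        # Host-IP variant from the reply above: "https://192.168.0.25:5252",
        # which only works while the boreale service publishes 5252:4000.
        address: "https://boreale:4000"
        tls:
          # Turns off certificate verification on the auth hop: anything that can
          # answer on that address could then approve requests. Tolerable only
          # because the hop never leaves t2_proxy; pinning the CA that signed
          # Boreale's certificate is the stricter option (path is an assumption):
          #   ca: /certs/boreale-ca.pem
          insecureSkipVerify: true
```

A quick check once both containers are up is to run `docker exec traefik wget -qO- --no-check-certificate https://boreale:4000/` (or the equivalent with curl if the image has it): a TLS handshake followed by Boreale's login page means the name and port are right; "connection refused" on the service name almost always means the host-side port was used in place of the container port.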

Thank you for the quick reply. I'll give it a go!

Moved everything into the same network and docker-compose file. Fixed the host IP address, and now when visiting traefik.mydomain.tld I get Boreale's login page. I enter user and password, then instead of redirecting to the Traefik dashboard, a message is displayed at the top of the page: https://ibb.co/HGwfVYN

Almost there...

That's good, there should be an error in the boreale console in that case. Is there more information there?

Yes, sorry about that... It seems to be a mistake on my part with the SECRET_KEY_BASE... fixing and testing

20:04:05.251 [error] #PID<0.1160.0> running Boreale.Router (connection #PID<0.1149.0>, stream id 5) terminated
Server: 1921.168.0.25:5252 (https)
Request: GET /
** (exit) an exception was raised:
    ** (ArgumentError) cookie store expects conn.secret_key_base to be at least 64 bytes

That did it... thank you for the time! It is working now... Will keep testing with other services.

That's great! Glad you figured it out 👍