Having real difficulty using Portainer with Traefik 2

Hi. I’ve spent the entire day trying to configure Traefik 2 to forward traffic from several routes to internal services such as Portainer. I tried probably everything and still when requesting a route, I get Gateway Timeout at best.

Can someone point me in the right direction?

This is the Traefik 2 docker-compose.yaml I use:

version: "3.3"
services:
  traefik:
    container_name: traefik
    image: traefik:v2.0
    command:
      - --global.sendanonymoususage=false
      - --log.level=debug
      - --log.format=common
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --api
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --accesslog.format=common
      - --accesslog.filepath=access.log
      - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.letsencrypt.acme.email=someone@gmail.com
      - --certificatesresolvers.letsencrypt.acme.storage=/acme.json
      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"
      - "./log/access.log:/access.log"
    ports:
      - "80:80"
      - "443:443"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`command.domain.com`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=admin"
      - "traefik.http.middlewares.admin.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/"

The Traefik dashboard loads nicely and it works, but when I start the service I want to access via command.domain.com/portainer (the container listens on port 9000), it can’t be accessed. The Portainer docker-compose.yaml I use:

version: "3.3"
services:
  portainer:
    container_name: portainer
    image: portainer/portainer
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./data:/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(`command.domain.com`) && Path(`/portainer`)"
      - "traefik.http.middlewares.portainer-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.portainer-redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.portainer.middlewares=portainer-redirect"
      - "traefik.http.routers.portainer-ssl.entrypoints=https"
      - "traefik.http.routers.portainer-ssl.rule=Host(`command.domain.com`) && Path(`/portainer`)"
      - "traefik.http.routers.portainer-ssl.tls=true"
      - "traefik.http.routers.portainer-ssl.tls.certresolver=letsencrypt"
      - "traefik.http.routers.portainer-ssl.service=portainer-ssl"
      - "traefik.http.services.portainer-ssl.loadbalancer.server.port=9000"
    restart: always

I’m sure I’m doing something wrong, but for the love of god I can’t figure out what it is. Does anyone know?

From what I understood and see, there’s no need to declare networks and ports in yamls. Is that true, am I missing something?

Thanks a ton in advance!

Did you get this working?
I’m having exactly the same problems.
I’m trying to use a KV (as of Traefik v2.2) to make the SSL certs and config storage dynamic, but I’m also facing unstable results or errors.
I tried both Consul and Redis, but it’s real hard with the changes from Traefik v1.7 > v2.x, so many breaking changes.

I would like to exchange ideas and config with somebody so we can help each other out on this.

I spent a lot of time getting Portainer working with my Traefik installation. I use a combination of edge gateways and built-in, depending on where the Portainer UI container is installed. I am also using TCP routers in Traefik for a lot of the agent communication back to the UI.

traefik

version: '3.7'

services:
  traefik:
    image: traefik:v2.1.6
    environment:
        - TRAEFIK_PROVIDERS_DOCKER=true
        - TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false
        - TRAEFIK_PROVIDERS_DOCKER_SWARMMODE=true
        - TRAEFIK_PROVIDERS_DOCKER_WATCH=true
        - TRAEFIK_API_INSECURE=true
        - TRAEFIK_API=true
        - TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=:80
        - TRAEFIK_ENTRYPOINTS_PORTAINER-TCP_ADDRESS=:9000
        - TRAEFIK_ENTRYPOINTS_PORTAINER-TCP-TUNNEL_ADDRESS=:8000
        - TRAEFIK_ENTRYPOINTS_INTERNAL_ADDRESS=:8888
        - TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS=:443
        - TRAEFIK_METRICS_PROMETHEUS=true
        - TRAEFIK_PING=true
        - TRAEFIK_PING_ENTRYPOINT=internal
        - TRAEFIK_LOG_LEVEL=INFO
        - TRAEFIK_ACCESSLOG=true
        - TRAEFIK_ACCESSLOG_FORMAT=json
    ports:
      - 80:80
      - 8000:8000
      - 9000:9000
      - 8888:8888
      - 443:443
    labels:
      - use-traefik=true
    deploy:
      replicas: 3
      update_config:
        parallelism: 1
      placement:
        constraints:
          - node.role == manager
        preferences:
          - spread: node.id
      restart_policy:
        condition: any
        delay: 10s
        window: 120s
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.tags=traefik-public
        #Middlewares
        - traefik.http.middlewares.compress_response.compress=true
        - traefik.http.middlewares.request_retry.retry.attempts=2
        - traefik.http.middlewares.http-redirect.redirectscheme.scheme=https
        #Routers
        #NoSSL
        - traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)
        - traefik.http.routers.api.service=api@internal
        - traefik.http.routers.api.entrypoints=internal
        - traefik.http.services.api.loadbalancer.server.port=8080
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - default
      - traefik-public
      - portainer-agent

networks:
  traefik-public:
    external: true
  portainer-agent:
    external: true

portainer with local cluster agent

version: '3.7'

services:
    agent:
        image: portainer/agent:latest
        environment:
            - AGENT_SECRET=****
            - CAP_HOST_MANAGEMENT=1
            - EDGE_INSECURE_POLL=1
        volumes:
            - /var/lib/docker/volumes:/var/lib/docker/volumes:rw
            - /var/run/docker.sock:/var/run/docker.sock:rw
            - /:/host
            - portainer-agent-data:/data
        networks:
            portainer-agent:
                aliases:
                    - portainer-agent
        deploy:
            mode: global
    portainer:
        image: portainer/portainer:1.23.2
        volumes:
            - portainer-data:/data
        command: -H tcp://tasks.portainer-agent:9001 --tlsskipverify --ssl --sslcert /run/secrets/portainer-cert --sslkey /run/secrets/portainer-key
        environment:
            - AGENT_SECRET=****
        secrets:
            - portainer-cert
            - portainer-key
        networks:
            - portainer-agent
        deploy:
            replicas: 1
            placement:
                constraints:
                    - node.id == ****
                preferences:
                    - spread: node.id
            update_config:
                parallelism: 1
                delay: 10s
            restart_policy:
                condition: any
                delay: 10s
                max_attempts: 3
            labels:
                - traefik.enable=true
                - traefik.docker.network=portainer-agent
                - traefik.tags=traefik-public
                # Portainer NoSSL Redirect
                - traefik.http.routers.portainer-nossl.rule=Host(`portainer.${DOMAIN}`)
                - traefik.http.services.portainer-nossl.loadbalancer.server.port=9000
                - traefik.http.routers.portainer-nossl.entryPoints=web
                - traefik.http.routers.portainer-nossl.middlewares=http-redirect
                #Portainer SSL Using TLS Passthrough
                - traefik.tcp.routers.portainer-ssl.rule=HostSNI(`portainer.${DOMAIN}`)
                - traefik.tcp.routers.portainer-ssl.tls.passthrough=true
                - traefik.tcp.routers.portainer-ssl.entryPoints=websecure
                - traefik.tcp.routers.portainer-ssl.service=portainer-ssl
                - traefik.tcp.services.portainer-ssl.loadbalancer.server.port=9000
                - traefik.tcp.routers.portainer-tcp.rule=HostSNI(`*`)
                - traefik.tcp.routers.portainer-tcp.entryPoints=portainer-tcp
                - traefik.tcp.routers.portainer-tcp.service=portainer-tcp
                - traefik.tcp.services.portainer-tcp.loadbalancer.server.port=9000
                - traefik.tcp.routers.portainer-tcp-tunnel.rule=HostSNI(`*`)
                - traefik.tcp.routers.portainer-tcp-tunnel.entryPoints=portainer-tcp-tunnel
                - traefik.tcp.routers.portainer-tcp-tunnel.service=portainer-tcp-tunnel
                - traefik.tcp.services.portainer-tcp-tunnel.loadbalancer.server.port=8000

networks:
    portainer-agent:
        external: true

volumes:
    portainer-data:
    portainer-agent-data:

secrets:
    portainer-cert:
        external: true
    portainer-key:
        external: true

portainer edge agent

version: '3.7'

services:
  agent:
    image: portainer/agent:latest
    environment:
      - AGENT_CLUSTER_ADDR=tasks.portainer-edge-agent
      - EDGE=1
      - EDGE_ID=***
      - EDGE_KEY=***
    networks:
      portainer-agent:
        aliases:
          - portainer-edge-agent
    volumes:
      - /var/lib/docker/volumes:/var/lib/docker/volumes:rw
      - /var/run/docker.sock:/var/run/docker.sock:rw
      - /:/host
      - portainer-agent-data:/data

networks:
  portainer-agent:
    external: true

volumes:
  portainer-agent-data:

I hope this helps!
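
A small audit of the security-relevant settings that appear in the compose files in this thread (Traefik API exposure, Docker socket mode, host root mounts), as an added example that is not part of any post above. The `audit` function, the check ids and the sample stack are assumptions made for illustration, and the checks are line-based heuristics rather than a full YAML parse.

```python
import re

# Constructed sample in the shape of the stacks above; check ids are illustrative.
SAMPLE = """\
services:
  traefik:
    environment:
      - TRAEFIK_API_INSECURE=true
    labels:
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.dash.service=api@internal
      - traefik.http.routers.dash.middlewares=admin
      - traefik.http.middlewares.admin.basicauth.users=user:HASH_PLACEHOLDER
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  agent:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:rw
      - /:/host
"""

AUTH_KINDS = {"basicauth", "digestauth", "forwardauth"}
MW_DEF = re.compile(r"traefik\.http\.middlewares\.([^.]+)\.(\w+)\.", re.I)
ROUTER = re.compile(r"traefik\.http\.routers\.([^.]+)\.(service|middlewares)=(.*)", re.I)
INSECURE = re.compile(r"TRAEFIK_API_INSECURE=true|--api\.insecure(=true)?", re.I)

def audit(compose_text):
    """Return sorted (check_id, detail) findings for one compose file's text."""
    items = [m.group(1).strip().strip("\"'")
             for m in re.finditer(r"^\s*-\s+(.+)$", compose_text, re.M)]
    auth_mw, routers, findings = set(), {}, set()
    for item in items:
        mw, rt = MW_DEF.match(item), ROUTER.match(item)
        if mw and mw.group(2).lower() in AUTH_KINDS:
            auth_mw.add(mw.group(1))  # middleware that enforces authentication
        if rt:
            routers.setdefault(rt.group(1), {})[rt.group(2).lower()] = rt.group(3)
        if INSECURE.fullmatch(item):
            findings.add(("api-insecure", item))
        if item.startswith("/var/run/docker.sock:") and not item.endswith(":ro"):
            findings.add(("docker-sock-writable", item))
        if item.startswith("/:/"):
            findings.add(("host-root-mounted", item))
    # A router that serves api@internal should carry at least one auth middleware.
    for name, opts in routers.items():
        chain = {m.strip().split("@")[0] for m in opts.get("middlewares", "").split(",")}
        if opts.get("service") == "api@internal" and not chain & auth_mw:
            findings.add(("api-router-no-auth", name))
    return sorted(findings)
```

Run it over a real stack with `audit(open("docker-compose.yaml").read())`; each finding is a setting to review against how the host is exposed, not proof of a problem.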