I am trying to set up Traefik version 2, but I only get "404 Page not found" or DNS_PROBE_FINISHED_NXDOMAIN errors in my browser.

When I check the API endpoints for routers I can see that my two containers are enabled in Traefik and that the rules are correct.

    curl http://localhost:8080/api/http/routers

    [{"entryPoints":["web","secure"],"service":"gotify-gotify","rule":"Host(`sub2.example.org`)","tls":{"certResolver":"letsencrypt"},"status":"enabled","using":["secure","web"],"name":"gotify@docker","provider":"docker"},{"entryPoints":["web","secure"],"service":"nextcloud-cloud","rule":"Host(`sub.example.org`)","tls":{"certResolver":"letsencrypt"},"status":"enabled","using":["secure","web"],"name":"nextcloud@docker","provider":"docker"}]

But on "sub2" I get no website at all and on "sub" I get "404 page not found". I have set a DNS entry for "*" so all subdomains go to the same server.

I have set the following labels for the docker containers:

    labels:
      traefik.enable: true
      traefik.http.routers.nextcloud.rule: "Host(`sub.example.org`)"
      traefik.http.routers.nextcloud.entrypoints: "web, secure"
      traefik.http.routers.nextcloud.tls.certresolver: "letsencrypt"

And this is my Traefik configuration, traefik.toml:

    [entryPoints]
      [entryPoints.web]
        address = ":80"
      [entryPoints.secure]
        address = ":443"

    [providers.docker]
      exposedByDefault = false
      network = "traefik"

    [certificatesResolvers.letsencrypt.acme]
      email = "me@example.org"
      storage = "acme.json"
      [certificatesResolvers.letsencrypt.acme.httpChallenge]
        entryPoint = "web"

    [api]
      insecure = true
      debug = true
      dashboard = false

Traefik itself is running as a docker container.

    version: "3.7"

    services:
      traefik:
        image: traefik:v2.0
        container_name: traefik
        restart: unless-stopped
        volumes:
        - "./traefik.toml:/etc/traefik/traefik.toml"
        - "./acme:/etc/traefik/acme"
        - "/var/run/docker.sock:/var/run/docker.sock"
        ports:
        - "80:80"
        - "127.0.0.1:8080:8080"
        - "443:443"
        networks:
        - traefik

    networks:
      traefik:
        driver: bridge
        name: traefik

I use ufw to manage firewall rules and opened ports 22, 80 and 443:

    Status: active

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    443/tcp                    ALLOW       Anywhere
    22/tcp (v6)                ALLOW       Anywhere (v6)
    80/tcp (v6)                ALLOW       Anywhere (v6)
    443/tcp (v6)               ALLOW       Anywhere (v6)

fatihyildizhan
Rinma
  • When I try: https://docs.traefik.io/v2.0/getting-started/quick-start/ I get a new error "Gateway Timeout" – Rinma Sep 27 '19 at 18:39
  • I now started the "whoami" container with my actual traefik configuration and now this works, but now the other containers are throwing "Bad Gateway"... I nearly had all HTTP errors now D: – Rinma Sep 27 '19 at 19:09
  • Okay .... after adding the label "traefik.network=traefik" and removing "traefik.http.routers.nextcloud.entrypoints: "web, secure"" it seems to work, but only https – Rinma Sep 28 '19 at 12:38
  • I posted an answer. You may see it below. – fatihyildizhan Mar 31 '20 at 17:12
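
An added example, not part of the original post: in Traefik v2 a router that has a `tls` section only matches HTTPS requests, so binding it to the port-80 entry point leaves plain HTTP requests with no matching router ("404 page not found"). The check below runs over the router list shown in the question; `audit_routers` and the `PLAINTEXT` set are hypothetical names introduced here.

```python
import json

# Constructed input: the /api/http/routers response from the question, trimmed
# to the fields this check reads.
ROUTERS_JSON = '''[
 {"name": "gotify@docker", "entryPoints": ["web", "secure"],
  "rule": "Host(`sub2.example.org`)", "tls": {"certResolver": "letsencrypt"}},
 {"name": "nextcloud@docker", "entryPoints": ["web", "secure"],
  "rule": "Host(`sub.example.org`)", "tls": {"certResolver": "letsencrypt"}}
]'''

# Entry points from the question's traefik.toml. Which of them carry plain
# HTTP is an operator-supplied assumption; the router list does not say.
ENTRYPOINTS = {"web": ":80", "secure": ":443"}
PLAINTEXT = {"web"}


def audit_routers(routers, entrypoints, plaintext):
    """Return (router, entry point, verdict) for every TLS router bound to a
    plaintext entry point, where plain HTTP requests never match it."""
    def bound(router):
        # A router with no entryPoints list is attached to all of them.
        return router.get("entryPoints") or list(entrypoints)

    # (rule, entry point) pairs that a non-TLS router actually serves.
    served = {(r["rule"], ep) for r in routers if "tls" not in r
              for ep in bound(r)}
    findings = []
    for r in routers:
        if "tls" not in r:
            continue
        for ep in bound(r):
            if ep in plaintext:
                verdict = ("covered-by-http-router"
                           if (r["rule"], ep) in served
                           else "plain-http-unmatched")
                findings.append((r["name"], ep, verdict))
    return findings


if __name__ == "__main__":
    for name, ep, verdict in audit_routers(json.loads(ROUTERS_JSON),
                                           ENTRYPOINTS, PLAINTEXT):
        print(f"{name}: tls router on {ep} ({ENTRYPOINTS[ep]}) -> {verdict}")
```
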

2 Answers

You can find a working example for Traefik 2.2.1. Also, you can check the full setup gist: https://gist.github.com/fatihyildizhan/8f124039a9bd3801f0caf3c01c3601fb

I prefer to use traefik.yml with version 2.0. It looks simple and many people are familiar with YAML files.

[Traefik v2.0] - docker-compose.yml with httpChallenge

    version: '3.7'

    services:
      traefik:
        image: traefik:v2.2.1
        container_name: traefik
        restart: unless-stopped
        security_opt:
          - no-new-privileges:true
        networks:
          - proxy
        ports:
          - 80:80
          - 443:443
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./traefik.yml:/traefik.yml:ro
          - ./acme.json:/acme.json
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.traefik.entrypoints=http"
          - "traefik.http.routers.traefik.rule=Host(`traefik.your-domain.com`)"
          - "traefik.http.middlewares.traefik-auth.basicauth.users=username:hashed-password"
          - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
          - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
          - "traefik.http.routers.traefik-secure.entrypoints=https"
          - "traefik.http.routers.traefik-secure.rule=Host(`traefik.your-domain.com`)"
          - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
          - "traefik.http.routers.traefik-secure.tls=true"
          - "traefik.http.routers.traefik-secure.tls.certresolver=http"
          - "traefik.http.routers.traefik-secure.service=api@internal"
          - "traefik.http.services.traefik.loadbalancer.server.port=8080"

    networks:
      proxy:
        external: true


[Traefik v2.0] - traefik.yml with httpChallenge

    api:
      dashboard: true

    # Writing Logs to a File, in JSON
    log:
      level: DEBUG
      filePath: "log-file.log"
      format: json

    # Configuring a buffer of 100 lines
    accessLog:
      filePath: "log-access.log"
      bufferingSize: 100  

    entryPoints:
      http:
        address: ":80"
      https:
        address: ":443"

    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        exposedByDefault: false

    certificatesResolvers:
      http:
        acme:
          email: your-email.com
          storage: acme.json
          httpChallenge:
            entryPoint: http    


[Traefik v2.0] - your-container docker-compose.yml

    version: '3.7'

    services:
        your-container-name:
          image: docker.pkg.github.com/username/repo-name/image-name:latest
          container_name: your-container-name
          restart: unless-stopped
          security_opt:
            - no-new-privileges:true
          networks:
            - proxy
          volumes:
            - /etc/localtime:/etc/localtime:ro
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - ./data:/data
          labels:
            - "traefik.enable=true"
            - "traefik.http.routers.your-container-name.entrypoints=http"
            - "traefik.http.routers.your-container-name.rule=Host(`your-container-name.your-domain.com`)"
            - "traefik.http.middlewares.your-container-name-https-redirect.redirectscheme.scheme=https"
            - "traefik.http.routers.your-container-name.middlewares=your-container-name-https-redirect"
            - "traefik.http.routers.your-container-name-secure.entrypoints=https"
            - "traefik.http.routers.your-container-name-secure.rule=Host(`your-container-name.your-domain.com`)"
            - "traefik.http.routers.your-container-name-secure.tls=true"
            - "traefik.http.routers.your-container-name-secure.tls.certresolver=http"
            - "traefik.http.routers.your-container-name-secure.service=your-container-name"
            - "traefik.http.services.your-container-name.loadbalancer.server.port=80"
            - "traefik.docker.network=proxy"

    networks:
      proxy:
        external: true
fatihyildizhan

Several things could be causing this, some of which are:

  1. You have SSL/TLS proxying enabled at your DNS level (e.g. CloudFlare) which will prevent http challenge completion.
  2. You have a misconfigured storage path for the certificate resolver (probably not in this case but for other readers); check your Traefik container logs (`docker logs traefik`) for errors like
    level=error msg="The ACME resolver \"[resolver]\" is skipped from the resolvers 
    list because: unable to get ACME account: open /[path_to_storage]/acme.json: 
    no such file or directory
    level=error msg="the router [service]@docker uses a non-existent resolver: 
    [resolver]"
    
    If you see these errors, make sure the storage folder exists and/or the volume is mapped correctly from your host to the Traefik docker container (you may need to create it manually, Traefik won't do it for you, at least currently).
  3. There is a technical issue with the service behind the proxy (e.g. Nginx, Apache, etc. is misconfigured). Traefik will produce a generic 404 page not found for a series of errors that do not technically correspond to a real 404 error (e.g. 500, 501, maybe others) and this can be confusing.
Peter Kionga-Kamau
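
An added example, not part of the original answer: this scans Traefik log output for the two errors quoted in item 2 and groups them by resolver, so a skipped resolver is shown together with the routers that depend on it. The sample lines are constructed in the shape of the quoted messages (resolver and router names taken from the question, the storage path is a placeholder); `diagnose` is a hypothetical helper.

```python
import re

# Constructed sample in the shape of the messages quoted in the answer.
SAMPLE_LOG = r'''
level=error msg="The ACME resolver \"letsencrypt\" is skipped from the resolvers list because: unable to get ACME account: open /path/to/acme.json: no such file or directory"
level=error msg="the router nextcloud@docker uses a non-existent resolver: letsencrypt"
level=error msg="the router gotify@docker uses a non-existent resolver: letsencrypt"
level=info msg="Configuration loaded from file: /etc/traefik/traefik.toml"
'''

# The resolver name is wrapped in escaped quotes (\") inside msg="...".
SKIPPED = re.compile(
    r'The ACME resolver \\?"(?P<resolver>[^"\\]+)\\?" is skipped from the '
    r'resolvers list because: (?P<reason>[^"]*)')
MISSING = re.compile(
    r'the router (?P<router>\S+) uses a non-existent resolver: '
    r'(?P<resolver>[^"\s]+)')


def diagnose(log_text):
    """Map each affected resolver to the reason it was skipped, whether the
    reason is a missing storage file, and the routers left without it."""
    report = {}

    def entry(resolver):
        return report.setdefault(
            resolver, {"reason": None, "storage_missing": False, "routers": []})

    for line in log_text.splitlines():
        if "level=error" not in line:
            continue
        m = SKIPPED.search(line)
        if m:
            e = entry(m["resolver"])
            e["reason"] = m["reason"]
            e["storage_missing"] = "no such file or directory" in m["reason"]
            continue
        m = MISSING.search(line)
        if m:
            entry(m["resolver"])["routers"].append(m["router"])
    return report


if __name__ == "__main__":
    for resolver, info in diagnose(SAMPLE_LOG).items():
        print(resolver, info)
```
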