
For development purposes I run a local Docker with three independent Moodle instances. These three instances should be able to communicate with each other. To do this, I use traefik as a reverse proxy. So far, this has all worked flawlessly. But now I wanted to add SSL to the Docker. At first glance, this also works flawlessly. But unfortunately the instances can only communicate with each other to a limited extent:

That is, for example, wget "https://moodle2.localhost/testfile.txt" returns the error:

wget: can't connect to remote host (127.0.0.1): Connection refused

whereas wget "moodle2.localhost/testfile.txt" or wget "webserver2/testfile.txt" works fine.

For development purposes I could live with it in a pinch. But it would be nice if I could test everything as it would work later on the production system.

Does anyone have any idea what I would need to change to also be able to communicate between containers via the https://xxx URL?

Below is my docker-compose.yml and the traefik configurations:

version: "3.4"
services:
  webserver:
    image: "moodlehq/moodle-php-apache:${MOODLE_DOCKER_PHP_VERSION}"
    depends_on:
      - db
    volumes:
      - "${MOODLE_DOCKER_WWWROOT}:/var/www/html"
      - "${ASSETDIR}/web/apache2_faildumps.conf:/etc/apache2/conf-enabled/apache2_faildumps.conf"
    environment:
      MOODLE_DOCKER_DBTYPE: pgsql
      MOODLE_DOCKER_DBNAME: moodle
      MOODLE_DOCKER_DBUSER: moodle
      MOODLE_DOCKER_DBPASS: "m@0dl3ing"
      MOODLE_DOCKER_BROWSER: firefox
      MOODLE_DOCKER_WEB_HOST: "${MOODLE_DOCKER_WEB_HOST}"
      MOODLE_DOCKER_SSL_PROXY: 1
    networks:
      hubnet:
        ipv4_address: 192.168.0.11
    extra_hosts:
      - "db:192.168.0.14"
      - "webserver2:192.168.0.12"
      - "webserver3:192.168.0.13"
      - "moodle2.localhost:192.168.0.12"
      - "moodle3.localhost:192.168.0.13"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webserver.rule=Host(`moodle.localhost`)"
      - "traefik.http.routers.webserver.tls=true"
      - "traefik.backend.webserver"
  webserver2:
    image: "moodlehq/moodle-php-apache:${MOODLE_DOCKER_PHP_VERSION}"
    depends_on:
      - db
    volumes:
      - "${MOODLE_DOCKER_WWWROOT}:/var/www/html"
    environment:
      MOODLE_DOCKER_DBTYPE: mysqli
      MOODLE_DOCKER_DBNAME: moodle2
      MOODLE_DOCKER_DBUSER: moodle
      MOODLE_DOCKER_DBPASS: "m@0dl3ing"
      MOODLE_DOCKER_BROWSER: firefox
      MOODLE_DOCKER_WEB_HOST: "${MOODLE_DOCKER_WEB_HOST}"
      MOODLE_DOCKER_SSL_PROXY: 1
    networks:
      hubnet:
        ipv4_address: 192.168.0.12
    extra_hosts:
      - "db:192.168.0.14"
      - "webserver:192.168.0.11"
      - "webserver3:192.168.0.13"
      - "moodle.localhost:192.168.0.11"
      - "moodle3.localhost:192.168.0.13"
    build:
      context: ./
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webserver2.rule=Host(`moodle2.localhost`)"
      - "traefik.http.routers.webserver2.tls=true"
      - "traefik.backend.webserver2"
  webserver3:
    image: "moodlehq/moodle-php-apache:${MOODLE_DOCKER_PHP_VERSION}"
    depends_on:
      - db
    volumes:
      - "${MOODLE_DOCKER_WWWROOT}:/var/www/html"
    environment:
      MOODLE_DOCKER_DBTYPE: mysqli
      MOODLE_DOCKER_DBNAME: moodle3
      MOODLE_DOCKER_DBUSER: moodle
      MOODLE_DOCKER_DBPASS: "m@0dl3ing"
      MOODLE_DOCKER_BROWSER: firefox
      MOODLE_DOCKER_WEB_HOST: "${MOODLE_DOCKER_WEB_HOST}"
      MOODLE_DOCKER_SSL_PROXY: 1
    networks:
      hubnet:
        ipv4_address: 192.168.0.13
    extra_hosts:
      - "db:192.168.0.14"
      - "webserver:192.168.0.11"
      - "webserver2:192.168.0.12"
      - "moodle.localhost:192.168.0.11"
      - "moodle2.localhost:192.168.0.12"
    build:
      context: ./
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webserver3.rule=Host(`moodle3.localhost`)"
      - "traefik.http.routers.webserver3.tls=true"
      - "traefik.backend.webserver3"
  db:
    image: postgres:11
    environment:
      POSTGRES_USER: moodle
      POSTGRES_PASSWORD: "m@0dl3ing"
      POSTGRES_DB: moodle
    networks:
      hubnet:
        ipv4_address: 192.168.0.14
  exttests:
    image: moodlehq/moodle-exttests
  selenium:
    image: "selenium/standalone-firefox${MOODLE_DOCKER_SELENIUM_SUFFIX}:2.53.1"
    volumes:
      - "${MOODLE_DOCKER_WWWROOT}:/var/www/html:ro"
  dbpost:
    image: postgres:11
    environment:
      POSTGRES_USER: moodle
      POSTGRES_PASSWORD: "m@0dl3ing"
      POSTGRES_DB: moodle
    ports:
      - 5432:5432
  redis:
    image: redis:6
    networks:
      hubnet:
        ipv4_address: 192.168.0.15
  traefik:
    image: "traefik:v2.5"
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik/config/static.yml:/etc/traefik/traefik.yml:ro"
      - "./traefik/config/dynamic.yml:/etc/traefik/dynamic.yml:ro"
      - "./traefik/certs:/etc/certs:ro"
    network_mode: host
networks:
  hubnet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.0.0/24

Traefik static config:

global:
  sendAnonymousUsage: false

api:
  dashboard: true
  insecure: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false

  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

log:
  level: INFO
  format: common

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

Traefik dynamic config:

http:
  routers:
    traefik:
      rule: "Host(`traefik.localhost`)"
      tls:
        domains:
          - main: "moodle.localhost"
          - main: "moodle3.localhost"
          - main: "moodle2.localhost"
tls:
  certificates:
    - certFile: "/etc/certs/local-cert.pem"
      keyFile: "/etc/certs/local-key.pem"
MPe

1 Answer

If you want HTTPS to work not only between the user and Traefik (reverse proxy), but also between the containers, you must include the following labels in your containers (in your case webserver1, 2 and 3):

  • traefik.http.services.webserverX.loadbalancer.server.port=443
  • traefik.http.services.webserverX.loadbalancer.server.scheme=https
  • traefik.http.routers.webserverX.service=webserverX

It also means that Traefik must have valid SSL certificates to access webserverX.

Replace the X with the corresponding number (1, 2 or 3). The first line tells Traefik the target port to route to. The second line tells Traefik to use HTTPS - you might also want to add the redirectScheme middleware here to redirect all HTTP requests to HTTPS. The third line assigns the service to the router.

Since I am using dedicated networks and self-signed certificates, I do not need the communication between a service and Traefik to be encrypted, which is why I usually set the HTTP port (e.g. 80 or 8080 - depending on the application) as the target port. Note: the server.port port is the port of the actual application (within the container), not your host. You also do not have to forward that port anywhere (e.g. no ports: - ... statement necessary).

Igor
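As an added example (not code from the question or the answer above), this is how the answer's three labels fit into the webserver2 service from the compose file, with Traefik's static options written as command-line arguments instead of the static.yml used in the question. It assumes Apache inside the container has been configured to listen on 443 with a certificate issued by a local CA whose file local-ca.pem (an assumed name) is mounted for Traefik to trust.

```yaml
services:
  webserver2:
    image: "moodlehq/moodle-php-apache:${MOODLE_DOCKER_PHP_VERSION}"
    # depends_on, volumes, environment, networks and extra_hosts as in the question
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webserver2.rule=Host(`moodle2.localhost`)"
      - "traefik.http.routers.webserver2.entrypoints=https"
      - "traefik.http.routers.webserver2.tls=true"
      # third label from the answer: bind the router to an explicit service
      - "traefik.http.routers.webserver2.service=webserver2"
      # first and second label from the answer: Traefik talks HTTPS to port 443
      # inside the container (not a host port; no ports: mapping needed)
      - "traefik.http.services.webserver2.loadbalancer.server.port=443"
      - "traefik.http.services.webserver2.loadbalancer.server.scheme=https"
  traefik:
    image: "traefik:v2.5"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.http.address=:80"
      # entry-point level redirect, same effect as the redirections block in static.yml
      - "--entrypoints.http.http.redirections.entrypoint.to=https"
      - "--entrypoints.http.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.https.address=:443"
      # Traefik verifies the backend certificate against this CA (assumed file name)
      - "--serversTransport.rootCAs=/etc/certs/local-ca.pem"
      # dev-only alternative that disables backend certificate verification:
      # - "--serversTransport.insecureSkipVerify=true"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik/certs:/etc/certs:ro"
    network_mode: host
```

The rootCAs option keeps certificate verification on, whereas insecureSkipVerify would accept any backend certificate and only belongs on a throwaway development network. Note that the extra_hosts entries in the question point moodle2.localhost straight at the container's own IP, so container-to-container requests bypass Traefik entirely and depend on the target container itself answering on 443.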