Rest-server with traefik

I’m trying to set up the rest-server with traefik.
Here is my compose file:

version: '2'

services:
  rest-server:
    container_name: rest-server
    image: restic/rest-server:latest
    restart: unless-stopped
    volumes:
      - /data/remote/restic:/data
    environment:
      - OPTIONS=--debug --no-auth
    labels:
      - traefik.enable=true
      - traefik.http.routers.rest-server.rule=Host(`restic.myurl.com`)
      - traefik.http.routers.rest-server.tls.certresolver=lecrypt
      - traefik.http.routers.rest-server.service=rest-server
      - traefik.http.services.rest-server.loadbalancer.server.port=8000

Unfortunately I’m not able to create a repo. I tried the following commands on a remote machine:

restic -r rest:https://restic.myurl.com/test_repo/ init

results in:

Fatal: server response unexpected: 504 Gateway Timeout (504)

and

restic -r rest:https://restic.myurl.com:8000/test_repo/ init

Results in:

Post "https://restic.myurl.com:8000/test_repo/?create=true": dial tcp [<myserverip>]:8000: i/o timeout

I know my “certresolver” (lecrypt) is working correctly, as I’m using it for other services and it also does not fail to create a certificate for “https://restic.myurl.com”.

Aren’t you missing a Traefik entrypoint? Here’s mine which is working fine:

version: '3.4'

networks:
  traefik:
    external:
      name: traefik

# In Synology, the permissions must be `R/W`, `No mapping`, `Yes`, `Allowed`, `Allowed`.
# https://www.ixsystems.com/community/threads/deluge-starts-downloading-and-then-after-5-sec-stops.76162/#post-529638
volumes:
  nas:
    driver_opts:
      type: "nfs"
      o: "addr=10.0.0.10,nolock,soft,rw"
      device: ":/volume1/restic"

# Restic-server: https://github.com/restic/rest-server/blob/master/examples/compose-with-grafana/docker-compose.yml
services:
  restic:
    image: restic/rest-server:0.10.0
    container_name: restic
    restart: "no"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Lisbon
      - OPTIONS=--no-auth --prometheus
    volumes:
      - nas:/data
    networks:
      - traefik
    labels:
      - traefik.enable=true
      - traefik.http.services.restic.loadbalancer.server.port=8000
      - traefik.http.routers.restic.rule=Host(`backup-server.mydomain.com`)
      - traefik.http.routers.restic.entrypoints=web
      - traefik.http.routers.restic.tls=false

And remember that in the Traefik configuration you must also define the entrypoint:

[entryPoints]
  [entryPoints.web]
  address = ":80"

(...)

And in the Traefik docker-compose file you must assign the chosen port:

  traefik:
    image: "traefik:2.3.0"
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
(...)

I hope this helps.

1 Like

Thanks @nununo for the hint.

I configured my entrypoints globally in the static config.
You would only set the entrypoints for a router if you would want to limit them to a particular set of entrypoints for this router (see docs).
All my other services work fine like that.

Any reason you do not redirect to https or is it just for the minimal example?
I also have a global config that redirects all http traffic to https.

1 Like

Ah, thanks for the details on entrypoints. I didn’t know that so I always make them explicit.

Did you manage to make yours work? Mine is working fine.

As for why I’m not using TLS… the answer is: I will. It’s in my ToDo list :wink: The service is internal to my LAN so not a big deal but, still, I have an internal CA and make a point of using TLS on all my internal services. Anyway, thanks for bringing that to my attention.

1 Like

@nununo well if you just use it internal then ofc it's no problem, but then why do you use traefik at all?

It's always the same with traefik… I forget one little config and it takes me way too long to figure out what's missing :smiley:
I should really make a checklist.
This time I forgot to set the external network, so thx @nununo you helped me out after all :smiley:
The weird thing was that I was still getting responses to the restic domain in the traefik debug log, so I thought it was working alright.

1 Like
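
The checklist idea from the post above, as an added example that is not part of the original thread: a small Python lint over a parsed compose document (the dict `yaml.safe_load` returns) that flags a Traefik-enabled service missing from the proxy network, the cause of the 504 here, and also `--no-auth` on a routed rest-server. The function names, the default network name `traefik` and the two sample documents are assumptions constructed from the files posted above.

```python
# Added example: lint a parsed docker-compose document for the mistakes in this thread.
# `compose` is the dict that yaml.safe_load() would return for a compose file.

def _as_dict(value):
    """Compose accepts both ['k=v', ...] and {k: v} for labels and environment."""
    if isinstance(value, dict):
        return {str(k): str(v) for k, v in value.items()}
    return dict(item.split("=", 1) if "=" in item else (item, "")
                for item in (value or []))

def check_compose(compose, proxy_net="traefik"):
    """Return a list of findings for services that Traefik is asked to route."""
    findings = []
    top_nets = compose.get("networks") or {}
    for name, svc in (compose.get("services") or {}).items():
        labels = _as_dict(svc.get("labels"))
        if labels.get("traefik.enable", "").lower() != "true":
            continue  # not routed by Traefik, nothing to check
        svc_nets = svc.get("networks") or []  # list or dict; both hold network names
        if proxy_net not in svc_nets:
            findings.append(f"{name}: not attached to '{proxy_net}'; Traefik cannot reach the backend (the 504 in this thread)")
        elif not (top_nets.get(proxy_net) or {}).get("external"):
            findings.append(f"{name}: network '{proxy_net}' is not external; compose will create a project-scoped network instead")
        env = _as_dict(svc.get("environment"))
        if "--no-auth" in env.get("OPTIONS", "").split():
            findings.append(f"{name}: --no-auth on a routed service; rest-server accepts requests without credentials")
    return findings

# Constructed inputs mirroring the two compose files posted in the thread.
BROKEN = {"services": {"rest-server": {
    "image": "restic/rest-server:latest",
    "environment": ["OPTIONS=--debug --no-auth"],
    "labels": ["traefik.enable=true",
               "traefik.http.services.rest-server.loadbalancer.server.port=8000"]}}}
WORKING = {"networks": {"traefik": {"external": {"name": "traefik"}}},
           "services": {"restic": {
               "environment": ["PUID=1000", "OPTIONS=--no-auth --prometheus"],
               "networks": ["traefik"],
               "labels": ["traefik.enable=true"]}}}

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("working", WORKING)):
        print(label, check_compose(doc))
```
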

Hi @ozboss,

Glad you found your problem! :slight_smile:

Well, I have a local CA and I issue (internal) certificates for all my local servers. I use Traefik for 2 reasons:

  • as a reverse proxy to assign a different subdomain to each service, even when they are hosted under the same IP;
  • to automatically apply the internal TLS certificates to each of those certificates.

I do this because:

  • With internal certificates I avoid all those browser warnings;
  • The multiple subdomains allow me to use default port 443 for most of the services instead of using a shared FQDN and obscure port numbers for each service;
  • It’s an opportunity to learn how to use yet another amazing tool;

:wink: