fix: Remove redundant ACME challenge router in Traefik configuration

- Remove explicit ACME challenge router that had no service defined - Traefik handles ACME challenges automatically when httpChallenge.entryPoint is set - The router was interfering with automatic challenge handling - Fixes 'Cannot retrieve the ACME challenge' errors in Traefik logs
2025-11-08 18:46:01 +01:00
parent af98069eba
commit 3d233e8b2c
2 changed files with 39 additions and 50 deletions
--- a/deployment/stacks/traefik/docker-compose.yml
+++ b/deployment/stacks/traefik/docker-compose.yml
@@ -5,16 +5,23 @@ services:
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
-    # Use host network mode to correctly identify client IPs from WireGuard
-    # Without this, Traefik sees Docker bridge IPs instead of real client IPs (10.8.0.x)
-    network_mode: host
-    # When using host network mode, we don't bind ports in docker-compose
-    # Traefik listens directly on host ports 80 and 443
-    # ports:
-    #   - "80:80"
-    #   - "443:443"
+    # Use bridge network mode for reliable service discovery
+    # Service discovery works correctly with Docker labels in bridge mode
+    ports:
+      - "80:80"
+      - "443:443"
+      - "2222:2222"  # Gitea SSH
+    networks:
+      - traefik-public
    environment:
      - TZ=Europe/Berlin
+    command:
+      # Load static configuration file
+      - "--configFile=/traefik.yml"
+      # Increase timeouts for slow backends like Gitea
+      - "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=300s"
+      - "--entrypoints.websecure.transport.respondingTimeouts.writeTimeout=300s"
+      - "--entrypoints.websecure.transport.respondingTimeouts.idleTimeout=360s"
    volumes:
      # Docker socket for service discovery
      - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -30,47 +37,29 @@ services:
      # Enable Traefik for itself
      - "traefik.enable=true"

-      # Dashboard - VPN-only access (WireGuard network required)
-      # Accessible only from WireGuard VPN network (10.8.0.0/24)
+      # Dashboard - BasicAuth protected
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.michaelschiemer.de`)"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
-      # VPN-only + BasicAuth protection (order: vpn-only first, then BasicAuth)
-      - "traefik.http.routers.traefik-dashboard.middlewares=vpn-only@file,traefik-auth"
+      - "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth"

-      # BasicAuth for dashboard (user: admin, password: generate with htpasswd)
-      # htpasswd -nb admin your_password
-      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$8kj9d7lj$$r.x5jhLVPLuCDLvJ6x0Hd0"
+      # BasicAuth for dashboard
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$Of2wG3O5$$y8X1vEoIp9vpvx64mIalk/"

-      # Allow ACME challenges without redirect (higher priority)
-      - "traefik.http.routers.acme-challenge.rule=PathPrefix(`/.well-known/acme-challenge`)"
-      - "traefik.http.routers.acme-challenge.entrypoints=web"
-      - "traefik.http.routers.acme-challenge.priority=200"
+      # Note: ACME challenges are handled automatically by Traefik
+      # when httpChallenge.entryPoint: web is set in traefik.yml
+      # No explicit router needed - Traefik handles /.well-known/acme-challenge automatically
      
      # Global redirect to HTTPS (lower priority, matches everything else)
+      # ACME challenges are excluded from redirect automatically by Traefik
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.routers.http-catchall.priority=1"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
-
-      # Security headers middleware
-      - "traefik.http.middlewares.security-headers.headers.frameDeny=true"
-      - "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
-      - "traefik.http.middlewares.security-headers.headers.browserXssFilter=true"
-      - "traefik.http.middlewares.security-headers.headers.stsSeconds=31536000"
-      - "traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true"
-      - "traefik.http.middlewares.security-headers.headers.stsPreload=true"
-
-      # Compression middleware
-      - "traefik.http.middlewares.compression.compress=true"
-
-      # Rate limiting middleware (100 requests per second)
-      - "traefik.http.middlewares.rate-limit.ratelimit.average=100"
-      - "traefik.http.middlewares.rate-limit.ratelimit.burst=50"
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 30s
@@ -78,5 +67,6 @@ services:
      retries: 3
      start_period: 10s

-# Note: network_mode: host is used, so we don't define networks here
-# Traefik still discovers services via Docker labels using the Docker socket
+networks:
+  traefik-public:
+    external: true