Docker portainer-ce behind reverse-proxy can not accessed

[Laul0]

Bug description

With the previous version 1.24 based on the Docker install, it was possible to use a reverse-proxy to access to portainer.

Here, the compose file used and just remplaced portainer/portainer by portainer/portainer-ce:

version: '3.7'

services:
  portainer:
    image: portainer/portainer-ce
    # command: -H unix:///var/run/docker.sock
    ports:
      - "9000"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - type: bind
        source: /path/to/portainer-ce
        target: /data
    environment:
      - VIRTUAL_HOST=portainer.mydomaine.com
    restart: always
    privileged: true

jwilder/nginx-proxy is used as reverse-proxy

Expected behavior
Use the same compose file and configuration to use a reverse-proxy

Steps to reproduce the issue:

1. Copy compose file
2. Run docker jwilder/nginx-proxy
3. Run portainer-ce
4. Error 502

Technical details:

• Portainer version: CE 2.0.0
• Docker version (managed by Portainer):
• Platform (windows/linux): Linux
• Command used to start Portainer: see compose file
• Browser: EDGE/CHROME

Additional context
nope

[zhdenny]

I pretty much did same thing.....and hit the 502 error wall. Not quite sure what happened

[billy34]

same thing using traefik (1.7.26) but for me a 404

  ### Portainer : Docker management interface
  # + trick to redirect /portainer to /portainer/
  # + replacePath to serve /portainer as /

  portainer:
    image: portainer/portainer-ce:2.0.0-alpine
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./portainer:/data
    labels:
      - "traefik.tags=admin"
      - "traefik.enable=true"
      - "traefik.backend=portainer"
      - "traefik.frontend.redirect.regex=^(.*)/portainer$$"
      - "traefik.frontend.redirect.replacement=$$1/portainer/"
      - "traefik.frontend.rule=Host:bsef-calcul.cirad.fr;PathPrefix:/portainer;ReplacePathRegex: ^/portainer/(.*) /$$1"

Strange thing in log (listening on :8000 and starting on :9000 ?)

│   2020/09/02 14:33:32 server: Reverse tunnelling enabled                                                                   
│   2020/09/02 14:33:32 server: Fingerprint 07:90:24:55:bf:81:cd:bf:e7:e3:c0:f9:16:2e:13:a5                                  
│   2020/09/02 14:33:32 server: Listening on 0.0.0.0:8000...                                                                 
│   2020/09/02 14:33:32 Starting Portainer 2.0.0 on :9000

[sylvaindd]

Same here with Traefik 2.2.8, it was working fine before updating to 2.0.
I now have this in the container logs:

g_portainer | 2020/09/02 16:27:00 Migrating database from version 24 to 25.
g_portainer | 2020/09/02 16:27:00 server: Reverse tunnelling enabled
g_portainer | 2020/09/02 16:27:00 server: Fingerprint 03:33:d2:fa:ca:d2:24:16:6b:58:7a:58:d8:66:d1:2f
g_portainer | 2020/09/02 16:27:00 server: Listening on 0.0.0.0:8000...
g_portainer | 2020/09/02 16:27:00 Starting Portainer 2.0.0 on :9000
g_portainer | 2020/09/02 16:27:00 [DEBUG] [chisel, monitoring] [check_interval_seconds: 10.000000] [message: starting tunnel management process]
g_portainer | 2020/09/02 16:27:43 [WARN] [message: unable to find resource identifier property in resource object] [identifier_attribute: Id]
g_portainer | 2020/09/02 16:27:43 proxy error: http: read on closed response body
g_portainer | 2020/09/02 16:28:43 [WARN] [message: unable to find resource identifier property in resource object] [identifier_attribute: Id]
g_portainer | 2020/09/02 16:28:43 proxy error: http: read on closed response body
g_portainer | 2020/09/02 16:29:43 [WARN] [message: unable to find resource identifier property in resource object] [identifier_attribute: Id]
g_portainer | 2020/09/02 16:29:43 proxy error: http: read on closed response body
g_portainer | 2020/09/02 16:30:43 [WARN] [message: unable to find resource identifier property in resource object] [identifier_attribute: Id]
g_portainer | 2020/09/02 16:30:43 proxy error: http: read on closed response body
g_portainer | 2020/09/02 16:31:43 [WARN] [message: unable to find resource identifier property in resource object] [identifier_attribute: Id]
g_portainer | 2020/09/02 16:31:43 proxy error: http: read on closed response body

I can still access it through exposed port.

[Laul0]

@billy34 the port 9000 and 8000 are correct.
The reverse proxy can redirect the request from the 80 to 9000.

All information are provided into the documentation: https://www.portainer.io/installation/

Note: Port 9000 is the general port used by Portainer for the UI access. Port 8000 is used exclusively by the EDGE agent for the reverse tunnel function. If you do not plan to use the edge agent, you do not need to expose port 8000

[sylvaindd]

Fixed it by adding port 9000 to the loadbalancer :
- "traefik.http.services.portainer.loadbalancer.server.port=9000"

I'm guessing that in the previous Dockerfile only 9000 was exposed and now 8000 is exposed as well so Traefik doesn't pick the "right" one.

[ncresswell]

Yes thats correct, we have now correctly fixed the expose of both Ports in the dockerfile

[ghost]

I have updated the release notes to specify this as a breaking change for proxy users: https://github.com/portainer/portainer/releases/tag/2.0.0

I feel that this issue can now be closed, as it is not necessarily a portainer issue but rather a matter of proxy configuration :)

[Laul0]

Yes, I found the solution too with jwilder/nginx-proxy

Define port to 80 and add VIRTUAL_PORT env at 9000.

[billy34]

Following your advices I added a traefik.port=9000 label to my portainer service and it works like a charm (for traefik 1.7.x series).

Thank you all