Run Rancher Behind Traefik in Docker Compose

I have an existing docker-compose that I’m happy with. What I want to do is add Rancher as yet another service behind a Traefik load balancer to route all traffic from example.com/rancher -> rancher container. I can’t find how to do this since most of the Traefik related queries end up focusing on Traefik as an ingress controller.

Using the docker-compose version from below, not only does Rancher fail to start, but my Let’s Encrypt configuration gets hosed, causing Traefik to go back to its self-signed cert.

What am I missing?

Thanks.

  rancher:
    image: rancher/rancher:latest
    container_name: rancher
    restart: unless-stopped
    labels:
      # Traefik v1 Docker labels are key=value strings. Writing "key: value"
      # inside the quotes makes Compose create a label literally named
      # "key: value" with an empty value, so Traefik never sees the setting.
      - "traefik.enable=true"
      - "traefik.frontend.entryPoints=http,https"
      - "traefik.frontend.redirect.entryPoint=https"
      - "traefik.frontend.redirect.permanent=true"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.customRequestHeaders=Host:*||X-Forwarded-Proto:https||X-Forwarded-Port:443||X-Forwarded-Host:******"
      - "traefik.protocol=http"
      - "traefik.port=80"
      - "traefik.backend=rancher"
      - "traefik.frontend.rule=Host:example.com;PathPrefix:/rancher"
    expose:
      - 80
      - 443
    networks:
      - web

I don’t know what’s wrong specifically with the traefik config but rancher itself can’t be breaking traefik. I presume if you inject something invalid into the config then the whole file (containing other stuff like your letsencrypt config) fails to parse.

What you’re trying to do will not work anyway, rancher needs to be run on its own (sub)domain and does not support a sub-path. Security-wise this would be a bad idea to do in the first place, but it doesn’t work because the UI is static JS and won’t know where to route a request which doesn’t match anything it’s expecting.


Thank you for the response. I didn’t know that there was no way to change the URL portion of Rancher.

Why would it be a bad idea from a security perspective?

Because everything else on the same domain can read and write cookies, manipulate local storage, make arbitrary requests (which are not cross-origin because the origin is the same), directly communicate with other open windows, etc. for all the other apps on the same domain.

Those can break things accidentally (e.g. two apps both want a cookie called token), expand a compromise of one app into a compromise of all, or allow a trusted owner of one app to steal information from another (e.g. the owner of your-company.com/webmail deploys a version that sends all rancher auth tokens to himself).

You may not realistically care if it’s for your house or something, but separate applications should be deployed to separate origins (subdomains).

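To make the point in the reply above concrete, here is an added Python check (not from this thread or from Rancher/Traefik) that computes the browser's origin tuple for each app URL and reports apps that share one; the path is deliberately ignored, exactly as the same-origin policy ignores it. The app names and URLs are constructed samples.

```python
from urllib.parse import urlsplit
from collections import defaultdict

# Default ports per scheme, used when a URL omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin tuple for a URL.

    Path, query and fragment are ignored on purpose: the browser's
    same-origin policy does not consider them, which is why
    example.com/rancher and example.com/webmail are one origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def shared_origins(apps):
    """Group app names by origin; return only origins hosting more than one app."""
    by_origin = defaultdict(list)
    for name, url in apps.items():
        by_origin[origin(url)].append(name)
    return {o: sorted(names) for o, names in by_origin.items() if len(names) > 1}

# Constructed sample: the sub-path layout from the question versus the
# one-subdomain-per-app layout recommended in the reply.
SUBPATH_LAYOUT = {
    "rancher": "https://example.com/rancher",
    "webmail": "https://example.com/webmail",
    "wiki": "https://example.com:443/wiki/",   # explicit default port, still same origin
}
SUBDOMAIN_LAYOUT = {
    "rancher": "https://rancher.example.com",
    "webmail": "https://webmail.example.com",
    "wiki": "https://wiki.example.com",
}

if __name__ == "__main__":
    print(shared_origins(SUBPATH_LAYOUT))    # one origin shared by all three apps
    print(shared_origins(SUBDOMAIN_LAYOUT))  # {}
```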
labels:
  # Dynamic configuration with Docker Labels
  # Ref: https://docs.traefik.io/reference/dynamic-configuration/docker/
  - "traefik.enable=true"
  - "traefik.docker.network=traefik"
  - "traefik.http.middlewares.rancher-behind-proxy.headers.customrequestheaders.X-Forwarded-Proto=https"
  - "traefik.http.routers.rancher.entrypoints=web"
  - "traefik.http.routers.rancher.rule=Host(`rancher.example.com`)"
  - "traefik.http.routers.rancher.service=rancher"
  - "traefik.http.routers.rancher.middlewares=rancher-behind-proxy"
  - "traefik.http.services.rancher.loadbalancer.server.port=80"