Bravery Family

Tag: Traefik

  • Renew LetsEncrypt in Traefik

    I’d setup Traefik to use LetsEncrypt, but due to the scarey words around rate limits etc, I felt it sensible to use the staging LetsEncrypt servers, rather than the production ones – basically I wasn’t sure how many changes I’d have to make as it has been a while since I played with any of this in anger. I assumed that Traefik would renew the certificates with LetsEncrypt when I needed production ones.

    I surprisingly got this working quite straightforwardly – I had more issues with getting Apache and WordPress (mainly Apache) playing nicely with everything.

    However, the staging certificates result in a warning which I didn’t want any longer than necessary. Since it now was working, I altered my certificate resolver in Traefik to point to the production LetsEncrypt server. I then performed a bounce to pick up the changes, expecting to see a new certificate and no more errors.

    Anxious pause…

    I waited a bit (pressing F5) and was disappointed to see that it hadn’t changed. Same certificate was in use, and I could see in the log that no attempt had been made to fetch a new certificate.

    Frantic prodding ensued as I attempted to work out what I had done wrong. Nothing was the answer. The problem, such as it is, is that Traefik already has a certificate that it can use. Traefik doesn’t feel it needs to change it the certificate.

    Solution?

    A quick google later found me a couple of links:

    Whilst the last link on the face of it initially seemed less relevant (it related to fixing a security flaw), on reading it gave the simplest answer for my situation.

    In my situation, it looked like I could simply delete the storage acme.json file. No certificates needed to be kept – I could just start again from scratch.

    I stopped Traefik, moved acme.json out of the way (belts and braces right), and then restarted it.

    Traefik Renew from LetsEncypt!

    Hey, Presto! I could see in the log file the lack of certificate being identified and Traefik calls to renew certificates from the production LetsEncrypt server.

    Padlock look right, everything is gravy! Let’s move on to the next thing.

  • Traefik Log Rotation

    An explanation of how to set up Traefik Log Rotation. This covers both the access log AND the traefik log.

    I initially setup simple log rotation using the standard logrotate package i have installed for everything else. I implemented this by following this page (there are others about) but this covered my scenario the best (as I have traefik running natively, not in a container.

    The main change I made was in the directory (mine is /var/log/traefik/) and then the files (I have an access.log and a traefik.log, so I altered the pattern to be *.log. I also added size – more on that in a minute.

    This resulted in a file /etc/logrotate.d/traefik below:

    <directory location>/*.log {
  compress
  create 0640 <user> <group>
  daily
  delaycompress
  missingok
  notifempty
  rotate 5
  size 10M

  postrotate
    kill -USR1 `pgrep traefik`
  endscript
}

    However, I began to spot that it did not working as anticipated.

    • access.log wouldn’t rotate
    • traefik.log rotated but still wrote to the rotated our file

    It turns out access.log not rotating was because I misunderstood what size would do. It’s not an either/or with the daily setting – size supersedes daily if it is in the file. Simply removing size made access.log rotate as expect.

    However, traefik.log still won’t rotate on a USR1 – which seems contrary to their own documentation (link).

    I decided that something weird must be going on, so I dug about a bit. If you check the code in git (link) you’ll see that the code specifically mentions rotation of the access log, and their tests also only check the access log.

    This means that USR1 signal only rotates the access log. That was annoying.

    I wondered if I was missing something, so I went in search of rotate in git (link) and found something that whilst documented at source level seems to be missing in the Traefik log documentation (link).

    It turns out that Traefik can do some quite clever stuff with rotating its own log if you configure it right.

    log:
  # Log level
  #
  # Optional
  # Default: "ERROR"
  #
  level: <whatever level you want>

  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  filePath: <directory location>/<file>.log

  # Format is either "json" or "common".
  #
  # Optional
  # Default: "common"
  #
  #format: json
  maxSize:    5
  maxBackups: 50
  maxAge:     10
  compress:   true

    This will rotate at 5Mb, compress the old copies, and keep for 10 days and keep a maximum of 50 files. There are other options in the document – I have not used them.

    This then means I can make the logrotate configuration focus just on the access log:

    <directory location>/access.log {
  compress
  create 0640 <user> <group>
  daily
  delaycompress
  missingok
  notifempty
  rotate 5

  postrotate
    kill -USR1 `pgrep traefik`
  endscript
}

    Combining these two pieces of information (access log rotation and traefik log rotation) together gives me a functional solution.

    -rw-r----- 1 traefik traefik   706383 Sep 15 13:46 access.log
-rw-r----- 1 traefik traefik  2071725 Sep 14 23:59 access.log.1
-rw-r----- 1 traefik traefik   101616 Sep 13 23:59 access.log.2.gz
-rw-r----- 1 traefik traefik    43272 Sep 12 23:59 access.log.3.gz
-rw-rw-r-- 1 traefik traefik   574683 Sep 12 12:29 access.log.4.gz
-rw-r----- 1 traefik traefik       23 Sep 10 02:11 traefik-2023-09-10T01-11-42.862.log.gz
-rw-r----- 1 traefik traefik    62635 Sep 12 20:48 traefik-2023-09-12T19-48-36.125.log.gz
-rw-r----- 1 traefik traefik    45843 Sep 12 23:48 traefik-2023-09-12T22-48-51.210.log.gz
-rw-r----- 1 traefik traefik    47196 Sep 13 02:50 traefik-2023-09-13T01-50-47.804.log.gz
-rw-r----- 1 traefik traefik    46280 Sep 13 05:51 traefik-2023-09-13T04-51-02.691.log.gz
-rw-r----- 1 traefik traefik    59591 Sep 13 08:44 traefik-2023-09-13T07-44-32.782.log.gz
-rw-r----- 1 traefik traefik    51714 Sep 13 11:35 traefik-2023-09-13T10-35-02.705.log.gz
-rw-r----- 1 traefik traefik    62231 Sep 13 14:31 traefik-2023-09-13T13-31-29.208.log.gz
-rw-r----- 1 traefik traefik    47698 Sep 13 17:30 traefik-2023-09-13T16-30-44.233.log.gz
-rw-r----- 1 traefik traefik   114460 Sep 13 20:00 traefik-2023-09-13T19-00-49.560.log.gz
-rw-r----- 1 traefik traefik    88101 Sep 13 22:45 traefik-2023-09-13T21-45-27.953.log.gz
-rw-r----- 1 traefik traefik    45687 Sep 14 01:48 traefik-2023-09-14T00-48-21.418.log.gz
-rw-r----- 1 traefik traefik    48091 Sep 14 04:48 traefik-2023-09-14T03-48-36.486.log.gz
-rw-r----- 1 traefik traefik    45339 Sep 14 07:49 traefik-2023-09-14T06-49-32.199.log.gz
-rw-r----- 1 traefik traefik    58615 Sep 14 10:29 traefik-2023-09-14T09-29-32.183.log.gz
-rw-r----- 1 traefik traefik    50523 Sep 14 13:24 traefik-2023-09-14T12-24-47.288.log.gz
-rw-r----- 1 traefik traefik   111852 Sep 14 15:48 traefik-2023-09-14T14-48-17.251.log.gz
-rw-r----- 1 traefik traefik   102566 Sep 14 18:19 traefik-2023-09-14T17-19-54.417.log.gz
-rw-r----- 1 traefik traefik    49430 Sep 14 21:08 traefik-2023-09-14T20-08-39.426.log.gz
-rw-r----- 1 traefik traefik    52971 Sep 14 23:53 traefik-2023-09-14T22-53-09.416.log.gz
-rw-r----- 1 traefik traefik    48757 Sep 15 02:45 traefik-2023-09-15T01-45-41.245.log.gz
-rw-r----- 1 traefik traefik    47160 Sep 15 05:37 traefik-2023-09-15T04-37-56.255.log.gz
-rw-r----- 1 traefik traefik    48261 Sep 15 08:29 traefik-2023-09-15T07-29-56.249.log.gz
-rw-r----- 1 traefik traefik    48879 Sep 15 11:18 traefik-2023-09-15T10-18-41.241.log.gz
-rw-r----- 1 traefik traefik  4548970 Sep 15 13:46 traefik.log