htpcbeginner / docker-traefik

Docker media and home server stack with Docker Compose, Traefik, Swarm Mode, Google OAuth2/Authelia, and LetsEncrypt

Home Page: https://www.smarthomebeginner.com/

License: MIT License

Shell 100.00%
docker radarr plex sonarr transmission docker-compose traefik wordpress synology bash-script

docker-traefik's People

Contributors

bdvirus, dennisgaida, gzecchi, htpcbeginner, mmillerbkg, notsaifa, ptbalazskiss, robflate, shawnthompson, steven-harris, tomanderson2, tombomb, uasdj25, waywardone, xplreitr


docker-traefik's Issues

How to configure Sonarr/Radarr to use Jackett with OAUTH

How would one go about configuring Sonarr/Radarr to use Jackett when using the OAUTH configuration? The indexer in Jackett comes back successful, but when using the TORZNAB link with API from Jackett in Sonarr or Radarr, it fails to authenticate with the message "Unable to connect to indexer".

Traefik using default cert

All of a sudden traefik isn't working when going to my top level domain, i.e. example.com. It gives a cert warning; when you inspect the cert, its common name is 'CN=TRAEFIK DEFAULT CERT', whereas all the subdomains which operate on *.example.com are all fine and work through Cloudflare. I have regenerated the acme.json and it is still doing this. I don't understand why this is happening, as it has been working until today.

Issue getting Let's encrypt to generate certificates

Nice stack... Almost exactly what I had set up manually before but now in a convenient place and kept up to date by more people so perfect fit when I reinstalled my server. I have made some minor tweaks, added active directory and duo to authelia, added Syncrify, Nextcloud, made qbittorrent use gluetun etc.

But, one thing that doesn't seem to want to work is Let's Encrypt generation of wildcard certificate.
It seems to add TXT records fine to my cloudflare account but then I get nothing but errors and reach the rate limit. I have started using cloudflare edge certificate instead but I would really like to get Let's Encrypt working.

Is there any known issue with the version of the certbot used or something like that? (I know it has been in the past).

Error examples:

A bunch of these:
traefik | 2020-06-22T21:55:45.765146452Z time="2020-06-22T21:55:45Z" level=error msg="Unable to obtain ACME certificate for domains "foo.io,.foo.io" : unable to generate a certificate for the domains [foo.io .foo.io]: error: one or more domains had a problem:\n[.foo.io] [.foo.io] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content "{\"result\":null,\"success\":false,\"errors\":[{\"code\":81057,\"message\":\"The record already exists.\"}],\"messages\":[]}"\n[liljeberg.io] [liljeberg.io] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content "{\"result\":null,\"success\":false,\"errors\":[{\"code\":81057,\"message\":\"The record already exists.\"}],\"messages\":[]}"\n" providerName=dns-cloudflare.acme

And some of these:
traefik | 2020-06-23T20:26:04.602206139Z time="2020-06-23T20:26:04Z" level=error msg="Unable to obtain ACME certificate for domains "foo.io,*.foo.io" : unable to generate a certificate for the domains [foo.io .foo.io]: error: one or more domains had a problem:\n[.foo.io] failed to initiate challenge: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/68109260/DXWjoQ :: urn:ietf:params:acme:error:malformed :: Unable to update challenge :: authorization must be pending, url: \n[liljeberg.io] failed to initiate challenge: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/68109261/_etZhg :: urn:ietf:params:acme:error:malformed :: Unable to update challenge :: authorization must be pending, url: \n" providerName=dns-cloudflare.acme

I have tested both staging and production.
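As an added example (my own code, not from the issue or from the docker-traefik project), here is a small Python parser that pulls the per-domain ACME failures out of Traefik error lines shaped like the two quoted above and sorts them into buckets that each call for a different fix, so a leftover _acme-challenge TXT record (Cloudflare code 81057, "The record already exists") can be told apart from the CA refusing to retry an authorization that is no longer pending. It also reports which Let's Encrypt directory (staging or production) the failing challenges went to. The sample log lines are constructed in the same logfmt shape as the quoted ones, with placeholder domains and challenge URLs; the bucket names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the Traefik 2 dns-cloudflare errors quoted in the issue.
# Domains and challenge URLs are placeholders. The "\n" and \" sequences inside msg="..." are
# literal two-character sequences, exactly as Traefik's logfmt output prints them.
SAMPLE_LOG = r"""
traefik | 2020-06-22T21:55:45.765146452Z time="2020-06-22T21:55:45Z" level=error msg="Unable to obtain ACME certificate for domains "foo.io,*.foo.io" : unable to generate a certificate for the domains [foo.io *.foo.io]: error: one or more domains had a problem:\n[*.foo.io] [*.foo.io] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content "{\"result\":null,\"success\":false,\"errors\":[{\"code\":81057,\"message\":\"The record already exists.\"}],\"messages\":[]}"\n[foo.io] [foo.io] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content "{\"result\":null,\"success\":false,\"errors\":[{\"code\":81057,\"message\":\"The record already exists.\"}],\"messages\":[]}"\n" providerName=dns-cloudflare.acme
traefik | 2020-06-23T20:26:04.602206139Z time="2020-06-23T20:26:04Z" level=error msg="Unable to obtain ACME certificate for domains "foo.io,*.foo.io" : unable to generate a certificate for the domains [foo.io *.foo.io]: error: one or more domains had a problem:\n[*.foo.io] failed to initiate challenge: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/000000/PLACEHOLDER :: urn:ietf:params:acme:error:malformed :: Unable to update challenge :: authorization must be pending, url: \n[foo.io] failed to initiate challenge: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/000001/PLACEHOLDER :: urn:ietf:params:acme:error:malformed :: Unable to update challenge :: authorization must be pending, url: \n" providerName=dns-cloudflare.acme
traefik | 2020-06-23T20:26:05.000000000Z time="2020-06-23T20:26:05Z" level=debug msg="Server configuration reloaded" providerName=docker
"""

ERROR_LINE_RE = re.compile(r'level=error .*Unable to obtain ACME certificate')
TIME_RE = re.compile(r'time="([^"]+)"')
DOMAIN_RE = re.compile(r'^\[([^\]]+)\]')                       # each problem segment starts with [domain]
CF_ERROR_RE = re.compile(r'\\"code\\":(\d+),\\"message\\":\\"([^\\]*)\\"')  # escaped JSON from the Cloudflare API
ACME_ERROR_RE = re.compile(r'urn:ietf:params:acme:error:(\w+) :: (.*)$')     # RFC 8555 error type from the CA
CA_RE = re.compile(r'https://(acme-staging-v02|acme-v02)\.api\.letsencrypt\.org')


@dataclass
class AcmeFailure:
    time: str
    domain: str
    kind: str    # "provider": the DNS provider API refused; "acme": the CA refused the step
    code: str    # Cloudflare numeric error code, or the ACME error type (e.g. "malformed")
    detail: str


def parse_acme_failures(log: str) -> List[AcmeFailure]:
    """Return one record per (log line, domain) problem found in Traefik ACME error lines."""
    failures: List[AcmeFailure] = []
    for line in log.splitlines():
        if not ERROR_LINE_RE.search(line):
            continue
        tm = TIME_RE.search(line)
        stamp = tm.group(1) if tm else ""
        # The per-domain problems are joined with a literal backslash-n inside the msg value.
        for segment in line.split("\\n"):
            dm = DOMAIN_RE.match(segment)
            if not dm:
                continue
            domain = dm.group(1)
            cf = CF_ERROR_RE.search(segment)
            if cf:
                failures.append(AcmeFailure(stamp, domain, "provider", cf.group(1), cf.group(2)))
                continue
            ac = ACME_ERROR_RE.search(segment)
            if ac:
                detail = ac.group(2).split(", url:")[0].strip()
                failures.append(AcmeFailure(stamp, domain, "acme", ac.group(1), detail))
    return failures


def ca_servers(log: str) -> List[str]:
    """Which Let's Encrypt directory the failing challenges were sent to (staging vs production)."""
    return sorted({m.group(1) for m in CA_RE.finditer(log)})


def triage(failures: List[AcmeFailure]) -> Dict[str, List[str]]:
    """Group failures into buckets that each need a different fix (bucket names are my own)."""
    buckets: Dict[str, set] = {}
    for f in failures:
        if f.kind == "provider" and f.code == "81057":
            key = "stale_txt_record"           # a TXT record from an earlier attempt was never removed
        elif f.kind == "acme" and "authorization must be pending" in f.detail:
            key = "authorization_not_pending"  # Traefik retried an authorization the CA already closed
        elif f.kind == "acme" and f.code == "rateLimited":
            key = "rate_limited"               # stop retrying until the limit window passes
        else:
            key = f"other:{f.kind}:{f.code}"
        buckets.setdefault(key, set()).add(f.domain)
    return {k: sorted(v) for k, v in sorted(buckets.items())}


if __name__ == "__main__":
    found = parse_acme_failures(SAMPLE_LOG)
    for f in found:
        print(f"{f.time} {f.domain:>10} {f.kind:8} {f.code:10} {f.detail}")
    print("CA directories seen:", ca_servers(SAMPLE_LOG))
    for bucket, domains in triage(found).items():
        print(f"{bucket}: {', '.join(domains)}")
```

Running this over the real traefik.log before restarting the container is worth the minute it takes: every restart repeats the same failed challenges, and the reporter's symptom of hitting the rate limit is what that loop produces. A "stale_txt_record" bucket means the _acme-challenge TXT entries for those names have to be removed from the zone before the next attempt can succeed, whereas "authorization_not_pending" is the CA telling Traefik to start a fresh order rather than retry the old one.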

Selective auth and 3rd party apps access

I'm trying to set up 3rd party apps with some of my services. E.g.:

  • LunaSea - Manage Sonarr, Lidarr, Radarr, NZBGet etc (iOS)
  • NZB360 - Manage Sonarr, Lidarr, Radarr, NZBGet etc (Android)
  • NZBClient - NZBGet app (iOS)
  • Marvin - OPDS eBook and Magazine reader using the OPDS servers in Calibre-Web, Calibre and LazyLibrarian (iOS)
  • rIPTV - IPTV player (iOS)

The problem, as pointed out by @htpcBeginner here, is that none of these apps support oAuth. It would be great if they did, and at least a few of the developers are looking into it (e.g. LunaSea), but the fact is, some may never support it. To overcome this we can use traefik.http.routers.containername-rtr.middlewares=chain-no-auth@file to set a container to use BasicAuth, then use http://username:[email protected] in the third party app. However, it's not ideal and the username and password may be visible in logs etc., so not as secure.

My question is, using a stack like this with Traefik 2 and oAuth, is there a workaround that would allow 3rd party apps access to specific URLs or folders on the server, like /api or /opds etc.? NGINX appears to have this feature. Something like:

location /sonarr {
    auth_request /auth-2;
    proxy_pass http://192.168.1.2:8989/sonarr;
    include conf.d/proxy-settings.conf;
    location /sonarr/api {
        auth_request off;
        proxy_pass http://192.168.1.2:8989/sonarr/api;
    }
}

but I'm not sure how you'd then allow access to the content that was linked, i.e. a book from an OPDS server.

Other people seem to use Organizr to do this but I've not tried this so don't know how it works.

Anyway, sorry for the long post, but if anyone has a workaround to allow 3rd party app access using this stack, I'd appreciate any advice. Thanks.

Cannot connect to Synology DSM when put behind traefik

Hi,

thanks for putting this great guide together, really appreciate all the effort.

I was trying to put my Synology DSM behind traefik and make it accessible from the outside.
To achieve this, I created a new toml file in the rules folder.

[http.routers]
  [http.routers.synology-rtr]
      entryPoints = ["https"]
      rule = "Host(`dsm.mydomain.com`)"
      service = "synology-svc"
      middlewares = ["chain-authelia"]
      #middlewares = ["chain-no-auth"]
      [http.routers.synology-rtr.tls]
        certresolver = "dns-cloudflare"

[http.services]
  [http.services.synology-svc]
    [http.services.synology-svc.loadBalancer]
      passHostHeader = true
      [[http.services.synology-svc.loadBalancer.servers]]
        url = "http://myip:myhtmlport" # or whatever your external host's IP:port is

I can reach the dsm from inside the network via my IP and port.
From the outside, I can only get as far as the authelia auth but then end up in a loop, not being forwarded to the DSM.
I also tried no-auth to see if that causes the issue but it did not help.

Did anybody else try to solve this?

Thanks!

traefik.domain.ext is not receiving SSL certificate when cloudflare proxy is turned on

Thank you so much for sharing and building such beautiful docker-compose ever! :) So helpful.

I am unable to get SSL issued for the real Cloudflare-hosted *.domain.ext SAN no matter what. Wondering what went wrong and what I am missing.

my docker-compose.yml file:

version: "3.7"

########################### NETWORKS
# Create t2_proxy network
# docker network create t2_proxy
# Alternatively, you can specify the gateway and subnet to use
# docker network create --gateway 192.168.90.1 --subnet 192.168.90.0/24 t2_proxy
# Subnet range 192.168.0.0/16 covers 192.168.0.0 to 192.168.255.255

networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge

########################### SERVICES
services:
  ############################# FRONTENDS

  # Traefik 2 - Reverse Proxy
  # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
  # touch $USERDIR/docker/traefik2/acme/acme.json
  # chmod 600 $USERDIR/docker/traefik2/acme/acme.json
  # touch $USERDIR/docker/traefik2/traefik.log
  traefik:
    container_name: traefik
    image: traefik:chevrotin # the chevrotin tag refers to v2.2.x
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
      # - --api.insecure=true
      # - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      # - --entrypoints.https.http.middlewares=chain-authelia@file
      # Add dns-cloudflare as default certresolver for all services.
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.254 # You can specify a static IP
    # networks:
    #   - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
      # https://www.reddit.com/r/docker/comments/c1wrep/traefik_reverse_proxy_question_docker_overlay/
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $USERDIR/docker/traefik2/rules:/rules # file provider directory
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $USERDIR/docker/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - $USERDIR/docker/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
      - $USERDIR/docker/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAIN1" # Pulls main cert for second domain
      - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAIN1" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
#      - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
      - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" # No Authentication

  # Google OAuth - Single Sign On using OAuth 2.0
  # https://hub.docker.com/r/thomseddon/traefik-forward-auth
  # https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/
  oauth:
    container_name: oauth
    image: thomseddon/traefik-forward-auth:latest
    # image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi
    restart: unless-stopped
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    # Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app).
    # While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later.
    # command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)"
    command: --rule.whmcs.action=allow --rule.whmcs.rule="HeadersRegexp(`X-Forwarded-Uri`, `$WHMCS_API_KEY`)"
    environment:
      - CLIENT_ID=$GOOGLE_CLIENT_ID
      - CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
      - SECRET=$OAUTH_SECRET
      - COOKIE_DOMAIN=$DOMAINNAME
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.$DOMAINNAME
      - URL_PATH=/_oauth
      - WHITELIST=$MY_EMAIL
      - LOG_LEVEL=trace
      - LOG_FORMAT=text
      - LIFETIME=2592000 # 30 days
      - DEFAULT_ACTION=auth
      - DEFAULT_PROVIDER=google
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.oauth-rtr.entrypoints=https"
      - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME`)"
      - "traefik.http.routers.oauth-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.oauth-rtr.service=oauth-svc"
      - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"

  # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
  authelia:
    container_name: authelia
    image: authelia/authelia:latest
    restart: always
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.253 # You can specify a static IP
    # ports:
    #   - "9091:9091"
    volumes:
      - ${USERDIR}/docker/authelia/authelia:/var/lib/authelia
      - ${USERDIR}/docker/authelia/configuration.yml:/etc/authelia/configuration.yml:ro
      - ${USERDIR}/docker/authelia/users_database.yml:/etc/authelia/users_database.yml
    environment:
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.authelia-rtr.entrypoints=https"
      - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME`)"
      - "traefik.http.routers.authelia-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.authelia-rtr.service=authelia-svc"
      - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"

  # Portainer - WebUI for Containers
  portainer:
    container_name: portainer
    image: portainer/portainer:latest
    restart: unless-stopped
    command: -H unix:///var/run/docker.sock
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    # ports:
    #   - "$PORTAINER_PORT:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
      - "traefik.http.routers.portainer-rtr.tls=true"
      ## Middlewares
      # - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" # No Authentication
      # - "traefik.http.routers.portainer-rtr.middlewares=chain-basic-auth@file" # Basic Authentication
      # - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file" # Google OAuth 2.0
      - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" # Authelia
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

  ############################# SMART HOME

  # Mosquitto - MQTT Broker
  # Create mosquitto.conf, passwd, mosquitto.log files  and set permissions to 775 user:docker
  # dexec mosquitto /bin/sh -> mosquitto_passwd -b /mosquitto/config/passwd username passwd
  mosquitto:
    image: eclipse-mosquitto:latest
    container_name: mosquitto
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "$MOSQUITTO_HTTP_PORT:1883" #http
      - "9001:9001" #websockets
      # - "$MOSQUITTO_HTTPS_PORT:8883" #https
    volumes:
      - ${USERDIR}/docker/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf
      - ${USERDIR}/docker/mosquitto/config/passwd:/mosquitto/config/passwd
      - ${USERDIR}/docker/shared:/shared
    environment:
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}

  # MotionEye - Video Surveillance
  motioneye:
    image: ccrisan/motioneye:master-amd64
    container_name: motioneye
    restart: unless-stopped
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - "$MOTIONEYE_CAM1:8081"
      - "$MOTIONEYE_CAM2:8082"
      - "$MOTIONEYE_PORT:8765"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${USERDIR}/docker/shared:/shared
      - ${USERDIR}/docker/motioneye/etc:/etc/motioneye
      - ${USERDIR}/docker/motioneye/var:/var/lib/motioneye
    environment:
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.motioneye-rtr.entrypoints=https"
      - "traefik.http.routers.motioneye-rtr.rule=Host(`meye.$DOMAINNAME`)"
      - "traefik.http.routers.motioneye-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.motioneye-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.motioneye-rtr.service=motioneye-svc"
      - "traefik.http.services.motioneye-svc.loadbalancer.server.port=8765"

  ############################# DATABASE

  # MariaDB - MySQL Database
  mariadb:
    container_name: mariadb
#    image: linuxserver/mariadb:latest
    image: clearlinux/mariadb:latest
    command: "mysqld --character_set_server=utf8mb4 --collation_server=utf8mb4_unicode_ci --innodb_file_format=Barracuda --transaction-isolation=READ-COMMITTED --binlog-format=ROW"
    restart: always
    networks:
      # - default
      t2_proxy:
        ipv4_address: 192.168.90.250
        aliases:
          - authelia
          - mysql
          - mariadb
    security_opt:
      - no-new-privileges:true
#    ports:
#      - "3306:3306"
    volumes:
#      - ${USERDIR}/docker/mysql/scripts:/docker-entrypoint-initdb.d:ro
      - ${USERDIR}/docker/mariadb/mysql:/var/lib/mysql:rw  #Persistent storage
      - ${USERDIR}/docker/mariadb/custom_config:/etc/mysql/conf.d:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD
      - MYSQL_DATABASE=${AUTHELIA_MYSQL_DB}
      - MYSQL_USER=${AUTHELIA_MYSQL_USER}
      - MYSQL_PASSWORD=${AUTHELIA_MYSQL_PASSWORD}
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "--silent", "-uroot", "-p${MYSQL_ROOT_PASSWORD}"]
      interval: 20s
      timeout: 10s
      retries: 10

  # mysql db backup
  db-backup:
    container_name: db-backup
    image: tiredofit/db-backup
    depends_on:
      - mariadb
    volumes:
      - ${USERDIR}/docker/mariadb/backups:/backup
      - /etc/localtime:/etc/localtime:ro
    environment:
      #- DB_SERVER=mariadb
      - DB_TYPE=mariadb
      - DB_HOST=mariadb
      - DB_USER=root
      - DB_PASS=${MYSQL_ROOT_PASSWORD}
      - DB_DUMP_FREQ=1440
      - DB_DUMP_BEGIN=+530
      #- DB_DUMP_TARGET=${USERDIR}/docker/mariadb/backups
      - DB_CLEANUP_TIME=8640
      - COMPRESSION=XZ
      - SPLIT_DB=TRUE
    networks:
      - t2_proxy
    restart: always

  # phpMyAdmin - Database management
  # Create a new user with admin privileges. Cannot login as MySQL root for some reason.
  phpmyadmin:
    image: phpmyadmin/phpmyadmin:latest
    container_name: phpmyadmin
    restart: unless-stopped
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    # ports:
    #   - "$PHPMYADMIN_PORT:80"
    # volumes:
    #   - ${USERDIR}/docker/phpmyadmin:/etc/phpmyadmin
    environment:
      - PMA_HOST=$DB_HOST
      - PMA_PORT=$DB_PORT
      - PMA_USER=root
      - PMA_PASSWORD=$MYSQL_ROOT_PASSWORD
#      - PMA_ARBITRARY=1
      - PMA_ABSOLUTE_URI=https://pma.$DOMAINNAME
      - MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.phpmyadmin-rtr.entrypoints=https"
      - "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME`)"
      - "traefik.http.routers.phpmyadmin-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
      - "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"

  ############################# REDIS

# Redis - Key-value Store
  redis:
    container_name: redis
    image: redis
    restart: always
    entrypoint: redis-server --appendonly yes
    networks:
      - t2_proxy
#    ports:
#      - "6379:6379"
    sysctls:
      net.core.somaxconn: '65535'
    volumes:
      - ${USERDIR}/docker/redis/data:/data #Persistent storage
      - /etc/localtime:/etc/localtime:ro
      #- ${USERDIR}/docker/redis/redis.conf:/usr/local/etc/redis/redis.conf

# Redis Commander - Redis Management Tool
  rediscommander:
    container_name: rediscommander
    image: rediscommander/redis-commander
    restart: always
    depends_on:
      - redis
    networks:
      - t2_proxy
#    ports:
#      - "8081:8081"
    environment:
      - REDIS_HOST=redis
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.rediscommander-rtr.entrypoints=https"
      - "traefik.http.routers.rediscommander-rtr.rule=Host(`rediscmd.$DOMAINNAME`)"
      - "traefik.http.routers.rediscommander-rtr.tls=true"
      ## Middlewares
#      - "traefik.http.routers.rediscommander-rtr.middlewares=chain-no-auth@file"
      - "traefik.http.routers.rediscommander-rtr.middlewares=chain-authelia@file" # Authelia
      ## HTTP Services
      - "traefik.http.routers.rediscommander-rtr.service=rediscommander-svc"
      - "traefik.http.services.rediscommander-svc.loadbalancer.server.port=8081"

File1: middlewares.toml

  [http.middlewares.middlewares-basic-auth]
    [http.middlewares.middlewares-basic-auth.basicAuth]
#      users = [
#        "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1",
#      ]
      realm = "Traefik2 Basic Auth"
      usersFile = "/shared/.htpasswd" #be sure to mount the volume through docker-compose.yml

[http.middlewares]
  [http.middlewares.middlewares-rate-limit]
    [http.middlewares.middlewares-rate-limit.rateLimit]
      average = 100
      burst = 50

# Available Header Options: 
#####https://github.com/unrolled/secure#available-options
#####https://docs.traefik.io/middlewares/headers/
# A great resource for these headers is your preferred browser's docs. Firefox: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
# https://developers.google.com/search/reference/robots_meta_tag
# https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md
# CSP for VNC: https://github.com/cockpit-project/cockpit/pull/5932
# Check headers here, don't include OAuth when checking headers, otherwise you are checking google's headers: https://securityheaders.com
# or check them here: https://observatory.mozilla.org/

# CAUTION: Any headers defined in docker-compose (yml) will OVERWRITE ALL of the headers defined below.

  [http.middlewares.middlewares-secure-headers]
    [http.middlewares.middlewares-secure-headers.headers]
      accessControlAllowMethods = ["GET", "OPTIONS", "PUT"]
      accessControlMaxAge = 100
      hostsProxyHeaders = ["X-Forwarded-Host"]
      sslRedirect = true
      stsSeconds = 63072000
      stsIncludeSubdomains = true
      stsPreload = true
      forceSTSHeader = true
#      frameDeny = true #overwritten by customFrameOptionsValue
      customFrameOptionsValue = "allow-from https:sxxxxxxxx.com" #CSP takes care of this but may be needed for organizr. 
      contentTypeNosniff = true 
      browserXssFilter = true 
#      sslForceHost = true # add sslHost and all of the 
#      sslHost = "example.com"
      referrerPolicy = "same-origin" 
#      Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
#      the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
#      contentSecurityPolicy = "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
      featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" 
      [http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
        X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
        server = ""

  [http.middlewares.middlewares-oauth]
    [http.middlewares.middlewares-oauth.forwardAuth]
      address = "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
      trustForwardHeader = true
      authResponseHeaders = ["X-Forwarded-User"]

  [http.middlewares.middlewares-authelia]
    [http.middlewares.middlewares-authelia.forwardAuth]
      address = "http://authelia:9091/api/verify?rd=https://authelia.sxxxxxxxx.com"
      trustForwardHeader = true
      authResponseHeaders = ["Remote-User", "Remote-Groups"]

File2: middlewares-chains.toml

[http.middlewares]
  [http.middlewares.chain-no-auth]
    [http.middlewares.chain-no-auth.chain]
      middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers"]

  [http.middlewares.chain-basic-auth]
    [http.middlewares.chain-basic-auth.chain]
      middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-basic-auth"]

  [http.middlewares.chain-oauth]
    [http.middlewares.chain-oauth.chain]
      middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-oauth"]

  [http.middlewares.chain-authelia]
    [http.middlewares.chain-authelia.chain]
      middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-authelia"]

[image: listing of the ~/docker and ~/docker/traefik/rules/ directories]

[image: Cloudflare DNS settings]

Tautulli App Bypass Authelia

Is there any way to get a bypass for the Tautulli app? I tried the same method as for sonarr, radarr and sab but it doesn't like it.

Also is there any reason I should swap to mariadb and try again rather than sticking to the local db file for authelia?

Thanks in advance

Need Tutorial update for Traefik 2

I managed to sort of figure out Traefik 2.0+ from docker-compose-t2.yml, but the official Tutorial that this repo references has still not been updated for Traefik 2.0+. Said tutorial mentions

December 16, 2019: We have published a first draft of the Docker Media Server setup with Traefik 2.1. Many of the apps work, but at this point, there are still things that need to be optimized/fixed. Please check our Docker-Traefik repo for relevant files. A separate guide for Traefik 2 will be published in the coming days.

3+ months later and no updated tutorial. :( Will a revised one come out soon?

Traefik2 services not using wildcard certificate correctly

I noticed when trying to use your traefik 2 docker-compose file with cloudflare for a wildcard certificate, it would also try to generate a certificate for the service.example.com subdomain name(s).
It would appear in the acme.json and also I noticed TXT records would show up in the cloudflare DNS portal for the subdomains.

As per this guide the following line should be removed from each of the services to force them to use the wildcard cert.
- "traefik.http.routers.service.tls.certresolver=cloudflare"

https://medium.com/@containeroo/traefik-2-0-wildcard-lets-encrypt-certificates-1658370adc68

I'm not sure if this will cause other side effects, I'm quite new to all this :)
But at first glance it appears to work correctly with the removed line.

Add note to transmission-vpn configuration about health check interval and traefik registration

Hi all,

I wanted to point out a discovery I had while setting up transmission-vpn with traefik.
Turns out that transmission takes a while before the container broadcasts it's in a healthy state.
A consequence of this is that Traefik will not register the route for transmission.

My suggestion would be to add the following to transmission's docker-compose config:

healthcheck:
  start_period: "10s"
  interval: "5s"

You can find more details here:
transmission issue #771

This is the reference I used to add the health-check interval and start-period:
Adding HEALTHCHECK to docker-compose

Docker swarm persistent storage with SQLite based containers?

Hi!

What are you using for shared persistent storage between docker swarm nodes for the docker-compose-t1-swarm.yml services?

The reason I ask is that you specify a $USERHOME directory but do not specify a specific node constraint for the sonarr/radarr/tautulli services, so I assume $USERHOME is a network share and the containers can run on any node with access to shared storage? If so, do you not get constantly corrupted sonarr/radarr/tautulli databases, given they use SQLite, which does not work well at all with network shares (see Sonarr Issue #1886)?

{APPNAME}_API_KEY Undefined

RADARR_API_KEY, SONAR_API_KEY etc. are currently only mentioned in the compose file. Without a corresponding entry in .env, or in .env.example here, Traefik seems to route all traffic to one of the bypass routers. The host rule causes a match for all domains, due to the blank env var, as the rule doesn't specify against what domain to run the check.

Would it be worth adding a note to the compose file requiring it first to be run with bypass disabled to gather the API keys, and entries in .env.example for the keys?

Error 522 when Cloudflare is Enable

Hello guys,

First, thank you very much for all this work, I have been following it since the beginning, it saved me a lot of work.

Note: I don't know if my problem is related to this project, but any help is welcome.

I was using version 1 from the beginning and it was working really well. This week, I decided to upgrade to version 2 to take advantage of all the new features and because I needed to do a new installation from the beginning.

I followed all the steps described in the articles:

and I used the files docker-compose-t2.yml, .env.example as a reference.

To be honest, I didn't change anything in the file, just removed what I don't use.

The services I use are:

Everything worked as expected.

But when I Enable Cloudflare on Site as described in the article, I can no longer access the services: bazarr.example.com, heimdall.example.com, etc.example.com.

image

My Cloudflare records:
image

If I Pause Cloudflare on Site everything works again.

Does anyone have any idea what I did wrong?

Docker Swarm

So, my biggest want for dockerizing my environment is to use your incredibly detailed setup and be able to translate it into a swarm environment. (Think raspberry pi’s and what not).

Swarm being a bit more complicated and figuring out how best to inter-link the different services securely seems to be my big wall I’m hitting in figuring this out.

Is there any chance you guys could start including swarm stuff in these projects, not just for me but for anyone else out there that I’m sure are looking for the same thing.

Proper usage of a VPN connection

Sorry, once again another "issue" that is not an actual issue but rather more of a question.

I recently got a VPN account and after setting it up I saw that it could autostart at boot time and auto-restart if the VPN ever went down.

Since all these containers are running on a dedicated headless server, does that mean now that I can get away from having to have two different docker-composes one for non-VPN and another for VPNed containers? Will it be bad if everything is running through VPN?

Also if indeed I have to run SOME of them only in non-VPN mode, still it is not clear to me how I can run them unVPNed, if all traffic from the server is going through the VPN already.

I bet there is something that I do not see, or misunderstood and I'm trying to figure out what/where....

Thanks for a very useful repo, nonetheless...

Using Cloudflare free origin certs

Hello,

Would it be possible to add a section on how to use the free origin SSL certs available from Cloudflare rather than using Let's Encrypt, please?

Rule files don't exist

Hi, I have been trying to make use of your docker-compose file with only four containers (traefik, Google OAuth, Portainer and MariaDB). The containers start correctly but I get "404 page not found" when entering the subdomain URLs. Google OAuth redirects correctly to traefik but lands on a 404.
The traefik logs indicate that the file rules for middlewares are not found:
time="2020-04-05T23:58:03Z" level=error msg="middleware \"middlewares-oauth@file\" does not exist" routerName=portainer-rtr@docker entryPointName=https
time="2020-04-05T23:58:03Z" level=warning msg="accessControlAllowOrigin is deprecated, please use accessControlAllowOriginList instead." entryPointName=https routerName=traefik-rtr@docker middlewareName=traefik-headers@docker middlewareType=Headers
time="2020-04-05T23:58:03Z" level=error msg="middleware \"middlewares-oauth@file\" does not exist" entryPointName=https routerName=oauth-rtr@docker
time="2020-04-06T00:03:03Z" level=error msg="service \"portainer-svc\" error: unable to find the IP address for the container \"/portainer\": the server is ignored" providerName=docker container=portainer-docker-b50515542aa926cf78b0c5123fbcde2d42e9f2624d2a8ab118780ef24bdbdbcc
time="2020-04-06T00:03:03Z" level=warning msg="accessControlAllowOrigin is deprecated, please use accessControlAllowOriginList instead." routerName=traefik-rtr@docker middlewareName=traefik-headers@docker middlewareType=Headers entryPointName=https
time="2020-04-06T00:03:03Z" level=error msg="middleware \"middlewares-oauth@file\" does not exist" entryPointName=https routerName=oauth-rtr@docker
time="2020-04-06T00:03:06Z" level=warning msg="accessControlAllowOrigin is deprecated, please use accessControlAllowOriginList instead." middlewareName=traefik-headers@docker middlewareType=Headers entryPointName=https routerName=traefik-rtr@docker
time="2020-04-06T00:03:06Z" level=error msg="middleware \"middlewares-oauth@file\" does not exist" entryPointName=https routerName=oauth-rtr@docker
time="2020-04-06T00:03:06Z" level=error msg="middleware \"middlewares-oauth@file\" does not exist" entryPointName=https routerName=portainer-rtr@docker
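One way to catch this class of error before Traefik logs it and drops the router: cross-check every name@file middleware referenced in the compose labels against what the TOML rule files in the directory the file provider watches actually define. This is an added example, not code from the repo or from this poster; it assumes the repo's label convention (traefik.http.routers.<router>.middlewares=a@file,b@docker) and its TOML layout ([http.middlewares.<name>] tables), and runs on constructed compose and TOML text.

```python
"""Cross-check `<name>@file` middleware references in docker-compose labels
against the middlewares the Traefik rule files define.

Added example for this page, not code from the docker-traefik repo or its
posters. Assumes the repo's conventions: labels of the form
`traefik.http.routers.<router>.middlewares=a@file,b@docker`, and TOML rule
files (in the directory the file provider watches) declaring middlewares
under `[http.middlewares.<name>]`. COMPOSE_MW_SAMPLE and RULES_SAMPLE below
are constructed.
"""
import re

MW_LABEL_RE = re.compile(r'traefik\.http\.routers\.([\w-]+)\.middlewares=([^"\s]+)')
TOML_MW_RE = re.compile(r'^\s*\[http\.middlewares\.([\w-]+)[.\]]', re.MULTILINE)


def referenced_file_middlewares(compose_text):
    """{router: [names referenced with the @file suffix]} in label order."""
    refs = {}
    for router, mws in MW_LABEL_RE.findall(compose_text):
        names = [m[: -len("@file")] for m in mws.split(",") if m.endswith("@file")]
        if names:
            refs[router] = names
    return refs


def defined_middlewares(*toml_texts):
    """Set of middleware names defined across the given rule files."""
    return {name for text in toml_texts for name in TOML_MW_RE.findall(text)}


def missing_file_middlewares(compose_text, *toml_texts):
    """[(router, middleware)] for every @file reference with no definition.
    Each such reference makes Traefik log
    `middleware "<name>@file" does not exist` and drop the router, which the
    browser then sees as a 404."""
    defined = defined_middlewares(*toml_texts)
    return [(router, mw)
            for router, names in referenced_file_middlewares(compose_text).items()
            for mw in names if mw not in defined]


# Constructed compose labels: two routers reference a chain that no rule file defines.
COMPOSE_MW_SAMPLE = """
      - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
      - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file,traefik-headers@docker"
"""

# Constructed rule file: only the rate limiter and the no-auth chain exist.
RULES_SAMPLE = """
[http.middlewares]
  [http.middlewares.middlewares-rate-limit]
    [http.middlewares.middlewares-rate-limit.rateLimit]
      average = 100
      burst = 50
  [http.middlewares.chain-no-auth]
    [http.middlewares.chain-no-auth.chain]
      middlewares = [ "middlewares-rate-limit" ]
"""

if __name__ == "__main__":
    for router, mw in missing_file_middlewares(COMPOSE_MW_SAMPLE, RULES_SAMPLE):
        print(f'{router}: middleware "{mw}@file" is referenced but not defined')
```

For a real stack, read docker-compose-t2.yml and every *.toml under the rules directory and pass them in the same way. If the list is empty but Traefik still logs the error, the file provider is not pointed at that directory at all (the `--providers.file.directory` argument and its volume mount are the things to check), which is a different failure from a typo in a chain name.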

Nextcloud with TCP passthrough gives NET::ERR_CERT_AUTHORITY_INVALID error with linuxserver certificate

I am having some trouble getting Nextcloud to work. I tried the TCP passthrough that your website suggested, but I always get a privacy warning when trying to access Nextcloud: NET::ERR_CERT_AUTHORITY_INVALID.
It doesn't let me bypass this error because the site uses HSTS. Also, I am using Seth's traefik labels, am using the cloudflare companion and have proxied CNAME records.
When I click on the certificate it is just the linuxserver certificate. How can I fix this?

network_mode and routing traffic through vpn

I saw that you commented out;

network_mode: container:transmission-vpn for Jackett and qBittorrent

I was wondering what the reason was? I ask because I still use it, but I have an issue where Jackett will stop working after a certain amount of time. I also get the following errors in my traefik log:

today at 2:36 PM time="2020-04-14T13:36:02Z" level=warning msg="Could not find network named 't2_proxy' for container '/jackett'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." serviceName=jackett-svc providerName=docker container=jackett-media-server-af1b3a73318b2dd451eee0fa6256d796fdb689444512e35dd7189a62d21bab60

Did you ever experience this issue when you were using network_mode?

Thanks.

📈 Statping Update, Bulk Import Services

I love this monster docker-compose, it's awesome to check out, and it's using my software, Statping to monitor services. There's a couple updates since @htpcBeginner first added Statping.

  1. Docker image has changed, use statping/statping now, rather than hunterlong/statping.
  2. Automatically add all services with Bulk Import! Would be awesome to see!

Bulk Import Services

I'd definitely do a PR if you'd allow it, pretty simple changes. Basically, the service.yml bulk import file would look like:

x-check60seconds: &check60seconds
  check_interval: 60
  timeout: 15
  allow_notifications: true
  expected_status: 200
  notify_after: 0
  notify_all_changes: true
  public: true
  redirect: true

services:

  - name: traefik
    type: tcp
    domain: traefik
    <<: *check60seconds

  - name: portainer
    type: tcp
    domain: portainer
    port: 9000
    <<: *check60seconds

  - name: organizr
    type: tcp
    domain: organizr
    port: 80
    <<: *check60seconds

Let me know if you think I could submit a PR for this. 💃

Websocket connection fails

I noticed you have xTeVe in docker-compose-t2-obsolete.yml. When you were using it, did you ever get round the No websocket connection to xTeVe could be established browser error when connecting to xteve.domain.com/web. It works if you got to IP:PORT/web.

All I could find was to add:

traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto = https

but I can't work out how to format it to fit in the Traefik v2 rules/middlewares.toml file or if it will even help.

Link (https://community.containo.us/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732)

Linuxserver v Codercom VSCode

Can I ask why you went back to the codercom container for VSCode and obsoleted the linuxserver one? Was it because the Linuxserver one chowns the contents of whatever volume you mount which is sometimes not what you want, say for instance if you mounted your /configs folder?

Just curious because other than the chown behaviour the linuxserver one seems slightly easier to run and easier to setup ssh keys.

Home-Assistant Core: Network Mode

So I am trying to set up my media server with Home-Assistant. I've based myself on what is currently in the repo. However, following this approach the container cannot see my devices.

If I use the network_mode: host, then Traefik can't forward the container to the exterior.

  # Home Assistant Core - Home Automation
  homeassistant:
    container_name: homeassistant
    restart: unless-stopped
    image: homeassistant/home-assistant:stable
    networks:
      - t2_proxy
    devices:
      - /dev/ttyUSB0:/dev/ttyUSB0
      - /dev/ttyUSB1:/dev/ttyUSB1
      - /dev/ttyACM0:/dev/ttyACM0
    ports:
      - target: 8123
        published: $HOMEASSISTANT_PORT
        protocol: tcp
        mode: host
    privileged: true
    volumes:
      - ${USERDIR}/docker/homeassistant/config:/config
      - /etc/localtime:/etc/localtime:ro
      - ${USERDIR}/docker/shared:/shared
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.homeassistant-rtr.entrypoints=https"
      - "traefik.http.routers.homeassistant-rtr.rule=Host(`home.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.homeassistant-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.homeassistant-rtr.service=homeassistant-svc"
      - "traefik.http.services.homeassistant-svc.loadbalancer.server.port=8123"

Has anyone faced this issue? How did you solve it?

404 Dashboard error with new Traefik2 setup

Hi guys,

I'm pretty sure this is an ID10T issue, but I've previously used Nginx, so not quite sure where to diagnose here!

First time setting up Traefik v2, and got a Dashboard 404 error.

I've tried curl https://192.168.0.6:8080/api/http/routers and get: 404 page not found

Here's my config: https://pastebin.com/KUpSPVAk

Inspect response: https://pastebin.com/MwYaDPik

Here are the logs I currently have: https://pastebin.com/nR9cEzm1

I'm also getting 404 on https:// traefik. modem7. com.


I'm also seeing acme.json is still empty.

Any help for this muppet would certainly be appreciated!

Thank you

Update readme for t2

Any chance you could do a quick update of the readme for getting things up and running with Traefik 2?

Example: In the docker compose file there is a reference to a t2_proxy network however there is no information on how it is setup?

Plex hardware transcoding

With the linuxserver docker image I used before, I was able to get Nvidia hardware transcoding working. But what are the settings needed to get that working with the setup in this stack?

Redirection to Authelia Authentication Site not working

When trying to access for example jackett.mydomain.com while not being logged in, I am redirected to:

https://authelia.example.com/?rd=https%3A%2F%2Fjackett.mydomain.com%2FUI%2FDashboard

Instead of the Authelia Authentication Site

Does anyone have a solution for that?

Authelia not picking up configuration file

I have set up the compose yml, config file and user file as per Authelia's instructions and your examples, but I'm getting

time="2020-06-17T11:40:51+01:00" level=error msg="Unable to find config file: /config/configuration.yml"
time="2020-06-17T11:40:51+01:00" level=error msg="Generating config file: /config/configuration.yml"
time="2020-06-17T11:40:51+01:00" level=error msg="Generated configuration at: /config/configuration.yml"

I am using the exact compose you are using to map them, and I have checked the path manually and it should be fine, but it can't see it. I even ran chmod 777, and it alters the file perms.

Lazy --> Calibre --> Calibre Web, Assistance

Do you have any guides on how to get this set up so they all work together? I have fathomed most of it out but seem to be having issues with Calibre and Calibre Web, and would like to know in particular how you have configured it.

Cloudflare Proxied or DNS-only?

Missing from the traefik2 article or from the Readme is whether or not the proposed setup is working with Cloudflare DNS entries in Proxy or DNS-only mode.

Bypass OAuth for Calibre-web & LazyLibrarian OPDS server

Have you looked into bypassing OAuth for the OPDS server in Calibre Web and LazyLibrarian so you can download eBooks and Magazines etc using 3rd party apps? I'm currently doing it with;

- "traefik.http.routers.calibre-web-opds-rtr.rule=Host(`calibre-web.$DOMAINNAME`) && PathPrefix(`/opds`)"

- "traefik.http.routers.lazylibrarian-rtr-opds.rule=Host(`lazylibrarian.$DOMAINNAME`) && PathPrefix(`/opds`,`/cache`)"

I wondered if you knew a better way?

The reason for allowing /cache in LazyLibrarian is so book covers show. This does mean the /cache folder has no authentication, not even the basic auth provided in /opds. You'd have to guess the url of a .jpg to actually see anything and even then it's just book covers but it's not ideal.

Only pihole and hassio certs being created (t2)

I'm running the t2 version and the services are reachable and working through oauth but the certs aren't being created (except for pihole and hassio). I'm not getting any errors in the traefik log so I don't think they're even being requested. Is there any further info I can provide that might help me resolve this? Thanks.

Guacamole & Guacd

Hey!

Thanks for your work, everything works like a charm except Guacamole & Guacd. I can't figure out how to set it up correctly.

I set up guacamole & guacd but can't establish an SSH connection.

I'm getting this error: ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: java.net.ConnectException: Connection refused (Connection refused)

or this one:

[http-nio-8080-exec-10] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Connection timed out.

Can't figure it out.
Thanks for your help.

thank you + suggestions

I had to start with a thank you, so much effort put into this.
I compared and filtered against my own $(docker ps --format "{{ .Image }}" | sort)
Here are the things probably relevant and worth mentioning:

  • amir20/dozzle (I checked logarr to make sure if I should keep it)
  • darathor/fail2ban:0.11 (fail2ban-docker & fail2ban-input)
  • codercom/code-server:v2 (lot of issues to get running at first)
  • jellyfin/jellyfin:latest (successor to emby)
  • linuxserver/muximux:latest (a nice way to put all those services in one place)
  • linuxserver/smokeping:latest (is quite easy to reconfigure)
  • lobre/traefik-home (this one for traefik v1, otherwise simple-traefik-dashboard for v2)
  • omertu/googlehomekodi (works through ifttt, know one similar for plex but not using it)
  • oznu/homebridge:latest (through a plugin, sync with gh is much simpler than ha)
  • vincentbernat/dashkiosk:latest (although some functions should be possible with ha, this can also make other screens act as receivers)

BR. Matthieu

PS: almost forgot: npm install -g rekcod, and we usually need the labels, so:

cat << 'EOF' > /tmp/di
#!/bin/sh
# di <container>: show the traefik labels and a docker run line rebuilt by rekcod,
# and save both to <container>_rekcod.md in the current directory.
# (Delimiter is quoted so $1 and $PWD expand when the script runs, not when it is written.)
docker inspect "$1" | grep traefik
docker inspect "$1" | rekcod
{ docker inspect "$1" | grep traefik; docker inspect "$1" | rekcod; } > "$PWD/$1_rekcod.md"
echo "info also parsed to "
echo "${PWD}/$1_rekcod.md"
EOF
chmod +x /tmp/di && sudo mv /tmp/di /usr/local/bin/

Great guide - but I'm stuck at configuring a specific router for /api pathprefix

I converted my Traefik from 1.7 to 2.1 yesterday, I have forward authentication (oauth) working for all my docker services. I cannot get two routers working for the same service.

I want the default router to catch all - and a second router to catch /api/.. requests - the first with forward auth, the second with basic auth to enable 3rd party app API connection.

I have posted my code here below:
https://stackoverflow.com/questions/59828909/traefik-2-0-forward-authentication-and-basic-auth-for-same-service-depending-o

MQTT?

Could you provide some more details on how you set up the config and password files for MQTT?

oauth authentication by-pass

Great guide, but there is an issue with traefik 2 oauth authentication by-pass.
The app-toml.example files (hassio and pihole) have the following line:

middlewares = ["chain-no-auth"]

should be:

middlewares = ["chain-oauth"]

Have you looked at Authelia?

Hi. Thank you for putting this work together, helping out.
I've just found "Authelia" another open-source authentication and authorization server, which works with Traefik, Nginx, etc.
Maybe it could be of some use, comes with installer scripts etc.
Have you checked it out?

error: unable to find the IP address for the container

With Authelia enabled Traefik logs error:

level=error msg="service "authelia-svc" error: unable to find the IP address for the container "/authelia": the server is ignored" container=authelia-docker-3f24a3b8732bf2b77fbe2acd8240fc029e28483eac03aa9d0ff91fd83abbfb37 providerName=docker

Any Solutions?

Backup/Restore workflow

Sorry, this is not really an "issue" per se, but rather a request.

What would be your suggestion for backing up/restoring this server...?

Not as much as the potential media files (that might add up to some TBs, and they ought to be residing to separate partitions or NASes anyways) but the ~/docker folder that contains ALL the individual app settings and configurations.

Using transmission VPN for other container using only one docker-compose file

Hi,

First off, thank you for all your work on your docker guides. This is what got me started on using docker and docker-compose. It really improved my home server in a great way.

I tried merging your docker-compose-vpn service configuration inside of my main docker-compose file.

However, unless transmission-vpn is already running when building, you will get an error like this one:

ERROR: Service 'XXX' uses the network stack of container 'transmission-vpn' which does not exist.

The issue can be solved by switching from:

network_mode: container:transmission-vpn

to:

network_mode: service:transmission-vpn

Hope this helps :)

bazarr doesn't use X-Api-Key

Didn't do a pull request for this one, I can if you want. I'm going through now and disabling all my ports on my stack and just using the routes through traefik, and all was working till I hit bazarr. They don't send the api call with the X-Api-Key. I fixed my stack by changing the bypass lines from

- "traefik.http.routers.sonarr-rtr-bypass.rule=Headers(`X-Api-Key`, `$SONARR_API_KEY`)"

to

- "traefik.http.routers.sonarr-rtr-bypass.rule=Headers(`X-Api-Key`, `$SONARR_API_KEY`) || Query(`apikey`, `$SONARR_API_KEY`)"

That way it's still locking out the url unless they have the right key. Did this for sonarr and radarr and now everything is hunkydory.
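The bypass routers in this thread and in the "{APPNAME}_API_KEY Undefined" issue above share one failure mode: the rule is only as strong as the value compose splices into it from .env, and they skip the auth chain entirely. Here is an added example audit script (not code from the docker-traefik repo or from either poster) that reads compose labels and .env and flags a bypass router whose key variable is unset or empty, or whose rule has no Host() clause. It assumes the repo's conventions (routers named <app>-rtr-bypass, rules declared as traefik.http.routers.<name>.rule labels, keys referenced as $VAR or ${VAR}); the compose and .env text it runs on is constructed.

```python
"""Audit the X-Api-Key bypass routers of a docker-compose file against .env.

Added example for this page, not code from the docker-traefik repo or its
posters. Assumes the repo's conventions: bypass routers are named
`<app>-rtr-bypass`, their rule is a label `traefik.http.routers.<name>.rule=...`,
and the API key is spliced in from .env as $VAR or ${VAR}.
COMPOSE_BYPASS_SAMPLE and ENV_SAMPLE below are constructed.

Two checks per bypass router:
  1. every variable its rule references is set and non-empty in .env; an empty
     one turns Headers(`X-Api-Key`, ``) / Query(`apikey`, ``) into a rule that
     needs no secret, while the router still skips the auth chain;
  2. the rule carries a Host() clause, so the bypass is pinned to one app.
"""
import re

RULE_LABEL_RE = re.compile(r'traefik\.http\.routers\.([\w-]+)\.rule=(.*?)"?\s*$')
VAR_RE = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')


def parse_env(text):
    """KEY=VALUE lines into a dict; later lines win, surrounding quotes are stripped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def parse_router_rules(compose_text):
    """{router name: rule string} from `traefik.http.routers.<name>.rule=` labels."""
    rules = {}
    for line in compose_text.splitlines():
        m = RULE_LABEL_RE.search(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def audit_bypass_rules(compose_text, env_text):
    """Return human-readable findings (an empty list means every bypass is sound)."""
    env = parse_env(env_text)
    findings = []
    for router, rule in parse_router_rules(compose_text).items():
        if not router.endswith("-bypass"):
            continue
        for var in dict.fromkeys(VAR_RE.findall(rule)):  # unique, in order of appearance
            if not env.get(var):
                findings.append(f"{router}: ${var} is unset or empty in .env; "
                                f"the bypass rule would match on an empty key")
        if "Host(" not in rule:
            findings.append(f"{router}: no Host() clause; the bypass is not "
                            f"pinned to one hostname")
    return findings


# Constructed compose labels: sonarr's bypass has a key but no Host(); radarr's
# has a Host() but its key is blank in .env.
COMPOSE_BYPASS_SAMPLE = """
  sonarr:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.sonarr-rtr-bypass.rule=Headers(`X-Api-Key`, `$SONARR_API_KEY`) || Query(`apikey`, `$SONARR_API_KEY`)"
      - "traefik.http.routers.sonarr-rtr-bypass.middlewares=chain-no-auth@file"
      - "traefik.http.routers.sonarr-rtr.rule=Host(`sonarr.$DOMAINNAME`)"
      - "traefik.http.routers.sonarr-rtr.middlewares=chain-oauth@file"
  radarr:
    labels:
      - "traefik.http.routers.radarr-rtr-bypass.rule=Host(`radarr.$DOMAINNAME`) && Headers(`X-Api-Key`, `$RADARR_API_KEY`)"
      - "traefik.http.routers.radarr-rtr.rule=Host(`radarr.$DOMAINNAME`)"
"""

ENV_SAMPLE = """
DOMAINNAME=example.com
SONARR_API_KEY=0123456789abcdef0123456789abcdef
RADARR_API_KEY=
"""

if __name__ == "__main__":
    for finding in audit_bypass_rules(COMPOSE_BYPASS_SAMPLE, ENV_SAMPLE):
        print(finding)
```

Run it with the real docker-compose-t2.yml and .env before starting the stack; a finding on a key variable is the case the "{APPNAME}_API_KEY Undefined" issue describes, and the fix is to start once with the bypass routers disabled, copy each app's API key into .env, then re-enable them. Adding `Host(...) &&` in front of the Headers()/Query() alternatives keeps the bypass scoped to that one app's hostname.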
