#Appwrite under Portainer + Traefik

Hey just curious, I understand traefik enough I believe to figure this out, but essentially I have to replace the traefik block, it autogenerates SSL certs for me, so I bet I can replace that too but I’m a bit lost if I should mount the storage and stuff still, or what I need to do fully

Has anyone set up Appwrite without the traefik in the docker-compose that can chime in?

Why do you want to replace traefik?

because Traefik already exists in my portainer

Traefik + Portainer gets portainer up and running, and I'd rather use a central traefik instance but

got this rn

services:
  appwrite:
    image: appwrite/appwrite:1.4.13
    container_name: appwrite
    <<: *x-logging
    restart: unless-stopped
    networks:
      - appwrite
      - traefik
    labels:
      - traefik.enable=true
      - traefik.docker.network=appwrite
      # http
      - traefik.http.routers.appwrite.rule=Host(`appwrite.qmpleterx.com`)
      - traefik.http.routers.appwrite.entrypoints=web
      - traefik.http.routers.appwrite.tls.certresolver=letsencryptresolver
      - traefik.http.services.appwrite.loadbalancer.server.port=80
      # https
      - traefik.http.routers.appwrite_https.rule=Host(`appwrite.qmpleterx.com`)
      - traefik.http.routers.appwrite_https.entrypoints=websecure
      - traefik.http.routers.appwrite_https.tls.certresolver=letsencryptresolver
      - traefik.http.services.appwrite_https.loadbalancer.server.port=443

says too many services

Never used portainer so no idea unfortunately 😓

it's just docker

but in a web interface

the issue is I use Traefik to route the portainer interface

@silent nimbus I don't know who to ping but I got this working in terms of appwrite runs by replacing all the Appwrite network spots with Traefik's external network, but it doesn't load the page and idk about SSL certs and stuff but

there really should be a guide on this

Docker Swarm + Appwrite should be prod and there's no guide other than a one click install

The thing is, I can't tell where the errors are because Traefik says Appwrite is fine, and Appwrite has no logs

okay so

2023-12-16T18:11:56Z DBG github.com/traefik/traefik/v3/pkg/server/service/proxy.go:116 > 502 Bad Gateway error="dial tcp 172.18.0.6:443: connect: connection refused"

almost got it

so

https://appwrite.qmpleterx.com/

404 page not found

appwrite docker-compose.yml

Traefik + Portainer docker-compose.yml

version: "3"

services:
  proxy:
    image: traefik:v3.0
    container_name: "traefik"
    networks:
      - traefik
    ports:
      - "80:80" # HTTP
      - "443:443" # HTTPS
      - "9500:8080"
      - "8080:80"
    volumes:
      - ./letsencrypt:/letsencrypt
      - ./users.u:/users/users.u
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped
    command:
      - "--log.level=DEBUG"
      # Docker configuration
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik"
      # Configure entrypoint
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # SSL configuration
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.letsencryptresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencryptresolver.acme.email=zach@blackleafdigital.com"
      - "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
      # Global HTTP -> HTTPS
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # Enable dashboard
      - "--api.dashboard=true"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencryptresolver"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      - "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/users/users.u"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.qmpleterx.com`)"
      - "traefik.http.services.dashboard.loadbalancer.server.port=8080"

  portainer:
    image: portainer/portainer-ce
    container_name: "portainer"
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.http.routers.portainer.rule=Host(`portainer.qmpleterx.com`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.tls.certresolver=letsencryptresolver"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /data/portaefik/portainer-data:/data
    restart: unless-stopped

networks:
  traefik:
    external:
      true

so

I got it to work at :180

Tht usually happens when you don't set correct domain in appwrite docker compose URL

and I got a few different things but I can't get it to work right

it's set via Cloudflare to my IP

Yes, but not in appwrite

yes in .env

I have the whole .env inside this

I basically ran it locally to get the right compose and .env and set it up for my domain

then copied it here, removed traefik from appwrite's compose, and put the appwrite services on the public network, which I may want to reduce to just the Appwrite service

And what about
_APP_DOMAIN_TARGET

same

Then that's the issue

The target should be localhost

the target should be localhost?

Yeah

on prod?

Yes

one sec

If I'm not wrong, it's basically the server IP you need to set a record to go

well I know this works the domain that way

either way

I need help understanding

these are my configs, my .env file works so I know that's not the issue, it's a standard setup Appwrite .env

if anyone has any tips please help lol

I think the issue is the one I told you, basically setting such env var

Also you will probably have issues with Cloudflare, but better resolving this issue previously and after that I will tell you how to solve the other thing 😅

All of my domains are through cloudflare and use the same target and domain

so no, that’s not it

The issue is that you will get cloudflare IP instead of user IP

Traefik autogenerates my SSL certs for my domains, but that shouldn’t be it either

I have cloudflare in front of all of my domains and it works fine

idk, I really am not that concerned about user IP’s right now I just want it to work

Yes, but for appwrite rate limits it will not work. You need to setup traefilk to trust appwrite

Okay well what would be awesome is if there was some sort of guide on how to do that without Appwrite’s traefik

Which is what I mean here

Appwrite’s self hosting docs are horrid compared to most using docker (in terms of docker options like swarm and using your own proxy vs traefik), which is fine, but I am proposing that the docs include examples on something basic like this, and swarm, because I know it works & I’m very close

Aren't you using traefik?

Yes

the thing is traefik in Appwrite is built into the docker compose and there’s no guide on using for instance a shared docker environment where traefik is already there, or using Nginx Proxy Manager or something

so I replaced a lot of things but Traefik also proxies ports 9501:8080 and 8080:80, and then it’s like okay well what services are those?

Cause technically I need to expose those ports for the services but

I threw them all on the Traefik network instead and exposed Appwrite on two ports and then proxied those

Either way, my entire config is above

Appwrite also defines things inside the Traefik command, and has its own certificate generation, which also doesn’t make a ton of sense to me because Traefik does that automatically

I think that was done in order to allow custom domains. etc

Yeah Traefik just generates an SSL cert if it doesn’t have one for a domain it covers

Do you know who handles the dockerization and stuff of Appwrite?

I would recommend leaving Appwrite's traefik

I wrote this for running Appwrite behind NPM: https://medium.com/@stnguyen90/how-to-run-appwrite-behind-nginx-19348ed34243

Uhh there are a lot of things wrong in your appwrite labels

Like why - traefik.http.routers.appwrite.tls.certresolver=letsencryptresolver ? I think http doesnt have a tls

hence the s in https

The double load balancer on port 80 and 443 is also concerning

But when I do that Traefik conflicts with my instance

So should I run all the proxies from Appwrite’s Traefik?

Lemme check

I’ll try when I get home

Adding and removing things for testing

that’s all those are, I couldn’t tell what was wrong so I was just trying different things

Hmm...I guess I've never put traefik in front...can't you set it up like any other reverse proxy?

Well right now I use Traefik 3 beta for my portainer, and basically all I wanted to do was set it up so one Traefik instance controls the entire docker server

so I have Traefik 3 on my portainer for the UI

Then that allows me to manage Appwrite’s docker-compose and env variables with a UI, but the issue is Appwrite is not written as a guide for self hosting flexibly, just the commands for start and upgrade, what would be nice is if Appwrite was optionally decoupled from Traefik to be a more modular installation

It also would allow me to add backups, which imo is necessary for prod (auto scripts and the whole thing not just the DB)

my main issue with having it built in is that I can’t just drop it somewhere and setup the proxy, I get why it’s like that (the install script and such and more control over the environment by default) but yeah, it’s really unclear to me which ports and stuff need to be proxied and stuff

Ive put nginx proxy manager in front of Appwrite and just run the traffic through Appwrite's traefik

@storm arrow hey

so I still can't get this to work, and I need it for prod, is there anything I can do to borrow you for 15 minutes?

Currently getting a gateway timeout

I'm free right now if you need help

VC?

sure

not sure if there's a VC here, can I call ya?

sure

Zach please post your results here if you're able to solve it. I also need to have a central traefik container on my server for other services including appwrite but I've not been able to get it to work so far. Ideally, I don't want to modify appwrite's docker-compose but still have a central traefik instance redirecting the required requests to appwrite's traefik.

will do of course

in VC right now trying to solve it

you'll know as soon as I do

Here are some resources I found when I was actively working on it (haven't for sometime due to work) maybe it may help:
by Binyamin
https://github.com/byawitz/appwrite-funcover/blob/main/docker-compose.yml#L699
https://book.appread.io/

https://community.traefik.io/t/run-traefik-behind-traefik-reverse-proxy/4044/5

@stray falcon @storm arrow DONE it works -- here's my docker-compose, traefik is the public network used by all

traefik is the exposed network basically

ah, good to hear! I was about to contact you again to ask if you still needed help

Awesome! I'll try it out. Thanks

@storm arrow do you want me to update the Self Hosted docs with this info?

if you don't mind submitting a PR, sure!

@storm arrow also totally #1179117588790386728 -- if you could provide any clarification here as to if we're on the right path there

I'm gonna look through the code

Yes, I'll try and post some context in there when I get a chance

thank you ❤️

Hi, please am currently trying to setup appwrite with portainer but I cant find any info on it, please how did you solve yours @crude flint

I'll make a video, it's too long to type hahaha, give me a couple hours

thanks, so much

Hello @crude flint how did you defined the domain name ? You did not used : traefik.http.routers.appwrite_api.rule=Host(appwrite.example.com) ?

Idk why I still have self signed certificates on my domain, can someone help me plz ?

maybe I have something wrong in the .env ?

I made a video

I thought I posted it here

https://www.youtube.com/watch?v=VCCVm_LenYU

Thanks !!!

@crude flint are the functions working for you ? the domains are not working, can you help ?

What does that mean exactly?