HTTPS setup with Traefik and Let’s Encrypt for DCM4CHE ARC without port in URL


Bernard

May 25, 2025, 7:40:58 AM
to dcm4che
Hello DCM4CHE groups,

I’m trying to get DCM4CHE ARC running with docker compose over HTTPS with Traefik and Let’s Encrypt, and my goal is to have it accessible with a nice clean URL — no port number showing (like https://arc.mydomaine.net instead of https://arc.mydomaine.net:8443). (The use of the DELETE operation of your API requires a certificate.)

Has anyone done this before? Would you be willing to share your Traefik setup or Docker labels? Also, any tips or gotchas you ran into would be super helpful!

I’m sharing my Traefik and Docker Compose configuration.
Does anyone have any idea why this configuration is returning a "gateway timeout"?

I’d really appreciate any advice or ideas you might have.
Completely stuck right now — thanks in advance for any guidance!

Best regards,
Bernard
PHP Developer / DICOM Integrator

docker-compose.yml
traefik.toml

Bernard

Jul 5, 2025, 1:37:20 PM
to dcm4che

Hi,

I’m looking for someone who can work for me (paid) to help set up a DCM4CHEE configuration behind a Traefik reverse proxy.

My goal is to serve DCM4CHEE securely with a Let’s Encrypt certificate at pacs.myDomain.net.
I have to admit I’m desperately stuck on this :-D 

Below is my latest docker-compose configuration, including the Traefik labels, based on the discussion in https://groups.google.com/g/dcm4che/c/S7e2BPQoams .

Thanks in advance for any assistance or offers or partnership proposals!

Best regards
docker-compose.yml
docker-compose.yml

Darfito Danurdoro

Jul 6, 2025, 5:39:19 AM
to dcm...@googlegroups.com
Hi, sorry for the bad English. I already tried to wrap my dcm4chee in HTTPS with Traefik and Let’s Encrypt. You must make some files first: the Ingress, then the ClusterIssuer. Because I am from Indonesia, I am using this reference for my implementation: https://kb.biznetgio.com/id_ID/neo-kubernetes/cara-install-ssl-lets-encrypt-pada-ingress-kubernetes-menggunakan-traefik-dan-cert-manager

Hope it helps.


Bernard

Jul 18, 2025, 7:09:51 AM
to dcm4che

After extensive testing, I arrived at a configuration that works using an "SSL termination" architecture: HTTP between the load balancer and the container (optimised internal communication), with Traefik managing the SSL.

Advantages of this approach:
1. **Internal communication**: the load balancer communicates via HTTP with the ARC container because:
   - communication takes place within the Docker network
   - there is no need for internal SSL/TLS encryption
   - performance is optimised (no SSL overhead)
2. **SSL termination**: Traefik manages SSL termination:
   - automatic Let's Encrypt certificates
   - end-to-end encryption for external clients
   - centralised SSL configuration

Here is my final docker-compose.yml

```yaml
services:
  ldap:
    image: dcm4che/slapd-dcm4chee:2.6.8-34.0
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "10m"
    # Published on the host: only needed if an external client must reach LDAP directly
    ports:
      - "389:389"
      - "636:636"
    environment:
      STORAGE_DIR: /storage/fs1
    volumes:
      - /var/local/dcm4chee-arc/ldap:/var/lib/openldap/openldap-data
      - /var/local/dcm4chee-arc/slapd.d:/etc/openldap/slapd.d
    networks:
      - web

  mariadb:
    image: mariadb:10.11.4
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "10m"
    # Published on the host: only needed if an external client must reach the database directly
    ports:
      - "3306:3306"
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /var/local/dcm4chee-arc/mysql:/var/lib/mysql
    networks:
      - web

  keycloak:
    image: dcm4che/keycloak:26.0.6
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "10m"
    # Published on the host: 8080 is plaintext HTTP and bypasses Traefik's TLS termination
    ports:
      - "8080:8080"
      - "8843:8843"
    environment:
      # booleans are quoted so the YAML parser passes them to the container as strings
      KC_HTTP_ENABLED: 'true'
      KC_HTTPS_PORT: 8843
      KC_PROXY: passthrough
      KC_HOSTNAME_PORT: 443
      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: 'true'
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_ADMIN_PASSWORD}
      KC_DB: mariadb
      KC_DB_URL_DATABASE: keycloak
      KC_DB_URL_HOST: mariadb
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: ${KC_DB_PASSWORD}
      KC_LOG: file
      ARCHIVE_HOST: pacs.myDomaine.net
      KEYCLOAK_WAIT_FOR: ldap:389 mariadb:3306
    depends_on:
      - ldap
      - mariadb
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /var/local/dcm4chee-arc/keycloak:/opt/keycloak/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`keycloak.myDomaine.net`)"
      - "traefik.http.routers.keycloak.entrypoints=secure"
      - "traefik.http.routers.keycloak.service=keycloak-service"
      - "traefik.http.routers.keycloak.tls=true"
      - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
      # Traefik talks plain HTTP to the container on the Docker network
      - "traefik.http.services.keycloak-service.loadbalancer.server.port=8080"
      - "traefik.http.services.keycloak-service.loadbalancer.server.scheme=http"
      - "traefik.http.services.keycloak-service.loadbalancer.passHostHeader=true"
      # security middlewares
      - "traefik.http.middlewares.keycloak-sslHeaders.headers.sslRedirect=true"
      - "traefik.http.middlewares.keycloak-sslHeaders.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.keycloak-sslHeaders.headers.stsSeconds=31536000"
      - "traefik.http.routers.keycloak.middlewares=keycloak-sslHeaders"
    networks:
      - web

  db:
    image: dcm4che/postgres-dcm4chee:17.4-34
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "10m"
    # Published on the host: only needed if an external client must reach the database directly
    ports:
      - "5432:5432"
    environment:
      POSTGRES_DB: pacsdb
      POSTGRES_USER: pacs
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /var/local/dcm4chee-arc/db:/var/lib/postgresql/data
    networks:
      - web

  arc:
    image: dcm4che/dcm4chee-arc-psql:5.34.0-secure
    restart: always
    # Published on the host: 8082 (plaintext HTTP) and 9990/9993 (WildFly management)
    # are reachable without passing through Traefik
    ports:
      - "8082:8080"
      - "8443:8443"
      - "9990:9990"
      - "9993:9993"
      - "11112:11112"
      - "2762:2762"
      - "2575:2575"
      - "12575:12575"
    environment:
      POSTGRES_DB: pacsdb
      POSTGRES_USER: pacs
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      AUTH_SERVER_URL: https://keycloak:8843
      UI_AUTH_SERVER_URL: https://keycloak.myDomaine.net
      HTTP_PROXY_ADDRESS_FORWARDING: 'true'
      WILDFLY_CHOWN: /storage
      WILDFLY_WAIT_FOR: ldap:389 db:5432 keycloak:8843
      # JVM optimisations (SSL handled by Traefik)
      JAVA_OPTS: "-Xms2g -Xmx8g -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
    depends_on:
      - ldap
      - keycloak
      - db
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /var/local/dcm4chee-arc/wildfly:/opt/wildfly/standalone
      - /var/local/dcm4chee-arc/storage:/storage
    networks:
      - web
    labels:
      - "traefik.enable=true"
      # HTTP/HTTPS for web
      - "traefik.http.routers.arc-https.rule=Host(`pacs.myDomaine.net`)"
      - "traefik.http.routers.arc-https.entrypoints=secure"
      - "traefik.http.routers.arc-https.service=arc-https-service"
      - "traefik.http.routers.arc-https.tls=true"
      - "traefik.http.routers.arc-https.tls.certresolver=letsencrypt"
      # Traefik talks plain HTTP to WildFly on the Docker network
      - "traefik.http.services.arc-https-service.loadbalancer.server.port=8080"
      - "traefik.http.services.arc-https-service.loadbalancer.server.scheme=http"
      - "traefik.http.services.arc-https-service.loadbalancer.passHostHeader=true"
      # security middlewares for arc
      - "traefik.http.middlewares.arc-sslHeaders.headers.sslRedirect=true"
      - "traefik.http.middlewares.arc-sslHeaders.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.arc-sslHeaders.headers.stsSeconds=31536000"
      - "traefik.http.routers.arc-https.middlewares=arc-sslHeaders"
      # DICOM TCP (entrypoint "dicom" must be defined in Traefik's static configuration)
      - "traefik.tcp.routers.dicom.entrypoints=dicom"
      - "traefik.tcp.routers.dicom.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.dicom.service=arc-dicom"
      - "traefik.tcp.services.arc-dicom.loadbalancer.server.port=11112"
      # HL7 TCP (entrypoint "hl7" must be defined in Traefik's static configuration)
      - "traefik.tcp.routers.hl7.entrypoints=hl7"
      - "traefik.tcp.routers.hl7.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.hl7.service=arc-hl7"
      - "traefik.tcp.services.arc-hl7.loadbalancer.server.port=2575"

networks:
  web:
    external: true
```


NB1: in Keycloak you must also set
Root URL = https://pacs.myDomaine.net/dcm4chee-arc/ui2
Valid redirect URIs = https://pacs.myDomaine.net/dcm4chee-arc/ui2/*
Web origins = https://pacs.myDomaine.net
NB2:
I also use S3 for storage.
I also had a certificate issue that I resolved by also setting S3 to HTTP.
Storage URI = jclouds:aws-s3:http://dcm4chee.s3.fr-par.scw.cloud

Hope this helps.
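The thread's two recurring problems, a "gateway timeout" from Traefik and the question of what the SSL-termination design actually protects, can both be checked mechanically from the compose labels. The script below is an added example written for this thread; it is not code from the posts above nor from the dcm4che project. It indexes the `traefik.*` labels of each compose service and reports the misconfigurations that typically produce a gateway timeout (a router pointing at a service that was never defined, a service port the container never declares, a container missing from the network Traefik is attached to), a TLS router with no certificate resolver, and a container port that Traefik terminates TLS for but that compose also publishes in plaintext on the host. The service map is a constructed, reduced copy of the shapes used in the posted compose file; the hostnames are placeholders and the network name `web` is an assumption taken from the labels.

```python
"""Lint Traefik routing labels in docker-compose service definitions (added example)."""
from collections import defaultdict

TRAEFIK_NETWORK = "web"  # assumption: the Docker network the Traefik container joins


def parse_labels(labels):
    """Index traefik.<http|tcp>.{routers,services,middlewares}.<name>.* labels by protocol and name."""
    cfg = {"routers": defaultdict(dict), "services": {}, "middlewares": set()}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if len(parts) < 4 or parts[0] != "traefik" or parts[1] not in ("http", "tcp"):
            continue  # e.g. traefik.enable=true carries no routing information
        proto, kind, name, rest = parts[1], parts[2], parts[3], parts[4:]
        ident = f"{proto}:{name}"
        if kind == "routers":
            cfg["routers"][ident][".".join(rest)] = value
        elif kind == "services" and rest == ["loadbalancer", "server", "port"]:
            cfg["services"][ident] = value
        elif kind == "middlewares":
            cfg["middlewares"].add(ident)
    return cfg


def port_mappings(port_specs):
    """Map container port -> host port for entries like '8082:8080' or '127.0.0.1:443:8443'."""
    mapping = {}
    for spec in port_specs:
        parts = str(spec).split("/")[0].split(":")  # drop a '/tcp' or '/udp' suffix
        mapping[parts[-1]] = parts[-2] if len(parts) > 1 else parts[-1]
    return mapping


def lint_service(name, spec, traefik_network=TRAEFIK_NETWORK):
    """Return human-readable findings for one compose service; an empty list means clean."""
    findings = []
    labels = spec.get("labels", [])
    if "traefik.enable=true" not in labels:
        return findings  # not proxied by Traefik, nothing to check
    cfg = parse_labels(labels)
    published = port_mappings(spec.get("ports", []))
    declared = set(published) | {str(p) for p in spec.get("expose", [])}
    if traefik_network not in spec.get("networks", []):
        findings.append(f"{name}: not attached to network '{traefik_network}', Traefik cannot reach it")
    tls_terminated = set()
    for router, attrs in cfg["routers"].items():
        proto = router.split(":", 1)[0]
        if attrs.get("tls") == "true" and "tls.certresolver" not in attrs:
            findings.append(f"{name}: router {router} enables TLS without a certresolver (default self-signed cert)")
        for mw in filter(None, attrs.get("middlewares", "").split(",")):
            if f"{proto}:{mw}" not in cfg["middlewares"]:
                findings.append(f"{name}: router {router} references undefined middleware {mw}")
        svc = attrs.get("service")
        if svc is None:
            continue  # Traefik picks the container's lone service automatically
        port = cfg["services"].get(f"{proto}:{svc}")
        if port is None:
            findings.append(f"{name}: router {router} references undefined service {svc}")
        elif declared and port not in declared:
            findings.append(f"{name}: service {svc} targets port {port}, which the container never declares")
        elif proto == "http" and "tls" in attrs:
            tls_terminated.add(port)
    for port in sorted(tls_terminated & set(published)):
        findings.append(f"{name}: port {port} is TLS-terminated by Traefik but also published plaintext on host port {published[port]}")
    return findings


# Constructed sample modelled on the thread's compose file (hostnames are placeholders)
ARC_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.arc-https.rule=Host(`pacs.example.net`)",
    "traefik.http.routers.arc-https.entrypoints=secure",
    "traefik.http.routers.arc-https.service=arc-https-service",
    "traefik.http.routers.arc-https.tls=true",
    "traefik.http.routers.arc-https.tls.certresolver=letsencrypt",
    "traefik.http.routers.arc-https.middlewares=arc-sslHeaders",
    "traefik.http.services.arc-https-service.loadbalancer.server.port=8080",
    "traefik.http.middlewares.arc-sslHeaders.headers.stsSeconds=31536000",
    "traefik.tcp.routers.dicom.entrypoints=dicom",
    "traefik.tcp.routers.dicom.rule=HostSNI(`*`)",
    "traefik.tcp.routers.dicom.service=arc-dicom",
    "traefik.tcp.services.arc-dicom.loadbalancer.server.port=11112",
]
SERVICES = {
    # as posted: WildFly's plaintext 8080 is also published on the host as 8082
    "arc": {"ports": ["8082:8080", "8443:8443", "9990:9990", "11112:11112"],
            "networks": ["web"], "labels": ARC_LABELS},
    # hardened: only DICOM reaches the host directly; HTTP is reachable through Traefik alone
    "arc-hardened": {"ports": ["11112:11112"], "expose": ["8080"],
                     "networks": ["web"], "labels": ARC_LABELS},
    # deliberately broken: wrong network, service-name typo, TLS without a resolver
    "broken": {"ports": ["8080:8080"], "networks": ["internal"], "labels": [
        "traefik.enable=true",
        "traefik.http.routers.b.rule=Host(`b.example.net`)",
        "traefik.http.routers.b.tls=true",
        "traefik.http.routers.b.service=b-svc",
        "traefik.http.services.b-service.loadbalancer.server.port=8080",
    ]},
}


def lint_all(services=SERVICES):
    """Lint every service and return {service name: findings}."""
    return {name: lint_service(name, spec) for name, spec in services.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the script reports one finding for `arc` (the 8082 plaintext publication that sidesteps the HSTS and redirect middlewares), none for `arc-hardened` (where `expose` keeps 8080 reachable on the Docker network for Traefik without publishing it), and three for `broken`. The "never declares" check is a heuristic: it only looks at `ports` and `expose`, so a container that listens on an undeclared port will be flagged even though Traefik can still reach it.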