502 Bad Gateway connection refused error

Hi,

Trying to implement Traefik on my docker host, but its driving me nuts!
Services like Plex are redirected perfectly, but other services getting a '502 Bad Gateway' caused by: dial tcp 127.0.0.1: 8123 : connect: connection refused"

Here is my Traefik config and a example of

  traefik:
    hostname: traefik
    container_name: traefik
    network_mode: bridge
    image: traefik:latest
    container_name: traefik
    command:
      - --log.level=INFO
      - --log.filePath=etc/traefik/log/traefik.log
      - --accessLog.filePath=etc/traefik/log/access.log
      - --accessLog.bufferingSize=100

      - --providers.docker=true
      - --providers.docker.exposedbydefault=false

      - --api
      - --api.insecure=true

      - --entrypoints.traefik.address=:8888

      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https

      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certresolver=cloudflare

      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.email=${CF_API_EMAIL}
      - --certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.cloudflare.acme.storage=acme.json
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
    ports:
      - 80:80
      - 443:443
      - 8888:8888
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/snap/docker/common/var-lib-docker/volumes/traefik/_data/acme.json:/acme.json
      - traefik/:/etc/traefik/log/
    labels:
      traefik.enable: true
      traefik.http.routers.traefik.rule: Host(`traefik.my-domain.com`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.service: api@internal

  homeassistant:
    hostname: homeassistant
    container_name: homeassistant
    image: homeassistant/home-assistant
    network_mode: host
    volumes:
      - homeassistant:/config
    restart: always
    labels:
      traefik.enable: true
      traefik.http.routers.homeassistant.rule: Host(`homeassistant.my-domain.com`)
      traefik.http.routers.homeassistant.entrypoints: websecure
      traefik.http.services.homeassistant.loadbalancer.server.port: 8123

I'm running Ubuntu 20.04 with Docker 18.09 and ufw disabled.
Any idea's/suggestions how to get this working?

homeassistant must be resolving to 127.0.0.1. Which in the context of the traefik container is itself.

Do you have a hosts entry on you docker host for 127.0.0.1 homeassistant ?

That makes sense... But no, didn't added homeassistant to the hosts file.
Weird thing is that I have the same error with another service that uses network_mode: bridge

  jenkins:
    hostname: jenkins
    image: jenkinsci/blueocean
    container_name: jenkins
    network_mode: bridge
    ports:
      - 32770:50000
      - 7676:8080
    volumes:
      - jenkins:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      traefik.enable: true
      traefik.http.routers.jenkins.rule: Host(`jenkins.my-domain.com`)
      traefik.http.routers.jenkins.entrypoints: websecure
      traefik.http.services.jenkins.loadbalancer.server.port: 7676

And this is what the log is showing...

level=debug msg="'502 Bad Gateway' caused by: dial tcp 172.17.0.11:7676: connect: connection refused"

Are they all in the same compose / compose project ?

Yes. Just a single docker-compose.yml to create my containers.

Bump
Anyone a suggestion or an idea?

For your jenkins at least, the traefik.http.services.jenkins.loadbalancer.server.port: 7676 should be 8080 as 7676 is the exposed port, not the port jenkins is bound to in the container.

For the Home Assistant you need to discover why traefik is resolving the container to 127.0.0.1

Awesome, struggling with this for a long time, but solution is simple.
Tested successfully, thank you!

Hello,

I have exactly the same bug.

For the Home Assistant you need to discover why traefik is resolving the container to 127.0.0.1

How did you solve your HA problem @ben9519? I don't understand why 127.0.0.1 is the problem. All containers in docker-compose.yml use host network_mode. In the host, I can access HA using http://127.0.0.1:8123 without problem.

For reference:

version: '3'
services:
  traefik:
    image: traefik:v2.3
    container_name: traefik
    restart: unless-stopped
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=myemail@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/traefik/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik:/traefik
  homeassistant:
    container_name: home-assistant
    image: homeassistant/home-assistant:stable
    volumes:
      - ./hass:/config
    restart: unless-stopped
    network_mode: host
    ports:
      - "8123:8123" # This is required as well.
    expose:
      - 8123 # As is this.
    labels:
      - traefik.enable=true
      - traefik.http.routers.homeassistant.rule=Host(`hass.my.example.com`)
      - traefik.http.routers.homeassistant.entrypoints=websecure
      - traefik.http.routers.homeassistant.tls=true
      - traefik.http.routers.homeassistant.tls.certresolver=myresolver
      - traefik.http.services.homeassistant.loadbalancer.server.port=8123

Found it! Need to add this to the traefik service:

    extra_hosts:
      - host.docker.internal:172.17.0.1 # Needed to avoid Bad Gateway.
2 Likes