502 Bad Gateway for one container (onlyoffice-documentserver)

Hi there

First of all, thanks for your awesome work!!!

I recently migrated from traefik 1.7 to chevrotin. With a little work I got everything up and running again. Now I wanted to add another docker service (onlyoffice-documentserver) to my server. I have been testing around, consulting all the 502 posts on containous, but nothing helped to get rid of the 502 error.

I have one docker-compose file which I use to start all services, including traefik. Below you will find the relevant snippets of the config. Just to let you know: I have 25 containers running, of which 19 are accessible with an individual *.mydomain.com address. All with one config which, so far, has worked perfectly.

    traefik:
        container_name: traefik
        image: traefik:chevrotin
        command:
            - --global.checkNewVersion=true
            - --global.sendAnonymousUsage=true
            - --entryPoints.http.address=:80
            - --entryPoints.https.address=:443
            # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
            - --entrypoints.https.forwardedHeaders.trustedIPs=lots of IP's
            - --entryPoints.traefik.address=:8080
            - --api=true
     #        - --api.insecure=true
     #        - --serversTransport.insecureSkipVerify=true
            - --log=true
            - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
            - --accessLog=true
            - --accessLog.filePath=/traefik2.log
            - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
            - --accessLog.filters.statusCodes=400-499
            - --providers.docker=true
            - --providers.docker.endpoint=unix:///var/run/docker.sock
            - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
            - --providers.docker.exposedByDefault=false
            - --providers.docker.network=t2_proxy
            - --providers.docker.swarmMode=false
            - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
            - --providers.file.watch=true # Only works on top level files in the rules folder
     #       - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # uncomment when testing
            - --certificatesResolvers.dns-cloudflare.acme.email=$MYEMAIL
            - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
            - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
            - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
        networks:
          t2_proxy:
            ipv4_address: IP
        security_opt:
            - no-new-privileges:true
        ports:
            - target: 80
              published: 80
              protocol: tcp
              mode: host
            - target: 443
              published: 443
              protocol: tcp
              mode: host
            - target: 8080
              published: 8080
              protocol: tcp
              mode: host
        volumes:
            - $USERDIR/traefik2/rules:/rules # file provider directory
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - $USERDIR/traefik2/acme/acme.json:/acme.json
            - $USERDIR/traefik2/traefik2.log:/var/log/docker/traefik2.log
            - $USERDIR/shared:/shared     
        environment:    
            - CF_API_EMAIL=$MYEMAIL
            - CF_API_KEY=$CFAPI
            - TZ=${TZ}
        labels:
            - "traefik.enable=true"
            # HTTP-to-HTTPS Redirect
            - "traefik.http.routers.http-catchall.entrypoints=http"
            - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
            - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
            - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
            # HTTP Routers
            - "traefik.http.routers.traefik-rtr.entrypoints=https"
            - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
            - "traefik.http.routers.traefik-rtr.tls=true"
     #       - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
            - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
            - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
            ## Middlewares
            # - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" # No Authentication
            - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file"
            #- "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
            ## Services - API
            - "traefik.http.routers.traefik-rtr.service=api@internal"   
        restart: unless-stopped

Header security is defined in a separate .toml file in the "rules" folder.

And here the onlyoffice service:

    onlyoffice-documentserver:
        container_name: onlyoffice-documentserver
        image: onlyoffice/documentserver
        environment:
          - TZ=${TZ}
        stdin_open: true 
        tty: true
        networks:
           - t2_proxy
        restart: always
        volumes:
           - $USERDIR/onlyoffice/data:/var/www/onlyoffice/Data/
           - $USERDIR/onlyoffice/data/certs:/var/www/onlyoffice/Data/onlyoffice/documentserver
           - $USERDIR/onlyoffice/log:/var/log/onlyoffice
           - $USERDIR/onlyoffice/cache:/var/lib/onlyoffice/documentserver/App_Data/cache/files
           - $USERDIR/onlyoffice/example:/var/www/onlyoffice/documentserver-example/public/files
           - $USERDIR/onlyoffice/fonts:/usr/share/fonts
        labels:
            - "traefik.enable=true"
            ## HTTP Routers
            - "traefik.http.routers.onlyoffice-rtr.entrypoints=https"
            - "traefik.http.routers.onlyoffice-rtr.rule=Host(`onlyoffice.$DOMAINNAME`)"
            - "traefik.http.routers.onlyoffice-rtr.tls=true"
            ## Middlewares
            - "traefik.http.routers.onlyoffice-rtr.middlewares=chain-no-auth@file"
            ## HTTP Services
            - "traefik.http.routers.onlyoffice-rtr.service=onlyoffice-svc"
            - "traefik.http.services.onlyoffice-svc.loadbalancer.server.port=443"

Log is:

    time="xxx" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip\"],\"Accept-Language\":[\"de-CH,en-US;q=0.7,en;q=0.3\"],\"Cache-Control\":[\"max-age=0\"],\"Cdn-Loop\":[\"cloudflare\"],\"Cf-Connecting-Ip\":[\"*myip*\"],\"Cf-Ipcountry\":[\"CH\"],\"Cf-Ray\":[\"*certinfo*\"],\"Cf-Request-Id\":[\"*certinfo*\"],\"Cf-Visitor\":[\"{\\\"scheme\\\":\\\"https\\\"}\"],\"Connection\":[\"Keep-Alive\"],\"Cookie\":[\"__cfduid=*alphanumerical*\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0\"],\"X-Forwarded-For\":[\"*myip*\"],\"X-Forwarded-Host\":[\"onlyoffice.mydomain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"*alphanumeric*\"],\"X-Real-Ip\":[\"162.158.91.242\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"onlyoffice.mydomain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"162.158.91.242:52126\",\"RequestURI\":\"/\",\"TLS\":null}"

and

    time="xxx" level=debug msg="'502 Bad Gateway' caused by: dial tcp 192.168.90.20:443: connect: connection refused"

Thanks for your help
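The two debug lines quoted in the post carry everything needed to localise a 502: the upstream address Traefik dialled (taken from the service's `loadbalancer.server.port` label) and the OS error it got back. The script below is an added example, not part of the post or of Traefik; it parses Traefik v2 logfmt lines, decodes the `Request="..."` blob (JSON inside a Go-quoted string) and maps the dial error onto the usual misconfiguration, so that `connect: connection refused` is reported as "the container answered but nothing is bound on that port" rather than a generic 502. The log lines embedded in it are constructed, modelled on the ones above with the domain replaced by example.com and an extra `i/o timeout` line added to show a second error class; the hint texts are my own reading of those error strings, not Traefik output.

```python
"""Triage helper for Traefik v2 '502 Bad Gateway' debug-log lines.

Added example, not part of the original post. Parses logfmt lines like the
ones quoted in the post, extracts the upstream Traefik tried to dial and the
OS error it received, and maps the error onto the likely misconfiguration.
SAMPLE_LOG is constructed (domain replaced by example.com; timeout line added).
"""
import json
import re
from typing import Dict, List, Optional

# logfmt token: key=value where value is a Go-quoted string or a bare word.
_LOGFMT = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# e.g. "dial tcp 192.168.90.20:443: connect: connection refused"
_DIAL = re.compile(r"dial tcp (\[[^\]]+\]|[^\s:]+):(\d+): (.+)$")

# (needle in error text, label, what to check). Hints are the author's own
# interpretation of these OS/TLS error strings, not text emitted by Traefik.
_HINTS = [
    ("connection refused", "not_listening",
     "Container reachable but nothing bound on that port; compare "
     "loadbalancer.server.port with what the process listens on "
     "(docker exec <ctr> ss -ltn)."),
    ("i/o timeout", "unreachable",
     "No answer at all; check the container is on the provider network "
     "(providers.docker.network) and nothing filters the traffic."),
    ("no route to host", "unreachable",
     "Traefik has no route to that IP; check the Docker network attachment."),
    ("x509", "tls_mismatch",
     "Backend speaks TLS with a cert Traefik does not trust; route to the "
     "plain HTTP port or set loadbalancer.server.scheme=https with a trusted cert."),
]


def parse_logfmt(line: str) -> Dict[str, str]:
    """Split a Traefik debug line into key -> unquoted value."""
    out: Dict[str, str] = {}
    for key, raw in _LOGFMT.findall(line):
        # Go's %q quoting is JSON-compatible for the characters seen here.
        out[key] = json.loads(raw) if raw.startswith('"') else raw
    return out


def parse_request(fields: Dict[str, str]) -> Optional[dict]:
    """Decode the Request="{...}" blob: JSON carried inside a quoted string."""
    if "Request" not in fields:
        return None
    return json.loads(fields["Request"])


def classify_502(msg: str) -> Optional[dict]:
    """Extract upstream and error from a "'502 Bad Gateway' caused by" message."""
    if "502 Bad Gateway" not in msg:
        return None
    m = _DIAL.search(msg)
    if not m:
        return {"upstream": None, "port": None, "error": msg,
                "label": "unknown", "hint": "Not a dial error; read the backend's logs."}
    host, port, err = m.groups()
    label, hint = "unknown", "Error string not recognised; read the backend's own logs."
    for needle, lab, text in _HINTS:
        if needle in err:
            label, hint = lab, text
            break
    return {"upstream": f"{host}:{port}", "port": int(port), "error": err,
            "label": label, "hint": hint}


def triage(lines: List[str]) -> List[dict]:
    """One record per line: request summaries and classified 502 causes."""
    records: List[dict] = []
    for line in lines:
        fields = parse_logfmt(line)
        req = parse_request(fields)
        if req is not None:
            hdr = req.get("Header", {})
            records.append({"kind": "request", "host": req.get("Host"),
                            "proto": (hdr.get("X-Forwarded-Proto") or [None])[0],
                            "client": (hdr.get("X-Forwarded-For") or [None])[0],
                            "remote": req.get("RemoteAddr")})
            continue
        gw = classify_502(fields.get("msg", ""))
        if gw is not None:
            records.append({"kind": "502", **gw})
    return records


# Constructed sample, modelled on the post's two lines plus one timeout case.
SAMPLE_LOG = [
    r'''time="2020-06-12T10:00:00Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Host\":\"\",\"Path\":\"/\"},\"Proto\":\"HTTP/1.1\",\"Header\":{\"Cf-Visitor\":[\"{\\\"scheme\\\":\\\"https\\\"}\"],\"X-Forwarded-For\":[\"198.51.100.7\"],\"X-Forwarded-Host\":[\"onlyoffice.example.com\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Real-Ip\":[\"162.158.91.242\"]},\"Host\":\"onlyoffice.example.com\",\"RemoteAddr\":\"162.158.91.242:52126\",\"RequestURI\":\"/\",\"TLS\":null}"''',
    r'''time="2020-06-12T10:00:00Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp 192.168.90.20:443: connect: connection refused"''',
    r'''time="2020-06-12T10:00:01Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp 192.168.90.21:80: i/o timeout"''',
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

Run it against a real `--log.level=DEBUG` file by reading the lines from disk instead of `SAMPLE_LOG`; a `not_listening` record whose `port` matches the service's `loadbalancer.server.port` label says the container is reached on the right network but the process inside is not bound to that port, so the label, not the network, is the first thing to check.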