API not accessible when Traefik in host network mode

I am running Traefik on a simple single-node docker host. I had a successful configuration in the past with port-forwarding, but decided to let Traefik run with host network mode to get useful source IP addresses, for example for fail2ban.

Problem is: After switching Traefik to host network, I cannot access its dashboard and API, and am struggling to find out why.

Currently I have this in my compose file for traefik itself:

    labels:
      traefik.enable: "true"
      traefik.http.routers.api.rule: "Host(`traefik.{{ traefik_domain }}`)"
      traefik.http.routers.api.entrypoints: "https"
      traefik.http.routers.api.middlewares: "auth@file"
      traefik.http.routers.api.service: "api@internal"
      traefik.http.routers.api.tls.certresolver: "le"

This is a snippet from my traefik.yaml:

    entryPoints:
      http:
        address: ":80"
      https:
        address: ":443"
      traefik:
        address: ":8082"

The dashboard is currently accessible via http://hostip:8082, but I want traefik to have a route to itself, for middlewares, TLS handling and so on.
I have some other services on the same host with host networking, which have a similar config in their compose files, which are still accessible, so I'm wondering why the API behaves differently.

What is working, however, is to not define the service as api@internal but with the following settings:

      traefik.http.routers.api.rule: "Host(`traefik.{{ traefik_domain }}`)"
      traefik.http.routers.api.entrypoints: "https"
      traefik.http.routers.api.middlewares: "auth@file"
      traefik.http.routers.api.service: "api"
      traefik.http.routers.api.tls.certresolver: "le"
      traefik.http.services.api.loadbalancer.server.port: "8082"

So not letting traefik access itself internally but accessing the host network address on port 8082 which is the entrypoint for the API. Why is it like that, that it's not possible to access traefik internally when it's running in host network mode?

I believe I'm running into the same issue as you. I'm trying to switch Traefik over to the host networking driver and running into issues accessing it. If I look in my logs:

    time="2022-04-09T14:30:21-07:00" level=error msg="service \"reverse-proxy-traefik\" error: port is missing" providerName=docker container=reverse-proxy-traefik

I believe this comes down to auto-assigning ports. From the documentation:

If a container exposes multiple ports, or does not expose any port, then you must manually specify which port Traefik should use for communication by using the label traefik.http.services.<service_name>.loadbalancer.server.port (Read more on this label in the dedicated section in routing).

Don't quote me on this as I'm still wrapping my head around it, but I believe since the traefik definition exposes multiple ports, it's confused and unable to pick one for the dashboard/api. I think we have to tell traefik which one to use with the loadbalancer label from above.

Edit: I think you may have accidentally solved your own issue by adding the loadbalancer label. It was probably unnecessary to change the service definition. Here are my labels:

    labels:
      # Configure dashboard & API enablement (complement to static config)
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls"
      - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
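
Added example, not part of either post and not Traefik's own code: a small Python check that applies the port rule quoted from the documentation above to compose-style labels, accepting both the mapping and the list label styles used in this thread. The container names, the `resolve_port` and `audit` helpers and the exposed-port lists are constructed assumptions; in particular, a host-network container is assumed to report no ports.

```python
import re

# Matches the label named in the documentation quote above.
PORT_LABEL = re.compile(r"^traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.port$")

def normalize_labels(labels):
    """Accept both compose styles seen in this thread: a mapping or a list of "key=value"."""
    if isinstance(labels, dict):
        return {str(k): str(v) for k, v in labels.items()}
    pairs = (item.partition("=") for item in labels)
    return {key.strip(): value.strip() for key, _, value in pairs}

def resolve_port(labels, exposed_ports):
    """Return (status, port) following the quoted rule: an explicit label wins;
    exactly one exposed port is used automatically; zero or several exposed
    ports without a label is the "port is missing" case from the log."""
    for key, value in normalize_labels(labels).items():
        if PORT_LABEL.match(key):
            if value.isdecimal() and 1 <= int(value) <= 65535:
                return ("explicit", int(value))
            return ("invalid", None)
    if len(exposed_ports) == 1:
        return ("auto", exposed_ports[0])
    return ("port is missing", None)

# Constructed inputs. The port lists are assumptions about what Docker reports
# for each container; a host-network container is assumed to report none.
SAMPLES = {
    "traefik-host-no-label": ({
        "traefik.enable": "true",
        "traefik.http.routers.api.entrypoints": "https",
        "traefik.http.routers.api.service": "api@internal",
    }, []),
    "traefik-host-with-label": ([
        "traefik.enable=true",
        "traefik.http.routers.dashboard.service=api@internal",
        "traefik.http.routers.dashboard.tls",
        "traefik.http.services.dashboard.loadbalancer.server.port=8080",
    ], []),
    "single-port-bridge": ({"traefik.enable": "true"}, [80]),
    "multi-port-bridge": ({"traefik.enable": "true"}, [80, 443, 8082]),
}

def audit(samples=SAMPLES):
    """Map each sample container name to its (status, port) result."""
    return {name: resolve_port(labels, ports) for name, (labels, ports) in samples.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```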