Can an already working, fully containerized Docker cluster containing Traefik also be used to route to some services on the server's localhost?

I can't route to the service through the public internet as there is a firewall/vpn in the way. I want to know if there is anything that can be done to get containerized traefik (non-swarm mode, just straight docker-compose) to route to the local webserver (running on port 8080, which is blocked from public access).

An example of the setup can be found in the open-source repo Dean Kayton / research_db · GitLab (this contains the working Traefik configuration, without the local service that can't be containerized).


I did some tinkering on a local Vagrant dev VM and got it to work. Here is the config located at /config/dynamic.yml:

      minVersion: VersionTLS12
      minVersion: VersionTLS13

        certFile: /certs/local.crt
        keyFile: /certs/local.key

      rule: Host(`galaxy.mylocalserver.uct.lan`)
      tls: true
        - websecure
      service: galaxy
          - url: http://mylocalserver.lan:8080

To read the above config I added the following flags to the start command:

The other two steps I took (still undecided whether they were necessary or not): I had to run the "galaxy" service on and I needed to tell Vagrant to forward port 8080 from the guest to the host.

I am unsure in the above scenario which route traefik takes to get to my local service. Is it finding the VM's public ip and entering through the host port, which is forwarded to the guest then to the local service? Is there a way to not have to publish/forward any ports?

I will do some further experiments to try to work out the answer for myself.

First thing I have worked out is:

port forwarding is not necessary but opening the port on the firewall is necessary.

So I didn't need to change the Vagrantfile at all, but I had to provision the VM in a way that opens up port 8080 (see the following; I use Ansible to configure the firewall).

- name: Ensure firewall is set up
  hosts: all
  become: yes
  become_method: sudo
  become_user: root
  vars:
    firewall_state: started
    firewall_enabled_at_boot: true
    firewall_allowed_tcp_ports:
      - 22
      - 80
      - 443
      - 8080  # port of the local, non-containerized service
    firewall_allowed_udp_ports: []
    firewall_disable_ufw: true
    firewall_enable_ipv6: false
  roles:
    - geerlingguy.firewall

This sure means I will need to get permissions from the sysadmins that manage our VM, to open up port 8080.

I am hoping for a slightly more internal route from traefik container to the host service, one which does not rely on entering through a potentially closed port of the host's firewall.
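
A narrower version of the firewall playbook from the thread, shown as an added example that is not part of the original posts: port 8080 is left out of the open-port list and accepted only from the Docker bridge subnet through the role's `firewall_additional_rules` variable. The subnet `172.18.0.0/16` is an assumed placeholder; read the real one with `docker network inspect` on the compose network Traefik is attached to.

```yaml
- name: Ensure firewall is set up (8080 limited to the Docker bridge)
  hosts: all
  become: yes
  become_method: sudo
  become_user: root
  vars:
    firewall_state: started
    firewall_enabled_at_boot: true
    # Listing 8080 here, as in the thread, accepts it from every source.
    # It is deliberately left out of this list.
    firewall_allowed_tcp_ports:
      - 22
      - 80
      - 443
    firewall_allowed_udp_ports: []
    firewall_disable_ufw: true
    firewall_enable_ipv6: false
    # Traffic from a container on a bridge network to the host's own address
    # reaches the host's INPUT chain with a source address from the bridge
    # subnet, so only that subnet is accepted on 8080.
    # 172.18.0.0/16 is an assumed placeholder for the compose network subnet.
    firewall_additional_rules:
      - "iptables -A INPUT -p tcp --dport 8080 -s 172.18.0.0/16 -j ACCEPT"
  roles:
    - geerlingguy.firewall
```

The host firewall still has to be changed, but the rule no longer exposes the service to anything outside the Docker network.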