Cannot access services from local network

moped · February 6, 2023, 9:39pm

Hello,

I have a few services running in Docker and I would like to have them accessible as public subdomains from the internet and from local network too. I've set up Let's Encrypt for SSL and configured all necessary services. Everything running fine.

My router won't allow accessing these services from the inside (no DNS loopback) and won't allow for custom DNS, so I have an Unbound DNS running on the same machine as well. My PC is set to use this DNS when connected to local network, resolving all subdomains to local address and on the internet, it uses CF/Google DNS servers as usual, resolving public IP address of the router with port forwarding to Traefik.

The problem is, that all my services return error when I try to access them from local network. It resolves IP correctly but I only get Secure Connection Failed / PR_CONNECT_RESET_ERROR.

Before Traefik I used Caddy 2 and it was fairly simple to configure services and I didn't have this problem.

This is my Gitea config for example:

labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.rule=Host(`gitea.mydomain.com`)"
      - "traefik.http.routers.gitea.entrypoints=https"
      - "traefik.http.routers.gitea.tls=true"
      - "traefik.http.routers.gitea.tls.certresolver=le"
      - "traefik.http.routers.gitea.service=gitea"
      - "traefik.http.services.gitea.loadBalancer.server.port=3000"

Is there a config that needs to be added to make this work?

Thanks!

bluepuma77 · February 7, 2023, 8:20am

What does the Traefik debug log tell you?

Is a LetsEncrypt certificate generated successfully?

moped · February 7, 2023, 9:32pm

Below is what I found in the log when I tried to visit gitea.mydomain.com from my local network. As soon as I go through NordVPN, I can connect and the site works fine, certificate is OK.

{
    "level": "debug",
    "time": "2023-02-07T19:30:38Z",
    "caller": "github.com/traefik/traefik/v2/pkg/tls/certificate.go:158",
    "message": "Adding certificate for domain(s) gitea.mydomain.com"
}
{
    "level": "debug",
    "entryPointName": "https",
    "time": "2023-02-07T19:30:38Z",
    "caller": "github.com/traefik/traefik/v2/pkg/server/router/tcp/manager.go:235",
    "message": "Adding route for gitea.mydomain.com with TLS options default"
}
{
    "level": "debug",
    "providerName": "le.acme",
    "acmeCA": "https://acme-v02.api.letsencrypt.org/directory",
    "providerName": "le.acme",
    "routerName": "gitea@docker",
    "rule": "Host(`gitea.mydomain.com`)",
    "time": "2023-02-07T19:30:38Z",
    "caller": "github.com/traefik/traefik/v2/pkg/provider/acme/provider.go:385",
    "message": "Trying to challenge certificate for domain [gitea.mydomain.com] found in HostSNI rule"
}
{
    "level": "debug",
    "providerName": "le.acme",
    "acmeCA": "https://acme-v02.api.letsencrypt.org/directory",
    "providerName": "le.acme",
    "routerName": "gitea@docker",
    "rule": "Host(`gitea.mydomain.com`)",
    "time": "2023-02-07T19:30:38Z",
    "caller": "github.com/traefik/traefik/v2/pkg/provider/acme/provider.go:847",
    "message": "Looking for provided certificate(s) to validate [\"gitea.mydomain.com\"]..."
}
{
    "level": "debug",
    "providerName": "le.acme",
    "acmeCA": "https://acme-v02.api.letsencrypt.org/directory",
    "providerName": "le.acme",
    "routerName": "gitea@docker",
    "rule": "Host(`gitea.mydomain.com`)",
    "domains": [
        "gitea.mydomain.com"
    ],
    "time": "2023-02-07T19:30:38Z",
    "caller": "github.com/traefik/traefik/v2/pkg/provider/acme/provider.go:891",
    "message": "No ACME certificate generation required for domains"
}

bluepuma77 · February 8, 2023, 6:51am

Log tells that you already have a LetsEncryot cert created for your sub-domain, that should be fine.

So you use a local DNS. It resolves your public sub-domain to a local IP address?

Have your checked with ping that it has the right value?

moped · February 8, 2023, 8:01am

Yes, when I'm on VPN, ping shows public IP, when I'm not it shows local address as it should. As I wrote, it was working in Caddy2 so I believe it has to be something in Traefik.

bluepuma77 · February 8, 2023, 8:15am

Sorry, can not look into your system, so you need to provide more data.

What's the output when you curl the domain the two different ways?

What does Traefik debug log and access log tell you during those requests?

moped · February 13, 2023, 3:31pm

So I was putting together all the curl tests, logs etc.. and found out the router was randomly blocking 80/443. I did some changes to the configuration of my docker, closed as many ports as possible and made whole system directly available from the internet. Now I have 80 and 443 directly accessible without port forwarding and everything works perfectly.
Thanks @bluepuma77 for your help!

Topic		Replies	Views
Traefik wont route subdomain except .localhost, can access dashboard and docker applications through domain:port Traefik v2 docker , letsencrypt-acme	5	3252	May 1, 2023
Can someone help with setting expectations with local domain usage (and what I may be doing incorrectly) Traefik v2 docker , middleware	4	412	February 15, 2024
Having trouble exposing service Traefik v2 file	1	182	February 9, 2024
Expose docker service locally and publicly Traefik v2 docker , tcp	7	4730	December 18, 2023
Containers within traefik network unable to connect when using domain names Traefik v2 docker	9	9240	May 6, 2023

Cannot access services from local network

Related topics