Connection refused after migrating config from docker compose to static/dynamic files

I need tighter and cleaner control over some config options and so I decided to change my config from a docker-compose.yaml file to separate static/dynamic files. However, now I get a connection refused error when trying to hit any routes, and I can't seem to figure out why - the Traefik logs don't seem to indicate that anything is misconfigured.

This is my new config setup:

/etc/traefik/traefik.yaml (new)

api:
  dashboard: true
  debug: true
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  file:
    filename: "/etc/traefik/dynamic_config.yaml"
    watch: true
  docker: {}

certificatesResolvers:
  myresolver:
    acme:
      email: "me@example.com"
      storage: "/etc/traefik/letsencrypt/acme.json"
      tlsChallenge: {}

/etc/traefik/dynamic_config.yaml (new)

http:
  routers:
    flame:
      rule: "Host(`example.com`)"   # real domain is used
      service: "flame"
      tls:
        certResolver: "myresolver"
    gotify:
      rule: "Host(`gotify.example.com`)"
      service: "gotify"
      tls:
        certResolver: "myresolver"

/opt/appdata/docker-compose.yaml (new)

version: "3.8"
services:

  traefik:
    image: traefik:v2.9
    command: --api.insecure=true --providers.docker 
    ports:
      - 80:80
      - 443:443
      - 9090:8080  # The Web UI (enabled by --api.insecure=true)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik/letsencrypt:/letsencrypt

  flame:
    image: pawelmalak/flame
    container_name: flame
    volumes: ...
    environment: ...
    ports: ...
    restart: unless-stopped

  gotify:
    image: gotify/server
    container_name: gotify
    environment: ...
    ports: ...
    volumes: ...
    restart: unless-stopped

... and this is my previous config setup, which was working

/opt/appdata/docker-compose.yaml (old)

version: "3.8"
services:

  traefik:
    image: traefik:v2.9
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=me@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 443:443
      - 9090:8080  # The Web UI (enabled by --api.insecure=true)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/appdata/letsencrypt:/letsencrypt  # I moved this to /etc/traefik in the new setup

  flame:
    image: pawelmalak/flame
    container_name: flame
    volumes: ...
    environment: ...
    ports: ...
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.flame.rule=Host(`example.com`)"
      - "traefik.http.routers.flame.entrypoints=web,websecure"
      - "traefik.http.routers.flame.tls.certresolver=myresolver"
    restart: unless-stopped

  gotify:
    image: gotify/server
    container_name: gotify
    environment: ...
    ports: ...
    volumes: ...
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gotify.rule=Host(`gotify.example.com`)"
      - "traefik.http.routers.gotify.entrypoints=web,websecure"
      - "traefik.http.routers.gotify.tls.certresolver=myresolver"
    restart: unless-stopped

I've combed through the documentation and I'm not sure what the problem could be. I can access the Traefik web UI just fine, and the services and routers are listed, but trying to hit my domain using a web browser immediately gets me an "Unable to Connect" message, and curl gives me this:

$ curl https://example.com  # real domain is used
curl: (7) Failed to connect to example port 443 after 48 ms: Connection refused

Edit: additional troubleshooting I've done:

  • If I try and access my domain using http (no ssl) I get a 404.
  • I've ensured my acme.json file has the correct permissions.
  • I'm able to access my services using the local IP/port given in the HTTP Services section of the Traefik web ui.
  • The same problem exists using the LetsEncrypt caServer.

I'd sure appreciate any help. Thanks in advance.

You can only use one type of static config: traefik.yml or command:.

I understand that, and I thought that's what I'm doing - the fact that the services show up in the web ui tells me the static file is being read. So you're saying I'm using both a static file and commands then? What should I do differently?

If I remove the --api.insecure=true --providers.docker commands from the docker-compose file then I'm unable to start the Traefik container - running docker compose up traefik just hangs.

Solved this problem (though I'm now getting an internal server error which is probably due to my dynamic config). The solution was to modify the docker-compose.yaml file like so:

version: "3.8"
services:

  traefik:
    image: traefik:v2.9
    # removed `commands:` section
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`)"
      - "traefik.http.routers.traefik-secure.service=api@internal"

    ports:
      - 80:80
      - 443:443
      - 9090:8080  # The Web UI (enabled by --api.insecure=true)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik/letsencrypt:/letsencrypt/acme  # modified
      - /etc/traefik:/etc/traefik/:ro  # added

I also modified the providers.docker section in my static config:

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true   

Put the config from command into traefik.yml
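
Added example (not part of the original thread and not code from the Traefik project): the flags from the old, working `command:` list written as a single static file, combined with the file provider from the poster's new traefik.yaml. It assumes the `command:` section is removed from the compose file entirely, that the file is mounted into the container at /etc/traefik/traefik.yaml, and that the certificate volume is still mounted at /letsencrypt as in the old compose file. Traefik reads static configuration from only one source (file, CLI flags or environment variables), so nothing here may be repeated as a flag.

```yaml
# /etc/traefik/traefik.yaml  (static configuration, the only source in use)

log:
  level: DEBUG                 # --log.level=DEBUG

api:
  # --api.insecure=true
  # Serves the dashboard and API without authentication on container
  # port 8080, which the compose file publishes on host port 9090.
  insecure: true

entryPoints:
  web:
    address: ":80"             # --entrypoints.web.address=:80
    http:
      redirections:
        entryPoint:
          to: websecure        # --entrypoints.web.http.redirections.entrypoint.to
          scheme: https        # --entrypoints.web.http.redirections.entrypoint.scheme
  websecure:
    address: ":443"            # --entrypoints.websecure.address=:443

providers:
  docker:
    exposedByDefault: false    # --providers.docker.exposedbydefault=false
  file:
    # Carried over from the poster's new static file; this path must
    # exist inside the container, not only on the host.
    filename: "/etc/traefik/dynamic_config.yaml"
    watch: true

certificatesResolvers:
  myresolver:
    acme:
      email: "me@example.com"
      # Path inside the container (assumed: the old /letsencrypt mount).
      # The ACME store must be on a writable volume.
      storage: "/letsencrypt/acme.json"
      tlsChallenge: {}         # --certificatesresolvers.myresolver.acme.tlschallenge=true
```

With this file in place, both published ports 80 and 443 have a matching entry point defined, which is what the `--api.insecure=true --providers.docker` command line on its own did not provide.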
