Docker containers aren't reachable behind Traefik

Hello everyone :blush:

I'm currently running a NAS on my local network (on an address like http://192.168.4.184) with a couple of Docker containers that I would like to put behind traefik. Since I'm using a dynamic configuration, I don't have a static config file for traefik.

Unfortunately, despite lots of research and troubleshooting, my containers aren't reachable and I don't understand where the issue comes from :frowning:

For security (and to be easier to maintain), all my containers are split across several stacks and each one of them has a specific network

(1) Here's my traefik docker-compose :

```yaml
networks:
    traefik_network:
    audiobookshelf_network:

services:
    traefik:
     image: traefik:latest
     container_name: traefik
     security_opt:
      - no-new-privileges=true
     command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web-secure.address=:443"
#      - "--serverstransport.insecureskipverify=true"
#      - "--entrypoints.web.http.redirections.entryPoint.to=web-secure"
#      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
     ports:
      # Entry-point (port 80 and 443 are already used by the NAS web-UI)
      - "40000:80"
      - "40010:443"
      # Debug interface
      - "40020:8080"
     labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`localhost`) && PathPrefix(`/traefik`)"
     volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
     networks:
      - "traefik_network"
      - "audiobookshelf_network"
     restart: unless-stopped
```

(2) Here's one of the containers (as an example). Note that the container was already accessible before setting up traefik:

```yaml
networks:
    audiobookshelf_network:

services:
    audiobookshelf:
     image: ghcr.io/advplyr/audiobookshelf:latest
     container_name: audiobookshelf
     security_opt:
      - no-new-privileges=true
     ports:
      # Web-UI
      - 42000:80
     volumes:
      # Some paths
     networks:
      - "audiobookshelf_network"
     labels:
      - "traefik.enable=true"
      - "traefik.http.services.audiobookshelf.loadbalancer.server.port=42000"
      - "traefik.http.routers.audiobookshelf.rule=Host(`localhost`) && PathPrefix(`/audiobookshelf`)"
      - "traefik.http.routers.audiobookshelf.tls=false"
      - "traefik.http.routers.audiobookshelf.entrypoints=web,web-secure"
     restart: unless-stopped
```

When I try to access it via http://192.168.4.184:40000/audiobookshelf, I get a 404 page not found.

(3) The debug interface also indicates that the container is accessible.

In advance, thanks for your help :pray: :heartbeat: Traefik is quite complex and my brain gets lost in the documentation :melting_face:

Your Traefik "static" config is in command, you need to define at least an entrypoint :slight_smile:

When declaring a Docker network in compose, they are usually isolated from other compose "projects". Despite the same name, they are different networks.

So instead you need to declare a Docker network on CLI or declare in one compose (make sure to add name:) and let the others use the external Docker network.

You should not assign a non-existing entrypoint web-secure to a router, that will probably break the dynamic config.

Mostly you cannot place a web app with GUI on an arbitrary PathPrefix(). They usually have fixed paths they work on (like /) and will mostly respond with absolute paths for links, redirects, scripts and images. This usually only works when you can set some kind of "base path". Use a sub-domain instead.

Finally, it’s not best practice to have the target services expose ports via ports:, as that enables access to the target services, potentially circumventing any Traefik security middlewares. Within Docker networks the ports are all enabled.

I've made several modifications based on your advice (thanks for pointing out several misconfigurations!), but unfortunately it's still not working :frowning:

Here's my compose now for (1) Traefik

```yaml
networks:
    traefik_network:
      name: "traefik_network"
    audiobookshelf_network:
      external: true

services:
    traefik:
     image: traefik:latest
     container_name: traefik
     security_opt:
      - no-new-privileges=true
     command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web-secure.address=:443"
      - "--serverstransport.insecureskipverify=true"
     ports:
      # Entry-point
      - "40000:80"
      - "40010:443"
      # Debug interface
      - "40020:8080"
     labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"
     volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
     networks:
      - "traefik_network"
      - "audiobookshelf_network"
     restart: unless-stopped
```

(2) My second container

```yaml
networks:
    audiobookshelf_network:
      name: "audiobookshelf_network"

services:
    audiobookshelf:
     image: ghcr.io/advplyr/audiobookshelf:latest
     container_name: audiobookshelf
     security_opt:
      - no-new-privileges=true
     expose:
      # Web-UI
      - "80"
     volumes:
      # Some paths
     networks:
      - "audiobookshelf_network"
     labels:
      - "traefik.enable=true"
      - "traefik.http.services.audiobookshelf.loadbalancer.server.port=80"
      - "traefik.http.routers.audiobookshelf.rule=Host(`audiobookshelf.localhost`)"
      - "traefik.http.routers.audiobookshelf.tls=false"
      - "traefik.http.routers.audiobookshelf.entrypoints=web-secure"
     restart: unless-stopped
```

I don’t think this will work. Your config will create a network for the project, but I would assume it needs to be attachable (doc).

This would require the audiobookshelf stack to always be started first to create the network.

Also note that externally the network name will be prefixed with the project, so you should give it a fixed name: in compose.

Finally for easy LetsEncrypt TLS you need to use ports 80 or 443. Other ports only work with the more complicated dnsChallenge.

Check and compare to simple Traefik example.

So, I've created the network externally (with the Portainer web UI) and made it attachable, then modified my docker compose like this (both containers are now on the same "audiobook" network):

```yaml
networks:
    traefik:
      external: true
    audiobook:
      external: true
```

I've modified my NAS config to put the web-UI on another port, so I'm now able to use 80/443 for traefik:

```yaml
  ports:
      # Entry-point
      - "80:80"
      - "443:443"
      # Debug interface
      - "40000:8080"
```

I will probably not be able to set up LetsEncrypt since I'm on a local network? Would using a self-signed certificate for testing be enough?

From a security standpoint, since traefik needs access to each separate Docker network, is it still a good practice to separate each one of them on its own network?

Thanks for your time :pray:

If you think there is a risk from a service/container, then I would create a separate Docker network.

We only have 10+ services of our own application, they all run over the same proxy network.

You cannot create valid LetsEncrypt TLS certs for localhost. If you just enable .tls=true, then Traefik will generate a custom cert; you can just select trust/continue in your browser.

Indeed, I've just enabled TLS without issue. I can access the debug interface successfully but I'm still unable to reach the container behind traefik with my local subdomain, despite being on the same network :slightly_frowning_face:

Did you create a DNS entry for audiobookshelf.localhost in hosts or local DNS to resolve to the Traefik IP?

Yes indeed, I've registered nas.local pointing to the traefik server IP on my computer DNS file and defined this label to create the subdomain on my container

```yaml
services:
    audiobookshelf:
     labels:
      - "traefik.http.routers.audiobookshelf.rule=Host(`audiobookshelf.nas.local`)"
```

You need to create audiobookshelf.nas.local, too. The browser is resolving it to an IP, only afterwards Traefik is coming into play.

My god, it was working since the beginning :melting_face: I didn't know that you need to register your subdomain's DNS entry too. Thanks for all your help :star_struck:
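The checks the replies in this thread walk through (a router may only reference a defined entry point, Compose prefixes a network name with the project unless it is external or has a fixed name:, published ports let clients bypass Traefik, and every Host() name needs its own DNS or hosts entry) can be run as a pre-deploy lint. This is an added example, not code from any poster or from Traefik; the dict layout, the project names and the hosts text are constructed assumptions standing in for parsed compose files.

```python
import re

def entrypoints(command):
    """Entry point names defined by --entrypoints.<name>.address=... flags."""
    found = (re.match(r"--entrypoints\.([^.=]+)\.address=", c, re.I) for c in command)
    return {m.group(1) for m in found if m}

def real_networks(project, declared, used):
    """Docker-level network names as Compose resolves them."""
    names = set()
    for key in used:
        cfg = declared.get(key) or {}
        default = key if cfg.get("external") else f"{project}_{key}"
        names.add(cfg.get("name", default))
    return names

def hosts_names(text):
    """Hostnames listed in hosts-file text, comments stripped."""
    return {n for line in text.splitlines() for n in line.split("#")[0].split()[1:]}

def lint(proxy, app, hosts_text):
    findings = []
    labels = dict(l.split("=", 1) for l in app["labels"])
    defined, known = entrypoints(proxy["command"]), hosts_names(hosts_text)
    for key, val in labels.items():
        if key.endswith(".entrypoints"):
            findings += [f"undefined entrypoint {e}" for e in val.split(",") if e not in defined]
        if key.endswith(".rule"):
            hosts = re.findall(r"Host\(`([^`]+)`\)", val)
            findings += [f"no DNS entry for {h}" for h in hosts if h not in known]
    if app.get("ports"):
        findings.append("published ports bypass Traefik")
    if not real_networks(*proxy["net"]) & real_networks(*app["net"]):
        findings.append("no shared Docker network")
    return findings

# Constructed sample modelled on the thread (project names are assumed).
PROXY = {"command": ["--entrypoints.web.address=:80"],
         "net": ("traefik", {"audiobookshelf_network": None}, ["audiobookshelf_network"])}
APP = {"ports": ["42000:80"],
       "labels": ["traefik.enable=true",
                  "traefik.http.routers.audiobookshelf.rule=Host(`audiobookshelf.nas.local`)",
                  "traefik.http.routers.audiobookshelf.entrypoints=web,web-secure"],
       "net": ("audiobookshelf", {"audiobookshelf_network": None}, ["audiobookshelf_network"])}
HOSTS = "192.168.4.184 nas.local  # constructed hosts file\n"

if __name__ == "__main__":
    for finding in lint(PROXY, APP, HOSTS):
        print(finding)
```

In real use the dicts would come from loading both compose files with a YAML parser and the hosts text from the client machine that opens the URL.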
