Dynamic File Not Updating After Move to TrueNAS Electric Eel

I'd like to migrate my Podman containers from a Fedora 41 VM to my TrueNAS server. I've taken my podman run command and altered it to create the Traefik container, utilizing the same file providers I've used on my old system.

For some reason, however, my file providers are not updating with the new IP of my TrueNAS system. They are also not pulling in new systems/changes to my provider files as they normally would on my Fedora system.

Traefik is still serving connections to my other containers hosted on my Fedora system after changing my internal DNS to use my TrueNAS Traefik instance, but I've tried creating new containers on TrueNAS and pointing them using the file provider and they are still reflecting the old IPs in my access.log. I'm also getting 404 errors for new containers I've created on TrueNAS that never existed in the file prior to the move.

Reading the file providers section, it looks like this may be an issue with fsnotify on TrueNAS systems, but from what I gather this is working for other TrueNAS users. I'm not savvy with docker commands and adding Traefik dynamic configuration to a running container. If someone can take the below snippets and help me with the translation, I can try adding them to my containers running on the TrueNAS system to see if this is an issue specifically with File providers on the system.

You can see below my NAS IP is 192.168.10.20 while my Fedora server is 192.168.10.200.

Here is my traefik run command (redacting some info) as well as a snip of my file providers and configuration:

docker run -d --name traefik -p 8080:8080 -p 80:80 -p 443:443 -e CF_API_EMAIL="email@email.com" -e CF_DNS_API_TOKEN=token -e CF_ZONE_API_TOKEN=token -e CF_API_KEY=key -e "TZ=America/New_York" -v /mnt/Pool2/ContainerVol/traefik:/etc/traefik/ -v /var/run/docker.sock:/var/run/docker.sock -v /mnt/Pool2/ContainerVol/traefik/letsencrypt/acme.json:/acme.json -v /mnt/Pool2/ContainerVol/traefik/logs:/logs --restart=unless-stopped docker.io/library/traefik:latest

access.log output:
192.168.10.10 - - [23/Jan/2025:19:51:26 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 3 "sonarr4k@file" "http://192.168.10.200:8990" 1ms
192.168.10.10 - - [23/Jan/2025:19:51:26 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 4 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.10 - - [23/Jan/2025:19:51:27 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 5 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.10 - - [23/Jan/2025:19:51:27 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 6 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.10 - - [23/Jan/2025:19:51:27 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 7 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.10 - - [23/Jan/2025:19:51:27 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 8 "sonarr4k@file" "http://192.168.10.200:8990" 0ms

Configuration YML (in root of /etc/traefik/):

  docker:
    endpoint: unix:///var/run/docker.sock
    watch: true
#    exposedByDefault: false
  file:
    directory: /etc/traefik/configuration/
    watch: true

Routers.YML (in root of configuration mapped directory)

    sonarr4k:
      rule: (Host(`sonarr4k.mydomain.net`))
      service: sonarr4k
      entryPoints:
        - "websecure"

Services YML (in root of configuration mapped directory)

    sonarr4k:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.20:8990

Here is working configuration and logs for my pihole server which shows this traefik instance is still servicing data:

192.168.10.10 - - [23/Jan/2025:20:39:53 +0000] "GET / HTTP/2.0" 302 5 "-" "-" 4 "dns01@file" "-" 0ms
192.168.10.10 - - [23/Jan/2025:20:39:53 +0000] "GET /admin/ HTTP/2.0" 302 0 "-" "-" 5 "dns01@file" "http://192.168.10.201:8080" 3ms
192.168.10.10 - - [23/Jan/2025:20:39:53 +0000] "GET /admin/login.php HTTP/2.0" 200 7108 "-" "-" 6 "dns01@file" "http://192.168.10.201:8080" 2ms

Middlewares:

      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    addprefix-pihole1:
        redirectRegex:
          regex: "^https?://pihole1.mydomain.net/$"
          replacement: "https://pihole1.mydomain.net/admin/"
    https-redirect-noport:
      redirectScheme:
        scheme: https
        permanent: true

Routers:

      rule: (Host(`pihole1.mydomain.net`))
      service: dns01
      entryPoints:
        - "websecure"
      middlewares:
        - default-headers
        - https-redirect-noport
        - addprefix-pihole1

Services:

      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.201:8080

I wouldn’t consider TrueNAS a standard operating system; Docker does not support it directly (doc).

You probably get better support in a dedicated TrueNAS forum.

I've been considering that, but this is clearly an issue with Traefik not updating the dynamic file properly.

TrueNAS Scale uses Debian as its base distro, which is supported by Docker, and they've recently moved to utilizing Docker natively over Kubernetes in its latest Electric Eel release, with no extra steps needed to get Docker installed as there previously were in the operating system.

I saw various posts about TrueNAS Docker issues on forums.docker.com. If I remember correctly, TrueNAS creates their own modified Docker package, therefore it’s not officially supported (as it’s unknown what changes have been made compared to the official release).

I recommend switching to docker compose and sharing your full Traefik static and dynamic config, not just small snippets.

Thanks,

I just changed my "tdarr" internal DNS record to point to my old Podman instance that is utilizing a copy of the below directory/configuration and I'm getting the same 404 error as I am on the TrueNAS configuration. tdarr is running on my TrueNAS server, same as Plex (which is working). I've also verified TrueNAS has no firewall to modify, and tdarr is configured to use Host Network same as my Plex container.
This tells me that something is up with my file configuration or Traefik itself with file provider after a recent update. These commands seemed to take okay after the version 3 change, but this is the first time I've made any changes to my configuration since the migration from v2 outside of the v2 configuration line. For posterity's sake, though, I did try reverting back to running version 2 and omitting the "v2" configuration line and the issue persisted.

Since Podman doesn't have a traditional composer, I'll need to modify my run command to fit so, but all of the variables in a compose file are present in the run command, and should satisfy the requirements of the container as it is currently running and servicing my environment.

Here are my redacted configs for reference:

File/Folder Structure:

├── configuration
│   ├── middlewares.v2.yml
│   ├── middlewares.yml
│   ├── routers.v2.yml
│   ├── routers.yml
│   ├── services.v2.yml
│   └── services.yml
├── letsencrypt
│   ├── acme.json
│   ├── acme.json.old
│   ├── acme.json.old2
│   ├── cert.pem
│   ├── cloudflare
│   │   ├── acme.json
│   │   ├── cloudflarecert.crt
│   │   ├── cloudflarecert.pem
│   │   ├── cloudflarekey.der
│   │   └── cloudflarekey.pem
│   ├── create_p12_file.sh
│   ├── fullchain.pem
│   ├── galmotech_certificate.crt
│   ├── galmotech_certificate.p12
│   ├── key.pem
│   ├── mailcow_copy.sh
│   └── renewal-hooks
│       ├── deploy
│       ├── post
│       └── pre
├── logrotate.sh
├── logs
│   ├── access.log
│   ├── access.log.1
│   ├── access.log.2
│   ├── access.log.2.gz
│   ├── access.log.3.gz
│   ├── access.log.4.gz
│   ├── access.log.5.gz
│   ├── traefik-2024-11-07T14-05-07.081.log.gz
│   ├── traefik-2024-12-01T16-39-21.611.log.gz
│   ├── traefik-2025-01-18T18-30-19.923.log.gz
│   ├── traefik.log
│   ├── traefik.log.1
│   ├── traefik.log.2
│   ├── traefik.log.2.gz
│   ├── traefik.log.3.gz
│   ├── traefik.log.4.gz
│   └── traefik.log.5.gz
├── traefik.v2.yml
└── traefik.yml

9 directories, 41 files

traefik.yml:

#global:
#  checkNewVersion: true
#  sendAnonymousUsage: false
# static configuration
core:
  defaultRuleSyntax: v2
api:
#  insecure: true
  dashboard: true
  debug: true
serversTransport:
  insecureSkipVerify: true
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          permanent: true
          to: websecure
          scheme: https
          priority: 1000
  websecure:
    address: :443
    proxyProtocol:
      insecure: true
#    forwardedHeaders:
#      trustedIPs:
#        - "127.0.0.1/32"
#        - "192.168.10.203/32"
    http:
      tls:
        options: default
        certResolver: letsEncrypt
        domains:
          - main: "mydomain.net"
            sans:
              - "*.mydomain.net"
  sftp:
    address: ":2022"
#  unifiHA:
#    address: "192.168.10.211:8443"
  traefikhub-api: ":9900"
  traefikhub-tunl: ":9901"

certificatesResolvers:
  letsEncrypt:
    acme:
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      email: myemail@email.com
      storage: /acme.json
      keyType: 'RSA4096'
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
#  cloudflare:
#    acme:
#      email: myemail@email.com
#      storage: /cloudflare/acme.json
#      dnsChallenge:
#        provider: cloudflare
#        resolvers:
#          - "1.1.1.1:53"
#          - "1.0.0.1:53"
tls:
  stores:
    default:
#      defaultCertificate:
#        certfile: /letsencrypt/cloudflarecert.pem
#        keyFile: /letsencrypt/cloudflarekey.pem
#  certificates:
#     Description - CloudFlare Origin Certificate
#    - certFile: /letsencrypt/cloudflarecert.pem
#      keyFile: /letsencrypt/cloudflarekey.pem
#      stores:
#        - default
  options:
    default:
      minVersion: VersionTLS12
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    watch: true
#    exposedByDefault: false
  file:
    directory: /etc/traefik/configuration/
    watch: true
#tracing:
#  jaeger:
#    samplingServerURL: http://192.168.10.200:5778/sampling
#    samplingType: const
#    samplingParam: 1.0
#    localAgentHostPort: 192.168.10.200:6831
log:
  filePath: "/logs/traefik.log"
  format: common json
  level: DEBUG
accessLog:
  filePath: "/logs/access.log"
  bufferingSize: 100
#NEW HUB ITEMS 2.8+
#experimental:
#  hub: true
#hub: {}
#metrics:
#  prometheus:
#    addRoutersLabels: true
#DEPRECIATED CONFIGURATION ITEMS
#pilot:
#    token: "3a8e5066-d7bc-4411-9e93-ce245284ef16"
#experimental:
#  plugins:
#    log4shell:
#      modulename: github.com/traefik/plugin-log4shell
#      version: v0.1.2

middlewares.yml:

http:
  middlewares: 
    user-auth:
      basicAuth:
        users:
          - "admin:somepasswordhash" #password-somepassword
    my-auth:
      basicAuth:
        users:
          - 'username:${pass}' #run "authelia hash-password <password>", if you want to use basic auth and replace ${pass} value accordingly 
        headerField: "X-WebAuth-User"
        removeHeader: true
    authelia:  #use authelia if you want to have local oauth service
      forwardAuth:
        address: "http://192.168.10.200:9091/api/verify?rd=https://login.mydomain.net"
        trustForwardHeader: true
        authResponseHeaders:
          - "adminGroup"
          - "Remote-User"
          - "Remote-Groups"
    chain-authelia:
      chain:
        middlewares:
          - middlewares-rate-limit
          - nextcloud-middlewares-secure-headers
          - authelia
    chain-no-auth:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-secure-headers
    https-redirect:
      redirectScheme:
        scheme: https
        port: 443
        permanent: true
    https-redirect-noport:
      redirectScheme:
        scheme: https
        permanent: true
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
#    block-log4shell:
#      plugin:
#        log4shell:
#          errorCode: 200
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50
    nextcloud-middlewares-secure-headers:
      headers:
        accessControlMaxAge: 100
#        sslRedirect: true ###v2Only
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
#   ### We will modify this value for Nextcloud to remove the X-Frame-Options error:
        customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed for organizr.
        contentTypeNosniff: true
        browserXssFilter: true
#       sslHost: "example.com" ###v2Only
        referrerPolicy: "no-referrer"
#   ### While CSP is a good security setting, Nextcloud's Apache server takes care of this for us!
#       contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
        permissionsPolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
        customResponseHeaders:
#    ### Change this to none to remove the Robots error:
          X-Robots-Tag: "none"
          server: ""
    nextcloud-redirect:
      redirectRegex:
        permanent: true
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"
    allow-origin-header:
      headers:
        accessControlAllowMethods:
          - "GET"
          - "OPTIONS"
          - "PUT"
        accessControlAllowHeaders:
          - "*"
        accessControlAllowOriginList: 
          - "https://*.mydomain.net"
          - "https://gameon.mydomain.net"
          - "https://gameona.mydomain.net"
        accessControlMaxAge: 100
        addVaryHeader: true
    addprefix-pihole1:
        redirectRegex:
          regex: "^https?://pihole1.mydomain.net/$"
          replacement: "https://pihole1.mydomain.net/admin/"
    addprefix-pihole2:
        redirectRegex:
          regex: "^https?://pihole2.mydomain.net/$"
          replacement: "https://pihole2.mydomain.net/admin/"
    viewtube:
      headers:
        customRequestHeaders:
          X-SCHEME: https
    onlyoffice-headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
#        accessControlAllowOriginList:
#          - "*"

services.yml:

#tcp:
#  services:
http:
  services:
    authelia:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:9091
    plex:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.20:32400
    tautulli:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:8181
    mail:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.205
    homeassistant:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.211:8123
    nextcloud:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.200:8443
    office:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:88
    freepbx:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.150
    kasm:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.200:6901
    kasmws:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.225
    retro:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.225
    qnap:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.25:4443
    qnap2:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.30:4443
    gameon:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.20:31100
    truenas:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.20:443
    supermicro:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.48
    dell:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.49
    radarr:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:7878
    radarr4k:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:7879
    sonarr:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:8989
    sonarr4k:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.20:8990
    bazarr:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:6767
    bazarr4k:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:6768
    lidarr:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:8686
    tdarr:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.20:30028
    notify:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:8000
    containerstation:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.200:9090
    dns01:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.201:8080
    dns02:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.202:8080
    heimdall:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.200:444
    wikijs:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.200:3000
    portainer:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.20:31015
    printer:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.40
    nessus:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: https://192.168.10.200:8834
    viewtube:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:8066
    cyberchef:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:8000
    proxylog:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.200:16686

routers.yml:

http:
  routers:
    dashboard:
      rule: (Host(`proxy.mydomain.net`) && (PathPrefix(`/api/`)) || PathPrefix(`/dashboard/`))
      service: api@internal
      entryPoints:
        - "websecure"
      middlewares:
        - user-auth
#        - block-log4shell
    authelia:
      rule: (Host(`login.mydomain.net`))
      service: authelia
      entryPoints:
        - "websecure"
      middlewares:
        - authelia
    plex:
      rule: (Host(`plex.mydomain.net`))
      service: plex
      entryPoints:
        - "websecure"
    tautulli:
      rule: (Host(`tautulli.mydomain.net`))
      service: tautulli
      entryPoints:
        - "websecure"
    mail:
      rule: (Host(`mail.mydomain.net`))
      service: mail
      entryPoints:
        - "websecure"
    homeassistant:
      rule: (Host(`home.mydomain.net`))
      service: homeassistant
      entryPoints:
        - "websecure"
    nextcloud:
      rule: (Host(`cloud.mydomain.net`))
      service: nextcloud
      entryPoints:
        - "websecure"
      middlewares:
        - nextcloud-redirect
        - nextcloud-middlewares-secure-headers
    office:
      rule: (Host(`office.mydomain.net`))
      service: office
      entryPoints:
        - "websecure"
      middlewares:
        - onlyoffice-headers
    freepbx:
      rule: (Host(`freepbx.mydomain.net`))
      service: freepbx
      entryPoints:
        - "websecure"
    kasm:
      rule: (Host(`kasm.mydomain.net`))
      service: kasm
      entryPoints:
        - "websecure"
      middlewares:
        - authelia
    retro:
      rule: (Host(`retro.mydomain.net`))
      service: retro
      entryPoints:
        - "websecure"
      middlewares:
        - authelia
        - default-headers
    kasmws:
      rule: (Host(`kasmws.mydomain.net`))
      service: kasmws
      entryPoints:
        - "websecure"
      middlewares:
        - authelia
    qnap:
      rule: (Host(`qnap.mydomain.net`))
      service: qnap
      entryPoints:
        - "websecure"
    qnap2:
      rule: (Host(`qnapb.mydomain.net`))
      service: qnap2
      entryPoints:
        - "websecure"
    gameon:
      rule: (Host(`gameon.mydomain.net`))
      service: gameon
      entryPoints:
        - "websecure"
    truenas:
      rule: (Host(`truenas.mydomain.net`))
      service: truenas
      entryPoints:
        - "websecure"
    supermicro:
      rule: (Host(`supermicro.mydomain.net`))
      service: supermicro
      entryPoints:
        - "websecure"
    dell:
      rule: (Host(`dell.mydomain.net`))
      service: dell
      entryPoints:
        - "websecure"
    radarr:
      rule: (Host(`radarr.mydomain.net`))
      service: radarr
      entryPoints:
        - "websecure"
    radarr4k:
      rule: (Host(`radarr4k.mydomain.net`))
      service: radarr4k
      entryPoints:
        - "websecure"
    sonarr:
      rule: (Host(`sonarr.mydomain.net`))
      service: sonarr
      entryPoints:
        - "websecure"
#      middlewares:
#        - chain-authelia
    sonarr4k:
      rule: (Host(`sonarr4k.mydomain.net`))
      service: sonarr4k
      entryPoints:
        - "websecure"
    bazarr:
      rule: (Host(`bazarr.mydomain.net`))
      service: bazarr
      entryPoints:
        - "websecure"
    bazarr4k:
      rule: (Host(`bazarr4k.mydomain.net`))
      service: bazarr4k
      entryPoints:
        - "websecure"
    lidarr:
      rule: (Host(`lidarr.mydomain.net`))
      service: lidarr
      entryPoints:
        - "websecure"
    tdarr:
      rule: (Host(`tdarr.mydomain.net`) && (PathPrefix(`/#/`))
      service: tdarr
      entryPoints:
        - "websecure"
    notify:
      rule: (Host(`notify.mydomain.net`))
      service: notify
      entryPoints:
        - "websecure"
    podman:
      rule: (Host(`podman.mydomain.net`))
      service: containerstation
      entryPoints:
        - "websecure"
    dns01: 
      rule: (Host(`pihole1.mydomain.net`))
      service: dns01
      entryPoints:
        - "websecure"
      middlewares:
        - default-headers
        - https-redirect-noport
        - addprefix-pihole1
    dns02:
      rule: (Host(`pihole2.mydomain.net`))
      service: dns02
      entryPoints:
        - "websecure"
      middlewares:
        - default-headers
        - addprefix-pihole2
        - https-redirect-noport
    heimdall:
      rule: (Host(`dashboard.mydomain.net`))
      service: heimdall
      entryPoints:
        - "websecure"
    wikijs:
      rule: (Host(`wiki.mydomain.net`))
      service: wikijs
      entryPoints:
        - "websecure"
    portainer:
      rule: (Host(`portainer.mydomain.net`))
      service: portainer
      entryPoints:
        - "websecure"
    printer:
      rule: (Host(`printer.mydomain.net`))
      service: printer
      entryPoints:
        - "websecure"
    nessus:
      rule: (Host(`nessus.mydomain.net`))
      service: nessus
      entryPoints:
        - "websecure"
    viewtube:
      rule: (Host(`tube.mydomain.net`))
      service: viewtube
      entryPoints:
        - "websecure"
    cyberchef:
      rule: (Host(`cyberchef.mydomain.net`))
      service: cyberchef
      entryPoints:
        - "websecure"
    proxylog:
      rule: (Host(`proxylog.mydomain.net`))
      service: proxylog
      entryPoints:
        - "websecure"

You run Docker or podman on TrueNAS?

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

Debug log: Is the dynamic config file read, are the routers and services created. Do requests arrive at Traefik?

Access log: Do requests arrive at Traefik, are errors returned by Traefik (only DownstreamStatus) or by target service (OriginStatus)?

Enable and check Traefik /dashboard/, if the routers and services are registered.

I'm utilizing Podman on my Fedora server (192.168.10.200) where Traefik is working okay, but after adding new entries for containers hosted on the TrueNAS (192.168.10.20), Traefik is not redirecting correctly. I am able to get to my TrueNAS webpage and Plex which are hosted on my TrueNAS system through Traefik which were working fine before this issue arose.

I'm utilizing Docker on my TrueNAS server where I'm trying to migrate my services to. After troubleshooting some more yesterday, I'm experiencing issues with Traefik on both systems where it appears the dynamic file is not working properly.

I'm currently routing most traffic through my TrueNAS server at 192.168.10.20 via DNS. I currently have DNS for my "tdarr.domain.net" and "sonarr4k.mydomain.net" entries routing through my TrueNAS server. Sonarr4k was an established service on my Fedora server which I moved to TrueNAS and is now giving a "Bad Gateway" page. Tdarr is a new service only established on TrueNAS which is giving me a 404 error no matter which Traefik instance (Fedora or TrueNAS) I run it through.

Here is my dashboard running through my TrueNAS instance. Most containers still live on my Fedora server which are working, so I'm focusing on those that are not which are tdarr and sonarr4k, both hosted on the TrueNAS system.

I'm hopeful these logs show that Traefik is not updating my configuration as it shows above. They clearly show Traefik is trying to reach my Fedora server instead of my TrueNAS server IP.

I cannot enable Debug for my access log as it crashes the container and it won't start with that line item. I already had debug enabled for traefik.log via my requested configuration. If I check my access.log for tdarr.mydomain.net, there are no entries at all. But if I check for sonarr4k.galmotech.net, I see new entries pointing to my "old" Fedora server IP 192.168.10.200 instead of 192.168.10.20 of my TrueNAS that I've moved the container to.

Here are those entries:

	Line 33: 172.16.0.1 - - [27/Jan/2025:14:09:56 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 37 "sonarr4k@file" "http://192.168.10.200:8990" 1ms
	Line 35: 172.16.0.1 - - [27/Jan/2025:14:09:56 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 38 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
	Line 36: 192.168.10.200 - - [27/Jan/2025:14:10:00 +0000] "GET /api/v3/queue?apikey=a2c7a0399be743f3a8faf4d5756fdf79&includeEpisode=true HTTP/1.1" 502 11 "-" "-" 42 "sonarr4k@file" "http://192.168.10.200:8990" 1ms

Here are sonarr4k records from traefik.log:

	Line 186128: 2025-01-27T09:09:34-05:00 WRN github.com/traefik/traefik/v3/pkg/provider/file/file.go:422 > HTTP router already configured, skipping filename=routers.yml providerName=file routerName=sonarr4k
	Line 186168: 2025-01-27T09:09:34-05:00 WRN github.com/traefik/traefik/v3/pkg/provider/file/file.go:438 > HTTP service already configured, skipping filename=services.yml providerName=file serviceName=sonarr4k
	Line 186187: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"addprefix-pihole1":{"redirectRegex":{"regex":"^https?://pihole1.mydomain.net/$","replacement":"https://pihole1.mydomain.net/admin/"}},"addprefix-pihole2":{"redirectRegex":{"regex":"^https?://pihole2.mydomain.net/$","replacement":"https://pihole2.mydomain.net/admin/"}},"allow-origin-header":{"headers":{"accessControlAllowHeaders":["*"],"accessControlAllowMethods":["GET","OPTIONS","PUT"],"accessControlAllowOriginList":["https://*.mydomain.net","https://gameon.mydomain.net","https://gameona.mydomain.net"],"accessControlMaxAge":100,"addVaryHeader":true}},"authelia":{"forwardAuth":{"address":"http://192.168.10.200:9091/api/verify?rd=https://login.mydomain.net","authResponseHeaders":["adminGroup","Remote-User","Remote-Groups"],"maxBodySize":-1,"trustForwardHeader":true}},"chain-authelia":{"chain":{"middlewares":["middlewares-rate-limit","nextcloud-middlewares-secure-headers","authelia"]}},"chain-no-auth":{"chain":{"middlewares":["middlewares-rate-limit","middlewares-secure-headers"]}},"default-headers":{"headers":{"browserXssFilter":true,"contentTypeNosniff":true,"customFrameOptionsValue":"SAMEORIGIN","customRequestHeaders":{"X-Forwarded-Proto":"https"},"forceSTSHeader":true,"frameDeny":true,"referrerPolicy":"strict-origin-when-cross-origin","stsIncludeSubdomains":true,"stsPreload":true,"stsSeconds":15552000}},"https-redirect":{"redirectScheme":{"permanent":true,"port":"443","scheme":"https"}},"https-redirect-noport":{"redirectScheme":{"permanent":true,"scheme":"https"}},"middlewares-rate-limit":{"rateLimit":{"average":100,"burst":50,"period":"1s"}},"my-auth":{"basicAuth":{"headerField":"X-WebAuth-User","removeHeader":true,"users":["username:${pass}"]}},"nextcloud-middlewares-secure-headers":{"headers":{"accessControlMaxAge":100,"browserXssFilter":true,"contentTypeNosniff":true,"customFrameOptionsValue":"
SAMEORIGIN","customResponseHeader ...
	Line 186222: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:313 > Creating load-balancer entryPointName=websecure routerName=sonarr4k@file serviceName=sonarr4k@file
	Line 186223: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=sonarr4k@file serverName=9bde6258e42b47ab serviceName=sonarr4k@file target=http://192.168.10.200:8990
	Line 186390: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for sonarr4k.mydomain.net with TLS options default entryPointName=websecure
	Line 186563: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:313 > Creating load-balancer entryPointName=websecure routerName=sonarr4k@file serviceName=sonarr4k@file
	Line 186565: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=sonarr4k@file serverName=9bde6258e42b47ab serviceName=sonarr4k@file target=http://192.168.10.200:8990
	Line 186679: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for sonarr4k.mydomain.net with TLS options default entryPointName=websecure

Here are tdarr log entries from only traefik.log. As mentioned, there are no logs in access.log file for this service/router:

	Line 186187: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"addprefix-pihole1":{"redirectRegex":{"regex":"^https?://pihole1.mydomain.net/$","replacement":"https://pihole1.mydomain.net/admin/"}},"addprefix-pihole2":{"redirectRegex":{"regex":"^https?://pihole2.mydomain.net/$","replacement":"https://pihole2.mydomain.net/admin/"}},"allow-origin-header":{"headers":{"accessControlAllowHeaders":["*"],"accessControlAllowMethods":["GET","OPTIONS","PUT"],"accessControlAllowOriginList":["https://*.mydomain.net","https://gameon.mydomain.net","https://gameona.mydomain.net"],"accessControlMaxAge":100,"addVaryHeader":true}},"authelia":{"forwardAuth":{"address":"http://192.168.10.200:9091/api/verify?rd=https://login.mydomain.net","authResponseHeaders":["adminGroup","Remote-User","Remote-Groups"],"maxBodySize":-1,"trustForwardHeader":true}},"chain-authelia":{"chain":{"middlewares":["middlewares-rate-limit","nextcloud-middlewares-secure-headers","authelia"]}},"chain-no-auth":{"chain":{"middlewares":["middlewares-rate-limit","middlewares-secure-headers"]}},"default-headers":{"headers":{"browserXssFilter":true,"contentTypeNosniff":true,"customFrameOptionsValue":"SAMEORIGIN","customRequestHeaders":{"X-Forwarded-Proto":"https"},"forceSTSHeader":true,"frameDeny":true,"referrerPolicy":"strict-origin-when-cross-origin","stsIncludeSubdomains":true,"stsPreload":true,"stsSeconds":15552000}},"https-redirect":{"redirectScheme":{"permanent":true,"port":"443","scheme":"https"}},"https-redirect-noport":{"redirectScheme":{"permanent":true,"scheme":"https"}},"middlewares-rate-limit":{"rateLimit":{"average":100,"burst":50,"period":"1s"}},"my-auth":{"basicAuth":{"headerField":"X-WebAuth-User","removeHeader":true,"users":["username:${pass}"]}},"nextcloud-middlewares-secure-headers":{"headers":{"accessControlMaxAge":100,"browserXssFilter":true,"contentTypeNosniff":true,"customFrameOptionsValue":"
SAMEORIGIN","customResponseHeader ...
	Line 186330: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:313 > Creating load-balancer entryPointName=websecure routerName=tdarr@file serviceName=tdarr@file
	Line 186331: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=tdarr@file serverName=72c666012f67cc01 serviceName=tdarr@file target=https://192.168.10.20:30028
	Line 186385: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for tdarr.mydomain.net with TLS options default entryPointName=websecure
	Line 186474: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:313 > Creating load-balancer entryPointName=websecure routerName=tdarr@file serviceName=tdarr@file
	Line 186475: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=tdarr@file serverName=72c666012f67cc01 serviceName=tdarr@file target=https://192.168.10.20:30028
	Line 186668: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for tdarr.mydomain.net with TLS options default entryPointName=websecure

If you need anything else or have recommendations I can certainly provide. Thanks for your help!

You lost me. You got a Fedora server with Traefik and TrueNAS with Traefik?

What IPs are your domains pointing to? Should one Traefik proxy to the other?

My apologies if I didn't explain the above sufficiently enough in my previous two posts.

Fedora Server running Traefik --> 192.168.10.200
TrueNAS Server running Traefik --> 192.168.10.20

Both Traefik servers have separate root-level configuration folders that contain the same configuration items and tree structure above.

I control my fqdn.mydomain.net IP designations via internal PiHole DNS servers to determine what Traefik server handles requests. I can point my traffic to either my Fedora instance or TrueNAS instance for troubleshooting while I work through this migration of services.

For the logs from my example above, both tdarr.mydomain.net and sonarr4k.mydomain.net are pointing to my TrueNAS Traefik deployment.

You can see in my configuration that I'm pointing Traefik to use websecure for both domains pointing to 192.168.10.20 where the containers are now running, but in the logs you can see that the IP is still pointing to a stale 192.168.10.200 which the configuration used to point to.

The operating system caches DNS responses, so even if you switch the IP in Pi-Hole, it may take some time for the change to take effect on every client.

It may even take different time on different clients, depending on last local resolve.

I can clear my cache manually and check each time I make a DNS change. As mentioned, this issue is persistent on each instance of Traefik, my Fedora and TrueNAS instance.

Additionally, my tdarr.mydomain.net entry is a new entry that only lives on my TrueNAS instance. Receiving a 404 and no log in access.log is a glaring issue.

File permissions are owned by root and 777 across the board except for acme.json, cert.pem and key.pem respectively for both folder structures.

I'm willing to do a screen share to prove out this issue to you. I'm available all day today outside of 11:00-11:30 and 2:00-3:00 EST

EDIT: As another test, I moved all my files locally to my Fedora server and the issue persists. I had to run sudo chcon -Rt svirt_sandbox_file_t /var/traefik on my Fedora server before the container would start (After moving everything to an another machine, unable to connect or 404 - #9 by Wave6677).

Logs showing I am still receiving a 404 to tdarr.mydomain.net, but it is pointing to the correct IP at least. I assume this is an actual configuration issue with the router or container:

[root@ContainerStation ~]# cat /var/traefik/logs/traefik.log | grep tdarr@file
2025-01-29T07:30:50-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:313 > Creating load-balancer entryPointName=websecure routerName=tdarr@file serviceName=tdarr@file
2025-01-29T07:30:50-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=tdarr@file serverName=72c666012f67cc01 serviceName=tdarr@file target=https://192.168.10.20:30028

[root@ContainerStation ~]# cat /var/traefik/logs/access.log | grep tdarr@file
[root@ContainerStation ~]#

Logs showing my sonarr4k however is still pointing to my local Fedora server, the container is not honoring the configuration. For some reason I'm not seeing my laptop even hit the query, it's all stuck on internal Podman, which I have also restarted with systemctl restart podman.

[root@ContainerStation ~]# cat /var/traefik/logs/traefik.log | grep sonarr4k@file
2025-01-29T08:14:45-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:313 > Creating load-balancer entryPointName=websecure routerName=sonarr4k@file serviceName=sonarr4k@file
2025-01-29T08:14:45-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=sonarr4k@file serverName=9bde6258e42b47ab serviceName=sonarr4k@file target=http://192.168.10.200:8990
2025-01-29T08:14:46-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:313 > Creating load-balancer entryPointName=websecure routerName=sonarr4k@file serviceName=sonarr4k@file
2025-01-29T08:14:46-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=sonarr4k@file serverName=9bde6258e42b47ab serviceName=sonarr4k@file target=http://192.168.10.200:8990


[root@ContainerStation ~]# cat /var/traefik/logs/access.log | grep sonarr4k@file
192.168.10.65 - - [29/Jan/2025:13:26:18 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 30 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.65 - - [29/Jan/2025:13:26:18 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 31 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.65 - - [29/Jan/2025:13:26:19 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 32 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.65 - - [29/Jan/2025:13:26:19 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 33 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.65 - - [29/Jan/2025:13:26:19 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 34 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.65 - - [29/Jan/2025:13:26:19 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 35 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.65 - - [29/Jan/2025:13:26:19 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 36 "sonarr4k@file" "http://192.168.10.200:8990" 0ms
192.168.10.65 - - [29/Jan/2025:13:26:19 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 37 "sonarr4k@file" "http://192.168.10.200:8990" 0ms



[root@ContainerStation ~]# ping sonarr4k.mydomain.net
PING sonarr4k.galmotech.net (192.168.10.20) 56(84) bytes of data.
64 bytes from 192-168-10-20.plex.direct (192.168.10.20): icmp_seq=1 ttl=64 time=0.379 ms
64 bytes from 192-168-10-20.plex.direct (192.168.10.20): icmp_seq=2 ttl=64 time=0.315 ms
64 bytes from 192-168-10-20.plex.direct (192.168.10.20): icmp_seq=3 ttl=64 time=0.261 ms
64 bytes from 192-168-10-20-.plex.direct (192.168.10.20): icmp_seq=4 ttl=64 time=0.277 ms

Logs showing my Nextcloud container is still working on the local Fedora station:

[root@ContainerStation ~]# cat /var/traefik/logs/access.log | grep nextcloud@file
192.168.10.65 - - [29/Jan/2025:12:24:48 +0000] "GET / HTTP/2.0" 302 0 "-" "-" 7 "nextcloud@file" "https://192.168.10.200:8443" 451ms
192.168.10.65 - - [29/Jan/2025:12:24:49 +0000] "GET /login HTTP/2.0" 302 0 "-" "-" 8 "nextcloud@file" "https://192.168.10.200:8443" 69ms
192.168.10.65 - - [29/Jan/2025:12:24:49 +0000] "GET /apps/oidc_login/oidc HTTP/2.0" 302 0 "-" "-" 9 "nextcloud@file" "https://192.168.10.200:8443" 347ms

I've never had issues updating my dynamic file configuration before. I can try downgrading to version 2 and see if that resolves the issue but some help would be appreciated as I'm just trying shotgun approach troubleshooting right now with little constructive feedback.

If you receive a 404, it should be by Traefik proxy or the target service.

Enable and check Traefik /dashboard/, if the routers and services are registered.

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

  • Debug log: Is the dynamic config file read, are the routers and services created. Do requests arrive at Traefik?

  • Access log: Do requests arrive at Traefik, are errors returned by Traefik (only DownstreamStatus) or by target service (also OriginStatus)?

  • If nothing is shown, then requests probably don't arrive at that Traefik instance (potentially wrong DNS resolution, cached target IP, Traefik not listening on correct port)

I'm not sure if you're actually reading my posts in full.
I've already posted all of these logs and DNS pings in my previous posts, several times, along with my full configuration as requested.

Here is my tdarr entry, and no logs are shown in access.log:

http:
  routers:
    tdarr:
      rule: (Host(`tdarr.mydomain.net`) && (PathPrefix(`/#/`)))
      service: tdarr
      entryPoints:
        - "websecure"
http:
  services:
    tdarr:
      loadBalancer:
        passHostHeader: false
        servers:
          - url: https://192.168.10.20:30028

2025-02-01T14:05:38-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=tdarr@file serverName=72c666012f67cc01 serviceName=tdarr@file target=https://192.168.10.20:30028
2025-02-01T14:05:38-05:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for tdarr.mydomain.net with TLS options default entryPointName=websecure

Here is my sonarr4k entry with access.log entries again, pointing to the stale IP of 192.168.10.200, not the new IP of 192.168.10.20 which DNS properly resolves to:


http:
  routers:
    sonarr4k:
      rule: (Host(`sonarr4k.mydomain.net`))
      service: sonarr4k
      entryPoints:
        - "websecure"
http:
  services:
    sonarr4k:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.20:8990

2025-02-01T14:05:38-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=sonarr4k@file serverName=9bde6258e42b47ab serviceName=sonarr4k@file target=http://192.168.10.200:8990
2025-02-01T14:05:38-05:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for sonarr4k.mydomain.net with TLS options default entryPointName=websecure
192.168.10.200 - - [01/Feb/2025:19:16:00 +0000] "GET /api/v3/queue?apikey=a2c7a0399be743f3a8faf4d5756fdf79&includeEpisode=true HTTP/1.1" 502 11 "-" "-" 75 "sonarr4k@file" "http://192.168.10.200:8990" 1ms

DNS Entries:


I'd be happy to set up a screen share to look at this issue and you can see in real time that the dynamic file, based on logs is not updating the IP configured regardless of the system I use, Podman on Fedora, or Docker on TrueNAS.

As another test, I created two brand new services/routers.yml files and only put in my "sonarr4k" entries. Restarted the Traefik container, and it is still answering to 192.168.10.200:8990 instead of 192.168.10.20:8990.

I verified the container is receiving the correct IP information via DNS as well.

I see in the logs that Traefik is reaching out to github.com for a lot of activity now. As another step, I disabled all adblocking on my pihole servers to rule that out, but the issue remains.

Is Traefik now reaching out and caching configuration in github in version 3?

traefik.log:

2025-02-02T20:30:02-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bdae558e4283d6d
2025-02-02T20:30:02-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bdae558e4283d6d
2025-02-02T20:30:02-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bdae558e4283d6d
2025-02-02T20:30:02-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bdae558e4283d6d
2025-02-02T20:30:02-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bdae558e4283d6d
2025-02-02T20:30:02-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bdae558e4283d6d
2025-02-02T20:30:03-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9805badcaaecff3b
2025-02-02T20:30:03-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9805badcaaecff3b
2025-02-02T20:30:06-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: d139460c7d8d0710
2025-02-02T20:30:06-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: d139460c7d8d0710
2025-02-02T20:30:06-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: d139460c7d8d0710
2025-02-02T20:30:06-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: d139460c7d8d0710
2025-02-02T20:30:06-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 2895b14748414e57
2025-02-02T20:30:06-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 2895b14748414e57
2025-02-02T20:30:06-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 2895b14748414e57
2025-02-02T20:30:06-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 2895b14748414e57
2025-02-02T20:30:24-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:24-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"
2025-02-02T20:30:24-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:24-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:25-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:26-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bdae558e4283d6d
2025-02-02T20:30:26-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"
2025-02-02T20:30:27-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"
2025-02-02T20:30:27-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:207 > Service selected by WRR: 9bde6258e42b47ab
2025-02-02T20:30:28-05:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 502 Bad Gateway error="dial tcp 192.168.10.200:8990: connect: no route to host"

access.log:

192.168.10.10 - - [03/Feb/2025:01:30:26 +0000] "GET /api/v3/command HTTP/2.0" 200 12178 "-" "-" 26 "sonarr@file" "http://192.168.10.200:8989" 3ms
192.168.10.10 - - [03/Feb/2025:01:30:25 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 24 "sonarr4k@file" "http://192.168.10.200:8990" 1009ms
192.168.10.10 - - [03/Feb/2025:01:30:25 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 25 "sonarr4k@file" "http://192.168.10.200:8990" 2040ms
192.168.10.10 - - [03/Feb/2025:01:30:27 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 27 "sonarr4k@file" "http://192.168.10.200:8990" 1025ms

What does that mean? Traefik is reachable on the wrong IP? It’s the wrong target service Traefik is connecting to?

Please look at my configurations that I've provided twice (or more) times for you.

Traefik is sending requests to the wrong IP address, and it appears this is due to a cached entry in github for some reason.

My logs should CLEARLY SHOW that Traefik is not providing the correct IP address for translation based on its dynamic file entry. I don't know how many more times I need to say this after the monumentous proof I've provided here.

I'm fine eating my own words if the solution is simple, but I do hope you're aware what the definition of insanity is, which is the core of this entire post at this point.

Lastly for you, I've verified via CURL command that DNS is resolving correctly to the proper IP and the site is reachable on my configured port in the dynamic file. When I try the site over HTTPS over CURL through Traefik, I get a bad gateway.

Regular CURL to mydomain.net:port (works)

root@Server1:~# curl -v sonarr4k.mydomain.net:8990
* Host sonarr4k.mydomain.net:8990 was resolved.
* IPv6: (none)
* IPv4: 192.168.10.20
*   Trying 192.168.10.20:8990...
* Connected to sonarr4k.mydomain.net (192.168.10.20) port 8990
> GET / HTTP/1.1
> Host: sonarr4k.mydomain.net:8990
> User-Agent: curl/8.6.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Length: 1926
< Content-Type: text/html
< Date: Mon, 03 Feb 2025 19:14:14 GMT
< Server: Kestrel
< Cache-Control: no-cache, no-store
< Expires: -1
< Pragma: no-cache
< 
<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#3a3f51"/><meta name="msapplication-navbutton-color" content="#3a3f51"/><meta name="mobile-web-app-capable" content="yes"/><meta name="apple-mobile-web-app-capable" content="yes"/><meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/><meta name="format-detection" content="telephone=no"><meta name="description" content="Sonarr"/><link rel="apple-touch-icon" sizes="180x180" href="/Content/Images/Icons/apple-touch-icon.png?h=d+iS4xWxn2A2bjUwrERmSg"/><link rel="icon" type="image/png" sizes="32x32" href="/Content/Images/Icons/favicon-32x32.png?h=s64FHSxrh1sgZCiBBIVikQ"/><link rel="icon" type="image/png" sizes="16x16" href="/Content/Images/Icons/favicon-16x16.png?h=wksVbPqhKGB2B5P0O0h8IQ"/><link rel="manifest" href="/Content/manifest.json?h=ha7Qimh4kpwwtF1t/N273Q" crossorigin="use-credentials"/><link rel="mask-icon" href="/Content/Images/Icons/safari-pinned-tab.svg?h=00yLx0v47nGMoh9FRbDFkg" color="#00ccff"/><link rel="shortcut icon" type="image/ico" href="/favicon.ico"/><meta name="msapplication-config" content="/Content/browserconfig.xml"/><link rel="stylesheet" href="/Content/Fonts/fonts.css?h=zGLiHXGOeD2wslXPvUJgKA"><script>window.Sonarr = {
        urlBase: ''
      };</script><script src="/index-9b9cdaa8db8bf7281dd2.js"></script><link href="/Content/styles.css?h=zd/NtvlL8ktbpoBZYtb1Yw" rel="stylesheet"><title>Sonarr</title><style>.root {
        overflow: hidden;
        height: 100%; /* needed for proper layout */
      }

      @media only screen and (max-width: 768px) {
        .root {
          display: flex;
          flex-direction: column;
          min-height: 100%;
          height: auto;
        }
* Connection #0 to host sonarr4k.mydomain.net left intact
      }</style></head><body><div id="portal-root"></div><div id="root" class="root"></div></body></html>

HTTPS Request through Traefik (broken due to sending to wrong IP):

root@Server1:~# curl -v https://sonarr4k.myserver.net
* Host sonarr4k.myserver.net:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.10.20
*   Trying 192.168.10.20:443...
* Connected to sonarr4k.myserver.net (192.168.10.20) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=myserver.net
*  start date: Dec 15 22:06:07 2024 GMT
*  expire date: Mar 15 22:06:06 2025 GMT
*  subjectAltName: host "sonarr4k.myserver.net" matched cert's "*.myserver.net"
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://sonarr4k.myserver.net/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: sonarr4k.myserver.net]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: sonarr4k.myserver.net
> User-Agent: curl/8.6.0
> Accept: */*
> 
< HTTP/2 502 
< content-length: 11
< date: Mon, 03 Feb 2025 19:22:41 GMT
< 
* Connection #0 to host sonarr4k.myserver.net left intact
Bad Gateway

This is a community forum, I am just a user. If you want professional support, you can get the business subscription. But they probably do not support your OS.

If you don’t get help here, you can also try www.reddit.com/r/Traefik/ or Stackoverflow (or their correct brand for this kind of question).

Maybe it’s just a language issue, I am not a native English speaker, this sentence makes no sense to me:

Traefik is not providing the correct IP address for translation

In this whole topic we have two IPs. One in DNS, pointing domain name to Traefik instance. And the IP of the target service, which Traefik should proxy/forward requests to.

I don’t understand where the issue is happening.

What is Traefik dashboard showing in the "HTTP service" page, which should show the target IP?

My apologies then.
I will try to simplify, and let's forget DNS for now.

There are two IP addresses:
"Old" Server1 - 192.168.10.200
"New" Server2 - 192.168.10.20

My Dynamic File configuration is pointing the service to Server2, 192.168.10.20.
But the Traefik logs show it still forwarding requests to Server1, 192.168.10.200.

Okay, that should not happen. Traefik doesn’t remember settings. So when it’s restarted, it reads the settings again.

So if it used old settings, something is probably wrong with the config files or bind mounts into container.

Yes, correct hence why I made this post as something is not working as intended.

The container would not start if configuration was incorrect, and the dashboard shows the items configured correctly.

I'm wondering why the logs are referencing github.com, and also wondering if version 3 has some type of cached configuration it's reaching github for.
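An added example, not part of any post in this thread: a way to check the "config files or bind mounts" theory by comparing the server URLs in the dynamic file being edited with the targets Traefik logged when it last built each service. The sample file and log lines are constructed from the formats posted above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: a services file in the shape posted in the thread.
DYNAMIC_YAML = """\
http:
  services:
    sonarr4k:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://192.168.10.20:8990
    tdarr:
      loadBalancer:
        passHostHeader: false
        servers:
          - url: https://192.168.10.20:30028
"""

# Constructed sample in the thread's traefik.log format (one line keeps the
# "Line NNN:" prefix that the poster's search tool added).
TRAEFIK_LOG = """\
\tLine 186331: 2025-01-27T09:09:34-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=tdarr@file serverName=72c666012f67cc01 serviceName=tdarr@file target=https://192.168.10.20:30028
2025-01-29T08:14:45-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=sonarr4k@file serverName=9bde6258e42b47ab serviceName=sonarr4k@file target=http://192.168.10.200:8990
2025-01-29T08:14:46-05:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=websecure routerName=sonarr4k@file serverName=9bde6258e42b47ab serviceName=sonarr4k@file target=http://192.168.10.200:8990
"""

URL_RE = re.compile(r"^-?\s*url:\s*(\S+)$")
# The github.com/... token is the Go source path of the logging call site,
# so it is skipped as one opaque field.
SERVER_RE = re.compile(
    r"(\d{4}-\d\d-\d\dT\S+) DBG \S+ > Creating server "
    r".*?serviceName=([^@\s]+)@file target=(\S+)"
)


def configured_urls(yaml_text):
    """Return {service: [urls]} for the services.<name>...servers[].url shape.

    Minimal indentation-based reader for this one layout, not a YAML parser.
    """
    urls, current = {}, None
    in_services, services_indent, name_indent = False, 0, None
    for raw in yaml_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if text == "services:":
            in_services, services_indent = True, indent
            name_indent, current = None, None
            continue
        if in_services and indent <= services_indent:
            in_services = False  # left the services block
        if not in_services:
            continue
        if name_indent is None:
            name_indent = indent  # first key under services: is a service name
        if indent == name_indent and text.endswith(":"):
            current = text[:-1].strip("\"'")
            urls[current] = []
        elif current is not None:
            m = URL_RE.match(text)
            if m:
                urls[current].append(m.group(1).strip("\"'"))
    return urls


def loaded_targets(log_text):
    """Return {service: {targets}} from the most recent build of each service."""
    latest = {}  # service -> (timestamp, set of targets)
    for line in log_text.splitlines():
        m = SERVER_RE.search(line)
        if not m:
            continue
        stamp = datetime.fromisoformat(m.group(1))
        svc, target = m.group(2), m.group(3)
        seen = latest.get(svc)
        if seen is None or stamp > seen[0]:
            latest[svc] = (stamp, {target})
        elif stamp == seen[0]:
            seen[1].add(target)
    return {svc: targets for svc, (_, targets) in latest.items()}


def stale_services(yaml_text, log_text):
    """Map each service whose loaded targets differ from the file on disk."""
    have = loaded_targets(log_text)
    report = {}
    for svc, urls in configured_urls(yaml_text).items():
        running = have.get(svc)
        if running is None:
            report[svc] = ("not-loaded", sorted(urls), [])
        elif running != set(urls):
            report[svc] = ("mismatch", sorted(urls), sorted(running))
    return report


if __name__ == "__main__":
    for svc, (kind, want, got) in stale_services(DYNAMIC_YAML, TRAEFIK_LOG).items():
        print(f"{svc}: {kind} file={want} loaded={got}")
```

A "mismatch" here means the content Traefik parsed is not the content of the file that was edited, which narrows the search to the mount path inside the container or to another file in the watched directory that defines the same service name.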