Error 502 Websocket time out with Gotify

Hello, long time :slight_smile:

I have jump to Traefik v3.3. All is working except Gotify.

services:
  gotify:
    image: gotify/server:2.6.1
    container_name: gotify
    volumes:
      - $BASE/gotify:/app/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    command:
      - "--host=tcp://g-docker-socket-proxy:2375"
    security_opt:
      - no-new-privileges:true
    depends_on:
      - dockerproxy
    networks:
      - mynet
      - socket-g
    environment:
      - TZ=Europe/Helsinki
      - GOTIFY_SERVER_PORT=8081

    labels:
    # Traefik Redirect to HTTPS
      - "traefik.http.middlewares.redirect-https.redirectScheme.scheme=https"
      - "traefik.http.middlewares.redirect-https.redirectScheme.permanent=true"

    # Traefik Router + Service Configuration
      - "traefik.http.routers.gotify-server.rule=Host(`gotify mynet.org`)"
      - "traefik.http.routers.gotify-server.entrypoints=https-external"
      - "traefik.http.routers.gotify-server.tls=true"
      - "traefik.http.routers.gotify-server.tls.certresolver=cloudflare"
      - "traefik.http.routers.gotify-server.middlewares=redirect-https"
      - "traefik.http.routers.gotify-server.service=gotify-server"
      - "traefik.http.services.gotify-server.loadbalancer.passhostheader=true"
      - "traefik.http.services.gotify-server.loadbalancer.server.port=8081"
      - "traefik.http.services.gotify-server.loadbalancer.sticky=true"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto = http"
      - "traefik.http.routers.gotify-server.service.loadbalancer.server.respondingTimeouts.readTimeout=420"
      - "traefik.http.routers.gotify-server.service.loadbalancer.server.respondingTimeouts.writeTimeout=420"
      - "traefik.http.routers.gotify-server.service.loadbalancer.server.respondingTimeouts.idleTimeout=420"
      - "traefik.docker.network mynet"

      #- "traefik.enable=true"
      #- "traefik.http.routers.gotify.entrypoints=http-external"
      #- "traefik.http.routers.gotify.rule=Host(`gotify mynet.org`)"
      #- "traefik.http.middlewares.gotify-https-redirect.redirectscheme.scheme=https"
      #- "traefik.http.routers.gotify.middlewares=gotify-https-redirect"
      #- "traefik.http.routers.gotify-secure.entrypoints=https-external"
      #- "traefik.http.routers.gotify-secure.rule=Host(`gotify mynet.org`)"
      #- "traefik.http.routers.gotify-secure.tls=true"
      #- "traefik.http.routers.gotify-secure.service=gotify"
      #- "traefik.http.services.gotify.loadbalancer.server.port=8081"
      #- "traefik.docker.network mynet"


  dockerproxy:
    image: wollomatic/socket-proxy:1.5.4
    container_name: g-docker-socket-proxy
    command:
      - -loglevel=info # change to info in prod
      - -allowfrom=gotify
      - -listenip=0.0.0.0
      - -shutdowngracetime=5
      - -allowGET=/containers/.*
      - -watchdoginterval=600
      - -stoponwatchdog
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:110 # change gid from 998 to the gid of the docker group on your host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-g
networks:
  socket-g:
    internal: true
    attachable: false
  mynet:
    external: true
gotify:
      entryPoints:
        - "https-external"
      rule: "Host(`gotify.mynet.org`)"
      middlewares:
        - https-redirectscheme
        #- authentik
      tls: {}
      service: gotify
gotify:
      loadBalancer:
        servers:
          - url: "http://192.168.xxx.XXX:8081"
        passHostHeader: true

Concerning the traefik commented labels, when using its, sometimes it is working for a certain amount of time until I have the websocket time out.
I have read posts from 2020 concerning the same problem, but it didn't help.

Thx

I can spot 3 potential issues:

Hi,
I forget to add the "traefix.enable=true" but the two other mistakes were typo when I did my copy/past.
Still have the same pb. Thx

services:
  gotify:
    image: gotify/server:2.6.1
    container_name: gotify
    volumes:
      - $BASE/gotify:/app/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    command:
      - "--host=tcp://g-docker-socket-proxy:2375"
    security_opt:
      - no-new-privileges:true
    depends_on:
      - dockerproxy
    networks:
      - mynet
      - socket-g
    environment:
      - TZ=Europe/Helsinki
      - GOTIFY_SERVER_PORT=8081

    labels:
      - "traefik.enable=true"
    # Traefik Redirect to HTTPS
      - "traefik.http.middlewares.redirect-https.redirectScheme.scheme=https"
      - "traefik.http.middlewares.redirect-https.redirectScheme.permanent=true"

    # Traefik Router + Service Configuration
      - "traefik.http.routers.gotify-server.rule=Host(`gotify.mynet.org`)"
      - "traefik.http.routers.gotify-server.entrypoints=https-external"
      - "traefik.http.routers.gotify-server.tls=true"
      - "traefik.http.routers.gotify-server.tls.certresolver=cloudflare"
      - "traefik.http.routers.gotify-server.middlewares=redirect-https"
      - "traefik.http.routers.gotify-server.service=gotify-server"
      - "traefik.http.services.gotify-server.loadbalancer.passhostheader=true"
      - "traefik.http.services.gotify-server.loadbalancer.server.port=8081"
      - "traefik.http.services.gotify-server.loadbalancer.sticky=true"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto = http"
      - "traefik.http.routers.gotify-server.service.loadbalancer.server.respondingTimeouts.readTimeout=420"
      - "traefik.http.routers.gotify-server.service.loadbalancer.server.respondingTimeouts.writeTimeout=420"
      - "traefik.http.routers.gotify-server.service.loadbalancer.server.respondingTimeouts.idleTimeout=420"
      - "traefik.docker.network=mynet"

      #- "traefik.enable=true"
      #- "traefik.http.routers.gotify.entrypoints=http-external"
      #- "traefik.http.routers.gotify.rule=Host(`gotify.mynet.org`)"
      #- "traefik.http.middlewares.gotify-https-redirect.redirectscheme.scheme=https"
      #- "traefik.http.routers.gotify.middlewares=gotify-https-redirect"
      #- "traefik.http.routers.gotify-secure.entrypoints=https-external"
      #- "traefik.http.routers.gotify-secure.rule=Host(`gotify.mynet.org`)"
      #- "traefik.http.routers.gotify-secure.tls=true"
      #- "traefik.http.routers.gotify-secure.service=gotify"
      #- "traefik.http.services.gotify.loadbalancer.server.port=8081"
      #- "traefik.docker.network=mynet"


  dockerproxy:
    image: wollomatic/socket-proxy:1.5.4
    container_name: g-docker-socket-proxy
    command:
      - -loglevel=info # change to info in prod
      - -allowfrom=gotify
      - -listenip=0.0.0.0
      - -shutdowngracetime=5
      - -allowGET=/containers/.*
      - -watchdoginterval=600
      - -stoponwatchdog
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:110 # change gid from 998 to the gid of the docker group on your host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-g
networks:
  socket-g:
    internal: true

I have put back my original config, it is now working until the websocket pb appear, in the same time I have add three new flags in the command :

services:
  gotify:
    image: gotify/server:2.6.1

    container_name: gotify
    volumes:
      - $BASE/gotify:/app/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    command:
      - "--host=tcp://g-docker-socket-proxy:2375"
      - "--entryPoints.https-external.transport.respondingTimeouts.readTimeout=420"
      - "--entryPoints.https-external.transport.respondingTimeouts.writeTimeout=420"
      - "--entryPoints.https-external.transport.respondingTimeouts.idleTimeout=420"
    security_opt:
      - no-new-privileges:true
    depends_on:
      - dockerproxy
    networks:
      - mynet
      - socket-g
    environment:
      - TZ=Europe/Helsinki
      - GOTIFY_SERVER_PORT=8081

    labels:
      
      - "traefik.enable=true"
      - "traefik.http.routers.gotify.entrypoints=http-external"
      - "traefik.http.routers.gotify.rule=Host(`gotify.domain.org`)"
      - "traefik.http.middlewares.gotify-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.gotify.middlewares=gotify-https-redirect"
      - "traefik.http.routers.gotify-secure.entrypoints=https-external"
      - "traefik.http.routers.gotify-secure.rule=Host(`gotify.domain.org`)"
      - "traefik.http.routers.gotify-secure.tls=true"
      - "traefik.http.routers.gotify-secure.service=gotify"
      - "traefik.http.services.gotify.loadbalancer.server.port=8081"
      - "traefik.docker.network=mynet"


  dockerproxy:
    image: wollomatic/socket-proxy:1.5.4
    container_name: g-docker-socket-proxy
    command:
      - -loglevel=info # change to info in prod
      - -allowfrom=gotify
      - -listenip=0.0.0.0
      - -shutdowngracetime=5
      - -allowGET=/containers/.*
      - -watchdoginterval=600
      - -stoponwatchdog
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:110 # change gid from 998 to the gid of the docker group on your host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-g
networks:
  socket-g:
    internal: true
    attachable: false
  mynet:
    external: true

I am writing to seek clarification regarding the correct way to specify the port number when using Docker and Traefik.

Today, I am a bit confused about how to properly configure the port number. If I am not mistaken, when using Docker and Traefik, I should not add any port number in the Docker configuration except for the "loadbalancer.server.port". It is Traefik that will reroute the traffic to the Docker container.

If my understanding is correct, I apologize for any confusion, but it seems that the current configuration for Gotify might be incorrect because I have added a port number.
I have add "GOTIFY_SERVER_PORT=8081" and "traefik.http.services.gotify.loadbalancer.server.port=8081"

Could you please confirm if this is the correct approach or provide guidance on the proper configuration?

Is it right ?

Thx

It break again .... Error 502.
I had to change the service url addr from HTTP to HTTPS (in the dynamic file) to make it working ....

The first one tells the application itself which port to use, the second one tells Traefik which port to use - so the port number should be the same.

It seems the application has a lot of env var config options (doc), from best practice (without knowing the application) I would recommend:

GOTIFY_SERVER_SSL_ENABLED=false
GOTIFY_SERVER_SSL_REDIRECTTOHTTPS=false
GOTIFY_SERVER_SSL_LETSENCRYPT_ENABLED=false

Ok I have applied your input, it break again.
To make it working again, I had to go to the dynamic traefik file and move from HTTPS to HTTP ...

gotify:
      loadBalancer:
        servers:
          - url: "http://192.168.xxxxx:8081"
        passHostHeader: true

When you tells the apps itself which port to use, an't you exposing this port to outside ??

My Gotify compose.yaml (maybe this will help).

services:
  gotify:
    image: gotify/server
    container_name: gotify
    restart: unless-stopped
    environment:
      - TZ=Phobos/Maelstrom
    security_opt:
      - no-new-privileges=true
    volumes:
      - data:/app/data
    networks:
      - proxy

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.gotify.entrypoints=web-external"
      - "traefik.http.routers.gotify.rule=Host(`go.somedomain`)"
      - "traefik.http.middlewares.gotify-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.gotify.middlewares=gotify-https-redirect"
      - "traefik.http.routers.gotify-secure.entrypoints=websecure-external"
      - "traefik.http.routers.gotify-secure.rule=Host(`go.somedomain`)"
      - "traefik.http.routers.gotify-secure.service=gotify"
      - "traefik.http.services.gotify.loadbalancer.server.port=80"

networks:
  proxy:
    external: true

volumes:
  data:

Anything else?

if I comment out #- GOTIFY_SERVER_PORT=8081 and leave - "traefik.http.services.gotify.loadbalancer.server.port=8081" commented, I do not have anymore access to the gotify URL ...

services:
  gotify:
    image: gotify/server:2.6.1

    container_name: gotify
    volumes:
      - $BASE/gotify:/app/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    command:
      - "--host=tcp://g-docker-socket-proxy:2375"
      - "--entryPoints.https-external.transport.respondingTimeouts.readTimeout=420"
      - "--entryPoints.https-external.transport.respondingTimeouts.writeTimeout=420"
      - "--entryPoints.https-external.transport.respondingTimeouts.idleTimeout=420"
    security_opt:
      - no-new-privileges:true
    depends_on:
      - dockerproxy
    networks:
      - mynet
      - socket-g
    environment:
      - TZ=Europe/Helsinki
      #- GOTIFY_SERVER_PORT=8081
      - GOTIFY_SERVER_SSL_ENABLED=false
      - GOTIFY_SERVER_SSL_REDIRECTTOHTTPS=false
      - GOTIFY_SERVER_SSL_LETSENCRYPT_ENABLED=false

    labels:
      
      - "traefik.enable=true"
      - "traefik.http.routers.gotify.entrypoints=http-external"
      - "traefik.http.routers.gotify.rule=Host(`gotify.domain.org`)"
      - "traefik.http.middlewares.gotify-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.gotify.middlewares=gotify-https-redirect"
      - "traefik.http.routers.gotify-secure.entrypoints=https-external"
      - "traefik.http.routers.gotify-secure.rule=Host(`gotify.domains.org`)"
      - "traefik.http.routers.gotify-secure.tls=true"
      - "traefik.http.routers.gotify-secure.service=gotify"
      - "traefik.http.services.gotify.loadbalancer.server.port=8081"
      - "traefik.docker.network=mynet"


  dockerproxy:
    image: wollomatic/socket-proxy:1.5.4
    container_name: g-docker-socket-proxy
    command:
      - -loglevel=info # change to info in prod
      - -allowfrom=gotify
      - -listenip=0.0.0.0
      - -shutdowngracetime=5
      - -allowGET=/containers/.*
      - -watchdoginterval=600
      - -stoponwatchdog
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:110 # change gid from 998 to the gid of the docker group on your host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-g
networks:
  socket-g:
    internal: true
    attachable: false
  mynet:
    external: true

This is a Traefik forum, we don’t know all the applications used.

It's probably better you understand the requirements of your application first (protocols, ports, paths) and then ask here for Traefik configuration support.

That's because you have assigned a custom port (8081) to the container. The default port is "80". I don't see the advantage in changing it, but if you must, then do not comment out that variable, and you must then use "8081" in the loadbalancer.

You've also added complexity to the Gotify compose. I would first establish that Gotify works in a simple manner before adding all those bits.

Problem Resolved

I am pleased to report that the issue has been successfully resolved. Initially, I removed the exposed port and excluded Gotify from the dynamic configuration file. The root cause was a misconfiguration on my part. When utilizing Traefik, it is essential not to expose ports directly in the product's Docker Compose file, as Traefik handles the routing. The Gotify configuration had become overly complex due to various online recommendations aimed at addressing the error 502 issue. Thank you for your assistance.