Help getting Traefik to run on Synology using docker

I'm trying to get the latest version of Traefik to run in Docker on my Synology NAS. DSM already uses ports 80 and 443. I tried unbinding them, but I don't want to change the nginx configuration, so indeed the ports might be the issue, but I don't think so. So here's the issue: the container starts, I checked the logs and they appear fine, but when I try to connect to the dashboard page from another PC (not the NAS), the connection is suddenly cut off. Here's a list of things I've tried:

  • Verified that Traefik listens on the new port (netstat success)
  • Verified with curl from NAS to localhost:10443 and myIp:10443, TLS handshake OK
  • Tried curl from Mac to NAS, got “Connection reset by peer”
  • NAS firewall is disabled
  • I use AdGuard and that's properly configured as well
  • When I enter //traefik-docker.mydomain.org I get redirected to port 5001, the port I log in to on my NAS

Here are my files:

docker-compose.yaml
```yaml
secrets:
  cf-token:
    file: ./cf-token
services:
  traefik:
    image: traefik:latest # or traefik:v3.3 to pin a version
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true # helps to increase security
    secrets:
      - cf-token # the secret at the top of this file
    env_file:
      - .env # store other secrets e.g., dashboard password
    networks:
      proxy:
    ports:
      - 8080:80
      - 10443:443
      # - 10000:10000 # optional
      # - 33073:33073 # optional
    environment:
      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
      - CF_API_EMAIL=${CF_API_EMAIL} # Cloudflare email
      # - CF_DNS_API_TOKEN=YOUR-TOKEN # Cloudflare API Token
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token # see https://doc.traefik.io/traefik/https/acme/#providers
      # token file is the proper way to do it
      - TZ=My TimeZone
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik/traefik.yaml:/traefik.yaml:ro
      - /volume1/docker/traefik/acme.json:/acme.json
      - /volume1/docker/traefik/config.yaml:/config.yaml:ro
      - /volume1/docker/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-docker.mydomain.org`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-docker.mydomain.org`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.org"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.org"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true # or comment this line to auto create the network
```

cf-token
my cf-token

config.yaml
```yaml
http:
  middlewares:
    default-security-headers:
      headers:
        customBrowserXSSValue: 0 # X-XSS-Protection=1; mode=block
        contentTypeNosniff: true # X-Content-Type-Options=nosniff
        forceSTSHeader: true # Add the Strict-Transport-Security header even when the connection is HTTP
        frameDeny: false # X-Frame-Options=deny
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true # Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 3153600 # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
        contentSecurityPolicy: "default-src 'self'"
        customRequestHeaders:
          X-Forwarded-Proto: https
```

.env
```
TRAEFIK_DASHBOARD_CREDENTIALS=admin:$$my credentials
CF_API_EMAIL=my email
```

traefik.yaml
```yaml
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":8080"
    http:
      # middlewares: # uncomment if using CrowdSec - see my video
      #   - crowdsec-bouncer@file
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":10443"
    # http:
    #   middlewares: # uncomment if using CrowdSec - see my video
    #     - crowdsec-bouncer@file
  # tcp:
  #   address: ":10000"
  # apis:
  #   address: ":33073"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yaml
certificatesResolvers:
  cloudflare:
    acme:
      # caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
      email: myemail # Cloudflare email (or other provider)
      storage: acme.json
      dnsChallenge:
        provider: cloudflare # change as required
        # disablePropagationCheck: true # Some people using Cloudflare note this can solve DNS propagation issues.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"
```

Place 3 backticks before and after code/config to make it more readable and preserve spacing, which is important in yaml.

If you use different ports, then you need to add those ports to the URL, like https://domain:port.
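
An added example, not part of the thread: a small check that lines up the `host:container` port mappings from docker-compose.yaml with the entryPoints addresses in traefik.yaml and reports which host port (the one that goes in the URL) reaches each entry point. The function names are hypothetical, and the sample values are constructed from the port and address lines posted above.

```python
import re

# Constructed sample: port and entry-point lines taken from the posted files.
COMPOSE_PORTS = ["8080:80", "10443:443"]
TRAEFIK_YAML = """\
entryPoints:
  http:
    address: ":8080"
  https:
    address: ":10443"
log:
  level: "INFO"
"""

def published(mappings):
    """Return {container port: host port} from compose 'host:container' strings."""
    out = {}
    for mapping in mappings:
        # Drop an optional '/tcp' suffix and an optional leading bind address.
        host, container = mapping.split("/")[0].split(":")[-2:]
        out[int(container)] = int(host)
    return out

def entrypoint_ports(static_yaml):
    """Return {entry point name: port Traefik listens on inside the container}."""
    ports, name, inside = {}, None, False
    for line in static_yaml.splitlines():
        if re.match(r"^\S", line):                   # a top-level key
            inside = line.startswith("entryPoints:")
            continue
        if not inside:
            continue
        m = re.match(r"^ {2}([\w-]+):\s*$", line)    # entry point name
        if m:
            name = m.group(1)
            continue
        m = re.match(r'^ {4}address:\s*"?[^":]*:(\d+)', line)
        if m and name:
            ports[name] = int(m.group(1))
    return ports

def check(mappings, static_yaml):
    """Map each entry point to the host port that reaches it, or None if unpublished."""
    pub = published(mappings)
    return {n: pub.get(p) for n, p in entrypoint_ports(static_yaml).items()}

if __name__ == "__main__":
    for name, host_port in check(COMPOSE_PORTS, TRAEFIK_YAML).items():
        print(name, "->", host_port if host_port else "no published port reaches it")
```

For the values as posted, `check` returns `None` for both entry points: the compose file publishes container ports 80 and 443, while the entry points listen on 8080 and 10443 inside the container.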