Issue when connecting to services with dedicated apps, but works in browser

What did you do?

I’m running several services (Home Assistant, Immich, Gotify, Nextcloud, Jellyfin) behind Traefik v3.5.0, with Cloudflare DNS challenge for TLS.
From my Android phone:

  • When connected via cellular (4G/5G) → all mobile apps connect fine through Traefik using my domain (e.g. https://ha.mydomain.com).
  • When connected via Wi-Fi on my local LAN:
    • Accessing the same URL in a browser works perfectly (all services load).
    • Accessing the same URL in the native mobile apps fails (connection timeout / no logs in Traefik).
    • Example: Home Assistant app fails immediately, but browser access to https://ha.mydomain.com works fine. Same with Immich, Gotify, Nextcloud, Jellyfin.

So, the issue only appears with mobile apps + Wi-Fi LAN.
The fact that Traefik logs show no connection suggests the requests never reach the backend router properly in this scenario.
Also worth mentioning: this configuration used to work but now it doesn't, and from what I can tell the issue appeared when I upgraded my PVE to 9.0 and the LXC where Docker is running to Debian 13.

What did you see instead?

  • Apps time out / fail to connect when on LAN Wi-Fi.
  • Browser access on the same device, same URL, works fine.
  • Traefik access logs show nothing for these failed app attempts.
  • Problem affects multiple apps (HA, Immich, Gotify, Nextcloud, Jellyfin).

What version of Traefik are you using?

Version: 3.5.0
Codename: chabichou
Go version: go1.24.5
Built: 2025-07-23T13:57:30Z
OS/Arch: linux/amd64

What is your environment & configuration?

traefik.yml

api:
  dashboard: true
  debug: true

entryPoints:
  sftp:
    address: :2022  # Use a separate port to avoid conflicts with SSH

  http:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - "172.18.0.0/16"  # Internal Docker network address
    http:
      middlewares:
        - secured@file
      redirections:
        entryPoint:
          to: https
          scheme: https

  https:
    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    forwardedHeaders:
      trustedIPs:
        - "172.18.0.0/16"  # Internal Docker network address
    http:
      middlewares:
        - secured@file
      tls:
        options: default
        certResolver: cloudflare

  http-external:
    address: ":81"
    forwardedHeaders:
      trustedIPs:
        - "172.18.0.0/16"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "108.162.192.0/18"
        - "131.0.72.0/22"
        - "141.101.64.0/18"
        - "162.158.0.0/15"
        - "172.64.0.0/13"
        - "173.245.48.0/20"
        - "188.114.96.0/20"
        - "190.93.240.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
    http:
      middlewares:
        - secured-external@file
      redirections:
        entryPoint:
          to: https-external
          scheme: https

  https-external:
    address: ":444"
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    forwardedHeaders:
      trustedIPs:
        - "172.18.0.0/16"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "108.162.192.0/18"
        - "131.0.72.0/22"
        - "141.101.64.0/18"
        - "162.158.0.0/15"
        - "172.64.0.0/13"
        - "173.245.48.0/20"
        - "188.114.96.0/20"
        - "190.93.240.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
    http:
      middlewares:
        - secured-external@file
      tls:
        options: default
        certResolver: cloudflare

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /rules
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      email: cert@bronevez.uk
      storage: acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

tls:
  options:
    default:
      minVersion: VersionTLS13
      curvePreferences:
        - X25519
        - CurveP256
        - CurveP384

experimental:
  plugins:
    crowdsec-bouncer-traefik-plugin:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: "v1.4.2"

log:
  filePath: "/var/log/traefik/traefik.log"
  level: DEBUG
  format: json
accessLog:
  filePath: "/var/log/traefik/access.log"
  format: json

Can be optimized but works... or it used to.

Why do you think it’s a Traefik issue, if no requests show up in the log? It could be Android, Proxmox, LXC, Docker.

Maybe it’s time to freshen up your Wireshark skills. Or just check the network interfaces on the different layers if packet count increases.
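
The counter check suggested in the reply above, as an added example that is not part of the original thread: it compares two snapshots of /proc/net/dev and reports how many packets each interface received in between, so the layer where traffic stops becomes visible. The interface names (eth0 for the LXC NIC, br-proxy for the Docker bridge) and the snapshot values are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): per-interface RX growth between two
# snapshots of /proc/net/dev, to see at which layer packets stop arriving.

# rx_delta BEFORE AFTER -> one line per interface: "iface rx_packets=+N rx_drop=+N"
rx_delta() {
    awk '
        FNR <= 2 { next }                      # skip the two header lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, ":")               # "iface: counters..."
            split(kv[2], f, " ")               # f[2] = rx packets, f[4] = rx drop
            if (NR == FNR) { pk[kv[1]] = f[2]; dr[kv[1]] = f[4]; next }
            if (kv[1] in pk) {
                printf "%s rx_packets=+%d rx_drop=+%d\n", kv[1], f[2] - pk[kv[1]], f[4] - dr[kv[1]]
            }
        }' "$1" "$2"
}

# demo: runs rx_delta on constructed snapshots; interface names are hypothetical
# (eth0 = LXC NIC, br-proxy = Docker bridge in front of Traefik).
demo() {
    d=$(mktemp -d)
    hdr='Inter-|   Receive                         |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed'
    printf '%s\n' "$hdr" \
        '  eth0: 50000 400 0 0 0 0 0 0 30000 300 0 0 0 0 0 0' \
        'br-proxy: 90000 900 0 0 0 0 0 0 80000 850 0 0 0 0 0 0' > "$d/before"
    printf '%s\n' "$hdr" \
        '  eth0: 50720 412 0 0 0 0 0 0 30000 300 0 0 0 0 0 0' \
        'br-proxy: 90000 900 0 0 0 0 0 0 80000 850 0 0 0 0 0 0' > "$d/after"
    rx_delta "$d/before" "$d/after"
    rm -rf "$d"
}

demo
# On a real host: cat /proc/net/dev > before; retry the app; cat /proc/net/dev > after
# then: rx_delta before after   (repeat on the PVE host, in the LXC, in the container)
```

Counters include background traffic, so take the snapshots close together on an otherwise quiet interface; a rising rx_drop alongside a flat count on the next layer points at that hop.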

I thought it was Traefik because I didn’t expect the others to be the problem. I will dig more into the issue and come back if I find something interesting.

I'm not sure what caused the error; suddenly it stopped working. Is it the Android Companion app? Does it have something to do with Home Assistant Core, Supervisor, the operating system, or the front end? It's unfortunate when you can no longer access it remotely. I've already tried Cloudflare, but I haven't quite figured it out yet. What also surprises me is that so few people are experiencing this error, or rather, that there is so little information about it.
