Issues with linkwarden getting 502

Traefik Traefik v3 (latest)
,
1

I am getting 502 errors when trying to setup linkwarden with traefik. I know it has something to do with the network setup but i can’t figure out what i have setup wrong.

services:
  postgres:
    image: postgres:16-alpine
    env_file: .env
    restart: always
    volumes:
      - ./pgdata:/var/lib/postgresql/data
    networks:
      - linkwarden
  linkwarden:
    env_file: .env
    environment:
      - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/postgres
    restart: always
    # build: . # uncomment to build from source
    image: ghcr.io/linkwarden/linkwarden:latest # comment to build from source
    volumes:
      - ./data:/data/data
    depends_on:
      - postgres
      - meilisearch
    networks:
      - proxy
      - linkwarden
  meilisearch:
    image: getmeili/meilisearch:v1.12.8
    restart: always
    env_file:
      - .env
    volumes:
      - ./meili_data:/meili_data
    networks:
      - proxy
      - linkwarden
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.linkwarden.entrypoints=http"
      - "traefik.http.routers.linkwarden.rule=Host(`linkwarden.anarchyspeaks.com`)"
      - "traefik.http.middlewares.linkwarden-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.linkwarden.middlewares=linkwarden-https-redirect"
      - "traefik.http.routers.linkwarden-secure.entrypoints=https"
      - "traefik.http.routers.linkwarden-secure.rule=Host(`linkwarden.anarchyspeaks.com`)"
      - "traefik.http.routers.linkwarden-secure.tls=true"
      - "traefik.http.routers.linkwarden-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.linkwarden-secure.service=linkwarden"
      - "traefik.http.services.linkwarden.loadbalancer.server.port=3000"
networks:
  proxy:
    external: true
  linkwarden:

I have the proxy network working with other instances but linkwarden is the only one that needs other services besides it’s self to run such as postgres and meilisearch so im not sure if im setting up the network part for them to talk to each other but keeping it separate from traefik the proper way.

2

Share your full Traefik static and dynamic config, and Docker compose file(s) if used.

3

config

http:
  middlewares:    
    default-security-headers:
      headers:
        customBrowserXSSValue: 0                            # X-XSS-Protection=1; mode=block
        contentTypeNosniff: true                          # X-Content-Type-Options=nosniff
        forceSTSHeader: true                              # Add the Strict-Transport-Security header even when the connection is HTTP
        frameDeny: false                                   # X-Frame-Options=deny
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true                        # Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true                                  # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 3153600                              # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
        contentSecurityPolicy: "default-src 'self'"     
        customRequestHeaders:
          X-Forwarded-Proto: https
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

traefik.yaml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: ./config.yaml
certificatesResolvers:
  cloudflare:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
      email: myemail@email.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
           - "1.1.1.1:53"
           - "1.0.0.1:53"
log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"

compose.yaml

secrets:
  cf-token:
    file: ./cf-token
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    secrets:
      - cf-token
    env_file:
      - .env
    networks:
      proxy:
    ports:
      - 80:80
      - 443:443
    environment:
      - TRAEFIK_DASHBOARD_CREDENTIALSi=${TRAEFIK_DASHBOARD_CREDENTIALS}
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ubuntu/docker/traefik/traefik.yaml:/traefik.yaml:ro
      - /home/ubuntu/docker/traefik/acme.json:/acme.json
      - /home/ubuntu/docker/traefik/config.yaml:/config.yaml:ro
      - /home/ubuntu/docker/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-docker.anarchyspeaks.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-docker.anarchyspeaks.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=anarchyspeaks.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.anarchyspeaks.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
4

Enable and check Traefik debug log (doc), any "ERR" in logs?

Enable and check Traefik access log in JSON format (doc), what’s the output during requests?

5

SO im not seeing anything in the logs that i can find.

I grep the logs for any mention of linkwarden and copied them to a pastebin link. Not sure if you can see anything im missing

Logs

6

It has OriginStatus: 502, so it comes directly from your target service. Check those logs.

7

So I have been working on this and not made much headway. I have been able to get it to give me a 504 time out now. I have found that this has to do with linkwarden creating it’s own network and not responding on the proper “proxy” network i created. Not sure how to get traefik to use the network or have linkwarden use the proxy only instead of creating it’s own network. I have removed the networks sections from the compose file but it didn’t seem to help