Making WebSockets accessible via Traefik v2 additionally on a non-standard port

Hello,

I am trying to achieve the following scenario.

I have a service running inside a Docker container that opens a WebSocket on port 2992; however, WebSockets run on port 443 as well. The WebSockets on port 443 can be accessed from outside.

The partial docker-compose configuration is below.

  service:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.http-secure.rule=Host(`https://myhostname.com`)"
      - "traefik.http.routers.http-secure.entrypoints=websecure"
      - "traefik.http.routers.http-secure.tls=true"
    networks:
      - internal-network
      - public-network 

  
  
  traefik:
    image: traefik:2.11.2
    restart: always
    container_name: traefik
    volumes: 
    environment: 
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.web.forwardedHeaders.insecure=true
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=public-network
      - --providers.file.directory=/configuration/
      - --providers.file.watch=true
      - --accesslog
      - --accesslog.fields.names.StartUTC=drop
      - --serversTransport.insecureSkipVerify=true
    ports:
      - 2992:2992
      - 80:80
      - 443:443
    networks:
      - internal-network
      - public-network
      
  networks:
    internal-network:
      internal: true
    public-network:


Any potential suggestion to make this setup work would be appreciated.

Can you rephrase? You want two external WebSocket ports with 2 internal WebSocket ports?

That is indeed correct.

The use case/implementation of the service requires this.

Is this a limitation of Traefik? It works on a local machine without Traefik without any problems.

Best Regards

You can create two entrypoints for the two ports, create two routers, each listening on one entrypoint and using a dedicated target service with the correct port.

And don’t forget to open both ports on the Traefik container.

Hello,

After some experimentation and reading I managed to change my configuration so that at least the connection to the opened WebSocket is not disconnected immediately. There were no Traefik errors in the console like Empty-Rules/Service not found either. However, the communication does not progress and it seems that Traefik blocks the outgoing traffic... I would appreciate any kind of hints and help. Thank you :)

Here is a little more context: The service is a Java backend that uses GraalVM with JavaScript. The additional WebSocket is for allowing Chrome to debug the JavaScript code run in the backend (it works locally flawlessly).

    labels: 
      # First Router
      - "traefik.enable=true"
      - "traefik.http.routers.http-secure.rule=Host(`https://myhostname.com`)"
      - "traefik.http.routers.http-secure.entrypoints=websecure"
      - "traefik.http.routers.http-secure.tls=true"

      # Second Router
      - "traefik.http.routers.ws-debugging.rule=Host(`debug.myhostname.com:2992/debug`)"
      - "traefik.http.routers.ws-debugging.entrypoints=debugging"
      #I tried to add a tcp router as well
      - "traefik.tcp.routers.ws-debugging.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.ws-debugging.entrypoints=debugging"
    networks:
      - internal-network
      - public-network 

  
  
  traefik:
    image: traefik:2.11.2
    restart: always
    container_name: traefik
    volumes: 
    environment: 
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.web.forwardedHeaders.insecure=true
      - --entrypoints.websecure.address=:443
      #This command was added
      - --entrypoints.debugging.address=:2992
      #Addition END
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=public-network
      - --providers.file.directory=/configuration/
      - --providers.file.watch=true
      - --accesslog
      - --accesslog.fields.names.StartUTC=drop
      - --serversTransport.insecureSkipVerify=true
    ports:
      - 2992:2992
      - 80:80
      - 443:443
    networks:
      - internal-network
      - public-network
      
  networks:
    internal-network:
      internal: true
    public-network:

A small update: after some experimentation I managed to get Chrome Dev-Tools to connect over the WebSocket to the GraalVM backend. However, after some time the connection gets refused and I am at a roadblock again.

The burning question is... will it work without TLS over Traefik and hostnames, or am I required to use TLS? (This will be implementation work in the backend though, and this should be a last resort.)

Any kind of help would be appreciated.

     # First Router
     - "traefik.http.routers.http-secure.rule=Host(`https://myhostname.com`)"
     - "traefik.http.routers.http-secure.entrypoints=websecure"
     - "traefik.http.routers.http-secure.tls=true" 

     # Second Router
     # Only a TCP-Only router works for this case for me
     - "traefik.tcp.routers.ws-debugging.rule=HostSNI(`*`)"
     - "traefik.tcp.routers.ws-debugging.entrypoints=debugging"
     - "traefik.tcp.routers.ws-debugging.tls=false"
     - "traefik.tcp.routers.ws-debugging.service=ws-debugging"

     # Services
     # This is required in order to let Chrome Dev-Tools connect to the backend
     - "traefik.tcp.services.ws-debugging.loadbalancer.server.port=2992"
      
   networks:
     - internal-network
     - public-network 

 
 
 traefik:
   image: traefik:2.11.2
   restart: always
   container_name: traefik
   volumes: 
   environment: 
   command:
     - --entrypoints.web.address=:80
     - --entrypoints.web.http.redirections.entrypoint.to=websecure
     - --entrypoints.web.http.redirections.entrypoint.scheme=https
     - --entrypoints.web.http.redirections.entrypoint.permanent=true
     - --entrypoints.web.forwardedHeaders.insecure=true
     - --entrypoints.websecure.address=:443
     #This command was added
     - --entrypoints.debugging.address=:2992
     #Addition END
     - --providers.docker=true
     - --providers.docker.exposedbydefault=false
     - --providers.docker.network=public-network
     - --providers.file.directory=/configuration/
     - --providers.file.watch=true
     - --accesslog
     - --accesslog.fields.names.StartUTC=drop 
   ports:
     - 2992:2992
     - 80:80
     - 443:443
   networks:
     - internal-network
     - public-network
     
 networks:
   internal-network:
     internal: true
   public-network:

I believe some timeouts were introduced or made stricter in v2.11 and v3.0 due to CVEs.

Enable the Traefik debug log and check whether timeouts are mentioned. Also check the entrypoint, router and service docs to see if something is stated there.

Hi,

Here is a short update: The error lay in the backend implementation of the service, which caused a disconnect. The following Traefik configuration helped with the problem. The trick was to use a TCP router and TCP service. The timeouts did not need to be increased. I tried, but everything was OK so far, either with or without increasing the timeouts.

I thank you for your help and the hints that brought the solution.

Thank you :)

Below is the final configuration.

    labels:
      - "traefik.enable=true"
       
      # First Router
      - "traefik.http.routers.http-secure.rule=Host(`https://myhostname.com`)"
      - "traefik.http.routers.http-secure.entrypoints=websecure"
      - "traefik.http.routers.http-secure.tls=true" 

      # Second Router (added)
      - "traefik.tcp.routers.ws-debugging.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.ws-debugging.entrypoints=debugging"
      - "traefik.tcp.routers.ws-debugging.tls=false"
      - "traefik.tcp.routers.ws-debugging.service=ws-debugging"

      # Services (added)
      # This is required in order to let Chrome Dev-Tools connect to the back-end service
      - "traefik.tcp.services.ws-debugging.loadbalancer.server.port=2992"
    networks:
      - internal-network
      - public-network 

  
  
  traefik:
    image: traefik:2.11.2
    restart: always
    container_name: traefik
    volumes: 
    environment: 
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.web.forwardedHeaders.insecure=true
      - --entrypoints.websecure.address=:443
      #This is the only added line
      - --entrypoints.debugging.address=:2992
      #Addition end
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=public-network
      - --providers.file.directory=/configuration/
      - --providers.file.watch=true
      - --accesslog
      - --accesslog.fields.names.StartUTC=drop
      - --serversTransport.insecureSkipVerify=true
    ports:
      - 2992:2992
      - 80:80
      - 443:443
    networks:
      - internal-network
      - public-network
      
  networks:
    internal-network:
      internal: true
    public-network:
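An added example, not part of the thread or of Traefik: a small audit over the final configuration's labels, flags and port mappings. It reports a plaintext catch-all TCP router that is reachable on a port published on every host interface (here the debugger WebSocket on 2992), plus the two `insecure` flags. The function name and finding codes are this example's own; the sample input is constructed from the configuration above.

```python
import re

# Constructed input: labels, flags and port mappings taken from the final
# configuration in the thread above.
LABELS = [
    "traefik.tcp.routers.ws-debugging.rule=HostSNI(`*`)",
    "traefik.tcp.routers.ws-debugging.entrypoints=debugging",
    "traefik.tcp.routers.ws-debugging.tls=false",
    "traefik.tcp.routers.ws-debugging.service=ws-debugging",
    "traefik.tcp.services.ws-debugging.loadbalancer.server.port=2992",
]
FLAGS = [
    "--entrypoints.web.forwardedHeaders.insecure=true",
    "--entrypoints.debugging.address=:2992",
    "--accesslog",
    "--serversTransport.insecureSkipVerify=true",
]
PORTS = ["2992:2992", "80:80", "443:443"]


def audit(labels, flags, ports):
    """Return (code, detail) findings; the codes are this example's own names."""
    kv = dict(l.split("=", 1) for l in labels)
    opts = {k.lstrip("-").lower(): v for k, v in (f.split("=", 1) for f in flags if "=" in f)}
    # "host:container" or bare "container" publishes on every host interface;
    # "ip:host:container" is bound to a single address.
    public = {p.split("/")[0].split(":")[-1] for p in ports if p.count(":") < 2}
    findings = []
    names = {m.group(1) for k in kv if (m := re.match(r"traefik\.tcp\.routers\.([^.]+)\.", k))}
    for name in sorted(names):
        base = f"traefik.tcp.routers.{name}."
        catch_all = kv.get(base + "rule", "").replace(" ", "") == "HostSNI(`*`)"
        has_tls = any(k.startswith(base + "tls") and v.lower() != "false" for k, v in kv.items())
        guarded = base + "middlewares" in kv  # e.g. an IP allow-list middleware
        for ep in kv.get(base + "entrypoints", "").split(","):
            addr = opts.get(f"entrypoints.{ep.strip().lower()}.address", "")
            port = addr.split("/")[0].rsplit(":", 1)[-1]
            if catch_all and not has_tls and not guarded and port in public:
                findings.append(("PLAINTEXT_TCP_PUBLIC", f"{name} on port {port}"))
    for key, value in opts.items():
        if key.endswith("forwardedheaders.insecure") and value.lower() == "true":
            findings.append(("FORWARDED_HEADERS_TRUST_ALL", key))
        if key == "serverstransport.insecureskipverify" and value.lower() == "true":
            findings.append(("BACKEND_CERT_NOT_VERIFIED", key))
    return findings


if __name__ == "__main__":
    for code, detail in audit(LABELS, FLAGS, PORTS):
        print(code, detail)
```

Publishing the port as `127.0.0.1:2992:2992` binds it to the host's loopback address only, which clears the first finding.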
