Multiple entrypoints on same router label creates multiple routers?

I run Traefik with rootless Podman and have four entrypoints configured, two of those for socket activation, and the other two for podman-internal network traffic:

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          scheme: https
          to: websecure
  web-internal:
    address: :80
    http:
      redirections:
        entryPoint:
          scheme: https
          to: websecure-internal
  websecure:
    address: :443
    http:
      tls:
        certResolver: letsencrypt
        domains:
        - main: mydomain.com
          sans:
          - '*.mydomain.com'
  websecure-internal:
    address: :443
    http:
      tls:
        certResolver: letsencrypt
        domains:
        - main: mydomain.com
          sans:
          - '*.mydomain.com'

Now, I would like to assign my routers to the websecure and the websecure-internal.
So on my containers I will have labels like:

traefik.http.routers.uptime-kuma.entrypoints=websecure,websecure-internal

When I do this, I notice that the number of routers doubles. Instead of one router with two entrypoints assigned, I now have two routers, each with one entrypoint.

This seems to only affect the https-routers. When using the http entrypoints, I can assign both of them to a single router. So for a test, I assigned all 4 entrypoints on the label and the result was this:

Is there a way to assign both entrypoints websecure and websecure-internal to a single router, just like it works with web and web-internal?

From my experience your Traefik static config seems strange. An entrypoint tells Traefik to open a listening port (doc).

EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP.

You shouldn't have two listeners on the same port. When I try to use the same port twice with Traefik in Docker I get an error:

Command error error="command traefik error: 
error while building entryPoint web: 
error preparing server: 
error opening listener: 
listen tcp :80: bind: address already in use"

This is because you don't use socket activation.
Since two of my entrypoints use socket-activated ports, it works just fine.

So I have a socket like

[Install]
WantedBy=sockets.target

[Socket]
FileDescriptorName=websecure
ListenDatagram=443
ListenStream=443
Service=podman-traefik.service

which is used for the websecure entrypoint. The websecure-internal entrypoint will just open the port internally.

You run Traefik in a container, right? How do you tell Traefik to use those different ports?

I don't have access to my computer right now, but here is a similar excellent example of how it works: podman-traefik-socket-activation/examples/example2 at main · eriksjolund/podman-traefik-socket-activation · GitHub

Basically systemd opens the port for Traefik and passes a file descriptor to the service. Since Traefik finds a file descriptor with a matching entrypoint name, it will use the file descriptor to handle connections. The "address" in the static config is ignored, as stated in the docs. I could omit it if I wanted to; I just leave it for documentation purposes.

Now the interesting question is why I can't assign both entrypoints to the router in case of https (creates two routers), but for http it works just fine.
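
The file-descriptor hand-off described in the post above, as an added example that is not part of the original thread and not Traefik's own code: it parses the `LISTEN_PID` / `LISTEN_FDS` / `LISTEN_FDNAMES` variables that systemd sets for a socket-activated service and models which entrypoints would reuse an inherited descriptor and which would bind their address themselves. The PID, the `web` socket name and the function names are assumptions; the two `websecure` descriptors correspond to the `ListenDatagram=` and `ListenStream=` lines of the socket unit shown earlier.

```python
SD_LISTEN_FDS_START = 3  # systemd hands over inherited sockets starting at fd 3


def inherited_fds(environ, pid):
    """Parse the sd_listen_fds environment protocol into {name: [fd, ...]}."""
    # LISTEN_PID must match our own PID; otherwise the variables were merely
    # inherited from a parent and the descriptors are not meant for us.
    if environ.get("LISTEN_PID") != str(pid):
        return {}
    count = int(environ.get("LISTEN_FDS", "0"))
    raw = environ.get("LISTEN_FDNAMES")
    # Without LISTEN_FDNAMES no name was received, so use "unknown" for each fd.
    names = raw.split(":") if raw else ["unknown"] * count
    if len(names) != count:
        raise ValueError("LISTEN_FDNAMES does not match LISTEN_FDS")
    by_name = {}
    for offset, name in enumerate(names):
        by_name.setdefault(name, []).append(SD_LISTEN_FDS_START + offset)
    return by_name


def plan_listeners(entrypoints, fds):
    """Model of the behaviour described in the thread (an assumption, not
    Traefik's code): an entrypoint whose name matches an inherited fd uses it
    and its address is ignored; every other entrypoint binds its address."""
    plan, bound = {}, {}
    for name, address in entrypoints.items():
        if name in fds:
            plan[name] = ("inherited", fds[name])
        elif address in bound:
            # Two self-bound listeners on one address: "address already in use".
            raise OSError(f"{name} and {bound[address]} both bind {address}")
        else:
            bound[address] = name
            plan[name] = ("bind", address)
    return plan


# Constructed sample: the four entrypoints from the static config above and an
# environment as systemd might set it (names come from FileDescriptorName=).
ENTRYPOINTS = {"web": ":80", "web-internal": ":80",
               "websecure": ":443", "websecure-internal": ":443"}
SAMPLE_ENV = {"LISTEN_PID": "4242", "LISTEN_FDS": "3",
              "LISTEN_FDNAMES": "web:websecure:websecure"}

if __name__ == "__main__":
    fds = inherited_fds(SAMPLE_ENV, 4242)
    for name, decision in plan_listeners(ENTRYPOINTS, fds).items():
        print(name, decision)
```

Calling `plan_listeners` with an empty descriptor map reproduces the bind conflict quoted earlier in the thread, because `web` and `web-internal` then both try to bind `:80`.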

Found the doc, didn't know that's possible. If you think it's a bug, you can report it to the devs at Traefik GitHub.

Thanks, I opened an issue here now: Assigning multiple entrypoints to router label creates multiple routers · Issue #11889 · traefik/traefik · GitHub

You might want to reference the doc, not everyone knows about socket activation, and maybe this thread.