Need Help with Traefik and DuckDNS Setup for remote access - Can’t Access Services Externally

Hi everyone, I'm new to traefik and I'm trying to setup a homelab using traefik alongside DuckDNS to expose some of my services for external usage. I've setup everything according to this guide and can access the docker containers via by browsing service_name.mydomainname.duckdns.org.

However, when using an external network like wifi from another house or 5G connections, it always say connection timed out. Is there anything else I should setup besides the Guide provided above?
NOTE: I have already allow 443 through my firewall and expose it from my routers. I'm hosting this setup on Ubuntu 22.04.3 LTS using docker-compose

Here is my docker-compose file:

# Traefik Reverse Proxy ###########################################################################################################################################################
  traefik:  # Travel uses sock like homepage to identify container's label (traefik.enable=True)
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    profiles:
      - external
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy 
    depends_on:
      - socky_proxy
    ports:
      - ${PORT_TRAEFIK_HTTP}:80
      - ${PORT_TRAEFIK_HTTPS}:443
      - ${PORT_TRAEFIK_DASH}:8080  # (optional) expose the dashboard !don't use in production!
    environment:
      - DOCKER_HOST=socky_proxy
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    volumes:
      - ${CONFIGDIR}/traefik:/config
      - ${STATICDIR}/traefik:/etc/traefik
      - crowdsec-logs:/var/log/crowdsec
    # Example for other container's label:
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.rule=Host(`coconut22.duckdns.org`)
      - traefik.http.routers.api.entryPoints=https
      - traefik.http.routers.api.service=api@internal
      # - traefik.http.routers.api.middlewares=api-auth
      # - traefik.http.middlewares.api-auth.basicauth.users=${TRAEFIK_HASHEDPSW}
      # - traefik.http.middlewares.api-auth.basicauth.removeheader=true
      - homepage.group=Network & Security
      - homepage.name=Traefik
      - homepage.icon=traefik
      - homepage.href=http://${SERVER_URL}:${PORT_TRAEFIK_DASH}
      - homepage.description=Reverse Proxy Manager
      - homepage.widget.type=traefik
      - homepage.widget.url=http://${SERVER_URL}:${PORT_TRAEFIK_DASH}
      - homepage.widget.username=${HOMEPAGE_TRAEFIK_USERNAME}
      - homepage.widget.password=${HOMEPAGE_TRAEFIK_PASSWORD}
  # Duck Domain Name server ###########################################################################################################################################################
  duckdns:
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    restart: unless-stopped
    profiles:
      - external
    environment:
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}
      SUBDOMAINS: ${DUCKDNS_SUBDOMAINLIST}
      TOKEN: ${DUCKDNS_TOKEN}
    volumes:
      - ${CONFIGDIR}/duckdns:/config #optional
    labels:
      - homepage.group=Network & Security
      - homepage.name=DuckDNS
      - homepage.icon=duckdns
      - homepage.description=Dynamic DNS for external access
  # Socket Proxy for Docker ###########################################################################################################################################################
  socky_proxy:
    container_name: socky_proxy
    image: ghcr.io/tecnativa/docker-socket-proxy:0.1 # A security-enhanced proxy for the Docker Socket.
    profiles:
      - admin
      - external
      - monitor
    privileged: true
    networks:
      - proxy
      - socky_proxy-net
    ports:
      - ${PORT_SOCKY_PROXY}:2375
    environment:
      # Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc).
      #   0 - revoke access
      #   1 - grant access
      CONTAINERS: 1 # crowdsec, diun, homepage
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    healthcheck:
      test: wget --spider http://${SERVER_URL}:${PORT_SOCKY_PROXY}/version || exit 1
      interval: "30s"
      timeout: "5s"
      retries: 3
      start_period: "30s"
    restart: unless-stopped

networks:
  proxy:
    name: proxy
    driver: bridge
    external: true
  htpc-net:
    name: htpc-net
  dns-net:
    name: dns-net
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/16
  socky_proxy-net:
    name: socky_proxy-net

Here is my static traefik.yaml:

global:
  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

# Allow insecure certificate: Put Reverse proxy in front of another server with SSL
serversTransport:
  insecureSkipVerify: true
# (Optional) Log information
# ---
log:
  level: "ERROR"
  # filePath: "/var/log/crowdsec/traefik.log"
  filePath: "/etc/traefik/traefik.log"

# (Optional) Accesslog
# ---
accessLog:
  # filePath: "/var/log/crowdsec/access.log"
  filePath: "/var/log/crowdsec/access.log"

# (Optional) Enable API and Dashboard
# ---
api:
 dashboard: true  # true by default
 insecure: true  # Don't do this in production!

# Fix

# Entry Points configuration
# ---
entryPoints:
  http:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  https:
    address: :443
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: letsencrypt
        domains:
          - main: coconut22.duckdns.org
            sans:
              - '*.coconut22.duckdns.org'
      middlewares:
        - securityHeaders@file
        # - crowdsec-bouncer@file
        # - authelia@file # Add Authelia label to every container (if want selective, just add labels)


# Configure your CertificateResolver here...
# ---
certificatesResolvers:
  letsencrypt:  # Using letsencrypt to generate ssl certificates
    acme:
      email: jimmythenthusiast@gmail.com
      storage: /etc/traefik/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: duckdns
        disablePropagationCheck: true
        delayBeforeCheck: 60
        resolvers:  # Make sure the DNS challenge is propagated to the right dns servers
          - "1.1.1.1:53"
          - "8.8.8.8:53"    

# To detect Container's Labels for traefik to tracks
# Discover services in your infrastructure
providers:
  providersThrottleDuration: 2s
  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: proxy  # Docker network name here
    defaultRule: "Host(`{{index .Labels \"com.docker.compose.service\"}}.coconut22.duckdns.org`)"
    exposedByDefault: false  # Default is true
    endpoint: "tcp://socky_proxy:2375"
  # File provider for connecting things that are outside of docker / defining middlewares
  file:
    filename: /etc/traefik/config.yml 
    watch: true

Here's my Dynamic Traefik YAML:

# Define Middlewares, External Routing
http:
  ## MIDDLEWARES ##
  middlewares:
    # Authentik
    authentik:
      forwardauth:
        address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth # Replace the port with Crowdsec exposed port
        trustForwardHeader: true



    securityHeaders:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: https
        referrerPolicy: "strict-origin-when-cross-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        accessControlAllowCredentials: true
        addVaryHeader: true
        accessControlMaxAge: 100
        sslRedirect: true
        sslForceHost: true
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true
        frameDeny: true
        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384

The containers start without issues, all checkmark in traefik are green and the certificate is provided properly (acme.json is populated). But somehow I still cant connect from outside network. If anyone has any idea on what I'm missing please help and thank you for your patience.

Do you have a port forward from DSL router to Ubuntu server?

To be honest I'm not sure what you're talking about. All i did with the router is add in an entry to route to port 443 of the traefik server

In general I recommend to start with a simple Traefik example and then work your way up to add more fluff to it.

When running from home, maybe start with a bare whoami directly on port 80 (no proxy), to check connectivity first.

Make sure the domain name points to your home IP, your DSL router forwards ports 80+443 to your server, your Docker container is listening externally on ports 80+443 and you use/enable the right ports inside the container.

Hi, I've tried using a simple Traefik example still can't seem to connect (due to Connection Timeout). I suspect maybe something is wrong with my server's network internally that makes it timeout. Do you know what I should check? resolv.conf, hosts, hostname, etc.

Might I send a super miniature docker-compose and all its config for you to test on ur machine? I'm afraid this is caused either due to my ISP or my own server network setting

  1. docker-compose.yaml:
version: "3.3"

services:
# Traefik Reverse Proxy 
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
      - 8800:8080  
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
      - DUCKDNS_SUBDOMAIN=${DUCKDNS_SUBDOMAIN}
    volumes:
      - .:/etc/traefik
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.rule=Host(`${DUCKDNS_SUBDOMAIN}.duckdns.org`)
      - traefik.http.routers.api.entryPoints=https
      - traefik.http.routers.api.service=api@internal

  # Duck Domain Name server 
  duckdns:
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    restart: unless-stopped
    environment:
      PUID: 1000
      PGID: 1000
      TZ: ${TZ}
      SUBDOMAINS: ${DUCKDNS_SUBDOMAIN}
      TOKEN: ${DUCKDNS_TOKEN}
  # Test Website
  whoami:
    image: "traefik/whoami"
    container_name: whoami
    ports:
      - "3000:80"
    labels:
      - "traefik.enable=true"
  1. traefik.yaml (NOTE: Replace the ${ENV_VARIABLE} with actual value):
global:
  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

serversTransport:
  insecureSkipVerify: true


api:
 dashboard: true  # true by default
 insecure: true  # Don't do this in production!

entryPoints:
  http:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  https:
    address: :443
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: ${DUCKDNS_SUBDOMAIN}.duckdns.org
            sans:
              - '*.${DUCKDNS_SUBDOMAIN}.duckdns.org'

certificatesResolvers:
  letsencrypt: 
    acme:
      email: ${DUCKDNS_EMAIL}
      storage: /etc/traefik/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: duckdns
        disablePropagationCheck: true
        delayBeforeCheck: 30
        resolvers:  
          - "1.1.1.1:53"
          - "8.8.8.8:53"    

providers:
  providersThrottleDuration: 2s
  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    # network: proxy  # Docker network name here
    defaultRule: "Host(`{{index .Labels \"com.docker.compose.service\"}}.${DUCKDNS_SUBDOMAIN}.duckdns.org`)"
    exposedByDefault: false  # Default is true

  1. .env file:
TZ=
DUCKDNS_TOKEN=
DUCKDNS_SUBDOMAIN=
DUCKDNS_EMAIL=

Where do you get the connection timeout? In the browser? Can you ping the domain? Is the request logged in Traefik access log and lost later on (doc)? What does Traefik debug log tell you?

What are you using the DuckDNS service/container for? In 99.9% here in the forum people don’t need a DNS server.

I got the connection timeout from the browser. I can ping it internally, but when tried using external network it got request timeout. I'm using DuckDNS to update my public IP for my duckdns domain name (its free) since traefik is hosting using that domain name (Example: service.mydomain.duckdns.org)

Here are the logs:

  1. traefik log:
time="2024-01-21T02:24:39Z" level=debug msg="Creating server 0 http://192.168.144.15:9000" entryPointName=https routerName=authentik@docker serviceName=authentik-homelab serverName=0
time="2024-01-21T02:24:39Z" level=debug msg="child http://192.168.144.15:9000 now UP"
time="2024-01-21T02:24:39Z" level=debug msg="Propagating new UP status"
time="2024-01-21T02:24:39Z" level=debug msg="Added outgoing tracing middleware authentik-homelab" middlewareName=tracing middlewareType=TracingForwarder entryPointName=https routerName=authentik@docker
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" routerName=authentik@docker middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" entryPointName=https routerName=authentik@docker middlewareName=securityHeaders@file middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead." entryPointName=https routerName=authentik@docker middlewareName=securityHeaders@file middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="SSLForceHost is deprecated, please use RedirectScheme middleware instead." routerName=authentik@docker middlewareName=securityHeaders@file middlewareType=Headers entryPointName=https
time="2024-01-21T02:24:39Z" level=warning msg="FeaturePolicy is deprecated, please use PermissionsPolicy header instead." middlewareName=securityHeaders@file middlewareType=Headers entryPointName=https routerName=authentik@docker
time="2024-01-21T02:24:39Z" level=debug msg="Setting up secureHeaders from {map[X-Forwarded-Proto:https] map[X-Forwarded-Proto:https X-Robots-Tag:none,noarchive,nosnippet,notranslate,noimageindex] true [] [GET OPTIONS PUT] [] [] [] 100 true [] [X-Forwarded-Host] true false  map[X-Forwarded-Proto:https] true 63072000 true true true true  true true    strict-origin-when-cross-origin camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';  false}" entryPointName=https routerName=authentik@docker middlewareName=securityHeaders@file middlewareType=Headers
time="2024-01-21T02:24:39Z" level=debug msg="Setting up customHeaders/Cors from {map[X-Forwarded-Proto:https] map[X-Forwarded-Proto:https X-Robots-Tag:none,noarchive,nosnippet,notranslate,noimageindex] true [] [GET OPTIONS PUT] [] [] [] 100 true [] [X-Forwarded-Host] true false  map[X-Forwarded-Proto:https] true 63072000 true true true true  true true    strict-origin-when-cross-origin camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';  false}" middlewareName=securityHeaders@file middlewareType=Headers entryPointName=https routerName=authentik@docker
time="2024-01-21T02:24:39Z" level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="SSLForceHost is deprecated, please use RedirectScheme middleware instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="FeaturePolicy is deprecated, please use PermissionsPolicy header instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=debug msg="Adding tracing to middleware" routerName=authentik@docker middlewareName=securityHeaders@file entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" routerName=https-stash@docker serviceName=stash-homelab middlewareName=pipelining middlewareType=Pipelining entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=https-stash@docker serviceName=stash-homelab
time="2024-01-21T02:24:39Z" level=debug msg="Creating server 0 http://192.168.144.2:9999" routerName=https-stash@docker serviceName=stash-homelab serverName=0 entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="child http://192.168.144.2:9999 now UP"
time="2024-01-21T02:24:39Z" level=debug msg="Propagating new UP status"
time="2024-01-21T02:24:39Z" level=debug msg="Added outgoing tracing middleware stash-homelab" middlewareType=TracingForwarder entryPointName=https routerName=https-stash@docker middlewareName=tracing
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" entryPointName=https routerName=https-stash@docker middlewareName=authentik@file middlewareType=ForwardedAuthType
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" entryPointName=https routerName=https-stash@docker middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file routerName=https-stash@docker
time="2024-01-21T02:24:39Z" level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead." entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file routerName=https-stash@docker
time="2024-01-21T02:24:39Z" level=warning msg="SSLForceHost is deprecated, please use RedirectScheme middleware instead." routerName=https-stash@docker entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file
time="2024-01-21T02:24:39Z" level=warning msg="FeaturePolicy is deprecated, please use PermissionsPolicy header instead." entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file routerName=https-stash@docker
time="2024-01-21T02:24:39Z" level=debug msg="Setting up secureHeaders from {map[X-Forwarded-Proto:https] map[X-Forwarded-Proto:https X-Robots-Tag:none,noarchive,nosnippet,notranslate,noimageindex] true [] [GET OPTIONS PUT] [] [] [] 100 true [] [X-Forwarded-Host] true false  map[X-Forwarded-Proto:https] true 63072000 true true true true  true true    strict-origin-when-cross-origin camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';  false}" routerName=https-stash@docker entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file
time="2024-01-21T02:24:39Z" level=debug msg="Setting up customHeaders/Cors from {map[X-Forwarded-Proto:https] map[X-Forwarded-Proto:https X-Robots-Tag:none,noarchive,nosnippet,notranslate,noimageindex] true [] [GET OPTIONS PUT] [] [] [] 100 true [] [X-Forwarded-Host] true false  map[X-Forwarded-Proto:https] true 63072000 true true true true  true true    strict-origin-when-cross-origin camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';  false}" middlewareType=Headers middlewareName=securityHeaders@file routerName=https-stash@docker entryPointName=https
time="2024-01-21T02:24:39Z" level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="SSLForceHost is deprecated, please use RedirectScheme middleware instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="FeaturePolicy is deprecated, please use PermissionsPolicy header instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=debug msg="Adding tracing to middleware" entryPointName=https routerName=https-stash@docker middlewareName=securityHeaders@file
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" serviceName=rpgx middlewareName=pipelining middlewareType=Pipelining entryPointName=https routerName=rpgx@file
time="2024-01-21T02:24:39Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=rpgx@file serviceName=rpgx
time="2024-01-21T02:24:39Z" level=debug msg="Creating server 0 http://192.168.1.200:6900" serverName=0 entryPointName=https routerName=rpgx@file serviceName=rpgx
time="2024-01-21T02:24:39Z" level=debug msg="child http://192.168.1.200:6900 now UP"
time="2024-01-21T02:24:39Z" level=debug msg="Propagating new UP status"
time="2024-01-21T02:24:39Z" level=debug msg="Added outgoing tracing middleware rpgx" middlewareType=TracingForwarder entryPointName=https routerName=rpgx@file middlewareName=tracing
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" entryPointName=https routerName=rpgx@file middlewareName=authentik@file middlewareType=ForwardedAuthType
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType entryPointName=https routerName=rpgx@file
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" middlewareName=securityHeaders@file routerName=rpgx@file entryPointName=https middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead." middlewareType=Headers middlewareName=securityHeaders@file routerName=rpgx@file entryPointName=https
time="2024-01-21T02:24:39Z" level=warning msg="SSLForceHost is deprecated, please use RedirectScheme middleware instead." routerName=rpgx@file entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file
time="2024-01-21T02:24:39Z" level=warning msg="FeaturePolicy is deprecated, please use PermissionsPolicy header instead." middlewareType=Headers middlewareName=securityHeaders@file routerName=rpgx@file entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Setting up secureHeaders from {map[X-Forwarded-Proto:https] map[X-Forwarded-Proto:https X-Robots-Tag:none,noarchive,nosnippet,notranslate,noimageindex] true [] [GET OPTIONS PUT] [] [] [] 100 true [] [X-Forwarded-Host] true false  map[X-Forwarded-Proto:https] true 63072000 true true true true  true true    strict-origin-when-cross-origin camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';  false}" routerName=rpgx@file entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file
time="2024-01-21T02:24:39Z" level=debug msg="Setting up customHeaders/Cors from {map[X-Forwarded-Proto:https] map[X-Forwarded-Proto:https X-Robots-Tag:none,noarchive,nosnippet,notranslate,noimageindex] true [] [GET OPTIONS PUT] [] [] [] 100 true [] [X-Forwarded-Host] true false  map[X-Forwarded-Proto:https] true 63072000 true true true true  true true    strict-origin-when-cross-origin camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';  false}" middlewareName=securityHeaders@file routerName=rpgx@file entryPointName=https middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="SSLForceHost is deprecated, please use RedirectScheme middleware instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="FeaturePolicy is deprecated, please use PermissionsPolicy header instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=debug msg="Adding tracing to middleware" entryPointName=https routerName=rpgx@file middlewareName=securityHeaders@file
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" entryPointName=https routerName=rpgx@file middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file routerName=rpgx@file
time="2024-01-21T02:24:39Z" level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead." entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file routerName=rpgx@file
time="2024-01-21T02:24:39Z" level=warning msg="SSLForceHost is deprecated, please use RedirectScheme middleware instead." routerName=rpgx@file entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file
time="2024-01-21T02:24:39Z" level=warning msg="FeaturePolicy is deprecated, please use PermissionsPolicy header instead." middlewareType=Headers middlewareName=securityHeaders@file routerName=rpgx@file entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Setting up secureHeaders from {map[X-Forwarded-Proto:https] map[X-Forwarded-Proto:https X-Robots-Tag:none,noarchive,nosnippet,notranslate,noimageindex] true [] [GET OPTIONS PUT] [] [] [] 100 true [] [X-Forwarded-Host] true false  map[X-Forwarded-Proto:https] true 63072000 true true true true  true true    strict-origin-when-cross-origin camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';  false}" routerName=rpgx@file entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file
time="2024-01-21T02:24:39Z" level=debug msg="Setting up customHeaders/Cors from {map[X-Forwarded-Proto:https] map[X-Forwarded-Proto:https X-Robots-Tag:none,noarchive,nosnippet,notranslate,noimageindex] true [] [GET OPTIONS PUT] [] [] [] 100 true [] [X-Forwarded-Host] true false  map[X-Forwarded-Proto:https] true 63072000 true true true true  true true    strict-origin-when-cross-origin camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';  false}" entryPointName=https middlewareType=Headers middlewareName=securityHeaders@file routerName=rpgx@file
time="2024-01-21T02:24:39Z" level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="SSLForceHost is deprecated, please use RedirectScheme middleware instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=warning msg="FeaturePolicy is deprecated, please use PermissionsPolicy header instead." middlewareType=Headers
time="2024-01-21T02:24:39Z" level=debug msg="Adding tracing to middleware" entryPointName=https routerName=rpgx@file middlewareName=securityHeaders@file
time="2024-01-21T02:24:39Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Adding route for stash.coconut22.duckdns.org with TLS options default" entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Adding route for rpgx.coconut22.duckdns.org with TLS options default" entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Adding route for syno-lanraragi.coconut22.duckdns.org with TLS options default" entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Adding route for syno-navidrome.coconut22.duckdns.org with TLS options default" entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Adding route for synology.coconut22.duckdns.org with TLS options default" entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Adding route for taba.coconut22.duckdns.org with TLS options default" entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Adding route for authentik.coconut22.duckdns.org with TLS options default" entryPointName=https
time="2024-01-21T02:24:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
time="2024-01-21T02:24:39Z" level=debug msg="No ACME certificate generation required for domains [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
time="2024-01-21T02:24:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="No ACME certificate generation required for domains [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="No ACME certificate generation required for domains [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="No ACME certificate generation required for domains [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="No ACME certificate generation required for domains [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:24:39Z" level=debug msg="No ACME certificate generation required for domains [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
time="2024-01-21T02:24:39Z" level=debug msg="No ACME certificate generation required for domains [\"coconut22.duckdns.org\" \"*.coconut22.duckdns.org\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-21T02:25:05Z" level=debug msg="Provider event received {Status:health_status: healthy ID:24317fdfe7927798995cb01371d91025203eabeea6b5d03802ca6b338c5a8345 From:ghcr.io/tecnativa/docker-socket-proxy:0.1 Type:container Action:health_status: healthy Actor:{ID:24317fdfe7927798995cb01371d91025203eabeea6b5d03802ca6b338c5a8345 Attributes:map[com.docker.compose.config-hash:a1651781a9635842c45084166b75f104d3dd70a52086a2448df24fca49494ed2 com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:homelab com.docker.compose.project.config_files:docker-compose.yaml com.docker.compose.project.working_dir:/home/jimmy/Homelab com.docker.compose.service:socky_proxy com.docker.compose.version:1.29.2 image:ghcr.io/tecnativa/docker-socket-proxy:0.1 name:socky_proxy org.opencontainers.image.created:2021-01-26T10:32:59.090Z org.opencontainers.image.description:Proxy over your Docker socket to restrict which requests it accepts org.opencontainers.image.licenses:Apache-2.0 org.opencontainers.image.revision:b911e572d0d65c672f4da6d2ef06d7d95c89de6d org.opencontainers.image.source:https://github.com/Tecnativa/docker-socket-proxy org.opencontainers.image.title:docker-socket-proxy org.opencontainers.image.url:https://github.com/Tecnativa/docker-socket-proxy org.opencontainers.image.vendor:Tecnativa org.opencontainers.image.version:0.1.1]} Scope:local Time:1705803905 TimeNano:1705803905320079535}" providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-homelab-527569b54258ec578de2ccd4246f8b8bb5e15a643e62ddd71e3550a4ff46ad64
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=socky-proxy-homelab-24317fdfe7927798995cb01371d91025203eabeea6b5d03802ca6b338c5a8345
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=endlessh-homelab-6bd2169183962adeadd3d308fd9ee17d82b480d8948d3124c643cf700a310580 providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=syncthing-homelab-22e0865b2d6d221d079616d15ab7c42679f81cb1d2c6abd9077211a8cd6e353c providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=nextcloud-homelab-976560250ca8c5b2b92c6aeb84ffb92b9878bf4858ae8b4e3c98e682ddba4103
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=sonarr-homelab-74561c711b976cae3307b25d9dd6f948805b3a660de9dd7c083998e1451f0ad3
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=bouncer-traefik-homelab-70c15b02ca02fc15f10040257105141097b6c2822b83906c48c33790e37926c4
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=crowdsec-homelab-ca581bcb79bae336096ff33b5cf11eeea55bb5731fc41005c30e3334ff56e080
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=jellyseerr-homelab-9f33e022e789a8d88021213cd119b644bde10329f7c7ff03fd65b4c759fc1d9c
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=radarr-homelab-dbe1cd7b184fccbafcec012fd3d47ce84559c735d1bc3cf595116e5cd95d5308 providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=tubearchivist-homelab-ea74a1a66fa9208e81f0c85d006db1d27298eedd92367db82c8c7e75292ef0e0 providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=watchtower-homelab-11e08cc659159af435baf4e8dc74657693a0e032b06131c3198df40f4b005261
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=portainer-homelab-fb40c7989bd2d59d04b14cc9347012700e009dbf9a6fd0fdf32b41a133f68638 providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=prowlarr-homelab-f7e74e415a7def848653970c9a3534cedac6468138ab9bb8c5655a4695d82ea2
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=photoprism-homelab-f463ab8642e162896b3d11617067a3314ba1d0437b147b49e749f71a8c6b8cef
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=archivist-redis-homelab-4d74bed189744ef3c0c916e8fd04007db0a07ae70a3b89970d6c696c9abe825f
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=authentikworker-homelab-7faa72043a6966aeba0388498c94a4ce01a96c1752aca7ca31c25548f0b3ecb5
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=qbittorrent-homelab-a20da471ebd9a4df9c83e2b744eb10e9fac7449bcfbfc87889bb8a95887b86e6
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=homepage-homelab-8dd4f5141ebf6c5b7f8933676f788e3f6484169654f627de82758898f185dcd6
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=pihole-homelab-235c8b80b1714df9bc2617b1d90362c541f72743c3142fc0569687a45a426189 providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=gitea-homelab-937b507fba03f8bf1e9b7e37c7445b91da586a164d76bc8a1f4367aefa5c7c57
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=cadvisor-homelab-f21d5c2383e190696404ca6529dda427e91a329cfb4bbeeb3bb6116ec3457bfe
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=duckdns-homelab-b6a08b74c853e1b7d30c5a01ab51c4b4afd62adaeb19f1a511a112641239d6c4 providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=uptime-kuma-homelab-99b256b14f8aeb1d4f4cd9b40a41b314e47fbbe6a74dc0baedc5d8ccea4253ba providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=photoprismdb-homelab-977cc4e15a83cccb2da9704c31fc899b5bf9299d68020a233ab651ffdce7fd9c providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=archivist-es-homelab-24cc0faf4f7ab5c99afb48927de58fd99b61ede97088b08b8458d9b06d4d614c
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=jdownloader2-homelab-bfef288946d14df593d623028717fab87108f74cf043aabb035b6dfa5eb12e38 providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=code-server-homelab-4ee5771376453b5be27a9f1e26c4bf19d01ddb0c59ab46f7532cbef013ddd96d
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=navidrome-homelab-0f60a077fccb798536ad51d2c98e012df4ec2938f7f5c80504d6c64517eefa2e
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=nextclouddb-homelab-9b377197aeb1b4f0189afb3b6c3ba35dc78d84db0796a13b9f3749b819a5c3b8
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=jellyfin-homelab-e4f0915f1bbe3132f51a29ff9ac317b1f24c0ac79f5792cfbc77b4c98976897f
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=authentikredis-homelab-97ea65730831b4f976b59314c06ce7166fb5c735d5573670870f0356eef8ae2a
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=grafana-homelab-bcddf1987ffddfbeb46c807f2c67053edf82ea786eaf3f878f92952657e054de
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=prometheus-homelab-3ccf413b6c3f33e96775fa259b7a4679009a98dcadcee55c20031053db28069a
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=jupyter-homelab-b0b91d5256aff36f2ab11afc463047044e301967e02e691dcfa8b585c9ca198e
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=lanraragi-homelab-83ba248d8676e025e7dc007c598c02ee3293c80c14c7822da76330470e484344
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" container=node-exporter-homelab-c136888b3c25a91e203a5347798ed9752037982c26ddfdf43a1306c7708da7cb providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=authentikdb-homelab-1184a36f21927e84f48eaa714548896d70287c9d79da1b30c191a83b5c790be3
time="2024-01-21T02:25:05Z" level=debug msg="Filtering disabled container" providerName=docker container=ak-outpost-ldap-9c50a8710a0e1748a97ecfe66d3ca18e891b5c09c42594d0c2da99bec1937d9f
time="2024-01-21T02:25:05Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"authentik\":{\"entryPoints\":[\"https\"],\"service\":\"authentik-homelab\",\"rule\":\"Host(`authentik.coconut22.duckdns.org`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\\\\-]{0,61}[A-Za-z0-9])?}.coconut22.duckdns.org`) \\u0026\\u0026 PathPrefix(`/outpost.goauthentik.io/`)\"},\"stash\":{\"middlewares\":[\"authentik@file\"],\"service\":\"stash-homelab\",\"rule\":\"Host(`stash.coconut22.duckdns.org`)\"}},\"services\":{\"authentik-homelab\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.144.15:9000\"}],\"passHostHeader\":true}},\"stash-homelab\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.144.2:9999\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2024-01-21T02:25:05Z" level=debug msg="Skipping unchanged configuration." providerName=docker

Are you using https? Maybe forward and open ports 80+443.

I did open both 80 & 443 on my router

What IP is your domain pointing at? Is it an internal or external IP? ping should tell you.

Maybe your DuckDNS container pushes the wrong (internal only) IP to DNS? Does it write logs?

Ping shows me that the domain points to my external IP.