Port forwarding and Traefik

I'm trying to install Traefik but I run into problems with port forwarding.

I have a dedicated macvlan in my "Servers" network (10.10.2.0/24) named "external_proxy" where Traefik is. I set a static IP for Traefik (10.10.2.222). Now I am trying to port forward 80 and 443, but when I use a site like portchecker.io to see if the ports are open, it says no. Also, when starting the Traefik container I get these error messages:

traefik  | 2024-06-25T20:45:18+02:00 ERR error="accept tcp [::]:443: use of closed network connection" entryPointName=https
traefik  | 2024-06-25T20:45:18+02:00 ERR error="accept tcp [::]:80: use of closed network connection" entryPointName=http
traefik  | 2024-06-25T20:45:18+02:00 ERR error="close tcp [::]:443: use of closed network connection" entryPointName=https
traefik  | 2024-06-25T20:45:18+02:00 ERR error="close tcp [::]:80: use of closed network connection" entryPointName=http
traefik  | 2024-06-25T21:23:54+02:00 ERR error="accept tcp [::]:80: use of closed network connection" entryPointName=http
traefik  | 2024-06-25T21:23:54+02:00 ERR error="close tcp [::]:80: use of closed network connection" entryPointName=http
traefik  | 2024-06-25T21:23:54+02:00 ERR error="accept tcp [::]:443: use of closed network connection" entryPointName=https
traefik  | 2024-06-25T21:23:54+02:00 ERR error="close tcp [::]:443: use of closed network connection" entryPointName=https

When I set up the port forwarding to my NAS instead (part of the same "Servers" network but not part of any macvlan, IP 10.10.2.2), I see the port as open on the website, so it seems to work, which makes me think the issue is Traefik or Docker network related.

Any idea what could cause this?

Here is my docker-compose.yml file:

version: "3.5"
services:
  traefik:
    image: traefik
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      external_proxy:
        ipv4_address: 10.10.2.222
    ports:
      - 800:80
      - 4443:443
    environment:
      - CF_API_EMAIL=***
      - CF_DNS_API_TOKEN=***
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume2/docker/appdata/traefik/traefik.yml:/traefik.yml:ro
      - /volume2/docker/appdata/traefik/acme.json:/acme.json
      - /volume2/docker/appdata/traefik/config.yml:/config.yml:ro
      - /volume2/docker/appdata/traefik/logs:/var/log/traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.rule=Host(`traefik-dashboard.mydomain.com`)
      - traefik.http.middlewares.traefik-auth.basicauth.users=*****
      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.services.whoami.loadbalancer.server.port=80
      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
      - traefik.http.routers.traefik-secure.entrypoints=https
      - traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.mydomain.com`)
      - traefik.http.routers.traefik-secure.middlewares=traefik-auth
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.certresolver=cloudflare
      - traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com
      - traefik.http.routers.traefik-secure.service=api@internal
networks:
  external_proxy:
    external: true

My traefik.yml file:

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true   # disables TLS certificate verification towards backend services
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: raphaelgrau@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

is usually only happening during container shutdown.

Can you detail the overall picture? You are using a private IP and expect an external portcheck website to connect to it? That doesn't work.

You are using a private IP and expect an external portcheck website to connect to it? That doesn't work.

To be more precise: on the portchecker website, I use my external public IP (the one from my ISP). When I add the port forwarding to my NAS IP, I can see the port open on the portchecker website. When I use the Traefik IP, I cannot.

Can you detail the overall picture?

I receive these logs after trying to launch the container. It is marked as "running". When I inspect the docker network, I can see the container is there too.

Is your port forwarding working? Maybe try running a simple traefik/whoami container on port 80.

Thanks! I ran this:

version: '3.9'

services:
  whoami:
    image: traefik/whoami
    networks:
      external_proxy:
        ipv4_address: 10.10.2.223
    command:
      # It tells whoami to start listening on 2001 instead of 80
      - --port=2001
      - --name=iamfoo

networks:
  external_proxy:
    external: true

And I added a port forward from port 12334 to port 2001 on my router.
How can I test that this works?

You are missing a ports: section; the container needs it to actually open the port to the outside world.

To test, you should be able to call your home IP with the port from a browser: http://<ip>:2001.
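A layered check for the situation in this thread, added here as an example and not taken from the thread or from Traefik. Two caveats a practitioner should keep in mind when using it: Docker only sets up port NAT for bridge networks, so on a macvlan the container is addressed directly by its own IP and listening port (here 10.10.2.222:80 and :443, not the 800/4443 mappings), and a macvlan parent interface cannot talk to its own child interfaces, so this must be run from a LAN host other than the Docker host. The script checks the container's macvlan IP from the LAN, then the public IP through the router forward, and classifies where the path breaks; it also sends a plain HTTP request with a Host header because Traefik routes on that header and a wrong name returns 404 even when forwarding is fine. The hostname used is the thread's own placeholder; the loopback stub server is a constructed stand-in for traefik/whoami so the code runs offline.

```python
"""Layered reachability check for a container on a macvlan network.

Added example, not from the original thread. The addresses and ports are
passed in by the caller (10.10.2.222:80 and the public IP in the thread);
nothing is hard-coded, and the stub server below is a constructed stand-in.
"""
import socket
import sys
import threading
from typing import Dict, Optional, Tuple


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failed
        return False


def http_status_line(host: str, port: int, host_header: str, timeout: float = 2.0) -> Optional[str]:
    """Send a minimal HTTP/1.1 GET and return the status line, or None on failure.

    The Host header matters: Traefik picks the router from it, so pass the
    value of the Host() rule you expect to match.
    """
    request = f"GET / HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            data = sock.recv(1024)
    except OSError:
        return None
    status = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    return status or None


def diagnose(container_ip: str, container_port: int, public_ip: str, public_port: int) -> Dict[str, object]:
    """Classify where the path breaks. Run from a LAN host that is NOT the
    Docker host: a macvlan parent cannot reach its children, so a check from
    the NAS itself fails for an unrelated reason."""
    lan = check_tcp(container_ip, container_port)
    wan = check_tcp(public_ip, public_port)
    if lan and wan:
        verdict = "ok: container answers on the LAN and through the router forward"
    elif lan:
        verdict = "router: container answers on the LAN but the forward to the public IP does not reach it"
    else:
        verdict = "container: nothing answers on the macvlan IP, fix the container/Docker network before the router"
    return {"lan": lan, "wan": wan, "verdict": verdict}


def start_stub_server(body: bytes = b"Hostname: iamfoo\n") -> Tuple[socket.socket, int]:
    """Loopback HTTP responder mimicking traefik/whoami (constructed stand-in),
    so the checks above can be exercised without the real container."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.recv(4096)  # read (and ignore) the request
                head = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: %d\r\nConnection: close\r\n\r\n" % len(body)
                conn.sendall(head + body)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """A loopback port with no listener, for the negative case."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # From another LAN host: python3 reach.py 10.10.2.222 80 <public-ip> 80
    if len(sys.argv) == 5:
        ip, port, pub_ip, pub_port = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])
    else:  # no arguments: demonstrate against the loopback stub
        _srv, port = start_stub_server()
        ip = pub_ip = "127.0.0.1"
        pub_port = port
    print(diagnose(ip, port, pub_ip, pub_port))
    print(http_status_line(ip, port, "traefik-dashboard.mydomain.com"))
```

The public-IP leg should be run from outside the LAN (a phone on mobile data, or a remote shell) because many consumer routers do not do NAT loopback, so a "router" verdict obtained from inside the LAN is not conclusive until repeated from the outside. The LAN leg, on the other hand, is conclusive: if 10.10.2.222:80 does not answer from a neighbouring LAN host, no router setting will fix it.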