Router creation won't work with docker and label

I'm using different dockers with similar config and simply copied my compose file, like this.

services:
  cryptpad:
    image: "cryptpad/cryptpad:version-5.6.0"
    restart: unless-stopped
    container_name: cryptpad
    networks:
      - myNetwork
    labels:
      - traefik.enable=true
      - traefik.http.routers.cryptpad.rule=Host(`office.intranet`, `sandbox.office.intranet`) && ClientIP(`192.168.0.0/16`)
    volumes:
      - /media/nfs/docker/cryptpad/data/blob:/cryptpad/blob
      - /media/nfs/docker/cryptpad/data/block:/cryptpad/block
      - /media/nfs/docker/cryptpad/customize:/cryptpad/customize
      - /media/nfs/docker/cryptpad/data/data:/cryptpad/data
      - /media/nfs/docker/cryptpad/data/files:/cryptpad/datastore
      - /media/nfs/docker/cryptpad/config/config.js:/cryptpad/config/config.js
    environment:
      - CPAD_MAIN_DOMAIN=https://office.intranet
      - CPAD_SANDBOX_DOMAIN=https://sandbox.office.intranet
      - CPAD_CONF=/cryptpad/config/config.js
    ports:
      - "3500:3000"

networks:
  myNetwork:
    external: true

In my traefik.yml this part is active:

providers:
    docker:
        exposedByDefault: false

With debug mode in traefik I only see this in log.

23bc2161a6dbd2342343230ab1921c977 From:cryptpad/cryptpad:version-5.6.0 Type:container Action:start Actor:{ID:a5b8f16cc6e6c9289c23bc21234234234b2e30ab1921c977 Attributes:map[com.docker.compose.config-hash:d4b4681cc90bd4decc234236408dde0041bdb0a30e82 com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:9e77f6a5a53faf116ea024d927fb7292a76ae4571a7b8490ea9465804d2942a9 com.docker.compose.oneoff:False com.docker.compose.project:cryptpad com.docker.compose.project.config_files:/media/nfs/docker/cryptpad/docker-compose.yml com.docker.compose.project.working_dir:/media/nfs/docker/cryptpad com.docker.compose.replace:4541b0c63960cc1a4f1595398782a87270ababa06be27cd80181d93dc1639397 com.docker.compose.service:cryptpad com.docker.compose.version:2.21.0 image:cryptpad/cryptpad:version-5.6.0 name:cryptpad traefik.enable:true traefik.http.routers.cryptpad.rule:Host(`office.intranet`, `sandbox.office.intranet`) && ClientIP(`192.168.0.0/16`)]} Scope:local Time:1707321600 TimeNano:1707321600370378773}" providerName=docker

After starting the container, the router is not created and I do not see this router on the dashboard in the Traefik web UI. My other containers like baikal or nagios with similar config work fine. What can be the problem? Thanks for hints ...

Do you use different names for the routers?

Is the service/container running?

I would recommend setting the target service port for Traefik to use; compare with the simple Traefik example.

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Yes, I'm using different names for each docker services.

This is my static config:

providers:
    docker:
        exposedByDefault: false
        network: traefik_proxy
    file:
        filename: /etc/traefik/dynamic.yml
        watch: true

entryPoints:
    web:
        address: :80
        http:
            redirections:
                entryPoint:
                    to: websecure
                    scheme: https
    websecure:
        address: :443
        http:
            tls:
                certResolver: le

certificatesResolvers:
    le:
        acme:
            tlsChallenge: true
            email: "mymail"
            storage: "/etc/traefik/acme/acme.json"

api:
    dashboard: true
##    insecure: true

log:
    level: "DEBUG"
    filePath: "/var/log/traefik/traefik.log"

accessLog:
    filePath: "/var/log/traefik/access.log"
    bufferingSize: 100

serversTransport:
    insecureSkipVerify: "true"

Here the dynamic one:

tls:
    certificates:
        - certFile: /etc/traefik/certs/cert.crt
          keyFile: /etc/traefik/certs/Root-CA-Home.pem
    stores:
        default: 
            defaultCertificate:
                certFile: /etc/traefik/certs/cert.crt
                keyFile: /etc/traefik/certs/Root-CA-Home.pem

http:
    middlewares:        
        authTraefik:
            basicAuth:
                users:
                    - "traefik_user:secret"

The cryptpad container runs and I can access this service via its IP address. I don't understand why Traefik does not create the router. Here is an example from baikal which works. Other dockers work as well. I have never had this problem with any other container and I'm confused. :wink:

Example with working baikal:

version: "2"
services:
  baikal:
    image: ckulka/baikal:nginx
    container_name: baikal
    labels:
      - traefik.enable=true
      - traefik.http.routers.baikal.rule=Host(`baikal.intranet`) && ClientIP(`192.168.0.0/16`)
#      - traefik.http.routers.baikal.middlewares=mygeoblock@file

    restart: always
    ports:
      - "8076:80"
    volumes:
      - config:/var/www/baikal/config
      - data:/var/www/baikal/Specific
#      - /media/nfs/docker/baikal/Server.php:/var/www/baikal/Core/Frameworks/Baikal/Core/Server.php

volumes:
  config:
  data:

networks:
  default:
    external: true
    name: myNetwork

Example with cryptpad which does not work:

version: '3.8'
services:
  cryptpad:
    image: "cryptpad/cryptpad:version-5.6.0"
    restart: unless-stopped
    container_name: cryptpad
    labels:
      - traefik.enable=true
      - traefik.http.routers.cryptoffice.rule=Host(`office.intranet`, `sandbox.office.intranet`) && ClientIP(`192.168.0.0/16`)
    volumes:
      - /media/nfs/docker/cryptpad/data/blob:/cryptpad/blob
      - /media/nfs/docker/cryptpad/data/block:/cryptpad/block
      - /media/nfs/docker/cryptpad/customize:/cryptpad/customize
      - /media/nfs/docker/cryptpad/data/data:/cryptpad/data
      - /media/nfs/docker/cryptpad/data/files:/cryptpad/datastore
      - /media/nfs/docker/cryptpad/config/config.js:/cryptpad/config/config.js
    environment:
      - CPAD_MAIN_DOMAIN=https://office.intranet
      - CPAD_SANDBOX_DOMAIN=https://sandbox.office.intranet
      - CPAD_CONF=/cryptpad/config/config.js
    ports:
      - "3500:3000"

networks:
  default:
    external: true
    name: myNetwork

You are missing the Traefik docker-compose.yml.

Traefik and the services should use the same network. When you specify the network for Traefik in options, you need to make sure the name is correct as by default compose will prefix with a project name.

I usually prefer a dedicated Docker network, not default, to make it all clear. You don’t need to expose ports of your services (except Traefik). Check simple Traefik example.

Sorry, my mistake, I forgot that information.

This is the compose for traefik.

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    command:
      - "--providers.file.filename=/etc/traefik/traefik.yml"
    restart: always

    labels:
      - traefik.http.routers.traefik.rule=Host(`traefik.intranet`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      - traefik.enable=true
      - traefik.http.routers.traefik.middlewares=authTraefik@file
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.sticky.cookie.httpOnly=true
      - traefik.http.services.traefik.loadbalancer.sticky.cookie.secure=true

    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - /media/nfs/docker/traefik/config:/etc/traefik
      - /media/nfs/docker/traefik/log:/var/log/traefik/
      - /media/nfs/docker/traefik/acme/acme.json:/etc/traefik/acme/acme.json
    environment:
      TZ: Europe/Berlin
    ports:
      - 80:80
      - 443:443

networks:
  default:
    external: true
    name: traefik_proxy

I want to use two docker networks: one for services with access to the internet and one for internal stuff. But why does it work with baikal? There is another network named "myNetwork". baikal and cryptpad should be internal only.

Thanks for your hints. I will check the example and try this in my env.

The problem still exists. I removed the exposed ports and put the container in the same network. Nothing changes the behaviour.

This is the actual yml for the cryptpad compose.

version: '3.8'
services:
  cryptpad:
    image: "cryptpad/cryptpad:version-5.6.0"
    restart: unless-stopped
    container_name: cryptpad
    labels:
      - traefik.enable=true
      - traefik.http.routers.cryptpad.rule=Host(`office.intranet`, `sandbox.office.intranet`) && ClientIP(`192.168.0.0/16`)
    environment:
      - CPAD_MAIN_DOMAIN=https://office.intranet
      - CPAD_SANDBOX_DOMAIN=https://sandbox.office.intranet
      - CPAD_CONF=/cryptpad/config/config.js
#      - CPAD_HTTP2_DISABLE=true
    volumes:
      - /media/nfs/docker/cryptpad/data/blob:/cryptpad/blob
      - /media/nfs/docker/cryptpad/data/block:/cryptpad/block
      - /media/nfs/docker/cryptpad/customize:/cryptpad/customize
      - /media/nfs/docker/cryptpad/data/data:/cryptpad/data
      - /media/nfs/docker/cryptpad/data/files:/cryptpad/datastore
      - /media/nfs/docker/cryptpad/config/config.js:/cryptpad/config/config.js

#    ulimits:
#      nofile:
#        soft: 1000000
#        hard: 1000000

networks:
  default:
    external: true
    name: traefik_proxy

Is there anything else I can check?

Update:
I tested this with a traefik/whoami service. This works. There must be a problem with cryptpad specifically. Could it be that the image (cryptpad) affects the behaviour of the Traefik labels?

You need to add the network to the service.

Then you can go into the Traefik container (docker exec -it <cid> sh) and try to ping cryptpad and wget http://cryptpad (maybe need to add port number).

You need to add the network to the service

I'm using a pre-existing network with the external option, which assigns the existing network to the service (Networking Docker). Or is there another thing which I do not understand?

I wrote that all other containers work with this config constellation. Why not with cryptpad? The cryptpad container is in the "traefik_proxy" network and it's reachable via ping from the traefik container.

I don't understand why, but using the image promasu/cryptpad works with exactly the config given in my previous post.

Never mind. Because you declare the default network, you implicitly automatically add the network to your service. Usually you would use network: within a service declaration.
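
The network-name rules from the replies above (Compose prefixes the project name unless the network is external or has an explicit name, and a declared default network is joined implicitly), as an added Python example that is not part of the thread. The function names and the dict layout, which mirrors the posted compose files, are assumptions made for this illustration.

```python
# Added example (not from the thread): resolve the Docker network names a
# compose service really joins and compare with providers.docker.network.
# Function names and the dict layout are assumptions for illustration.

def real_network_name(key, spec, project):
    """Name Docker sees for one top-level compose network entry."""
    spec = spec or {}
    if spec.get("name"):        # explicit name: always wins
        return spec["name"]
    if spec.get("external"):    # pre-existing network, key used as-is
        return key
    return f"{project}_{key}"   # created by compose: project-name prefix

def service_networks(compose, service, project):
    """Real network names the service is attached to."""
    svc = compose["services"][service]
    keys = list(svc.get("networks") or ["default"])  # none listed: implicit default
    top = compose.get("networks") or {}
    return {real_network_name(k, top.get(k), project) for k in keys}

def check(compose, service, project, provider_network):
    """Findings for one service against Traefik's Docker provider settings."""
    labels = compose["services"][service].get("labels") or []
    findings = []
    if "traefik.enable=true" not in labels:
        findings.append("traefik.enable=true missing while exposedByDefault is false")
    nets = service_networks(compose, service, project)
    if provider_network not in nets:
        findings.append(f"not on {provider_network}; attached to {sorted(nets)}")
    if not any(".loadbalancer.server.port=" in label for label in labels):
        findings.append("no explicit loadbalancer.server.port label")
    return findings

# Constructed dicts mirroring the first and the last cryptpad compose file above.
RULE = "traefik.http.routers.cryptpad.rule=Host(`office.intranet`, `sandbox.office.intranet`) && ClientIP(`192.168.0.0/16`)"
FIRST = {"services": {"cryptpad": {"labels": ["traefik.enable=true", RULE],
                                   "networks": ["myNetwork"]}},
         "networks": {"myNetwork": {"external": True}}}
LAST = {"services": {"cryptpad": {"labels": ["traefik.enable=true", RULE]}},
        "networks": {"default": {"external": True, "name": "traefik_proxy"}}}

if __name__ == "__main__":
    for title, compose in (("first", FIRST), ("last", LAST)):
        print(title, check(compose, "cryptpad", "cryptpad", "traefik_proxy"))
```

The first file resolves to `myNetwork`, the last one to `traefik_proxy`, which is the name set under `providers.docker.network` in the posted static config.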