Services reachable via WAN but not LAN

Hello dear traefik community,

I am running (among other things) a self-hosted nextcloud instance behind traefik. Everything works fine as long as I access everything from the WAN. But I don't always want to send packets on a journey when start and end are inside my LAN. Sadly, my router does not support hairpinning and does not recognize packets originating and terminating in my LAN.

My (not working) solution was to run a pihole locally which resolves my domain to the local address. This is working and I can dig/nslookup/ping my domain and I get the local IP.

Once I enter the domain in the browser I can see in the pihole logs that the domain is being resolved, but there is nothing in the traefik access logs and I end up in an infinite loading loop in the browser. Since the lookup is working I do not know what the problem is and why the packets don't seem to reach traefik.

The pihole is not behind traefik.

This is my docker-compose for traefik:

version: '3'

services:
  traefik:
    # The official v2 Traefik docker image
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    # Enables the web UI and tells Traefik to listen to docker
    command:
      --api.insecure=true
      --providers.docker
      --logLevel=DEBUG
      --accesslogi=true
    domainname: "mydomain.com"
    networks:
      - proxy
      - nextcloud-aio
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "9080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /etc/localtime:/etc/localtime
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/traefik/data/traefik.yml:/traefik.yml:ro
      - /root/traefik/data/acme.json:/acme.json
      - /root/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:password"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=netcup"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
  nextcloud-aio:
    external: true

as well as my traefik.yaml:

global:
  checkNewVersion: true
  sendAnonymousUsage: true
api:
  dashboard: true
  debug: true
log:
  level: DEBUG
accessLog: {}
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  netcup:
    acme:
      ... unrelated to the issue ...

Any idea how to debug this further?

Thanks in advance!

You can’t have Traefik static config in traefik.yml and command:; decide on one (doc).

Then check the browser's developer tools network tab for what’s happening, if you see a loading loop.

I removed the command part in the docker-compose file; it was old and I forgot to delete it. The same is in the static config traefik.yml, or rather the same is configured there but in more detail.
This is my current (fixed) docker-compose.

version: '3'

services:
  traefik:
    # The official v2 Traefik docker image
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    domainname: "mydomain.com"
    networks:
      - proxy
      - nextcloud-aio
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "9080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /etc/localtime:/etc/localtime
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/traefik/data/traefik.yml:/traefik.yml:ro
      - /root/traefik/data/acme.json:/acme.json
      - /root/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:password"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=netcup"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
  nextcloud-aio:
    external: true

Loading loop was phrased poorly on my side.
If I call a service, let's say nextcloud.mydomain.com, then in the developer tools network tab I can only see an initial GET where the remote IP is "unknown", and after some loading the request times out.
I see the DNS request and that it has been answered in my pihole logs though.

How do you configure Nextcloud to play with Traefik?

What IP do you get from PiHole?

If I dig nextcloud.mydomain.com, pihole returns:

;; ANSWER SECTION:
nextcloud.mydomain.com. 0	IN	CNAME	mydomain.com.
mydomain.com.	0	IN	A	192.168.0.3

which is the local IP of the docker host container running traefik and nextcloud.

These are the sections of my config.yml where my nextcloud is configured.

http:
  #region routers
  routers:
    nextcloud:
      entryPoints:
        - "https"
      rule: "Host(`nextcloud.mydomain.com`)"
      middlewares:
        - https-redirect
        - nextcloud-secure-headers
      tls: {}
      service: nextcloud
  #endregion
  #region services
  services:
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://192.168.0.3:11000"
        passHostHeader: true
  #endregion
  middlewares:
    nextcloud-secure-headers:
      headers:
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        referrerPolicy: "same-origin"
        customResponseHeaders:
          X-Robots-Tag: "noindex, nofollow"

    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
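
One way to check where the request gets lost, added here as an example and not part of the original thread: `dig` queries only the A record by default, while a browser uses every address its resolver returns, so the script lists all answers for the name, flags any outside the LAN, and then tests TCP and TLS (with SNI) against the local ones. The `192.168.0.0/24` prefix and the function names are assumptions; only `192.168.0.3` and the host name come from the posts above.

```python
import ipaddress
import socket
import ssl
import sys

# Assumption: the LAN is 192.168.0.0/24 (the thread only shows 192.168.0.3).
LAN = ipaddress.ip_network("192.168.0.0/24")

def resolve_all(host, port=443):
    """Every address the OS resolver returns (A and AAAA), as a browser would see."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def classify(addresses, lan=LAN):
    """Split addresses into (inside the LAN, outside the LAN)."""
    inside, outside = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        (inside if ip in lan else outside).append(addr)
    return inside, outside

def probe(ip, port, sni, timeout=3.0):
    """Return the first stage that fails ('tcp' or 'tls'), or 'ok'."""
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError:
        return "tcp"   # refused, filtered or timed out before reaching Traefik
    ctx = ssl.create_default_context()  # certificate and hostname are verified
    try:
        with ctx.wrap_socket(sock, server_hostname=sni):
            return "ok"
    except OSError:    # ssl.SSLError and handshake timeouts are OSError subclasses
        return "tls"
    finally:
        sock.close()

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "nextcloud.mydomain.com"
    inside, outside = classify(resolve_all(host))
    for addr in outside:
        print(f"{addr}: not a LAN address, this answer bypasses the local override")
    for addr in inside:
        print(f"{addr}:443 -> {probe(addr, 443, host)}")
```

A `tcp` result for the LAN address points at the host firewall or Docker port publishing rather than at Traefik's routers; a `tls` result means the connection arrived and the certificate or SNI match is the next thing to look at.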