Slower Container Local Network Access with Traefik

Hi all. Posted this on the issues page on GitHub, and it was closed due to it apparently being a question and not an issue. Hoping someone can help me with the below. Here is a link to the now closed issue so you can see the whole thread: Slower Container Local Network Access with Traefik · Issue #11730 · traefik/traefik · GitHub

Please excuse the GitHub formatting:

What did you do?
I'm solely using Traefik to route traffic to internal container IPs based on subdomains. I use AdGuard Home for DNS rewrites, directing those subdomains to Traefik's container IP. My Traefik configuration appears to be working for basic routing, as confirmed by successful routing to several containers now routing internally via Traefik. I can ping the subdomains, and they resolve to Traefik's IP with very low latency (<1ms) compared to those not managed by Traefik.

What did you see instead?
While basic routing and DNS resolution work, I've observed slower download/upload speeds when transferring large files to/from containers via the Traefik-managed subdomains compared to accessing the containers directly using their internal IP and port. The speed is better than before Traefik, but still significantly slower than a direct connection.

What version of Traefik are you using?
3.3.6

What is your environment & configuration?
Deployment: Docker Compose
Provider: Docker
Platform: ArchLinux

Traefik Docker Compose:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    command:
      - "--api.insecure=true" # Enable the Traefik dashboard (for local access only, secure it later if needed)
      - "--providers.docker=true" # Enable Docker provider
      - "--providers.docker.exposedbydefault=false" # Don't expose all containers by default
      - "--entrypoints.web.address=:80" # HTTP entrypoint
      - "--entrypoints.websecure.address=:443" # HTTPS entrypoint (even if Cloudflare handles SSL externally)
      - "--providers.redis=true" # Enable Redis provider
      - "--providers.redis.endpoints=traefik-redis:6379"
      - "--providers.redis.rootKey=traefik"
    ports:
      - "7480:80" # Host port 80 forwarded to container port 80
      - "7443:443" # Host port 443 forwarded to container port 443
      - "8880:8080" # Host port 8080 forwarded to the Traefik dashboard (for local access)
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro" # Allow Traefik to listen to Docker events

    networks:
      - traefik-net

  redis:
    image: redis:alpine
    container_name: traefik-redis
    restart: unless-stopped
    volumes:
      - redis-data:/data
    ports:
      - "6379:6379"  # Publish Redis on the host
    networks:
      - traefik-net
      
networks:
  traefik-net:
    name: traefik-net

volumes:
  redis-data:

Did a quick test with Traefik and Apache as target service. When downloading a 1GB file, Traefik took 5 secs, while Apache direct took 1-2 secs. But when disabling Traefik TLS and using plain HTTP, it also took 1-2 secs through Traefik. So it seems TLS encryption is the bottleneck.

Thanks for your reply, and what you state makes sense. Unfortunately I have already disabled TLS. For example, trying a large ROM in ROMM is almost instant via direct IP, but over the domain via Traefik internally it is very slow. If it were just a matter of a few seconds I wouldn't care too much, but it's very significant, almost as much as when off the network.

Works for me. Try with a plain and easy target.

mkdir ./htdocs
dd if=/dev/zero of=./htdocs/10mb.dat bs=1M count=10
dd if=/dev/zero of=./htdocs/100mb.dat bs=1M count=100
dd if=/dev/zero of=./htdocs/1000mb.dat bs=1M count=1000

services:
  traefik:
    image: traefik:latest
    ports:
      - 80:80
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command:
      - --api.dashboard=true
      - --log.level=INFO
      - --accesslog=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  speed:
    image: httpd:2.4
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.speedtest.rule=Host(`speedtest.example.com`)
      - traefik.http.services.speedtest.loadbalancer.server.port=80
    ports:
      - 4080:80
    volumes:
      - ./htdocs:/usr/local/apache2/htdocs/

networks:
  proxy:
    name: proxy

Thanks for the Docker Compose file. I know I am supposed to change the Hosts of both services, but I'm not sure what to. Then once I do and deploy them, what should I be doing or looking for? If you don't mind walking me through this, I'd appreciate it.

Following up on the above.

You can test plain HTTP performance with curl:

curl -o /dev/null -s -w \
"DNS: %{time_namelookup}s\nConnect: %{time_connect}s\nSSL: %{time_appconnect}s\nTTFB: %{time_starttransfer}s\nTotal: %{time_total}s\n" \
https://example.com

Specifically with the URLs

via Traefik
http://speedtest.example.com/1000mb.dat

without Traefik
http://speedtest.example.com:4080/1000mb.dat
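
The comparison suggested in the reply above, as an added example that is not part of the original thread: it runs the same curl timing against both URLs, splits each result into phases, and reports where the proxied path loses the most time. The function names and the sample timing lines are constructed for illustration; only the curl `-w` variables are real.

```shell
#!/usr/bin/env bash
# Added example: split curl timings into phases and compare two paths.
FMT='dns=%{time_namelookup} connect=%{time_connect} ttfb=%{time_starttransfer} total=%{time_total} bytes=%{size_download}\n'

# Constructed sample lines (not measurements), sized like the 1 GB test above.
SAMPLE_VIA='dns=0.001 connect=0.002 ttfb=0.010 total=5.010 bytes=1048576000'
SAMPLE_DIRECT='dns=0.001 connect=0.002 ttfb=0.005 total=1.505 bytes=1048576000'

# Download a URL, discard the body, print one key=value timing line.
measure() { curl -o /dev/null -s -w "$FMT" "$1"; }

# Timing line -> seconds spent in each phase: "dns connect wait transfer".
# "wait" is connect-to-first-byte, so it includes any TLS handshake.
phases() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -F= '
    { v[$1] = $2 }
    END { printf "%.3f %.3f %.3f %.3f\n", v["dns"], v["connect"] - v["dns"],
                 v["ttfb"] - v["connect"], v["total"] - v["ttfb"] }'
}

# Body throughput in MB/s, counting only the time after the first byte.
mbs() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -F= '
    { v[$1] = $2 }
    END { d = v["total"] - v["ttfb"]
          if (d <= 0) { print "n/a" } else { printf "%.1f\n", v["bytes"] / d / 1000000 } }'
}

# Phase where the proxied path ($1) loses the most time against direct ($2).
worst_phase() {
  printf '%s\n%s\n' "$(phases "$1")" "$(phases "$2")" | awk '
    NR == 1 { for (i = 1; i <= 4; i++) via[i] = $i }
    NR == 2 { split("dns connect wait transfer", name, " "); best = 1
              for (i = 2; i <= 4; i++) if (via[i] - $i > via[best] - $best) best = i
              printf "%s %.3f\n", name[best], via[best] - $best }'
}

# Usage: ./compare.sh <url-via-traefik> <url-direct>; no arguments runs the samples.
if [ "$#" -eq 2 ]; then via=$(measure "$1"); direct=$(measure "$2")
else via=$SAMPLE_VIA; direct=$SAMPLE_DIRECT; fi
echo "via Traefik: $(phases "$via") s, $(mbs "$via") MB/s"
echo "direct:      $(phases "$direct") s, $(mbs "$direct") MB/s"
echo "largest extra cost via Traefik: $(worst_phase "$via" "$direct")"
```

A large "transfer" difference points at the proxy's data path, while a large "dns" or "connect" difference points at name resolution or routing to the Traefik container instead.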