[SOLVED] Entrypoint doesn't exist , Traefik won't detect new entrypoint for router

Hello Team!

I've recently switched from Caddy to Traefik v2 and have been finding it very intuitive to setup so far. However I've run into an issue. I've setup Traefik based on this guide:

I'm trying to reverse proxy to my wireguard setup on another local server. I'm having issues with the entryPoint of the router. I'm trying to setup wireguard.domain.com:58120 to route to LOCAL_IP:51820

I've set this up in config/rules/app-wireguard.toml which I understand is a dynamic config. The file looks like this:

    address = ":51820/udp"

      entryPoints = ["wireguard"]
      rule = "HostHeader(`wireguard.MYDOMAIN.com`)"
      service = "wg-svc"
      middlewares = ["chain-no-auth"]

      passHostHeader = true
        url = ""

This is what I get in the dashboard:

I don't know why the middleware is not found. If I switch the entrypoint of the router to https then it loads fine

I tried declaring the entryPoint in the docker-compose file like this (unnecessary code truncated):

      - --entryPoints.traefik.address=:8080
      - --entryPoints.wireguard.address=:51820/udp #wireguard

but the issue persists. Any help would be appreciated. Thank you!

Hello @generalnfg

Seems you are mixing static and dynamic configuration. I would suggest to first create a static config file and define all entrypoints. In the new file you can create the dynamic configuration.

Please also note that there 3 ways to define static configuration:

  • a file
  • CLI arguments
  • environment variables

however, they are mutually exclusive, so you can use only one at the same time.

Thank you @jakubhajek for the response.

So I removed the [entryPoints] from the .toml file and just maintained the CLI argument in the docker compose. So for clarity here is the traefik docker-compose section:

    container_name: traefik
    image: traefik:livarot
    restart: unless-stopped
      - --pilot.token=8a288e7b-d2e3-4e01-817b-e4f9e231e673
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
        # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=,,,,141.10$
      - --entryPoints.traefik.address=:8080
      - --entryPoints.wireguard.address=:51820/udp #wireguard
      - --api=true
      - --api.dashboard=true
#      - --api.insecure=true
      - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
#      - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsE$
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=,
      - t2_proxy
      - no-new-privileges:true
      - target: 80
        published: 80
        protocol: tcp
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
      - target: 51820 # wireguard
        published: 51820
        protocol: udp
        mode: host
      - $DOCKERDIR/traefik2/rules:/rules
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log
      - $DOCKERDIR/shared:/shared
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
#      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" 
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
      #- "traefik.http.routers.nas.router=nas-rtr@file"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"

and here is rules/app-wireguard.toml:

      entryPoints = ["wireguard"]
      rule = "HostHeader(`wireguard.MYDOMAIN.com`)"
      service = "wg-svc"
      middlewares = ["chain-no-auth"]

      passHostHeader = true
        url = ""

After recreating the traefik container I still get the same error entryPoint "wireguard" doesn't exist

Should I move the entire rules/app-wireguard.toml file into the labels part of the docker-compose? Is this what you mean that these methods are mutually exclusive?

You can create routes in a file as a part of the dynamic configuration or you can use labels. Traefik has a file provider and this is exactly what you are just using.

It is not related to the configuration types that I mentioned earlier.

What are the Traefik DEBUG logs when you run that compose file? Can you please check that defined entrypoint has been started? Are there any errors, warning?

Regular DNS entries. A dynamic dns service is the go to for home/dynamic ip addresses.

In the logs I read this line: level=debug msg="Start UDP Server" entryPointName=wireguard which made me realise that I've been creating a UDP entrypoint but an http router and service this whole time. I modified app-wireguard.toml as follows:

      entryPoints = ["wireguard"]
#      rule = "HostHeader(`wireguard.MYDOMAIN.com`)"
      service = "wg-svc"
#      middlewares = ["chain-no-auth"]

#      passHostHeader = true
        address = ""

I commented out variables which were not compatible with UDP according to the docs. Now the router is setup properly. (Everything OK in the dashboard.)

However this raises another question, how do I point my wireguard clients to a specific host.domain? Since UDP does not accept HostHeader rule I can only connect if I input my home IP directly.

@cakiwi sorry for deleting my previous post, I accidentally posted my domain. Is there a way for me to delete it permanently?

And yes, of course, with all of this meddling about with wild certificates in traefik I forgot about A records. Thank you.

I can't, I've flagged it for staff though.

Thanks! I'll mark this as solved since the original issue has been resolved.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.