Traefik connection refused only for photoprism

I've been trying to get traefik working with photoprism but no dice. Tried different options found here in the forum but still get connection refused. Debug Logs below.
2024-05-15 16:13:05 traefik | 2024-05-15T21:13:05Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 662a80fbb35844a9
2024-05-15 16:13:05 traefik | 2024-05-15T21:13:05Z DBG github.com/traefik/traefik/v3/pkg/server/service/proxy.go:100 > 502 Bad Gateway error="dial tcp 172.18.0.5:2600: connect: connection refused"

I have other services working fine with traefik; it's only photoprism that is having problems. This is on a Windows 11 host machine.

Here are the docker compose files for both photoprism and traefik. They use an external network named proxy to communicate with each other.
Traefik docker compose.yml

version: "3"

services:
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: unless-stopped
    depends_on:
      - socket-proxy
    ports:
      - "80:80"
      - "443:443"
 
    volumes:
      - "./traefik.yml:/traefik.yml:ro"
      - "./rules:/rules:ro"
      - "./letsencrypt:/letsencrypt"
      - ./logs/:/logs/
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    networks:
      - proxy
    extra_hosts:
      - host.docker.internal:172.18.0.1 # Needed to avoid Bad Gateway
    labels:
      - "traefik.enable=true"

      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"

      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"

      # redirect root to www
      - "traefik.http.routers.root.rule=host(`duckdns.org`)"
      - "traefik.http.routers.root.entrypoints=https"
      - "traefik.http.routers.root.middlewares=redirect-root-to-www"
      - "traefik.http.routers.root.tls=true"

      # middleware redirect root to www
      - "traefik.http.middlewares.redirect-root-to-www.redirectregex.regex=^https://duckdns\\.org/(.*)"
      - "traefik.http.middlewares.redirect-root-to-www.redirectregex.replacement=https://www.duckdns.org/$${1}"

      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"

  socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: traefik-socket-proxy
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      CONTAINERS: 1
    networks:
      - proxy
    labels:
      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"

networks:
  proxy:
    external: true
    

Photoprism docker compose .yml

# Example Docker Compose config file for PhotoPrism (Windows / AMD64)
#
# Note:
# - Running PhotoPrism on a server with less than 4 GB of swap space or setting a memory/swap limit can cause unexpected
#   restarts ("crashes"), for example, when the indexer temporarily needs more memory to process large files.
# - Windows Pro users should disable the WSL 2 based engine in Docker Settings > General so that
#   they can mount drives other than C:. This will enable Hyper-V, which Microsoft doesn't offer
#   to its Windows Home customers. Docker Desktop uses dynamic memory allocation with WSL 2.
#   It's important to explicitly increase the Docker memory limit to 4 GB or more when using Hyper-V.
#   The default of 2 GB may reduce indexing performance and cause unexpected restarts.
# - If you install PhotoPrism on a public server outside your home network, please always run it behind a secure
#   HTTPS reverse proxy such as Traefik or Caddy. Your files and passwords will otherwise be transmitted
#   in clear text and can be intercepted by anyone, including your provider, hackers, and governments:
#   https://docs.photoprism.app/getting-started/proxies/traefik/
#
# Setup Guide:
# - https://docs.photoprism.app/getting-started/docker-compose/
# - https://www.photoprism.app/kb/activation
#
# Troubleshooting Checklists:
# - https://docs.photoprism.app/getting-started/troubleshooting/
# - https://docs.photoprism.app/getting-started/troubleshooting/docker/
# - https://docs.photoprism.app/getting-started/troubleshooting/mariadb/
# - https://docs.photoprism.app/getting-started/troubleshooting/windows/
#
# CLI Commands:
# - https://docs.photoprism.app/getting-started/docker-compose/#command-line-interface

services:
  photoprism:
    ## Use photoprism/photoprism:preview for testing preview builds:
    image: photoprism/photoprism:latest
    ## Don't enable automatic restarts until PhotoPrism has been properly configured and tested!
    ## If the service gets stuck in a restart loop, this points to a memory, filesystem, network, or database issue:
    ## https://docs.photoprism.app/getting-started/troubleshooting/#fatal-server-errors
    # restart: unless-stopped
    stop_grace_period: 10s
    depends_on:
      - mariadb
    security_opt:
      - seccomp:unconfined
      - apparmor:unconfined
    ## Server port mapping in the format "Host:Container". To use a different port, change the host port on
    ## the left-hand side and keep the container port, e.g. "80:2342" (for HTTP) or "443:2342" (for HTTPS):
    # ports:
    #   - "2600:2600" # no difference with or without this option
    ## Before you start the service, please check the following config options (and change them as needed):
    ## https://docs.photoprism.app/getting-started/config-options/
    environment:
      PHOTOPRISM_ADMIN_USER: "admin"                 # admin login username
      PHOTOPRISM_ADMIN_PASSWORD: "zzzzzzz"          # initial admin password (8-72 characters)
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
      PHOTOPRISM_SITE_URL: "https://zzzzzzz.duckdns.org/"  # server URL in the format "http(s)://domain.name(:port)/(path)"
      PHOTOPRISM_DISABLE_TLS: "false"                # disables HTTPS/TLS even if the site URL starts with https:// and a certificate is available
      PHOTOPRISM_DEFAULT_TLS: "true"                 # defaults to a self-signed HTTPS/TLS certificate if no other certificate is available
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_DEBUG: "false"                      # run in debug mode, shows additional log messages
      PHOTOPRISM_READONLY: "false"                   # do not modify originals folder; disables import, upload, and delete
      PHOTOPRISM_EXPERIMENTAL: "false"               # enables experimental features
      PHOTOPRISM_DISABLE_CHOWN: "false"              # disables updating storage permissions via chmod and chown on startup
      PHOTOPRISM_DISABLE_WEBDAV: "false"             # disables built-in WebDAV server
      PHOTOPRISM_DISABLE_SETTINGS: "false"           # disables settings UI and API
      PHOTOPRISM_DISABLE_TENSORFLOW: "false"         # disables all features depending on TensorFlow
      PHOTOPRISM_DISABLE_FACES: "false"              # disables face detection and recognition (requires TensorFlow)
      PHOTOPRISM_DISABLE_CLASSIFICATION: "false"     # disables image classification (requires TensorFlow)
      PHOTOPRISM_DISABLE_VECTORS: "false"            # disables vector graphics support
      PHOTOPRISM_DISABLE_RAW: "false"                # disables indexing and conversion of RAW images
      PHOTOPRISM_RAW_PRESETS: "false"                # enables applying user presets when converting RAW images (reduces performance)
      PHOTOPRISM_JPEG_QUALITY: 85                    # a higher value increases the quality and file size of JPEG images and thumbnails (25-100)
      PHOTOPRISM_DETECT_NSFW: "false"                # automatically flags photos as private that MAY be offensive (requires TensorFlow)
      PHOTOPRISM_UPLOAD_NSFW: "true"                 # allows uploads that MAY be offensive (no effect without TensorFlow)
      PHOTOPRISM_DATABASE_DRIVER: "mysql"            # use MariaDB 10.5+ or MySQL 8+ instead of SQLite for improved performance
      PHOTOPRISM_DATABASE_SERVER: "mariadb:3306"     # MariaDB or MySQL database server hostname (:port is optional)
      PHOTOPRISM_DATABASE_NAME: "photoprism"         # MariaDB or MySQL database schema name
      PHOTOPRISM_DATABASE_USER: "photoprism"         # MariaDB or MySQL database user name
      PHOTOPRISM_DATABASE_PASSWORD: "insecure"       # MariaDB or MySQL database user password
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
      ## Video Transcoding (https://docs.photoprism.app/getting-started/advanced/transcoding/):
      # PHOTOPRISM_FFMPEG_ENCODER: "software"        # H.264/AVC encoder (software, intel, nvidia, apple, raspberry, or vaapi)
      # PHOTOPRISM_FFMPEG_SIZE: "1920"               # video size limit in pixels (720-7680) (default: 3840)
      # PHOTOPRISM_FFMPEG_BITRATE: "32"              # video bitrate limit in Mbit/s (default: 50)
    working_dir: "/photoprism" # do not change or remove
    ## Storage Folders: use "/" not "\" as separator, "~" is a shortcut for C:/user/{username}, "." for the current directory
    volumes:
      # "C:/user/username/folder:/photoprism/folder"       # example
      - "~/Pictures:/photoprism/originals"                 # original media files (photos and videos)
      # - "D:/example/family:/photoprism/originals/family" # *additional* media folders can be mounted like this
      # - "E:/:/photoprism/import"                         # *optional* base folder from which files can be imported to originals
      - "./storage:/photoprism/storage"                    # *writable* storage folder for cache, database, and sidecar files (never remove)

  
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.photoprism.rule=Host(`zzzzzzz.duckdns.org`)"
      - "traefik.http.routers.photoprism.entrypoints=https"
      - "traefik.http.routers.photoprism.tls=true"
      - "traefik.http.routers.photoprism.tls.certresolver=mydnschallenge"
      #- "traefik.http.routers.photoprism.service=photoprism-service"
      - "traefik.http.services.photoprism.loadbalancer.server.port=2600"
      - "traefik.docker.network=proxy"


  ## MariaDB Database Server (recommended)
  ## see https://docs.photoprism.app/getting-started/faq/#should-i-use-sqlite-mariadb-or-mysql
  mariadb:
    image: mariadb:11
    ## If MariaDB gets stuck in a restart loop, this points to a memory or filesystem issue:
    ## https://docs.photoprism.app/getting-started/troubleshooting/#fatal-server-errors
    restart: unless-stopped
    stop_grace_period: 5s
    security_opt: # see https://github.com/MariaDB/mariadb-docker/issues/434#issuecomment-1136151239
      - seccomp:unconfined
      - apparmor:unconfined
    ## --lower-case-table-names=1 stores tables in lowercase and compares names in a case-insensitive manner
    ## see https://mariadb.com/kb/en/server-system-variables/#lower_case_table_names
    command: --innodb-buffer-pool-size=512M --lower-case-table-names=1 --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
    volumes:
      - "database:/var/lib/mysql" # Named volume "database" is defined at the bottom (DO NOT REMOVE)
    environment:
      MARIADB_AUTO_UPGRADE: "1"
      MARIADB_INITDB_SKIP_TZINFO: "1"
      MARIADB_DATABASE: "photoprism"
      MARIADB_USER: "photoprism"
      MARIADB_PASSWORD: "insecure"
      MARIADB_ROOT_PASSWORD: "insecure"

  ## Watchtower upgrades services automatically (optional)
  ## see https://docs.photoprism.app/getting-started/updates/#watchtower
  #
  # watchtower:
  #   restart: unless-stopped
  #   image: containrrr/watchtower
  #   environment:
  #     WATCHTOWER_CLEANUP: "true"
  #     WATCHTOWER_POLL_INTERVAL: 7200 # checks for updates every two hours
  #   volumes:
  #     - "/var/run/docker.sock:/var/run/docker.sock"
  #     - "~/.docker/config.json:/config.json" # optional, for authentication if you have a Docker Hub account

## Create named volumes, advanced users may remove this if they mount a regular host folder
## for the database or use SQLite instead (never remove otherwise)
volumes:
  database:
    driver: local
    
networks:
  proxy:
    external: true

traefik.yml


entryPoints:
  http:
    address: ":80"

  https:
    address: ":443"

providers:
  docker:
    endpoint: "tcp://socket-proxy:2375"
    exposedByDefault: false

  file:
    directory: /rules
    watch: true

certificatesResolvers:
  mydnschallenge:
    acme:
      email: zzzzz@gmail.com
      storage: ./letsencrypt/acme.json
      dnsChallenge:
        provider: duckdns
        delayBeforeCheck: 10

log:
  level: DEBUG

Interesting approach to increase security with a docker-socket-proxy from a trusted source :smiling_face:, but then place it in the common proxy network for everyone to reach.

Are all containers up and running? I see a lot of depends_on.

Note that you can reduce dynamic config in labels by placing http-to-https and LetsEncrypt one time on entrypoints, see simple Traefik example.
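
The point raised in the reply above about the socket proxy sharing the common proxy network, shown as an added example that is not part of the original thread: the Docker API proxy gets its own network that only Traefik joins, so backends on `proxy` cannot reach `socket-proxy:2375`. The network name `socket` is an assumption chosen for illustration; everything else is taken from the compose file posted above.

```yaml
# Added example, not from the thread. "socket" is a hypothetical network name.
# In the posted file, traefik, socket-proxy and photoprism all share "proxy",
# so any container on "proxy" can query the Docker API through the socket proxy.
services:
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: unless-stopped
    depends_on:
      - socket-proxy
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy    # backends such as photoprism are reached here
      - socket   # Docker API proxy is reached here
    # traefik.yml is unchanged: providers.docker.endpoint stays
    # "tcp://socket-proxy:2375". Because Traefik now sits on two networks,
    # keep the "traefik.docker.network=proxy" label on each backend so that
    # Traefik picks the backend address on the shared network.

  socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: traefik-socket-proxy
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      CONTAINERS: 1
    networks:
      - socket   # deliberately not attached to "proxy"

networks:
  proxy:
    external: true
  socket:
    internal: true   # no route out of this network; only traefik and socket-proxy join it
```
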

Thanks, but credit goes to BaptisteBdn (Baptiste BEDUNEAU) · GitHub where he explains the reason for increased security.
Yes, both the depends on are up and running and traefik is able to route other services I have. If I take out the loadbalancer label in photoprism I get a 404 error, otherwise I get bad gateway. I did a Docker inspect on photoprism and the ports all look good. There is no reason why the connection should be refused.

In this example they use port 2342.

I had tried 2342 before with the same results. Do you think the socket proxy could cause this?

Socket proxy should just restrict access, not change any data, so I doubt it.

What is the Photoprism log telling you? Is it up and running and listening on the port?

The logs show that it's not listening. When I comment out networks: and restart, it starts listening on the specified port.

That doesn’t make sense. For Photoprism there should be no difference inside the container when Docker network is attached or not.

Except you set it to listen on a specific address, but usually it’s 0.0.0.0, so listening to all available interfaces.

Share your current Photoprism compose file.

Basic example works for me. Note that I disabled the special UID/GID for testing.

docker-compose.yml :

services:
  traefik:
    image: traefik:v2.11
    command: --configFile=/config/traefik.yml
    ports:
      - published: 80
        target: 80
        protocol: tcp
        mode: host
      - published: 443
        target: 443
        protocol: tcp
        mode: host
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/log:/var/log
      - ./config:/config

  whoami:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`) || PathPrefix(`/whoami`)
      - traefik.http.services.whoami.loadbalancer.server.port=80

  # Example Docker Compose config file for PhotoPrism (Linux / AMD64)
  photoprism:
    image: photoprism/photoprism:latest
    restart: unless-stopped
    depends_on:
      - mariadb
    security_opt:
      - seccomp:unconfined
      - apparmor:unconfined
    #ports:
    #  - "2342:2342"
    environment:
      PHOTOPRISM_ADMIN_USER: "admin"                 # admin login username
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # initial admin password (8-72 characters)
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
      PHOTOPRISM_SITE_URL: "https://photoprism.example.com/"  # server URL in the format "http(s)://domain.name(:port)/(path)"
      PHOTOPRISM_DISABLE_TLS: "true"                # disables HTTPS/TLS even if the site URL starts with https:// and a certificate is available
      PHOTOPRISM_DEFAULT_TLS: "false"                 # defaults to a self-signed HTTPS/TLS certificate if no other certificate is available
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
      PHOTOPRISM_READONLY: "false"                   # do not modify originals directory (reduced functionality)
      PHOTOPRISM_EXPERIMENTAL: "false"               # enables experimental features
      PHOTOPRISM_DISABLE_CHOWN: "false"              # disables updating storage permissions via chmod and chown on startup
      PHOTOPRISM_DISABLE_WEBDAV: "false"             # disables built-in WebDAV server
      PHOTOPRISM_DISABLE_SETTINGS: "false"           # disables settings UI and API
      PHOTOPRISM_DISABLE_TENSORFLOW: "false"         # disables all features depending on TensorFlow
      PHOTOPRISM_DISABLE_FACES: "false"              # disables face detection and recognition (requires TensorFlow)
      PHOTOPRISM_DISABLE_CLASSIFICATION: "false"     # disables image classification (requires TensorFlow)
      PHOTOPRISM_DISABLE_VECTORS: "false"            # disables vector graphics support
      PHOTOPRISM_DISABLE_RAW: "false"                # disables indexing and conversion of RAW images
      PHOTOPRISM_RAW_PRESETS: "false"                # enables applying user presets when converting RAW images (reduces performance)
      PHOTOPRISM_JPEG_QUALITY: 85                    # a higher value increases the quality and file size of JPEG images and thumbnails (25-100)
      PHOTOPRISM_DETECT_NSFW: "false"                # automatically flags photos as private that MAY be offensive (requires TensorFlow)
      PHOTOPRISM_UPLOAD_NSFW: "true"                 # allows uploads that MAY be offensive (no effect without TensorFlow)
      # PHOTOPRISM_DATABASE_DRIVER: "sqlite"         # SQLite is an embedded database that doesn't require a server
      PHOTOPRISM_DATABASE_DRIVER: "mysql"            # use MariaDB 10.5+ or MySQL 8+ instead of SQLite for improved performance
      PHOTOPRISM_DATABASE_SERVER: "mariadb:3306"     # MariaDB or MySQL database server (hostname:port)
      PHOTOPRISM_DATABASE_NAME: "photoprism"         # MariaDB or MySQL database schema name
      PHOTOPRISM_DATABASE_USER: "photoprism"         # MariaDB or MySQL database user name
      PHOTOPRISM_DATABASE_PASSWORD: "insecure"       # MariaDB or MySQL database user password
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
      ## Video Transcoding (https://docs.photoprism.app/getting-started/advanced/transcoding/):
      # PHOTOPRISM_FFMPEG_ENCODER: "software"        # H.264/AVC encoder (software, intel, nvidia, apple, raspberry, or vaapi)
      # PHOTOPRISM_FFMPEG_SIZE: "1920"               # video size limit in pixels (720-7680) (default: 3840)
      # PHOTOPRISM_FFMPEG_BITRATE: "32"              # video bitrate limit in Mbit/s (default: 50)
      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
      # PHOTOPRISM_INIT: "https gpu tensorflow"
      ## Run as a non-root user after initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
      # PHOTOPRISM_UID: 1000
      # PHOTOPRISM_GID: 1000
      # PHOTOPRISM_UMASK: 0000
    ## Start as non-root user before initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
    # user: "1000:1000"
    working_dir: "/photoprism" # do not change or remove
    volumes:
      # "/host/folder:/photoprism/folder"                # Example
      #- "~/Pictures:/photoprism/originals"               # Original media files (DO NOT REMOVE)
      # - "/example/family:/photoprism/originals/family" # *Additional* media folders can be mounted like this
      # - "~/Import:/photoprism/import"                  # *Optional* base folder from which files can be imported to originals
      - "./storage:/photoprism/storage"                  # *Writable* storage folder for cache, database, and sidecar files (DO NOT REMOVE)
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.photoprism.entrypoints=websecure
      - traefik.http.routers.photoprism.rule=Host(`photoprism.example.com`)
      - traefik.http.services.photoprism.loadbalancer.server.port=2342

  ## MariaDB Database Server (recommended)
  mariadb:
    image: mariadb:11
    restart: unless-stopped
    stop_grace_period: 5s
    security_opt:
      - seccomp:unconfined
      - apparmor:unconfined
    command: --innodb-buffer-pool-size=512M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
    volumes:
      - "./database:/var/lib/mysql" # DO NOT REMOVE
    environment:
      MARIADB_AUTO_UPGRADE: "1"
      MARIADB_INITDB_SKIP_TZINFO: "1"
      MARIADB_DATABASE: "photoprism"
      MARIADB_USER: "photoprism"
      MARIADB_PASSWORD: "insecure"
      MARIADB_ROOT_PASSWORD: "insecure"
    networks:
      - proxy

networks:
  proxy:
    name: proxy
    attachable: true

./config/traefik.yml :

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxy
  file:
    directory: /config
    watch: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    http:
      tls:
        certResolver: myresolver
  traefik:
    address: :8080

api:
  dashboard: true
  debug: false
  insecure: false

log:
  level: DEBUG

accessLog: {}

certificatesResolvers:
  myresolver:
    acme:
      email: mail@example.com
      storage: /config/acme.json
      tlsChallenge: {}

Thank you so much!! Finally this is working. There are a lot of changes from the original docker_compose.yml, so I'm not exactly sure what was wrong, but I will post if I find anything.