I have a docker compose setup creating a bunch of services and want to use Traefik for terminating TLS and for load-balancing.
As some of the services need to call other internal services, which are also exposed, they need to do it via the public host name and including TLS. This is where the trouble comes in as it looks like Traefik does not intercept the communication at all and I didn't find a way to enforce routing over the proxy for specific hosts.
In my concrete case, I have a service that is accessed from the outside as "https://oauth.${domain}" (defined in "fxa-oauth" below) and another service that is accessed from the outside as "https://accounts.${domain}" (defined in "fxa-auth-server" below), which in turn needs to call the "fxa-oauth" service using its public base URL "https://oauth.${domain}".
How can I force the service calls from "fxa-auth-server" to "fxa-oauth" to go through Traefik and its TLS termination and load-balancing?
Excerpt of my docker-compose.yml for traefik v2:
version: '3.6'
networks:
  fxa-net:
    external: true
services:
  traefik:
    image: "traefik:2.0"
    container_name: fxa-proxy
    hostname: proxy.${DOMAIN_NAME}
    networks:
      fxa-net:
        ipv4_address: 10.2.3.1
    ports:
      - target: 80
        published: 80
        protocol: tcp
      - target: 443
        published: 443
        protocol: tcp
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./stages/test/traefik:/etc/traefik:ro
      - ./stages/test/tls:/tls:ro
    restart: unless-stopped
    labels:
      - "traefik.http.routers.api.rule=Host(`proxy.${DOMAIN_NAME}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.api.entrypoints=https"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=proxyAuth"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.middlewares.proxyAuth.basicauth.users=..."
...the service that needs to be called from other containers:
services:
  fxa-oauth:
    image: "mozilla/fxa-oauth-server:${FXA_VERSION}"
    container_name: fxa-oauth
    hostname: oauth.${DOMAIN_NAME}
    depends_on:
      - mysql-oauth
    restart: unless-stopped
    networks:
      fxa-net:
        aliases:
          - oauth.${DOMAIN_NAME}
    environment:
      ...
    volumes:
      - ./tmp/openid.key.json:/app/config/openid.key.json:ro
    command: node ./fxa-oauth-server/bin/server.js
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.oauth_http.rule=Host(`oauth.${DOMAIN_NAME}`)"
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.oauth_http.middlewares=https_redirect"
      - "traefik.http.routers.oauth_https.rule=Host(`oauth.${DOMAIN_NAME}`)"
      - "traefik.http.routers.oauth_https.tls=true"
      - "traefik.http.services.oauth_service.loadbalancer.server.port=9010"
...and the service that needs to call it:
services:
  fxa-auth-server:
    image: "mozilla/fxa-auth-server:${FXA_VERSION}"
    container_name: fxa-auth-server
    hostname: accounts.${DOMAIN_NAME}
    restart: unless-stopped
    depends_on:
      - ...
      - fxa-oauth
    networks:
      fxa-net:
        aliases:
          - accounts.${DOMAIN_NAME}
    environment: ...
    command: node ./bin/key_server.js
    volumes:
      - ./tmp/auth-keys:/keys:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.accounts_http.rule=Host(`accounts.${DOMAIN_NAME}`)"
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.accounts_http.middlewares=https_redirect"
      - "traefik.http.routers.accounts_https.rule=Host(`accounts.${DOMAIN_NAME}`)"
      - "traefik.http.routers.accounts_https.tls=true"
      - "traefik.http.services.accountsservice.loadbalancer.server.port=9000"
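The following compose fragment is an added example, not part of the question's own file. It shows the pattern that makes container-to-container calls on the public host names go through the proxy: inside `fxa-net`, Docker's embedded DNS answers for a name with whichever container carries that name as a network alias, so while `oauth.${DOMAIN_NAME}` is an alias of the `fxa-oauth` container itself, a caller connects straight to port 9010 and never reaches Traefik. Moving the public names to the `traefik` service (which already has the fixed address 10.2.3.1) makes them resolve to the proxy, where the existing `Host(...)` routers and TLS termination apply. The `NODE_EXTRA_CA_CERTS` setting and the `/tls/ca.pem` path are assumptions about the calling image and the certificate layout, not facts from the question.

```yaml
# Added example (not the question's compose file). Assumes the external
# network fxa-net, ${DOMAIN_NAME} and ${FXA_VERSION} from the question.
version: '3.6'
networks:
  fxa-net:
    external: true
services:
  traefik:
    image: "traefik:2.0"
    container_name: fxa-proxy
    networks:
      fxa-net:
        ipv4_address: 10.2.3.1
        # The public host names are aliases of the PROXY, so every container
        # on fxa-net that dials https://oauth.${DOMAIN_NAME} lands on Traefik.
        aliases:
          - oauth.${DOMAIN_NAME}
          - accounts.${DOMAIN_NAME}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./stages/test/traefik:/etc/traefik:ro
      - ./stages/test/tls:/tls:ro

  fxa-oauth:
    image: "mozilla/fxa-oauth-server:${FXA_VERSION}"
    container_name: fxa-oauth
    # No alias for the public name here: if the backend container also
    # carried oauth.${DOMAIN_NAME}, DNS could hand callers its address
    # and the request would bypass TLS termination and load-balancing.
    networks:
      - fxa-net
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.oauth_https.rule=Host(`oauth.${DOMAIN_NAME}`)"
      - "traefik.http.routers.oauth_https.entrypoints=https"
      - "traefik.http.routers.oauth_https.tls=true"
      - "traefik.http.services.oauth_service.loadbalancer.server.port=9010"

  fxa-auth-server:
    image: "mozilla/fxa-auth-server:${FXA_VERSION}"
    container_name: fxa-auth-server
    networks:
      - fxa-net
    depends_on:
      - fxa-oauth
    # Assumption: the image runs Node and honours NODE_EXTRA_CA_CERTS, so the
    # caller trusts the (test) CA that signed the certificate Traefik serves
    # for oauth.${DOMAIN_NAME}. Without this, the internal HTTPS call fails
    # certificate verification once it really goes through the proxy.
    environment:
      NODE_EXTRA_CA_CERTS: /tls/ca.pem
    volumes:
      - ./stages/test/tls/ca.pem:/tls/ca.pem:ro   # assumed CA file path
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.accounts_https.rule=Host(`accounts.${DOMAIN_NAME}`)"
      - "traefik.http.routers.accounts_https.entrypoints=https"
      - "traefik.http.routers.accounts_https.tls=true"
      - "traefik.http.services.accountsservice.loadbalancer.server.port=9000"
```

To check the effect, resolve `oauth.${DOMAIN_NAME}` from inside `fxa-auth-server` (for example with `getent hosts`, if the image has it): it should now return 10.2.3.1 rather than the `fxa-oauth` container's address. If you would rather not give Traefik the aliases, the per-caller equivalent is an `extra_hosts` entry such as `"oauth.${DOMAIN_NAME}:10.2.3.1"` on `fxa-auth-server`, which writes the mapping into that container's `/etc/hosts`. Either way the certificate Traefik presents must cover the public host name and be issued by a CA the calling container trusts, otherwise the call is routed correctly but rejected at the TLS handshake.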