Traefik + Docker + sftpgo - tcp connection issues

I've been trying to get my head around sftpgo and the Docker container over the last weekend.

My config works insofar as I can reach the web UI of sftpgo, but I cannot establish a TCP/SFTP connection to that container.

traefik.yaml

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "https"
          scheme: "https"
  https:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file
  sftp:
    address: ":2222/tcp"

sftpgo docker-compose.yaml

version: "3.0"

services:
    sftpgo:
        image: drakkan/sftpgo:v2.5.4-alpine
        container_name: sftpgo
        # Peer-facing ports
        expose:
            - "1111/tcp"
            - "2222/tcp"
 
        environment:
            # Proxy Protocol
            - "SFTPGO_COMMON__PROXY_PROTOCOL=2"
            - "SFTPGO_COMMON__PROXY_ALLOWED=0.0.0.0"
 
            # SFTP
            - "SFTPGO_SFTPD__BINDINGS__0__PORT=1111"
            - "SFTPGO_SFTPD__BINDINGS__0__PROXY_ALLOWED=0.0.0.0"
 
            # HTTP
            - "SFTPGO_HTTPD__BINDINGS__0__PORT=2222"
            - "SFTPGO_HTTPD__BINDINGS__0__PROXY_ALLOWED=0.0.0.0"
 
            # Defender (similar concept as Fail2ban) — see https://github.com/drakkan/sftpgo/blob/main/docs/defender.md
            - "SFTPGO_COMMON__DEFENDER__ENABLED=true"
            - "SFTPGO_COMMON__DEFENDER__BAN_TIME=30"
            - "SFTPGO_COMMON__DEFENDER__BAN_TIME_INCREMENT=50"
            - "SFTPGO_COMMON__DEFENDER__THRESHOLD=15"
            - "SFTPGO_COMMON__DEFENDER__OBSERVATION_TIME=30"
 
        volumes:
            - /opt/containers/sftpgo/data:/srv/sftpgo/data
            - /opt/containers/sftpgo/backups:/srv/sftpgo/backups
            - /opt/containers/sftpgo/config:/var/lib/sftpgo
        
        labels:
            - "traefik.enable=true"

            - "traefik.tcp.routers.sftpgo-tcp.entrypoints=sftp"
            - "traefik.tcp.routers.sftpgo-tcp.rule=HostSNI(`*`)"
            - "traefik.tcp.routers.sftpgo-tcp.tls=false"
            - "traefik.tcp.routers.sftpgo-tcp.service=sftpgo-tcp-proxy"
            - "traefik.tcp.services.sftpgo-tcp-proxy.loadbalancer.server.port=1111"

            - "traefik.http.routers.sftpgo.entrypoints=http"
            - "traefik.http.routers.sftpgo.rule=Host(`sftpgo.example.com`)"

            - "traefik.http.routers.sftpgo-secure.entrypoints=https"
            - "traefik.http.routers.sftpgo-secure.rule=Host(`sftpgo.example.com`)"
            - "traefik.http.routers.sftpgo-secure.tls=true"
            - "traefik.http.routers.sftpgo-secure.tls.certresolver=http"
            - "traefik.http.routers.sftpgo-secure.service=sftpgo-proxy"
            - "traefik.http.services.sftpgo-proxy.loadbalancer.server.port=2222"

            - "traefik.docker.network=proxy"
       
        networks:
            - proxy
 
        restart: unless-stopped

networks:
    proxy:
        external: true

In the web UI I can see that the SFTP server is running.

Output of docker ps (seems like the ports are populated):

a7a581a23a90   drakkan/sftpgo:v2.5.4-alpine                "sftpgo serve"           5 minutes ago   Up 5 minutes            1111/tcp, 2222/tcp                                                                                                                                                                                                                  sftpgo

Checked firewall rules, seems OK.

The Traefik dashboard looks fine to me as well.

Test connection from the Docker host machine. Same results from an external connection:

{13:55:10} root@docker-live:[/opt/containers/sftpgo]: sftp -oPort=2222 testuser@localhost
ssh: connect to host localhost port 2222: Connection refused
Connection closed.
Connection closed
{13:55:20} root@docker-live:[/opt/containers/sftpgo]: sftp -oPort=1111 testuser@localhost
ssh: connect to host localhost port 1111: Connection refused
Connection closed.
Connection closed

My guess is that the load balancer of Traefik is probably not working and I have misconfigured something. But I cannot figure out what's wrong here. Any direction where I can take a closer look would help.

Seems you mixed up 1111 and 2222. Create your sftp entrypoint with 1111 and make sure you open the container port.

Try to set the proxy protocol manually on the TCP service. It looks like Traefik is not setting it up by default, but I am not sure. I'm using traefik:v2.10.7.

- "traefik.tcp.services.<your-service>.loadbalancer.proxyprotocol.version=2"

In your case:

- "traefik.tcp.services.sftpgo-tcp-proxy.loadbalancer.proxyprotocol.version=2"

Then you can try to connect on 2222 (the Traefik entrypoint), which points to sftpgo port 1111 inside the container.

It solved my problems.

My config, most important settings (I didn't set up allowed proxies in the sftpgo config):

# Traefik static config, entrypoints
    sftpgo:
        address: ":2022"

# Traefik docker-compose
    ports:
      - 2022:2022


# sftpgo docker-compose
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.sftpgo.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.sftpgo.entrypoints=sftpgo"
      - "traefik.tcp.services.sftpgo-service.loadbalancer.server.port=2022"
      - "traefik.tcp.services.sftpgo-service.loadbalancer.proxyprotocol.version=2"
    expose:
      - 2022

    environment:
      - SFTPGO_SFTPD__BINDINGS__0__PORT=2022
      - SFTPGO_COMMON__PROXY_PROTOCOL=2
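
What the `proxyprotocol.version=2` label changes on the wire, as an added example (not part of the original answers, and not Traefik's or SFTPGo's code): with the label, the stream handed to the backend starts with a PROXY protocol v2 header carrying the real client address; without it, the first bytes are the client's SSH identification string, which a backend that insists on the header cannot parse. The addresses and banner below are constructed samples, and only TCP over IPv4 is handled.

```python
import ipaddress
import struct

# 12-byte signature that starts every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_proxy_v2(src_ip, src_port, dst_ip, dst_port):
    """Header a proxy prepends for one TCP-over-IPv4 connection."""
    addrs = (ipaddress.IPv4Address(src_ip).packed
             + ipaddress.IPv4Address(dst_ip).packed
             + struct.pack("!HH", src_port, dst_port))
    # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + STREAM
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs


def parse_proxy_v2(data):
    """Return (src_ip, src_port, dst_ip, dst_port, payload) or raise ValueError."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature, stream starts with %r" % data[:12])
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21 or fam_proto != 0x11:
        raise ValueError("example handles only v2 PROXY for TCP over IPv4")
    body = data[16:16 + length]
    if length < 12 or len(body) < length:
        raise ValueError("truncated PROXY v2 address block")
    src = str(ipaddress.IPv4Address(body[0:4]))
    dst = str(ipaddress.IPv4Address(body[4:8]))
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    return src, src_port, dst, dst_port, data[16 + length:]


def first_bytes_ok(data):
    """True if a backend that requires PROXY v2 could accept this stream start."""
    try:
        parse_proxy_v2(data)
        return True
    except ValueError:
        return False


# Constructed samples: an SSH client's identification string, alone and
# behind a header naming a documentation-range client and a container address.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
WITH_HEADER = build_proxy_v2("203.0.113.7", 50122, "172.18.0.5", 1111) + SSH_BANNER

if __name__ == "__main__":
    print(parse_proxy_v2(WITH_HEADER))  # real client address survives the proxy hop
    print(first_bytes_ok(SSH_BANNER))   # no header: required-mode backend rejects
```

Since this header is where the backend learns the client address, it should only be honoured when it comes from the proxy's own address, which is what the `PROXY_ALLOWED` settings in the question control.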