Traefik does not work with MariaDB

So I have small cluster of RPI's - DockeSwarm, 4 hosts 1 manager running Traefik and on one of worker nodes there is MariaDB that is just working fine with standard Docker load balancing when port 3306 is exposed.
Traefik version is 2.6.1 from what I can see on dashboard and it works just fine with a lot of services on ports 443 and 80.
Here is my Traefik Config(docker-compose) - more or less - I copied it from unmanaged portainer stack so formatting might be a little off due to c&p from GUI:

version: '3.2'
services:
  reverse-proxy:
    image: traefik
    ports:
      - 80:80
      - 443:443
      - 3306:3306
    volumes:
      - /mnt/docker/traefik/data:/etc/traefik
      - /mnt/docker/traefik/certs:/ssl-certs
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - OVH_ENDPOINT=XXX
      - OVH_APPLICATION_KEY=XXX
      - OVH_APPLICATION_SECRET=XXX
      - OVH_CONSUMER_KEY=XXX
    networks:
      - proxy
    deploy:
      placement:
        constraints:
          - node.role==manager
      labels:
        - traefik.enable=true
        - traefik.docker.network=proxy

        - traefik.http.middlewares.reverse-proxy-auth.basicauth.users=XXX



        - traefik.http.services.reverse-proxy.loadbalancer.server.port=8080

        - traefik.http.routers.reverse-proxy.rule=Host(`traefik.heima.ovh`)
        - traefik.http.routers.reverse-proxy.tls=true
        - traefik.http.routers.reverse-proxy.tls.domains[0].main=heima.ovh
        - traefik.http.routers.reverse-proxy.tls.domains[0].sans=*.heima.ovh
        - traefik.http.routers.reverse-proxy.tls.certresolver=production
        - traefik.http.routers.reverse-proxy.entrypoints=web,websecure
        - traefik.http.routers.reverse-proxy.middlewares=heima-cors-headers@file, reverse-proxy-auth@docker


#		  Ping for dashboard
        - traefik.http.routers.traefik-ping.rule=Host(`traefik.heima.ovh`) && Path(`/ping`)
        - traefik.http.routers.traefik-ping.tls=true
        - traefik.http.routers.traefik-ping.tls.domains[0].main=heima.ovh
        - traefik.http.routers.traefik-ping.tls.domains[0].sans=*.heima.ovh
        - traefik.http.routers.traefik-ping.tls.certresolver=production
        - traefik.http.routers.traefik-ping.entrypoints=web,websecure
        - traefik.http.routers.traefik-ping.middlewares=heima-cors-headers@file

networks:
    proxy:
        external: true

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

ping: {}

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

  mariadb:
    address: :3306

certificatesResolvers:
  staging:
    acme:
      email: XXX
      storage: /ssl-certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: ovh
        delayBeforeCheck: 10

  production:
    acme:
      email: XXX
      storage: /ssl-certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: ovh
        delayBeforeCheck: 10

providers:
  docker:
    swarmMode: true
    exposedByDefault: false
    watch: true
  file:
    filename: /etc/traefik/config.yml
    directory: /etc/traefik
    watch: true

In config.yml there are just a few static routes to things like my router configuration or CUPS wireless server/access point and one header containing info about CORS headers for my domain so I don't think it should matter in this example.

And lastly my MariaDB config(docker-compose):

version: '3.2'
services:
  mysqldb:
    image: arm64v8/mariadb:latest
    restart: always
    volumes:
      - /mnt/docker/mariadb/data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=my-secret-pw
    networks:
      - proxy
    command: --character-set-server=utf8 --collation-server=utf8_general_ci
    deploy:
      placement:
        constraints:
          - node.role==worker
          
      labels:
        - traefik.enable=true
        - traefik.docker.network=proxy

        - traefik.tcp.routers.mariadb.rule=HostSNI(`*`)
        - traefik.tcp.routers.mariadb.entrypoints=mariadb
        - traefik.tcp.routers.mariadb.service=mariadb
        - traefik.tcp.services.mariadb.loadbalancer.server.port=3306


networks:
    proxy:
        external: true

And now the thing is... I can see this config in my Traefik dashboard, but I cant access it in both my IDE and my containers also can't see this database:

I tried different configs:

  • jdbc:mysql://mariadb.heima.ovh:3306/
  • jdbc:mysql://heima.ovh:3306/
  • jdbc:mysql://heima.ovh/
  • jdbc:mysql://mariadb.heima.ovh/

And it just can't connect to it. I think I read all related posts on this but nothing seems to work for me. I am only able to access this DB when I expose the port in docker container and use it that way.

Remove - traefik.tcp.routers.mariadb.service=mariadb ?

The same :frowning:
It looks like a bug to me. I don't see any problems in the logs of both services, but still I can't connect to it.

Ok I found the problem. Default entypoints are by default ALL. When I defined new entrypoint mariadb it was automatically assigned to HTTP routes. After updating all my serices to only use web and websecure entrypoints TCP route started working correctly.

1 Like

Thanks @Lorthiz

Still seems suspect as I believe the TCP routers should be evaluated before HTTP.

Glad its working for you!

1 Like

Yeah I also thought so. But as it seems it might had some inpact. Or if that was not the fix then it was fixed in traefik 2.6.2 and I did not notice it when I updated the Traefik.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.