salacr
September 29, 2024, 6:14pm
1
Hi,
I'm running latest traefik (v3.1.4) as docker compose:

```yaml
version: '3'
services:
  traefik:
    # The official v2 Traefik docker image
    image: traefik:v3.1.4
    container_name: traefik
    restart: always
    volumes:
      - ./dynamic_conf.yml:/etc/traefik/dynamic_conf.yml
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./shared:/shared
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    network_mode: host
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
```
But it didn't work as expected. I was unable to get to the services; after some debugging I found that it listens only on tcp6:
```
ubuntu@arm:~/projects-docker/traefic$ sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2567/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      709/systemd-resolve
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      709/systemd-resolve
tcp6       0      0 :::8080                 :::*                    LISTEN      2575/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      1/init
tcp6       0      0 :::80                   :::*                    LISTEN      3310/traefik
tcp6       0      0 :::111                  :::*                    LISTEN      1/init
tcp6       0      0 :::443                  :::*                    LISTEN      3310/traefik
```
Any advice on how to also enforce tcp / IPv4?
My setup is as this:
docker:
```
ubuntu@arm:~/projects-docker/traefic$ docker info
Client: Docker Engine - Community
 Version: 27.3.1
 Context: default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
   Version: v0.17.1
   Path: /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
   Version: v2.29.7
   Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
 Containers: 3
  Running: 3
  Paused: 0
  Stopped: 0
 Images: 5
 Server Version: 27.3.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
 runc version: v1.1.14-0-g2c9f560
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-1013-oracle
 Operating System: Ubuntu 24.04.1 LTS
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 23.42GiB
 Name: arm
 ID: eca0d048-0b46-4266-963d-46de3e3bae7c
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
```
ubuntu:
```
ubuntu@arm:~/projects-docker/traefic$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
```
It's an ARM instance in Oracle OCI.
You don’t show your full Traefik static and dynamic config, we don’t even know which port you want to use.
Have you tried `curl`, it seems sometimes the `netstat` result wasn’t reliable.
salacr
September 30, 2024, 6:23am
3
Sorry, I tried to provide all necessary information and forgot this one.
So traefik.yml:

```yaml
accessLog: {}
log:
  level: DEBUG # DEBUG / INFO
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          scheme: https
  websecure:
    address: ":443"
providers:
  file:
    filename: /etc/traefik/dynamic_conf.yml
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  acmeresolver:
    acme:
      email: "my@email.com"
      storage: "/shared/acme.json"
      httpChallenge:
        entryPoint: web
# API and dashboard configuration
api:
  insecure: false
  dashboard: false
```
dynamic_conf.yml:

```yaml
http:
  middlewares:
    # Redirect non-www URLs to their www equivalent
    # Use with traefik.http.routers.myRouter.middlewares: "redirect-non-www-to-www@file"
    redirect-non-www-to-www:
      # Redirect a request from an url to another with regex matching and replacement
      redirectregex:
        # Apply a permanent redirection (HTTP 301)
        permanent: true
        # The regular expression to match and capture elements from the request URL
        regex: "^https?://(?:www\\.)?(.+)"
        # How to modify the URL to have the new target URL
        replacement: "https://www.${1}"
    # Redirect www URLs to their non-www equivalent
    # Use with traefik.http.routers.myRouter.middlewares: "redirect-www-to-non-www@file"
    redirect-www-to-non-www:
      # Redirect a request from an url to another with regex matching and replacement
      redirectregex:
        # Apply a permanent redirection (HTTP 301)
        permanent: true
        # The regular expression to match and capture elements from the request URL
        regex: "^https?://www\\.(.+)"
        # How to modify the URL to have the new target URL
        replacement: "https://${1}"
    obfuscate-server-header:
      headers:
        customResponseHeaders:
          server: Apache
```
and finally the labels:

```yaml
labels:
  - traefik.enable=true
  - traefik.http.routers.rss.rule=Host(`rss.example.org`)
  - traefik.http.routers.rss.tls=true
  - traefik.http.routers.rss.tls.certresolver=acmeresolver
  - traefik.http.routers.rss.middlewares=obfuscate-server-header@file,redirect-www-to-non-www@file
```
I tried to remove the middlewares altogether but the result is the same. I believe that the problem is really with tcp6, as

```
curl 193.122.15.111:80
curl: (7) Failed to connect to 193.122.15.111 port 80 after 34 ms: Couldn't connect to server
```

On the other hand, if I try:

```
curl 193.122.15.111:8080
```

I will get a proper result. The firewall shouldn't be an issue: I can run the service which is now on 8080 (and which I'm trying to proxy) on port 80 and it's working.
Works for me.
On a non-Oracle ARM server with latest Ubuntu:

```bash
apt update && apt -y upgrade
apt install -y sudo htop git fail2ban curl wget
curl -fsSL https://get.docker.com | sh -
adduser test
sudo usermod -aG sudo test
su - test
sudo docker run -d -p 80:80 -p 8080:8080 --name traefik traefik:v3.1 --api.insecure=true --entrypoints.web.address=:80 --accesslog=true
sudo netstat -tulpn
```

```
$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9880/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      596/systemd-resolve
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      596/systemd-resolve
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      9901/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      1/init
tcp6       0      0 :::80                   :::*                    LISTEN      9895/docker-proxy
tcp6       0      0 :::8080                 :::*                    LISTEN      9908/docker-proxy
udp        0      0 127.0.0.54:53           0.0.0.0:*                           596/systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           596/systemd-resolve
udp        0      0 1.2.3.4:68              0.0.0.0:*                           751/systemd-network
```
Update: Never mind, does not work with `--network host`:

```
$ sudo docker run -d --network host --name traefik traefik:v3.1 --api.insecure=true --entrypoints.web.address=:80 --accesslog=true
$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      596/systemd-resolve
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      596/systemd-resolve
tcp6       0      0 :::22                   :::*                    LISTEN      1/init
tcp6       0      0 :::80                   :::*                    LISTEN      10366/traefik
tcp6       0      0 :::8080                 :::*                    LISTEN      10366/traefik
udp        0      0 127.0.0.54:53           0.0.0.0:*                           596/systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           596/systemd-resolve
udp        0      0 1.2.3.4:68              0.0.0.0:*                           751/systemd-network
```
That's probably a case for forums.docker.com.
Update 2: It does work. `netstat` does not show the port to be listened to, but `curl` still works with both IPv4 and IPv6, I see both requests appearing in Traefik log.

```
$ sudo docker logs -f traefik
$ curl http://1.2.3.4
$ curl http://[1234:1234:1234:1234::1]
```
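Why a `tcp6 :::80` row can still answer IPv4, as an added example that is not part of the thread and not Traefik's code: on Linux, an IPv6 wildcard socket with `IPV6_V6ONLY` off is dual-stack, accepts IPv4 clients as v4-mapped addresses, and is listed by netstat only under tcp6. The function name and the loopback test are constructed for illustration; that a given Traefik listener has the option off is an assumption to check on the host.

```python
import errno
import socket
from typing import Optional, Tuple


def ipv4_reaches_v6_listener(v6only: bool) -> Tuple[bool, Optional[str]]:
    """Listen on [::] (shown by netstat as ':::port' under tcp6), then connect
    over IPv4 loopback. Returns (connected, peer address seen by the listener)."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # 0 = dual-stack (IPv4 clients accepted), 1 = IPv6 only.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind(("::", 0))  # port 0: let the kernel pick a free port
        srv.listen(1)
        srv.settimeout(2)
        cli.settimeout(2)
        port = srv.getsockname()[1]
        try:
            cli.connect(("127.0.0.1", port))
        except OSError as exc:
            if exc.errno == errno.ECONNREFUSED:
                return False, None  # no IPv4 side on this socket
            raise
        conn, peer = srv.accept()
        conn.close()
        return True, peer[0]  # IPv4 client shows up as a v4-mapped address
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"IPV6_V6ONLY={int(flag)} ->", ipv4_reaches_v6_listener(flag))
```

For exposure reviews this means a tcp6 wildcard listener should be treated as reachable over IPv4 too unless the socket is known to be IPv6-only; `sysctl net.ipv6.bindv6only` shows the default for sockets that do not set the option themselves.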
salacr
October 1, 2024, 8:11am
5
Mmm ok, it means that's probably some local issue; I can't see the request.
I'm planning to run multiple stacks / multiple applications on the VM; for that reason I need to run it in a "host" network so it can proxy the other apps. Or maybe I'm missing something?
Only Traefik needs open ports, all other services/containers can just be attached to Docker networks. See simple Traefik example.