Trouble setting up Traefik on a Synology NAS in Docker

Hi, I'm new here and looking for a little help. Before I dive into my issue, please know that I did search high and low for a solution online, using Google, ChatGPT and anything else at my disposal. So far, I'm coming up empty.

I believe what I am trying to accomplish is very easy, but somehow I can't get it to work.

I have a Synology NAS running multiple containers in Docker. Simply put, I want to be able to create "easy" URLs to point to each of the services in those containers. For example, let's say I have Glances running on 192.168.1.120:61208, I'd like to be able to enter glances.local or similar and just be routed to the correct IP and port. I'm doing all this inside my network. I have no requirement to expose anything to the internet as I use a VPN. I also don't care about HTTPS, or certificates, as everything is happening behind my firewall.

I've read online that there are basically three ways to do this...

  1. With Traefik
  2. With NGINX
  3. With Caddy

I've tried all three and cannot get any of them to work. I think part of the issue is that Synology blocks ports 80 and 443 for use by the DSM software. It redirects port 80 to port 5000 and 443 to 5001. I've tried different networking modes too, including bridge, host, traefik_internal, etc. Still no dice.

I've included copies of my compose.yaml and traefik.yaml below. If anyone would be kind enough to help me, I would sincerely appreciate it. I am sure I am just missing something very simple.

COMPOSE.YAML

services:
  traefik:
    image: traefik:v2.9  # Use the latest stable Traefik version
    container_name: traefik
    command:
      - --api.insecure=true
      - --providers.docker
      - --entrypoints.web.address=:80  # HTTP entry point
    ports:
      - "80:80"  # Expose HTTP port
      - "8080:8080"  # Expose Traefik dashboard (optional)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock  # Docker socket for dynamic configuration
      - /volume1/docker/traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro  # Traefik configuration file
    networks:
      - internal
    labels:
      # Traefik dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.local`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.services.api.loadbalancer.server.port=8080"

  # Define other services you want to proxy
  myservice:
    image: nicolargo/glances:latest-full  # Replace with your service's Docker image
    container_name: glances
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myservice.rule=Host(`myservice.local`) && PathPrefix(`/`)"
      - "traefik.http.services.myservice.loadbalancer.server.port=8080"
    networks:
      - internal

networks:
  internal:
    driver: bridge

TRAEFIK.YAML

api:
  insecure: true  # Enable Traefik dashboard

providers:
  docker:
    exposedByDefault: true  # Every container is exposed unless it is labelled traefik.enable=false

entryPoints:
  web:
    address: ":80"  # HTTP entry point

We start with the basics: only a single application can listen on a port. So if Synology software is already listening, you can’t have Traefik on the same ports.

It would be nice to have Traefik on those ports (80+443), so you can use plain domains and not add the port to every request.

Maybe ask ChatGPT: "How to disable Synology listening on port 80 and 443, which are only used to redirect to port 5000? Will port 5000 still be active?"

Sidenote: you should probably enable SSH access beforehand, as a security measure, in case you disable any required web service and can’t log in anymore.

Then your desired domain names need to resolve to the Syno IP, that’s something you probably need to set up on your router or VPN server. You can also use public DNS to point to private IPs.

Some apps require HTTPS, then the external DNS is even better, because you can simply create Let's Encrypt certs with dnsChallenge, even when the domain is not externally accessible.

Note that most GUI web apps don’t like to be placed under a path, so separate (sub-)domains are highly recommended.

Maybe also check the simple Traefik example.

I will look into removing the 80 and 443 port bindings on the Synology NAS. However, I have read it is extremely difficult to do so, or at least to do so in a permanent way.

I had read that some people use macvlan in the Traefik container to solve this issue, but again, I have no idea how that works.

None of my current apps require HTTPS, so I am good there, but I have no issue with using it, assuming it doesn't complicate things.

I would definitely prefer subdomains to paths, so that's all good too.
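
An added example, not part of the thread or any poster's file: a single compose file for the case where DSM keeps host ports 80 and 443 and Traefik is published on a different host port. Host port 8088 and the router names `dashboard` and `glances` are assumptions; the Glances port 61208 and the host names are taken from the first post.

```yaml
# Added example. Host port 8088 and the router/service names are assumptions.
services:
  traefik:
    image: traefik:v2.9
    container_name: traefik
    command:
      # Static configuration comes from these flags only. Traefik's static
      # sources (file, CLI, environment) are mutually exclusive, so no
      # traefik.yaml is mounted next to them.
      - --api=true                                   # dashboard via a router, no api.insecure
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false    # route only containers with traefik.enable=true
      - --entrypoints.web.address=:80                # port inside the container
    ports:
      - "8088:80"   # DSM keeps host port 80; browse to http://<name>:8088
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.local`)"
      - "traefik.http.routers.dashboard.entrypoints=web"
      - "traefik.http.routers.dashboard.service=api@internal"

  glances:
    image: nicolargo/glances:latest-full
    container_name: glances
    # No "ports:" section: Traefik reaches the container over the shared
    # network, so the service is not published on the NAS directly.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.glances.rule=Host(`glances.local`)"
      - "traefik.http.routers.glances.entrypoints=web"
      # Must be the port the app listens on inside the container
      # (61208 is the Glances port given in the first post).
      - "traefik.http.services.glances.loadbalancer.server.port=61208"
    networks:
      - internal

networks:
  internal:
    driver: bridge
```

The names `glances.local` and `traefik.local` still have to resolve to the NAS address, as the reply above notes.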