Trying (unsuccessfully) to proxy traffic on port 5432 to a container within docker swarm

Dear community,

I am trying to expose the port 5432 of my DB container through traefik. That is something we could argue against :slight_smile: but I would like to understand where I fail...

I am using the base configuration from https://dockerswarm.rocks (which is great by the way). Traefik works perfectly on 80 and 443 ports. I can access for instance pgadmin container, which can access the DB container.

Now, for the purpose of my use case, I have made the following changes:

  • on traefik's side:
    • exposed 5432 on traefik container
      ports:
        ...
        - 5432:5432
      
    • created a dedicated entrypoint
      command: >
        ...
        --entrypoints='Name:db Address::5432'
      
  • on the db container's side:
    • added traefik labels and network
      db:
        deploy:
          labels:
            traefik.docker.network: traefik-public
            traefik.enable: "true"
            traefik.frontend.rule: Host:db.mocks.cortexia.io
            traefik.port: '5432'
            traefik.tags: traefik-public
            traefik.webservice.frontend.entryPoints: db
      

As a result, I can still access, for instance, the pgadmin container, which can access the DB container (no surprise), and I can see in traefik webmin the definitions of the frontend and backend.

But when I try to psql the swarm on the proper host:port... the connection times out, and I cannot see anything related to my request in traefik logs.

I am kind of lost at this point... any help/idea is welcome.

Here is the detailed description of service for traefik container:


...

traefik:
    image: traefik:v1.7.12  #I also tried with 1.7.13 and 1.7.14
    ports:
      - 80:80
      - 443:443
      - 5432:5432
    deploy:
      replicas: ${TRAEFIK_REPLICAS:-3}
      placement:
        constraints:
          - node.role == manager
        preferences:
          - spread: node.id
      labels:
        - traefik.frontend.rule=Host:traefik.${DOMAIN}
        - traefik.enable=true
        - traefik.port=8080
        - traefik.tags=traefik-public
        - traefik.docker.network=traefik-public
        # Traefik service that listens to HTTP
        - traefik.redirectorservice.frontend.entryPoints=http
        - traefik.redirectorservice.frontend.redirect.entryPoint=https
        # Traefik service that listens to HTTPS
        - traefik.webservice.frontend.entryPoints=https
        - traefik.frontend.auth.basic.users=${USERNAME}:${HASHED_PASSWORD}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: >
      --docker
      --docker.swarmmode
      --docker.watch
      --docker.exposedbydefault=false
      --constraints=tag==traefik-public
      --entrypoints='Name:http Address::80'
      --entrypoints='Name:https Address::443 TLS'
      --entrypoints='Name:db Address::5432'
      --consul
      --consul.endpoint="consul-leader:8500"
      --acme
      --acme.email=${EMAIL}
      --acme.storage="traefik/acme/account"
      --acme.entryPoint=https
      --acme.httpChallenge.entryPoint=http
      --acme.onhostrule=true
      --acme.acmelogging=true
      --logLevel=INFO
      --accessLog
      --api
    networks:
      - default
      - traefik-public
    depends_on:
      - consul-leader

Thanks for your advice,
Manu

Hello,

Don't follow dockerswarm.rocks on the labels definition: Segment labels and redirections by ldez · Pull Request #22 · tiangolo/dockerswarm.rocks · GitHub

I recommend not scaling Traefik if you are using acme.

Indeed, I am already using TRAEFIK_REPLICAS=1 :slight_smile:

Any hints about the broken forward?

Anyone with an idea?