Unable to define mixed http/udp service using docker labels

I’m trying to get a container with mixed http/udp services tagged using docker labels but always end up in 404 Bad Gateway:

  evcc-prod-keba:
    image: andig/evcc:latest
    container_name: evcc-prod-keba
    ports:
    - 7071:7070
    - 7090:7090/udp
    volumes:
    - /volume1/data/docker/evcc/evcc-prod.yaml:/etc/evcc.yaml
    command: evcc --log trace
    restart: on-failure
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.keba.rule=Host(`keba.domain.io`)"
    - "traefik.http.routers.keba.middlewares=traefik-forward-auth-keba"
    - "traefik.http.routers.keba.tls=true"
    - "traefik.http.routers.keba.certResolver=dode"
    - "traefik.http.routers.keba.domains[0].main=domain.io"
    - "traefik.http.routers.keba.domains[0].sans=*.domain.io"
    - "traefik.http.routers.keba.service=keba"
    - "traefik.http.services.keba.loadbalancer.server.port=7070"
    - "traefik.udp.routers.keba.service=keba"
    - "traefik.udp.services.keba.loadbalancer.server.port=7090"

Defining the same setup (or I think its the same) using the file provider works fine.

Hello @andig, try separating the configuration with different identifiers to avoid confusion and potential merge issues. Its also a good practice to specify the entrypoint used for UDP routing. Example:

#[...]
 labels:
    - "traefik.enable=true"

    # HTTP routing
    - "traefik.http.routers.keba-http.rule=Host(`keba.domain.io`)"
    - "traefik.http.routers.keba-http.middlewares=traefik-forward-auth-keba"
    - "traefik.http.routers.keba-http.tls=true"
    - "traefik.http.routers.keba-http.certResolver=dode"
    - "traefik.http.routers.keba-http.domains[0].main=domain.io"
    - "traefik.http.routers.keba-http.domains[0].sans=*.domain.io"
    - "traefik.http.routers.keba-http.service=keba-http"
    - "traefik.http.services.keba-http.loadbalancer.server.port=7070"

    # UDP routing
    - "traefik.udp.routers.keba-udp.entrypoints=udp"
    - "traefik.udp.routers.keba-udp.service=keba-udp"
    - "traefik.udp.services.keba-udp.loadbalancer.server.port=7090"
1 Like

Thanks @douglasdtm. It helps analyzing, but didn't solve it. One problem was that the certResolver/domains keys must be below tls. Fixing those took care of the UI access.

Unfortunately, and although referencing the udp entrypoint which is

  keba-udp:
    address: ":7090/udp"

I'm still not able to receive the UDP replies inside the container. I do see the UDP server created (neither with file provider nor docker):

time="2020-08-09T15:22:19Z" level=debug msg="Creating UDP server 0 at evcc-prod-keba:7090" routerName=evcc-prod-keba@file serviceName=evcc-prod-keba serverName=0 entryPointName=keba-udp

Traefik log file doesn't show anything else related to UDP, as it does for TCP, e.g.:

time="2020-08-09T15:30:01Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/health\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"application/json, text/plain, */*\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-us\"],\"Connection\":[\"keep-alive\"],\"Cookie\":[\"_forward_auth=5UmsL4x5661qpOmCmN4XsvCcIQOBeK1nb0vvQg76R10=|1597028302|cpuidle@gmail.com\"],\"Referer\":[\"https://keba.evcc.io/\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15\"],\"X-Forwarded-Host\":[\"keba.evcc.io\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"0dd013b73010\"],\"X-Forwarded-User\":[\"cpuidle@gmail.com\"],\"X-Real-Ip\":[\"172.19.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"keba.evcc.io\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"172.19.0.1:40466\",\"RequestURI\":\"/api/health\",\"TLS\":null}" ForwardURL="http://evcc-prod-keba:7070"

Should I see this kind of forwarding log entries for udp, too?

You show 7090/udp exposed on the evcc-prod-keba container, this needs to be exposed on the traefik container instead.

1 Like

You show 7090/udp exposed on the evcc-prod-keba container, this needs to be exposed on the traefik container instead.

Argh.. I feel stupid. Corrected that but the UDP part is still not working.

It seems my baseline alpine image does not work with UDP for whatever reason. See https://stackoverflow.com/questions/63328454/howto-receive-udp-messages-in-alpine-docker-container and https://gitlab.alpinelinux.org/alpine/aports/-/issues/11835. I can repro the same locally even without Traefik.

Much appreciated,
Thank you!

I used alpine/socat with no problem, so I don't think it is an alpine problem per se.

version: "3.8"

services:
  traefik:
    image: traefik:v2.2
    command:
      - --log.level=DEBUG
      # entrypoint echo is port 7
      - --entrypoints.echo.address=:7/udp
      - --providers.docker=true
      # insecure dashboard
      - --api.insecure
    ports:
      - "7:7/udp"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  echo:
    # echo back what is received after EOL
    image: alpine/socat
    command: udp-l:7,fork exec:'/bin/cat'
    labels:
      traefik.enable: true
      traefik.udp.services.echo.loadbalancer.server.port: 7
      traefik.udp.routers.echo.entrypoints: echo

traefik_1 | time="2020-08-15T16:42:21Z" level=debug msg="Handling connection from 172.29.0.1:37101"

Thank you- the "Handling connection" log statements brought me on the right track. Might be helpful if the log was showing "handling tcp/udp connection from" to make this more explicit.

In the end it turned out to be an application error. Question why the test in https://stackoverflow.com/questions/63328454/howto-receive-udp-messages-in-alpine-docker-container is faulty remains open.

Thank you very much!

Kind regards,
Andreas