Hi everyone,
I’m using Traefik as a Docker container in my setup, and I’ve encountered a situation that I need help with. My firewall is blocking a request originating from the Traefik container’s internal Docker IP address to one of my devices over port 443.
I’m unsure what this request is for and why it’s happening. Could it be related to:
- Health checks performed by Traefik?
- ACME/Let’s Encrypt certificate validation or renewal?
- Some misconfiguration in my setup?
I’ve already checked my Traefik configuration but couldn’t pinpoint the exact source of this request. Has anyone experienced a similar issue or knows what might be causing this problem?
Here are some additional details about my setup:
- Traefik version: v3.2.2
- Docker version: v27.3.1
Any guidance or suggestions on how to debug or resolve this would be greatly appreciated!
Thanks in advance!
It's not clear. What is that screenshot, what system are you running on?
The screenshot shows a Ubiquiti router with a firewall configuration that includes a "Drop all" rule. However, the network where Traefik is running has an "Allow any" rule. The issue arises because requests are being sent from Traefik's internal Docker IP address, which is being blocked by the firewall since it’s not part of the Ubiquiti network.
172.20.0.1 is the internal Docker IP address of Traefik.
My question is: Why does Traefik send requests externally via port 443 using the internal IP in the first place?
I would think this is not Traefik specific, but rather a question for Docker Community Forums.
I understand your point, but based on the port and IP address, it’s clear that the request must originate from the Traefik container. The Raspberry Pi has a different IP address, and the container is the only entity sending requests using the 172.20.0.1 address.
For further clarification, here’s the ifconfig output from the Traefik container:
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:172.20.0.2  Bcast:172.20.255.255  Mask:255.255.0.0
Would this still be a Docker-specific issue, or could it be something related to Traefik's configuration in the container?
That seems like a typical Docker-assigned IP.
Share your full Traefik static and dynamic config, and docker-compose.yml if used.
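The thread turns on which address the blocked packet carries: the container shows 172.20.0.2 on its eth0, while the firewall logs 172.20.0.1, which in `docker network inspect` output is the network's Gateway, the address of the host-side bridge interface. In Docker's default bridge setup, traffic a container sends off-net is MASQUERADEd to the host's LAN address before it leaves through the physical interface, so a router normally never sees a 172.20.0.x source at all. The following is an added example (not part of the original thread, and not Traefik or Docker code) that attributes logged source addresses to a container, the bridge gateway, or neither, by correlating netfilter-style drop lines with the JSON that `docker network inspect` prints. Both the log lines and the inspect output are constructed in the script; the container names, IDs and addresses are invented.

```python
import ipaddress
import json
import re

# Constructed stand-in for `docker network inspect intern` output, trimmed to the
# fields used below. Names, IDs and addresses are invented for this example.
DOCKER_NETWORK_INSPECT = json.dumps([
    {
        "Name": "intern",
        "IPAM": {"Config": [{"Subnet": "172.20.0.0/16", "Gateway": "172.20.0.1"}]},
        "Containers": {
            "a1b2c3d4e5f6": {"Name": "proxy-1", "IPv4Address": "172.20.0.2/16"},
            "0f1e2d3c4b5a": {"Name": "homer-1", "IPv4Address": "172.20.0.3/16"},
        },
    }
])

# Constructed netfilter-style drop lines of the kind a router's syslog carries.
FIREWALL_LOG = """\
[LAN_IN-D-4000]IN=eth0 OUT= SRC=172.20.0.1 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51234 DPT=443
[LAN_IN-D-4000]IN=eth0 OUT= SRC=172.20.0.2 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51235 DPT=8123
[LAN_IN-D-4000]IN=eth0 OUT= SRC=172.20.0.77 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51236 DPT=443
[LAN_IN-D-4000]IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.50 LEN=60 PROTO=UDP SPT=53000 DPT=53
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9.]+)\s+DST=(?P<dst>[0-9.]+).*?PROTO=(?P<proto>\S+)\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def parse_firewall_log(text):
    """Extract (src, dst, proto, sport, dport) from netfilter-style log lines."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append((m["src"], m["dst"], m["proto"], int(m["spt"]), int(m["dpt"])))
    return flows


def build_docker_index(inspect_text):
    """Index Docker networks: gateway IP -> network, container IP -> (network, name), network -> subnet."""
    gateways, containers, subnets = {}, {}, {}
    for net in json.loads(inspect_text):
        name = net["Name"]
        for cfg in net.get("IPAM", {}).get("Config", []):
            if "Subnet" in cfg:
                subnets[name] = ipaddress.ip_network(cfg["Subnet"], strict=False)
            if cfg.get("Gateway"):
                gateways[cfg["Gateway"]] = name
        for c in net.get("Containers", {}).values():
            addr = c.get("IPv4Address")
            if addr:
                # IPv4Address carries the prefix length ("172.20.0.2/16"); keep the host part.
                containers[addr.split("/")[0]] = (name, c["Name"])
    return gateways, containers, subnets


def classify_source(src, index):
    """Say who owns a source address: a container, the host-side bridge gateway, or neither."""
    gateways, containers, subnets = index
    if src in containers:
        net, cname = containers[src]
        return ("container", net, cname)
    if src in gateways:
        # The gateway address sits on the host's bridge interface, so a packet carrying
        # it as source was emitted by the host's own network stack, not by a container.
        # Container traffic leaving a default bridge network is MASQUERADEd to the
        # host's LAN address before a router on the LAN sees it.
        return ("host-bridge-gateway", gateways[src], None)
    ip = ipaddress.ip_address(src)
    for net, subnet in subnets.items():
        if ip in subnet:
            return ("unassigned-in-docker-subnet", net, None)
    return ("outside-docker", None, None)


def attribute_flows(log_text, inspect_text):
    """Attribute every logged flow to its Docker owner (or to none)."""
    index = build_docker_index(inspect_text)
    rows = []
    for src, dst, proto, sport, dport in parse_firewall_log(log_text):
        kind, net, cname = classify_source(src, index)
        rows.append({"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
                     "kind": kind, "network": net, "container": cname})
    return rows


if __name__ == "__main__":
    for row in attribute_flows(FIREWALL_LOG, DOCKER_NETWORK_INSPECT):
        owner = f" ({row['network']}/{row['container']})" if row["container"] else ""
        print(f"{row['src']:>14} -> {row['dst']}:{row['dport']}/{row['proto']}  {row['kind']}{owner}")
```

To use it on a real host, replace the constructed constant with the output of `docker network inspect intern extern` and feed the router's exported log. A `host-bridge-gateway` result means the originating process is on the host, so the next step is `ss -tnp` on the Raspberry Pi rather than tracing inside the container; a `container` result names the container to look into.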
docker-compose.yml:
services:
  proxy:
    restart: always
    image: traefik:v3
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http3
      - --certificatesresolvers.cloudflare.acme.email=my.mail@gmail.com
      - --certificatesresolvers.cloudflare.acme.storage=/etc/traefik/ACME/acme.json
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --api=true
      - --api.dashboard=true
      - --api.disabledashboardad=true
      - --providers.docker=true
      # containers are only routed when they carry traefik.enable=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --log=true
      - --log.filepath=/etc/traefik/log/traefik.log
      - --log.level=ERROR
      - --experimental.plugins.plugin-log4shell.modulename=github.com/traefik/plugin-log4shell
      - --experimental.plugins.plugin-log4shell.version=v0.1.2
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=cloudflare
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.rule=Host(`traefik.local.my.host`)
      - traefik.http.routers.traefik.service=api@internal
      # dashboard is reachable only from the ipallowlist source ranges defined in dynamic.yml
      - traefik.http.routers.traefik.middlewares=ipallowlist@file,secHeaders@file,log4shell@file,cors@file
      - com.centurylinklabs.watchtower.enable=true
    ports:
      - 80:80
      - 443:443/tcp
      # UDP 443 carries HTTP/3
      - 443:443/udp
    volumes:
      # :ro stops writes to the socket file, not Docker API calls made through it
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config:/etc/traefik
    networks:
      - intern
      - extern
    environment:
      - CF_API_KEY_FILE=/run/secrets/cf_api_key
      - CF_API_EMAIL_FILE=/run/secrets/cf_api_email
    secrets:
      - cf_api_key
      - cf_api_email

secrets:
  cf_api_key:
    file: ./secrets/cf_api_key.secret
  cf_api_email:
    file: ./secrets/cf_api_email.secret

networks:
  intern: {}
  extern: {}
dynamic.yml:
tls:
  certificates:
    - certFile: /etc/traefik/certs/my_host.crt
      keyFile: /etc/traefik/certs/my_host.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/my_host.crt
        keyFile: /etc/traefik/certs/my_host.key
  options:
    # applied to every router that does not name a TLS option
    default:
      minVersion: VersionTLS12
      # reject connections with no SNI or an SNI matching no certificate
      sniStrict: true
      cipherSuites:
        # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are not configurable in Go;
        # only the ECDHE entries influence TLS 1.2 negotiation
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - X25519
        - CurveP521
        - CurveP384
    # selected per router with tls.options; tls.certResolver refers to the ACME
    # resolver of the same name, not to this option
    cloudflare:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - X25519
        - CurveP521
        - CurveP384
      # mTLS: only clients presenting a certificate issued by this CA are accepted
      clientAuth:
        caFiles:
          - /etc/traefik/certs/authenticated_origin_pull_ca.pem
        clientAuthType: RequireAndVerifyClientCert
    mintls13:
      minVersion: VersionTLS13

http:
  middlewares:
    log4shell:
      plugin:
        plugin-log4shell:
          errorCode: "200"
    cors:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlAllowHeaders: "*"
        accessControlAllowOriginList:
          - https://homer.local.my.host
        accessControlMaxAge: 100
        addVaryHeader: true
    secHeaders:
      headers:
        forceSTSHeader: true
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        # overrides frameDeny above: X-Frame-Options is sent as SAMEORIGIN, not DENY
        customFrameOptionsValue: "SAMEORIGIN"
        customResponseHeaders:
          server: ""
          x-powered-by: ""
    ipallowlist:
      ipAllowList:
        sourceRange:
          - "XXX.XXX.XXX.XXX/XX"

  routers:
    homeassistant:
      entryPoints:
        - "websecure"
      rule: "Host(`ha.local.my.host`)"
      service: "homeassistant"
      middlewares:
        - "log4shell"
        - "secHeaders"
        - "cors"
      tls:
        certresolver: cloudflare

  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://XXX.XXX.XXX.XXX:8123"
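A dynamic configuration of this shape has a few places where a name can be right but point at the wrong thing: a router's `tls.certResolver` selects an ACME resolver, while a named TLS option (such as `cloudflare` above, with its client-certificate requirement) is only applied when a router sets `tls.options`; a middleware referenced without being defined fails the router at runtime; and `customFrameOptionsValue` overrides `frameDeny` within one headers middleware. The following is an added example (my own check, not part of the thread and not a Traefik tool) that lints a dynamic configuration for these cases. The configuration is embedded as a Python dict mirroring the dynamic.yml structure so no YAML library is needed; the host names, ranges and the deliberately misspelled middleware name are constructed for the example. Traefik matches keys case-insensitively, which the lint reproduces by lower-casing keys before lookups.

```python
# Constructed dynamic configuration mirroring a Traefik file-provider dynamic.yml.
# Values are placeholders; "typo-middleware" is a deliberate broken reference.
DYNAMIC_CONFIG = {
    "tls": {
        "options": {
            "default": {"minVersion": "VersionTLS12", "sniStrict": True},
            "cloudflare": {
                "minVersion": "VersionTLS12",
                "clientAuth": {"caFiles": ["/etc/traefik/certs/ca.pem"],
                               "clientAuthType": "RequireAndVerifyClientCert"},
            },
            "mintls13": {"minVersion": "VersionTLS13"},
        }
    },
    "http": {
        "middlewares": {
            "secHeaders": {"headers": {"frameDeny": True, "customFrameOptionsValue": "SAMEORIGIN"}},
            "cors": {"headers": {"accessControlAllowOriginList": ["https://homer.example.test"]}},
            "ipallowlist": {"ipAllowList": {"sourceRange": ["192.0.2.0/24"]}},
        },
        "routers": {
            "homeassistant": {
                "entryPoints": ["websecure"],
                "rule": "Host(`ha.example.test`)",
                "service": "homeassistant",
                "middlewares": ["secHeaders", "cors", "typo-middleware"],
                "tls": {"certresolver": "cloudflare"},
            },
        },
        "services": {"homeassistant": {"loadBalancer": {"servers": [{"url": "http://192.0.2.10:8123"}]}}},
    },
}


def _lower_keys(obj):
    """Traefik resolves configuration keys case-insensitively; normalise for lookups."""
    if isinstance(obj, dict):
        return {k.lower(): _lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_lower_keys(v) for v in obj]
    return obj


def _local(name):
    """Return the lower-cased local name ('ipallowlist@file' -> 'ipallowlist'),
    or None when the reference points at another provider (e.g. 'x@docker')."""
    base, _, provider = name.partition("@")
    if provider and provider != "file":
        return None
    return base.lower()


def lint_dynamic_config(cfg):
    """Return a list of human-readable findings for dangling or misleading references."""
    cfg = _lower_keys(cfg)
    http = cfg.get("http", {})
    middlewares = http.get("middlewares", {})
    services = http.get("services", {})
    tls_options = cfg.get("tls", {}).get("options", {})
    findings = []
    selected_options = {"default"}  # 'default' applies wherever no option is named

    for rname, router in http.get("routers", {}).items():
        for m in router.get("middlewares", []):
            local = _local(m)
            if local is not None and local not in middlewares:
                findings.append(f"router {rname}: middleware '{m}' is not defined")
        svc = _local(router.get("service", ""))
        if svc and svc not in services:
            findings.append(f"router {rname}: service '{svc}' is not defined")
        tls = router.get("tls")
        if isinstance(tls, dict):
            opt = _local(tls["options"]) if tls.get("options") else None
            if opt:
                selected_options.add(opt)
                if opt not in tls_options:
                    findings.append(f"router {rname}: TLS option '{opt}' is not defined")
            resolver = tls.get("certresolver")
            if resolver and not opt and resolver.lower() in tls_options:
                findings.append(
                    f"router {rname}: certResolver '{resolver}' names an ACME resolver; "
                    f"the TLS option of the same name is not applied without tls.options")

    for oname in tls_options:
        if oname not in selected_options:
            findings.append(f"tls option '{oname}' is defined but no router selects it")

    for mname, mw in middlewares.items():
        headers = mw.get("headers", {})
        if headers.get("framedeny") and headers.get("customframeoptionsvalue"):
            findings.append(f"middleware {mname}: customFrameOptionsValue overrides frameDeny")
    return findings


if __name__ == "__main__":
    for finding in lint_dynamic_config(DYNAMIC_CONFIG):
        print(finding)
```

Feeding the real dynamic.yml through `yaml.safe_load` into `lint_dynamic_config` is the only change needed to run this against the configuration in the thread; references to other providers (`@docker`, `@internal`) are skipped because the lint can only see the file provider's own definitions.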