Uploading to a traefik instance

I have a synology nas behind my traefik instance, but im getting error http status 502 using the synology photos app when uploading to nas, if i visit the web app it works fine.
here my config

services:
  # Traefik 3 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:3.1
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["core", "all"]
    depends_on:
      - socket-proxy
    networks:
      t3_proxy:
        ipv4_address: 192.168.90.254 # You can specify a static IP
      socket_proxy:
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
      - --entrypoints.web-external.address=:81
      - --entrypoints.web-internal.address=:80
      - --entrypoints.websecure-external.address=:444
      - --entrypoints.websecure-internal.address=:443
      # - --entrypoints.traefik.address=:8080
      - --entrypoints.web-external.http.redirections.entrypoint.to=websecure-external
      - --entrypoints.web-external.http.redirections.entrypoint.scheme=https
      - --entrypoints.web-external.http.redirections.entrypoint.permanent=true
      - --entrypoints.web-internal.http.redirections.entrypoint.to=websecure-internal
      - --entrypoints.web-internal.http.redirections.entrypoint.scheme=https
      - --entrypoints.web-internal.http.redirections.entrypoint.permanent=true
      - --api=true
      - --api.dashboard=true
      # - --api.insecure=true
      # - --serversTransport.insecureSkipVerify=true
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.websecure-external.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --entrypoints.websecure-internal.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --log=true
      - --log.filePath=/logs/traefik.log
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      # - --providers.docker.endpoint=unix:///var/run/docker.sock # Disable for Socket Proxy. Enable otherwise.
      - --providers.docker.endpoint=tcp://socket-proxy:2375 # Enable for Socket Proxy. Disable otherwise.
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t3_proxy 
      # - --providers.docker.swarmMode=false # Traefik v2 Swarm
      # - --providers.swarm.endpoint=tcp://127.0.0.1:2377 # Traefik v3 Swarm
      - --entrypoints.websecure-external.http.tls=true
      - --entrypoints.websecure-external.http.tls.options=tls-opts@file
      - --entrypoints.websecure-internal.http.tls=true
      - --entrypoints.websecure-internal.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.websecure-external.http.tls.certresolver=dns-cloudflare
      - --entrypoints.websecure-external.http.tls.domains[0].main=$DOMAINNAME_1
      - --entrypoints.websecure-external.http.tls.domains[0].sans=*.$DOMAINNAME_1
      - --entrypoints.websecure-internal.http.tls.certresolver=dns-cloudflare
      - --entrypoints.websecure-internal.http.tls.domains[0].main=$DOMAINNAME_1
      - --entrypoints.websecure-internal.http.tls.domains[0].sans=*.$DOMAINNAME_1
      # - DOMAINS-PLACEHOLDER-DO-NOT-DELETE
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=120 # To delay DNS check and reduce LE hitrate
      #- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.disablePropagationCheck=true
      # - METRICS-PLACEHOLDER-DO-NOT-DELETE
    ports:
      - "80:80"
      - "81:81"
      - "443:443"
      - "444:444"
      # - "8080:8080"
    volumes:
      - $DOCKERDIR/appdata/traefik3/rules/$HOSTNAME:/rules 
      # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/traefik3/acme/acme.json:/acme.json 
      - $DOCKERDIR/logs/$HOSTNAME/traefik:/logs
    environment:
      - TZ=$TZ
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token    
      - HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
      - DOMAINNAME_1 # Passing the domain name to traefik container to be able to use the variable in rules. 
      # - TRAEFIK_AUTH_BYPASS_KEY
    secrets:
      - cf_dns_api_token
      - basic_auth_credentials
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=websecure-internal"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_1`)"
      # Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      # Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file" # For Basic HTTP Authentication

nas.yml

http:
  routers:
    nas-rtr:
      rule: "Host(`nas.{{env "DOMAINNAME_1"}}`)" 
      entryPoints:
        - websecure-external
        - websecure-internal
      middlewares:
        - chain-no-auth
      service: nas-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    nas-svc:
      loadBalancer:
        passHostHeader: true
        serversTransport: "nas-st"
        servers:
          - url: "https://192.168.10.254:6501"  # https://IP-ADDRESS:PORT
  serversTransports:
    nas-st:
      insecureSkipVerify: true

any ideias? Thanks

Http status 502 is "bad gateway". It usually happens when you use multiple Docker networks but don’t set docker.network to indicate which one to use.

Or the set name is wrong, because compose can prefixes the network name for a project if you don’t set name: or use external.

where to set that, and how?

Compare to simple Traefik example.