Using Docker Compose Container Cannot Find Port

I am running OMV (openmediavault v7.0) as a NAS and my Docker host.

I am trying to bring up a Traefik instance in a Docker container (non-swarm) using a macvlan network.
Compose works all the way through but docker container returns error.
I am stumped as to why it does not find a port.

2024-05-29T19:07:12-04:00 ERR error="service \"traefik-traefik\" error: port is missing" container=traefik-traefik-6fea6c225a0165f817bdb57c9cdc5d3a700fb234c3699e54a7243961e2bc3749 providerName=docker

docker-compose.

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      rwdmacvlan:
        ipv4_address: 192.168.50.200
    ports:
      - 80:80
      - 443:443
      - 8080:8080
      # - 443:443/tcp # Uncomment if you want HTTP3
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      # CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    # secrets:
      # - cf_api_token
    env_file: Traefik.env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - CHANGE_TO_COMPOSE_DATA_PATH/traefik/traefik.yml:/traefik.yml:ro
      - CHANGE_TO_COMPOSE_DATA_PATH/traefik/acme.json:/acme.json
      # - CHANGE_TO_COMPOSE_DATA_PATH/traefik/config.yml:/config.yml:ro
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.rwdevs.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.rwdevs.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.rwdevs.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.rwdevs.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

# secrets:
  # cf_api_token:
    # file: CHANGE_TO_COMPOSE_DATA_PATH/traefik/cf_api_token.txt

networks:
  rwdmacvlan:    
    name: rwdmacvlan
    external: true

Traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: realworlddevs@outlook.com
      storage: acme.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

You can centralize http-to-https on entrypoint. So you don’t need any http/80 routers in labels.

Compare to simple Traefik example.

You don’t need X-Forwarded-Proto as that is set automatically by Traefik.

You don’t need tls=true when using a certresolver. It’s only needed for custom loaded TLS certs.

I would usually mount static config to /etc/traefik/traefik.yml, not into root. But as the error is about providers.docker, I would assume it is still read.

I have strip down the compose trying to isolate the issue. What I found was traefik.http.routers.traefik.entrypoints is the line causing the lost ports.

if I do not configure entry points, the container stays up... your thoughts?

entrypoint "http" already has redirection, so you don’t need any ".traefik." labels.

Enable and check Traefik debug log (doc).