Using Docker Compose Container Cannot Find Port

I am running OMV (openmediavault v7.0) as a NAS and my Docker host.

I am trying to bring up a Traefik instance in a Docker container (non-swarm) using a macvlan network.
Compose works all the way through, but the Docker container returns an error.
I am stumped as to why it does not find a port.

2024-05-29T19:07:12-04:00 ERR error="service \"traefik-traefik\" error: port is missing" container=traefik-traefik-6fea6c225a0165f817bdb57c9cdc5d3a700fb234c3699e54a7243961e2bc3749 providerName=docker

docker-compose.

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      rwdmacvlan:
        ipv4_address: 192.168.50.200
    ports:
      - 80:80
      - 443:443
      - 8080:8080
      # - 443:443/tcp # Uncomment if you want HTTP3
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      # CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    # secrets:
      # - cf_api_token
    env_file: Traefik.env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - CHANGE_TO_COMPOSE_DATA_PATH/traefik/traefik.yml:/traefik.yml:ro
      - CHANGE_TO_COMPOSE_DATA_PATH/traefik/acme.json:/acme.json
      # - CHANGE_TO_COMPOSE_DATA_PATH/traefik/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.rwdevs.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.rwdevs.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.rwdevs.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.rwdevs.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

# secrets:
  # cf_api_token:
    # file: CHANGE_TO_COMPOSE_DATA_PATH/traefik/cf_api_token.txt

networks:
  rwdmacvlan:    
    name: rwdmacvlan
    external: true

Traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: realworlddevs@outlook.com
      storage: acme.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

You can centralize http-to-https on entrypoint. So you don’t need any http/80 routers in labels.

Compare to simple Traefik example.

You don’t need X-Forwarded-Proto as that is set automatically by Traefik.

You don’t need tls=true when using a certresolver. It’s only needed for custom loaded TLS certs.

I would usually mount static config to /etc/traefik/traefik.yml, not into root. But as the error is about providers.docker, I would assume it is still read.

I have stripped down the compose file trying to isolate the issue. What I found was that traefik.http.routers.traefik.entrypoints is the line causing the lost ports.

If I do not configure entry points, the container stays up... your thoughts?

entrypoint "http" already has redirection, so you don’t need any ".traefik." labels.

Enable and check Traefik debug log (doc).

@bluepuma77 I have made some progress.

I can get the dashboard to display
I am loading with no errors (including Traefik Debug Log)
I am getting a cert back from the staging url

I cannot get the prompt to log in for the dashboard.
I cannot get any of the https URLs to work.

not working 'can't find traefik-dashboard.local.domain.com': http://traefik-dashboard.local.domain.com

not working 'can't find traefik-dashboard.local.domain.com': https://traefik-dashboard.local.domain.com

not working 'can't find traefik-dashboard.local.domain.com': http://traefik-dashboard.local.domain.com:8080

not working 'can't find traefik-dashboard.local.domain.com': https://traefik-dashboard.local.domain.com:8080

not working 404: https://192.168.50.10:8080

only url working: http://192.168.50.10:8080

latest compose file

services:
  reverse-proxy:
    image: traefik:v3.0
    command:
      - --log.level=DEBUG
      #- --log.filepath=/var/log/traefik.log
      - --accesslog=true
      #- --accesslog.filepath=/var/log/traefik-access.log
      - --api.dashboard=true
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedbydefault=false
      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entryPoints.websecure.http.tls.certResolver=cloudflare
      - --entryPoints.websecure.http.tls.domains[0].main=local.domain.com
      - --entryPoints.websecure.http.tls.domains[0].sans=*.local.domain.com
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.0.0.1:53
      - --certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      #- --certificatesresolvers.cloudflare.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.cloudflare.acme.email=email@email.com
      - --certificatesresolvers.cloudflare.acme.storage=acme.json
      - --serversTransport.insecureSkipVerify=true
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - proxy
    environment:
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} 
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    env_file: fromWeb.env 
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      #- CHANGE_TO_COMPOSE_DATA_PATH/traefik/traefik.yml:/traefik.yml:ro
      - CHANGE_TO_COMPOSE_DATA_PATH/traefik/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      #- "traefik.http.routers.traefik.entrypoints=web"
      #- "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      #- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=websecure"
      #- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      #- "traefik.http.routers.traefik-secure.entrypoints=websecure"
      #- "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      #- "traefik.http.routers.traefik-secure.tls=true"
      #- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      #- "traefik.http.routers.traefik-secure.tls.domains[0].main=local.domain.com"
      #- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.domain.com"
      #- "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    name: proxy
    external: true

What’s that??? :laughing:

Using insecure, Traefik will skip all your router/middleware/service, remove it:

Compare to simple Traefik example.
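
What the reply above asks for, written out as an added example (not a file from the thread's participants or the Traefik project): the poster's latest compose file with `--api.insecure=true` and the 8080 port mapping removed, so the dashboard is served only by the `api@internal` router behind the `traefik-auth` middleware. The explicit `websecure` entrypoint label and the comma-separated DNS resolvers are choices made here; all names and paths are the ones posted above.

```yaml
# Added example: the posted compose file with the unauthenticated dashboard
# listener removed. Hostname, network, env file and paths are the poster's.
services:
  reverse-proxy:
    image: traefik:v3.0
    command:
      - --api.dashboard=true
      # --api.insecure=true removed: it serves the dashboard on :8080 directly,
      # with no router and no middleware, so basic auth is never requested.
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedbydefault=false
      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entryPoints.websecure.http.tls.certResolver=cloudflare
      - --entryPoints.websecure.http.tls.domains[0].main=local.domain.com
      - --entryPoints.websecure.http.tls.domains[0].sans=*.local.domain.com
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.cloudflare.acme.email=email@email.com
      - --certificatesresolvers.cloudflare.acme.storage=acme.json
    ports:
      - 80:80
      - 443:443
      # 8080 is no longer published: nothing listens there without api.insecure
    networks:
      - proxy
    environment:
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
    env_file: fromWeb.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - CHANGE_TO_COMPOSE_DATA_PATH/traefik/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
networks:
  proxy:
    name: proxy
    external: true
```

With this file http://192.168.50.10:8080 stops answering; the dashboard is at https://traefik-dashboard.local.domain.com/dashboard/ once that name resolves to the Docker host.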