Traefik Bad Gateway

 Posted on June 10, 2024  |  4 minutes  |  765 words  |  Tamela Phillippe

I've got some strange issue. I have following setup: one docker-host running traefik as LB serving multiple sites. sites are most php/apache. HTTPS is managed by traefik. Each site is started using a docker-compose YAML containing the following:

version: '2.3' services: redis: image: redis:alpine container_name: ${PROJECT}-redis networks: - internal php: image: registry.gitlab.com/OUR_NAMESPACE/docker/php:${PHP_IMAGE_TAG} environment: - APACHE_DOCUMENT_ROOT=${APACHE_DOCUMENT_ROOT} container_name: ${PROJECT}-php-fpm volumes: - ${PROJECT_PATH}:/var/www/html:cached - .docker/php/php-ini-overrides.ini:/usr/local/etc/php/conf.d/99-overrides.ini ports: - 80 networks: - proxy - internal labels: - traefik.enable=true - traefik.port=80 - traefik.frontend.headers.SSLRedirect=false - traefik.frontend.rule=Host:${PROJECT} - "traefik.docker.network=proxy" networks: proxy: external: name: proxy internal:

(as PHP we use 5.6.33-apache-jessie or 7.1.12-apache f.e.)

Additionally to above, some sites get following labels:

traefik.docker.network=proxy traefik.enable=true traefik.frontend.headers.SSLRedirect=true traefik.frontend.rule=Host:example.com, www.example.com traefik.port=80 traefik.protocol=http

what we get is that some requests end in 502 Bad Gateway traefik debug output shows:

time="2018-03-21T12:20:21Z" level=debug msg="vulcand/oxy/forward/http: Round trip: http://172.18.0.8:80, code: 502, Length: 11, duration: 2.516057159s"

can someone help with that? it's completely random when it happens our traefik.toml:

debug = true checkNewVersion = true logLevel = "DEBUG" defaultEntryPoints = ["https", "http"] [accessLog] [web] address = ":8080" [web.auth.digest] users = ["admin:traefik:some-encoded-pass"] [entryPoints] [entryPoints.http] address = ":80" # [entryPoints.http.redirect] # had to disable this because HTTPS must be enable manually (not my decission) # entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [retry] [docker] endpoint = "unix:///var/run/docker.sock" domain = "example.com" watch = true exposedbydefault = false [acme] email = "[email protected]" storage = "acme.json" entryPoint = "https" onHostRule = true [acme.httpChallenge] entryPoint = "http"

Could the issue be related to using the same docker-compose.yml?

2

10 Answers

Another reason can be that you might be accidentally mapping to the vm's port instead of the container port.

I made a change to my port mapping on the docker-compose file and forgot to update the labeled port so it was trying to map to a port on the machine that was not having any process attached to it

Wrong way:

ports: - "8080:8081" labels: - "traefik.http.services.front-web.loadbalancer.server.port=8080"

Right way

ports: - "8080:8081" labels: - "traefik.http.services.front-web.loadbalancer.server.port=8081"

Also in general don't do this, instead of exposing ports try docker networks they are much better and cleaner. I made my configuration documentation like a year ago and this was more of a beginner mistake on my side but might help someone :)

3

For anyone getting the same issue:

After recreating the network (proxy) and restarting every site/container it seems to work now. I still don't know where the issue was from.

10

If you see Bad Gateway with Traefik chances are you have a Docker networking issue. First have a look at this issue and consider this solution. Then take a look at providers.docker.network (Traefik 2.0) or, in your case, the docker.network setting (Traefik 1.7).

You could add a default network here:

[docker] endpoint = "unix:///var/run/docker.sock" domain = "example.com" watch = true exposedbydefault = false network = "proxy"

Or define/override it for a given service using the traefik.docker.network label.

Got the same problem and none of the above mentioned answers solved it for me. In my case a wrong loadbalancer was added. Removing the label or changing it to the correct port made the trick.

 - "traefik.http.services.XXX.loadbalancer.server.port=XXX"

In your example you don't have traefik enabled:

traefik.enable=false

Make sure to enable it first and then test your containers.

1

The error "bad gateway" is returned when the web server in the container doesn't allow traffic from traefik e.g. because of wrong interface binding like localhost instead of 0.0.0.0.

Take Ruby on Rails for example. Its web server puma is configured by default like this (see config/puma.rb):

port ENV.fetch("PORT") { 3000 }

But in order to allow access from traefik puma must bind to 0.0.0.0 like so:

bind "tcp://0.0.0.0:#{ ENV.fetch("PORT") { 3000 } }"

This solved the problem for me.

Another cause can be exposing a container at a port that Traefik already uses.

I forgot to expose the port in my Dockerfile thats why traefik did not find a port to route to. So expose the port BEFORE you start the application like node:

#other stuff before... EXPOSE 3000 CMD ["node", "dist/main" ]

Or if you have multiple ports open you have to specify which port traefik should route the domain to with:

- "traefik.http.services.myservice.loadbalancer.server.port=3000"

Or see docs

I faced very close issue to this exception my problem was not related to network settings or config, after time we figured out that the exposed port from the backend container is not like the port we mapping to to access form outside the service port was 5000 and we mapped 9000:9000 the solution was to fix the port issue first 9000:5000.

Expose port 80 for traefik

services: php: expose: - "80"

ncG1vNJzZmirpJawrLvVnqmfpJ%2Bse6S7zGiorp2jqbawutJoa3JsYGuEdIOOramanZaeuG6uwJ1koJmkmsSixQ%3D%3D