Issues configuring HA (in host mode) behind a traefik reverse proxy

Hi, I’m running Home Assistant in Docker, and hoping to put it behind a Docker traefik reverse proxy.

I’m having issues due to (I assume) HA operating in host network mode, and not on the traefik network. When visiting hass.example.com, I get a gateway timeout.

My traefik setup in Docker is based on this amazing guide.

My HA configuration (below) was built based on this discussion.

Something that may be relevant - I added this line to my traefik configuration:

extra_hosts:
   - host.docker.internal:172.17.0.1

but I noticed in Portainer that 172.17.0.1 actually refers to the system bridge network, and the system host network does not have a gateway address…

Other info: I also tried to add a dynamic router via .toml file, as per this guide, but couldn’t get it working.

Would appreciate any help - thanks in advance!

docker-compose.yml

######################### NETWORKS
networks:
  t2_proxy:
    name: t2_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/16
  default:
    driver: bridge

######################### SERVICES
services:
  # traefik 2 - reverse proxy
  traefik:
    container_name: traefik
    image: traefik:2.2.1 # breaking change in 2.2.2
    restart: unless-stopped
    command:
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198>
      - --entryPoints.traefik.address=:8080
      - --api=true
      - --log=true
      - --log.level=WARN
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules
      - --providers.file.watch=true
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    networks:
      t2_proxy:
        ipv4_address: 172.18.0.4
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log
      - $DOCKERDIR/shared:/shared
    extra_hosts:
      - host.docker.internal:172.17.0.1
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      # Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      # Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"

  # Home Assistant
  homeassistant:
    container_name: homeassistant
    image: ghcr.io/home-assistant/home-assistant:stable
    restart: unless-stopped
    network_mode: host   # shares the host's network namespace: HA listens on the host's own 0.0.0.0:8123
    privileged: true
    # no ports:/expose: here - Docker discards published ports (with a warning) in host network mode
    volumes:
      - $DOCKERDIR/homeassistant:/config
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.hass-rtr.entrypoints=https"
      - "traefik.http.routers.hass-rtr.rule=Host(`hass.$DOMAINNAME`)"
      - "traefik.http.routers.hass-rtr.tls=true"
      # HTTP Services
      - "traefik.http.routers.hass-rtr.service=hass-svc"
      - "traefik.http.services.hass-svc.loadbalancer.server.port=8123"
      # Middlewares
      - "traefik.http.routers.hass-rtr.middlewares=chain-no-auth@file"
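The following is an added troubleshooting script, not part of the original post or of the guides it links. For a container on the host network there is no Docker-assigned address for traefik to discover; what traefik on `t2_proxy` can reach is the host's address on that same bridge, which is the network's gateway (172.18.0.1 for the `172.18.0.0/16` subnet above, not the 172.17.0.1 of the default `docker0` bridge). The script computes that address, renders a traefik v2 file-provider rule with an explicit backend URL (so the route no longer depends on what `host.docker.internal` resolves to inside the traefik container), and probes port 8123 from inside the traefik container to separate "traefik can't reach the host" from "HA isn't answering". Assumed names are taken from the compose file (network `t2_proxy`, container `traefik`, rules directory `$DOCKERDIR/traefik2/rules`, domain `$DOMAINNAME`); the probe assumes the official alpine-based traefik image, which ships busybox `wget`.

```shell
#!/bin/sh
# Added example (not from the original post): find the host-side address of the
# traefik network, write a file-provider rule for Home Assistant, and probe it.
set -eu

# Docker's default gateway for a user-defined bridge is the first usable address
# of its subnet (assumption: no explicit "gateway:" in ipam.config, as above).
gateway_for_subnet() {
    net=${1%/*}                     # drop the /prefix
    oldifs=$IFS; IFS=.
    set -- $net                     # split into octets
    IFS=$oldifs
    printf '%s.%s.%s.%s\n' "$1" "$2" "$3" "$(( $4 + 1 ))"
}

# Live variant (needs the docker CLI): the gateway the daemon actually assigned.
live_gateway() {
    docker network inspect -f '{{ (index .IPAM.Config 0).Gateway }}' "$1"
}

# Traefik v2 dynamic configuration (YAML, file provider) routing hass.<domain>
# to HA on the host. It mirrors the labels on the homeassistant service but
# names the backend address explicitly; chain-no-auth@file is the chain the
# labels already reference.
render_hass_rule() {
    host=$1; port=$2; domain=$3
    cat <<EOF
http:
  routers:
    hass-rtr:
      entryPoints:
        - https
      rule: "Host(\`hass.${domain}\`)"
      tls: {}
      middlewares:
        - chain-no-auth@file
      service: hass-svc
  services:
    hass-svc:
      loadBalancer:
        servers:
          - url: "http://${host}:${port}"
EOF
}

# Probe the backend from inside the traefik container's network namespace, with
# a 5 s timeout so a firewall drop shows up as a timeout rather than a hang.
probe_backend() {
    if out=$(docker exec traefik wget -q -O /dev/null -T 5 "http://$1:$2/" 2>&1); then
        echo "reachable from traefik: $1:$2"
    else
        echo "no 2xx from $1:$2 inside traefik: ${out:-timed out} (check host firewall / HA bind address)"
    fi
}

main() {
    subnet=${T2_SUBNET:-172.18.0.0/16}
    gw=$(gateway_for_subnet "$subnet")
    echo "t2_proxy gateway (what host.docker.internal should map to): $gw"
    echo "docker's view of the gateway: $(live_gateway t2_proxy)"

    rules_dir="${DOCKERDIR:?set DOCKERDIR as in the compose file}/traefik2/rules"
    render_hass_rule "$gw" 8123 "${DOMAINNAME:?set DOMAINNAME as in the compose file}" > "$rules_dir/hass.yml"
    echo "wrote $rules_dir/hass.yml (the file provider is watching that directory)"

    # HA in host mode must be listening on all host interfaces, not only 127.0.0.1
    ss -ltn | grep ':8123' || echo "nothing listening on 8123 on the host"

    probe_backend "$gw" 8123          # host address on traefik's own bridge
    probe_backend 172.17.0.1 8123     # the docker0 address from extra_hosts, for comparison
}

# Live checks only on request, so the helpers above can be sourced and tested offline.
if [ "${RUN_LIVE:-0}" = 1 ]; then main; fi
```

Run it with `RUN_LIVE=1 DOCKERDIR=... DOMAINNAME=... sh hass-check.sh`. If the probe against the gateway address times out while `ss` shows `0.0.0.0:8123`, the host firewall is dropping traffic from the 172.18.0.0/16 bridge and traefik will keep returning a gateway timeout regardless of routing. Once the route works, tell Home Assistant about the proxy in `configuration.yaml` (`http:` with `use_x_forwarded_for: true` and `trusted_proxies: ["172.18.0.0/16"]`, the subnet traefik connects from); HA ignores `X-Forwarded-For` from untrusted sources, and since `chain-no-auth` leaves HA's own login as the only gate, its login-attempt throttling and `ip_ban` logic otherwise see every client as 172.18.0.4.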