Trouble getting Traefik play nice with HA in docker (using network_mode: host)

aetjansen · December 14, 2018, 9:45am

Hi All,

I am running HA (not hassio) on an intel Nuc using docker, with some additional stuff like influxdb, grafana and nodered. Additionally, I am using Traefik as a reverse proxy, which is where I run into issues.

When I configure HA in docker-compose with the networks: option, to make it part of the traefik_proxy network I have setup, I can access HA on the specified domain. But, auto-discovery does not work in HA, nor can it find chromecast or sonos devices I have in my house.

homeassistant:
    hostname: homeassistant
    image: homeassistant/home-assistant:latest
    container_name: "hass"
    restart: always
    depends_on:
      - influxdb
      - mqtt
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8123"]
      interval: 30s
      timeout: 10s
      retries: 6
    ports:
      - "8123:8123"
    volumes:
      - ${USERDIR}/docker/hass/config:/config
      - /etc/timezone:/etc/timezone
    devices:
      - /dev/smartmeter:/dev/smartmeter
      - /dev/zwave:/dev/zwave
    environment:
      - TZ=${TZ}
    networks:
     - default
     - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=homeassistant"
      - "traefik.frontend.rule=Host:hass.${DOMAINNAME}"
      - "traefik.port=8123"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"

When I remove the networks: part and replace it with “network_mode: host”, auto-discovery works, and it finds all devices on my network. But traefik no longer seems to be able to connect frontend to backend. I notice in the first setup, the home assistant backend has an IP address in the docker network range, and in the host network mode, the backend has IP 127.0.0.1, all seems ok, but it won’t route correctly.

I am not sure how to debug this, anybody have a guess where I am screwing things up?

gpbenton · December 14, 2018, 10:29am

I don’t know about traefik, but if you don’t use the host network for HA, you will need to map the ports used for discovery into HA.

UPNP uses port 1900, so you should try that, but there are probably others you need.

ha_steve · December 14, 2018, 6:37pm

Your labels are still pointing Traefik to the poxy network.

aetjansen · December 15, 2018, 2:39pm

good catch @ha_steve, have read over those lines dozens of times and got blind to it I guess However, when I set it to =host, no homeassistant backend shows up at all in traefik, and if I leave out the label completely, the backend shows up, but still traffic is not correctly routed to the backend. From the traefik documentation, I get none the wiser, have you got any tips?

ha_steve · December 15, 2018, 4:35pm

I run with both Traefik and Home Assistant in host network mode. Here’s my docker-compose for Traefik:

version: '3'

services:
  traefik:
    container_name: traefik
    image: traefik
    restart: unless-stopped
    network_mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/homeserver/traefik/traefik.toml:/traefik.toml
      - /var/homeserver/traefik/acme.json:/acme.json
      - /var/homeserver/traefik/.htpasswd:/.htpasswd
    environment:
      - CLOUDFLARE_EMAIL=<myemail>
      - CLOUDFLARE_API_KEY=<mycloudflarekey>
      - TZ="America/Los_Angeles"
      - PUID=1000
      - GUID=999

and for home assistant, I use this (snippet from my docker-compose file):

    network_mode: host
    labels: 
      - traefik.enable=true
      - traefik.frontend.rule=Host:hass.myserver.com
      - traefik.frontend.headers.STSSeconds=15552000
      - traefik.port=8123
      - traefik.protocol=http

and the relevant parts of my traefik.toml file:

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
    minVersion = "VersionTLS12"
    sniStrict = true

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myserver.com"
watch = true
exposedByDefault = false

aetjansen · December 15, 2018, 7:19pm

Thanks for sharing that, @ha_steve

I have copied over most your settings and adapted to my domain, but no luck so far. Does your frontend/backend settings in Traefik look similar to this?

I notice you run traefik in host network mode as well. Assuming you have more services defined in your docker-compose (maybe influxdb and grafana), do you run all of those in network_mode host then?

ha_steve · December 16, 2018, 3:17pm

Yep:

I have a total of 8 containers I run behind Traefik, HA is the only one I run in host mode (for the same reason you want to use host mode) and the rest I just forward the port to the container. I have never set up a network for them.

piotr · March 18, 2019, 10:52am

Use

  network_mode: "host"

and remove all traefik labels in your docker-compose file.

In Traefik.toml add a [file] section that looks like this:

[file]
[backends]
  [backends.backend-homeassistant]
    [backends.backend-homeassistant.servers]
      [backends.backend-homeassistant.servers.server-homeassistant-ext]
        url = "http://<IP OF HOST>:8123"
        weight = 0
[frontends]
  [frontends.frontend-homeassistant]
    backend = "backend-homeassistant"
    passHostHeader = true
    [frontends.frontend-homeassistant.routes]
      [frontends.frontend-homeassistant.routes.route-homeassistant-ext]
      rule = "Host:hass.<YOUR DOMAIN>"

Reason is that HA needs to be on the host network for discovery etc. to work.

Banditen01 · March 18, 2019, 11:43am

Piotr, you are the Man, tx a lot this made da shit

piotr · March 18, 2019, 1:05pm

This is how you would normally add non-dockerized services. You could also use it to add your NAS etc to Traefik.

Banditen01 · March 18, 2019, 4:46pm

I’ve been reading the guide https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/#Smart_Home_Apps for days and what is the difference, he (author) seems to have made it without host mode … maybe I’m blind (our to novice to see it)!?

piotr · March 18, 2019, 6:53pm

Correct. When you follow the guide then discovery won’t work. You have to remove the traefik labels, add network mode “host” and edit your traefik.toml

Banditen01 · March 18, 2019, 7:57pm

Tx again Piotr, conclusion I’m not stupid just have tried to copy something that wont work with discovery function. A little bit funny though, been using Nginx before but your comment about traefik made me change it is easier but was frustrated when discovery didn’t work

piotr · March 18, 2019, 8:54pm

Glad it worked out for you. Traefik is really great.

partymike · April 3, 2019, 1:26pm

hi, wondered if you could assist…

I have various sonos speakers, but have focused on trying to send tts to a sonos beam, the difference in my setup is I have two pc’s - 1 running docker with traefik & the other running home assistant - both on the same network and using the traefik backend to send data.

the sonos never “speaks” the tts, after much testing I can only assume its something to do with the traefik setup - but I have the traefik.toml backend setup as you described…only difference being there is no docker-compose entry as it runs on a different pc which runs hassio docker on ubuntu server.

I use letsencrypt and have a registered domain, everything else works great inc the IOS app using these details.

I thought maybe there was a particular encryption type I needed to add to traefik for it to work with sonos…but am at a loss.

Any help very much appreciated

have this in docker-compose:

networks:
traefik_proxy:
external:
name : traefik_proxy
default:
driver: bridge

and the same [backends] as quoted with my details.

piotr · April 5, 2019, 12:31pm

Is your HA running in a Docker container ?

partymike · April 5, 2019, 1:03pm

its hassio so yes uses docker…but not the same docker as traefik due to them being on separate PC’s

giacomo93 · October 14, 2019, 7:28pm

@piotr could you please help me?? I think you might be the only one able to help me

Thanks man, I’m trying to solve this problem but I can’t

piotr · October 15, 2019, 10:22am

What exact problem are you trying to solve ? I have configure HA as a non-docker service in Traefik.toml (I’m on Traefik 1.7, 2.0 is a whole different story)

giacomo93 · October 15, 2019, 10:34am

I have 1.7 as well and I’m trying to setup HA to use Traefik but I really can’t figured out how to do it properly