Trouble getting Traefik play nice with HA in docker (using network_mode: host)

Correct. When you follow the guide then discovery won’t work. You have to remove the traefik labels, add network mode “host” and edit your traefik.toml

Tx again Piotr, conclusion I’m not stupid just have tried to copy something that wont work with discovery function. A little bit funny though, been using Nginx before but your comment about traefik made me change it is easier but was frustrated when discovery didn’t work

Glad it worked out for you. Traefik is really great.

hi, wondered if you could assist…

I have various sonos speakers, but have focused on trying to send tts to a sonos beam, the difference in my setup is I have two pc’s - 1 running docker with traefik & the other running home assistant - both on the same network and using the traefik backend to send data.

the sonos never “speaks” the tts, after much testing I can only assume its something to do with the traefik setup - but I have the traefik.toml backend setup as you described…only difference being there is no docker-compose entry as it runs on a different pc which runs hassio docker on ubuntu server.

I use letsencrypt and have a registered domain, everything else works great inc the IOS app using these details.

I thought maybe there was a particular encryption type I needed to add to traefik for it to work with sonos…but am at a loss.

Any help very much appreciated :slight_smile:

have this in docker-compose:

networks:
traefik_proxy:
external:
name : traefik_proxy
default:
driver: bridge

and the same [backends] as quoted with my details.

Is your HA running in a Docker container ?

its hassio so yes uses docker…but not the same docker as traefik due to them being on separate PC’s

@piotr could you please help me?? I think you might be the only one able to help me

Thanks man, I’m trying to solve this problem but I can’t

What exact problem are you trying to solve ? I have configure HA as a non-docker service in Traefik.toml (I’m on Traefik 1.7, 2.0 is a whole different story)

I have 1.7 as well and I’m trying to setup HA to use Traefik but I really can’t figured out how to do it properly

In your traefik.toml configure your HA as a non container service. No need for labels in your HA docker-compose file.

# non-container services
[file]
[backends]
  [backends.backend-homeassistant]
    [backends.backend-homeassistant.servers]
      [backends.backend-homeassistant.servers.server-homeassistant-ext]
        url = "http://<ip of the docker machine>:port_number"
        weight = 0
[frontends]
  [frontends.frontend-homeassistant]
    backend = "backend-homeassistant"
    passHostHeader = true
    [frontends.frontend-homeassistant.routes]
      [frontends.frontend-homeassistant.routes.route-homeassistant-ext]
      rule = "Host:ha.somedomain.com"

1 Like

How do I find my HA docker IP? I thought was the LAN one, but that not might be the case and I also Setup my HA docker to use network_mode: host so that might help! Thanks

IP of the machine that is running docker.

Hi,
Did someone manage to get a configuration with home assistant in host mode using traefik v2 (with https) ?

I did it !

# docker-compose.yml
version: "3.7"

services:
  traefik:
    image: "traefik" # v2
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
    env_file:
      - "XXX" #envfile with credential for dns challenge
    networks:
      - traefik
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "traefik/traefik.toml:/etc/traefik/traefik.toml"
      - "traefik/dynamic_conf.toml:/etc/traefik/dynamic_conf.toml"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  homeassistant:
    container_name: home-assistant
    image: homeassistant/raspberrypi4-homeassistant
    volumes:
      - homeassistant/config:/config
    environment:
      - TZ=Europe/Paris
    restart: always
    network_mode: "host"
# traefik.toml
[global]
  checkNewVersion = true
  sendAnonymousUsage = true

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.web-secure]
    address = ":443"

[providers]
  [providers.docker]
    watch = true
    endpoint = "unix:///var/run/docker.sock"
    network = "traefik"
    exposedbydefault = false

  [providers.file]
    filename = "/etc/traefik/dynamic_conf.toml"

[certificatesResolvers]
  [certificatesResolvers.mydnschallenge.acme]
    email = "[email protected]"
    storage = "/letsencrypt/acme.json"
    [certificatesResolvers.mydnschallenge.acme.dnschallenge]
      provider = "XXX"
# dynamic_conf.toml
[http]
  [http.routers]
    [http.routers.redirect-to-https]
      entryPoints = ["web"]
      middlewares = ["https-redirect"]
      rule = "HostRegexp(`{host:.+}`)"
      service = "noop"

    [http.routers.hass]
      entrypoints = ["web-secure"]
      rule = "Host(`homeassistant.domaine.com`)" # you probably want to customize this rule
      service = "hass"
      [http.routers.hass.tls]
        certResolver = "mydnschallenge"
        [[http.routers.hass.tls.domains]]
          main = "domaine.com"
          sans = ["*.domaine.com"]

  [http.middlewares]
    [http.middlewares.https-redirect.redirectScheme]
      scheme = "https"
    [http.middlewares.auth.basicAuth]
      usersfile = "/etc/traefik/traefik.auth"

  [http.services]
    [http.services.hass.loadBalancer]
      [[http.services.hass.loadBalancer.servers]]
        url = "http://172.17.0.1:8123" # 172.17.0.1 is the docker0 interface: a way to communicate outside of docker (ie with home assistant on the host network)

    # noop service, the URL will be never called
    [http.services.noop.loadBalancer]
      [[http.services.noop.loadBalancer.servers]]
        url = "http://192.168.0.1"
3 Likes

Thanks for this. Was finally able to reach Home Assistant at my domain. For now I did that via http since I actually hit the LetsEncrypt rate limit while trying to get things working with https… Not gonna keep it up, and not gonna log in as long as I don’t have a valid SSL cert.

Still - I am only able to access Home Assistant using http://mydomain.com:8123. It doesn’t work without the port specified. Any idea why? Can share configs if necessary, but I mostly copied from yours.

That is surprising. Could you share your config ? I suppose that somthing is wrong on the way you removed the https redirection. You can also check that the docker0 interface is indeed 172.17.0.1 with somting like this: (i don’t have access to a computer for the next 5 days to check the syntaxe)

sudo doker run alpine ip addr show

And correct the loadBalancer accordingly.
Lastly, the docker-compose.yml should not expose the port 8123 (traefik don’t need it, and home assistant expose it via network_mode: "host").

I eventually figured that it most likely had to do with the base_url entry (under http) in my configuration. For now I’m using the DuckDNS for external https access while waiting for the LetsEncrypt rate limit to reset. When that happens I’ll try again, either with nginx or Traefik.

Thanks for getting back to me, anyway. I might return with another question or five once I’m ready to give this another shot! :slight_smile:

Well I want it all:
Now I have HA + SSL + Traefik working with docker-compose.
I need to add bluetooth support to Home Assistant, so I need network_mode: “host”.
If I try your solution with traefik.toml I can’t do traefik and ssl work, but bluetooth on docker can scan devices.
There’s anyone having all the stuff working together?

Hi,

TLDR above :slight_smile:

I do have it all working together, below are snippets from my docker compose for reference. The solution for me was to not try and do anything with the automatic stuff from Traefik. Instead I have gone all in with a “macvlan” (details below, it’s not pretty) - but it helped me get all of the network broadcast features working correctly with HA (many more caveats below to make all of this work).

The actual HA config:

  homeassistant:
    image: homeassistant/home-assistant:stable
    command:
      [ "python3", "-m", "homeassistant", "--log-rotate-days", "600", "--log-file", "/logs/home-assistant.log", "--config", "/config" ]
    depends_on:
      - postgres
      - mqtt
    healthcheck:
      test: ["CMD", "ping", "-c", "2", "hass.sf"]
    volumes:
      - /tank/share/docker/hass/config:/config
      - /tank/share/logs/hass:/logs
      - "/etc/localtime:/etc/localtime:ro"
    environment:
      - TZ=Australia/Brisbane
    restart: always
    networks:
      macbridge:
        ipv4_address: 10.1.1.1

You can probably ignore the health check (note the hostname is something I have configured on my internal DNS server, it helps detect when DNS stops resolving in HA). I have also modified the command so my logs actually rotate (as I keep HA in full debug mode all the time). I then have an external tool do the log move/rotate and delete (hence the 600 days). Obviously all paths need to be setup to suit your server.

This is the Traefik config:

  traefik:
    image: "traefik:2.2"
    networks:
      - traefik-net
    ports:
      - "80:80"
      - "443:443"
      - "8888:8080"
    restart: always
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - /tank/share/docker/core/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /tank/share/docker/core/traefik/config/:/config/
      - /tank/share/store/traefik/certs/:/certs/
      - "/etc/localtime:/etc/localtime:ro"
    environment:
        XXX your config here for DNS auth of SSL certs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.services.traefik-service.loadbalancer.server.port=8080"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=magicauth@file"

Note I have a loopback config (via labels) to access the Traefik UI over HTTPS.

This in the config file (/config/hass.toml) I have in Traefik for HA,

[http]
  # Add the router
  [http.routers]
    [http.routers.router0]
      entryPoints = ["web-secure"]
      service = "hass"
      rule = "Host(`XXX`)"
      [http.routers.router0.tls]
        certResolver = "letsencrypt"

    # Add the service
    [http.services]
      [http.services.hass]
        [http.services.hass.loadBalancer]
          [[http.services.hass.loadBalancer.servers]]
            url = "http://hass.sf:8123/"

And in my main traefik.toml I have the following snippets:

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.web-secure]
    address = ":443"

[api]
  insecure = true

[file]
  watch = true

[providers]
  [providers.file]
    directory = "/config"
    watch = true

[log]
  level = "INFO"

[serversTransport.forwardingTimeouts]
  idleConnTimeout = "1s"

[certificatesResolvers.letsencrypt.acme]
  email = XXX
  storage = "/certs/acme.json"

  [certificatesResolvers.letsencrypt.acme.dnsChallenge]
    provider = "godaddy"

Again, note the internal DNS name (hass.sf), this could just be an IP address.

Now the real fun if working with a macvlan network (named macbridge) - it can not be on the same network interface as your Traefik/default interface. My server happens to have 2x NIC’s, and they are both plugged into the LAN. One does not have an IP address, rather it is just brought up at boot with out an IP. I then have this in my docker-compose file:

  macbridge:
    external:
      name: macbridge

And I manually created the macbridge network running the following command (you can’t have this in docker compose because… I don’t know - it was removed/never implemented in v3 compose files):

docker network create -d macvlan --subnet=10.1.0.0/16 --ip-range=10.1.1.0/24 --gateway=10.1.255.254 -o parent=enp4s0f1 macbridge

I have obviously sectioned off the 10.1.1.0/24 portion of the network for macvlan hosts - you’ll probably only need to allocate a couple of IP addresses.

My “default” network interface on the server is enp4s0f0, and any communication between Traefik and HA is done over the LAN.

Hope that helps / makes some sense (it was an utter nightmare to get it all going!) - let me know if anything does not make sense.

Good luck!

Thank you for your detailed info and suggestions, but I have all the stuff working (traefik, portainer, hass on docker without host, mqtt)… but the bluetooth tracking. I can’t make it work on docker… so I moved to nmap tracker and solved the problem.

For me the traefik and hass configuration is almost “auto” I don’t need any .toml file. And I have also included som macvlan for pihole (as dhcp).

For SSL I’ve configured traefik to use my OVH domain and works pretty well.