Trouble getting Traefik play nice with HA in docker (using network_mode: host)

piotr · October 15, 2019, 12:27pm

In your traefik.toml configure your HA as a non container service. No need for labels in your HA docker-compose file.

# non-container services
[file]
[backends]
  [backends.backend-homeassistant]
    [backends.backend-homeassistant.servers]
      [backends.backend-homeassistant.servers.server-homeassistant-ext]
        url = "http://<ip of the docker machine>:port_number"
        weight = 0
[frontends]
  [frontends.frontend-homeassistant]
    backend = "backend-homeassistant"
    passHostHeader = true
    [frontends.frontend-homeassistant.routes]
      [frontends.frontend-homeassistant.routes.route-homeassistant-ext]
      rule = "Host:ha.somedomain.com"

giacomo93 · October 15, 2019, 12:31pm

How do I find my HA docker IP? I thought was the LAN one, but that not might be the case and I also Setup my HA docker to use network_mode: host so that might help! Thanks

piotr · October 15, 2019, 1:19pm

IP of the machine that is running docker.

noneangel · October 20, 2019, 9:55pm

Hi,
Did someone manage to get a configuration with home assistant in host mode using traefik v2 (with https) ?

noneangel · October 23, 2019, 6:35pm

I did it !

# docker-compose.yml
version: "3.7"

services:
  traefik:
    image: "traefik" # v2
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
    env_file:
      - "XXX" #envfile with credential for dns challenge
    networks:
      - traefik
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "traefik/traefik.toml:/etc/traefik/traefik.toml"
      - "traefik/dynamic_conf.toml:/etc/traefik/dynamic_conf.toml"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  homeassistant:
    container_name: home-assistant
    image: homeassistant/raspberrypi4-homeassistant
    volumes:
      - homeassistant/config:/config
    environment:
      - TZ=Europe/Paris
    restart: always
    network_mode: "host"

# traefik.toml
[global]
  checkNewVersion = true
  sendAnonymousUsage = true

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.web-secure]
    address = ":443"

[providers]
  [providers.docker]
    watch = true
    endpoint = "unix:///var/run/docker.sock"
    network = "traefik"
    exposedbydefault = false

  [providers.file]
    filename = "/etc/traefik/dynamic_conf.toml"

[certificatesResolvers]
  [certificatesResolvers.mydnschallenge.acme]
    email = "[email protected]"
    storage = "/letsencrypt/acme.json"
    [certificatesResolvers.mydnschallenge.acme.dnschallenge]
      provider = "XXX"

# dynamic_conf.toml
[http]
  [http.routers]
    [http.routers.redirect-to-https]
      entryPoints = ["web"]
      middlewares = ["https-redirect"]
      rule = "HostRegexp(`{host:.+}`)"
      service = "noop"

    [http.routers.hass]
      entrypoints = ["web-secure"]
      rule = "Host(`homeassistant.domaine.com`)" # you probably want to customize this rule
      service = "hass"
      [http.routers.hass.tls]
        certResolver = "mydnschallenge"
        [[http.routers.hass.tls.domains]]
          main = "domaine.com"
          sans = ["*.domaine.com"]

  [http.middlewares]
    [http.middlewares.https-redirect.redirectScheme]
      scheme = "https"
    [http.middlewares.auth.basicAuth]
      usersfile = "/etc/traefik/traefik.auth"

  [http.services]
    [http.services.hass.loadBalancer]
      [[http.services.hass.loadBalancer.servers]]
        url = "http://172.17.0.1:8123" # 172.17.0.1 is the docker0 interface: a way to communicate outside of docker (ie with home assistant on the host network)

    # noop service, the URL will be never called
    [http.services.noop.loadBalancer]
      [[http.services.noop.loadBalancer.servers]]
        url = "http://192.168.0.1"

RonnyAl · October 31, 2019, 8:56pm

Thanks for this. Was finally able to reach Home Assistant at my domain. For now I did that via http since I actually hit the LetsEncrypt rate limit while trying to get things working with https… Not gonna keep it up, and not gonna log in as long as I don’t have a valid SSL cert.

Still - I am only able to access Home Assistant using http://mydomain.com:8123. It doesn’t work without the port specified. Any idea why? Can share configs if necessary, but I mostly copied from yours.

noneangel · November 1, 2019, 8:57am

That is surprising. Could you share your config ? I suppose that somthing is wrong on the way you removed the https redirection. You can also check that the docker0 interface is indeed 172.17.0.1 with somting like this: (i don’t have access to a computer for the next 5 days to check the syntaxe)

sudo doker run alpine ip addr show

And correct the loadBalancer accordingly.
Lastly, the docker-compose.yml should not expose the port 8123 (traefik don’t need it, and home assistant expose it via network_mode: "host").

RonnyAl · November 2, 2019, 2:55pm

I eventually figured that it most likely had to do with the base_url entry (under http) in my configuration. For now I’m using the DuckDNS for external https access while waiting for the LetsEncrypt rate limit to reset. When that happens I’ll try again, either with nginx or Traefik.

Thanks for getting back to me, anyway. I might return with another question or five once I’m ready to give this another shot!

martinezpenya · April 20, 2020, 9:45am

Well I want it all:
Now I have HA + SSL + Traefik working with docker-compose.
I need to add bluetooth support to Home Assistant, so I need network_mode: “host”.
If I try your solution with traefik.toml I can’t do traefik and ssl work, but bluetooth on docker can scan devices.
There’s anyone having all the stuff working together?

sillyfrog · April 23, 2020, 11:01am

Hi,

TLDR above

I do have it all working together, below are snippets from my docker compose for reference. The solution for me was to not try and do anything with the automatic stuff from Traefik. Instead I have gone all in with a “macvlan” (details below, it’s not pretty) - but it helped me get all of the network broadcast features working correctly with HA (many more caveats below to make all of this work).

The actual HA config:

  homeassistant:
    image: homeassistant/home-assistant:stable
    command:
      [ "python3", "-m", "homeassistant", "--log-rotate-days", "600", "--log-file", "/logs/home-assistant.log", "--config", "/config" ]
    depends_on:
      - postgres
      - mqtt
    healthcheck:
      test: ["CMD", "ping", "-c", "2", "hass.sf"]
    volumes:
      - /tank/share/docker/hass/config:/config
      - /tank/share/logs/hass:/logs
      - "/etc/localtime:/etc/localtime:ro"
    environment:
      - TZ=Australia/Brisbane
    restart: always
    networks:
      macbridge:
        ipv4_address: 10.1.1.1

You can probably ignore the health check (note the hostname is something I have configured on my internal DNS server, it helps detect when DNS stops resolving in HA). I have also modified the command so my logs actually rotate (as I keep HA in full debug mode all the time). I then have an external tool do the log move/rotate and delete (hence the 600 days). Obviously all paths need to be setup to suit your server.

This is the Traefik config:

  traefik:
    image: "traefik:2.2"
    networks:
      - traefik-net
    ports:
      - "80:80"
      - "443:443"
      - "8888:8080"
    restart: always
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - /tank/share/docker/core/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /tank/share/docker/core/traefik/config/:/config/
      - /tank/share/store/traefik/certs/:/certs/
      - "/etc/localtime:/etc/localtime:ro"
    environment:
        XXX your config here for DNS auth of SSL certs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.services.traefik-service.loadbalancer.server.port=8080"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=magicauth@file"

Note I have a loopback config (via labels) to access the Traefik UI over HTTPS.

This in the config file (/config/hass.toml) I have in Traefik for HA,

[http]
  # Add the router
  [http.routers]
    [http.routers.router0]
      entryPoints = ["web-secure"]
      service = "hass"
      rule = "Host(`XXX`)"
      [http.routers.router0.tls]
        certResolver = "letsencrypt"

    # Add the service
    [http.services]
      [http.services.hass]
        [http.services.hass.loadBalancer]
          [[http.services.hass.loadBalancer.servers]]
            url = "http://hass.sf:8123/"

And in my main traefik.toml I have the following snippets:

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.web-secure]
    address = ":443"

[api]
  insecure = true

[file]
  watch = true

[providers]
  [providers.file]
    directory = "/config"
    watch = true

[log]
  level = "INFO"

[serversTransport.forwardingTimeouts]
  idleConnTimeout = "1s"

[certificatesResolvers.letsencrypt.acme]
  email = XXX
  storage = "/certs/acme.json"

  [certificatesResolvers.letsencrypt.acme.dnsChallenge]
    provider = "godaddy"

Again, note the internal DNS name (hass.sf), this could just be an IP address.

Now the real fun if working with a macvlan network (named macbridge) - it can not be on the same network interface as your Traefik/default interface. My server happens to have 2x NIC’s, and they are both plugged into the LAN. One does not have an IP address, rather it is just brought up at boot with out an IP. I then have this in my docker-compose file:

  macbridge:
    external:
      name: macbridge

And I manually created the macbridge network running the following command (you can’t have this in docker compose because… I don’t know - it was removed/never implemented in v3 compose files):

docker network create -d macvlan --subnet=10.1.0.0/16 --ip-range=10.1.1.0/24 --gateway=10.1.255.254 -o parent=enp4s0f1 macbridge

I have obviously sectioned off the 10.1.1.0/24 portion of the network for macvlan hosts - you’ll probably only need to allocate a couple of IP addresses.

My “default” network interface on the server is enp4s0f0, and any communication between Traefik and HA is done over the LAN.

Hope that helps / makes some sense (it was an utter nightmare to get it all going!) - let me know if anything does not make sense.

Good luck!

martinezpenya · April 24, 2020, 8:00am

Thank you for your detailed info and suggestions, but I have all the stuff working (traefik, portainer, hass on docker without host, mqtt)… but the bluetooth tracking. I can’t make it work on docker… so I moved to nmap tracker and solved the problem.

For me the traefik and hass configuration is almost “auto” I don’t need any .toml file. And I have also included som macvlan for pihole (as dhcp).

For SSL I’ve configured traefik to use my OVH domain and works pretty well.