Develop Reference

Understanding docker compose port wiring for django, react app and haproxy

I came across a docker-compose.yml which has following port configuration:
wsgi:
ports:
- 9090 // ?? Is it by default mapped to host port 80 ??
nodejs
image: nodejs:myapp
ports:
- 9999:9999
environment:
BACKEND_API_URL: http://aa.bb.cc.dd:9854/api/
haproxy
ports:
- 9854:80
I am trying to understand how the port wiring is happening here.
nodejs UI app settings needs to specify backend port which is 9854 here. This port is exposed by haproxy setting and is mapped to port 80. I know that wsgi is a django backend app. From its entrypoint.sh (in PS below) and port specification in above docker-compose.yml, I get that django listens to port 9090. But I am unable to get how this port 9090 maps to port 80 (which is then exposed by haproxy at 9854, which in turn is specified in BACKEND_API_URL by nodejs settings).
PS:
Django wsgi app has following in \wsgi\entrypoint.sh:
nohup gunicorn myapp.wsgi --bind "0.0.0.0:9090"
And nodejs react app has following in its server.js file:
const port = process.env.PORT || 9999;
My whole docker compose file:
version: "3.8"
services:
postgres:
image: postgres:11
volumes:
- my_app_postgres_volume:/var/lib/postgresql/data
- type: tmpfs
target: /dev/shm
tmpfs:
size: 536870912 # 512MB
environment:
POSTGRES_DB: my_app_db
POSTGRES_USER: my_app
POSTGRES_PASSWORD: my_app123
networks:
- my_app_network
redis:
image: redis:6.2.4
volumes:
- my_app_redis_volume:/data
networks:
- my_app_network
wsgi:
image: wsgi:my_app3_stats
volumes:
- /my_app/frontend/static/
- ./wsgi/my_app:/my_app
- /my_app/frontend/clientApp/node_modules
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
depends_on:
- postgres
- redis
ports:
- 9090
environment:
C_FORCE_ROOT: 'true'
SERVICE_PORTS: 9090
networks:
- my_app_network
deploy:
replicas: 1
update_config:
parallelism: 1
delay: 10s
restart_policy:
condition: on-failure
max_attempts: 3
window: 120s
nodejs:
image: nodejs:my_app3_stats
volumes:
- ./nodejs/frontend:/frontend
- /frontend/node_modules
depends_on:
- wsgi
ports:
- 9999:9999
environment:
BACKEND_API_URL: http://aa.bb.cc.dd:9854/api/
networks:
- my_app_network
nginx:
image: isiq/nginx-brotli:1.21.0
volumes:
- ./nginx:/etc/nginx/conf.d:ro
- ./wsgi/my_app:/my_app:ro
- my_app_nginx_volume:/var/log/nginx/
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
networks:
- my_app_network
haproxy:
image: haproxy:2.3.9
volumes:
- ./haproxy:/usr/local/etc/haproxy/:ro
- /var/run/docker.sock:/var/run/docker.sock
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
depends_on:
- wsgi
- nodejs
- nginx
ports:
- 9854:80
networks:
- my_app_network
deploy:
placement:
constraints: [node.role == manager]
volumes:
my_app_postgres_volume:
my_app_redis_volume:
my_app_nginx_volume:
networks:
my_app_network:
driver: overlay

On your host, there are three ports visible:
http://aa.bb.cc.dd:9854 forwards to port 80 on the haproxy container.
http://aa.bb.cc.dd:9999 forwards to port 9999 on the nodejs container.
The port shown by docker-compose port wsgi 9090 forwards to port 9090 on the wsgi container.
You don't discuss the HAProxy configuration at all, but it is presumably configured to listen on port 80, and that may be the missing bit of configuration you're looking for.
Between these three containers (so not visible to your front-end application), assuming you don't have any networks: blocks in the Compose file, there are three obvious URLs: http://haproxy:80 (or just http://haproxy), http://nodejs:9999, and http://wsgi:9090 connect to their respective containers. Note that these use the "normal" ports for their service, and not the remapped port for haproxy or the randomly-chosen port for wsgi.
I'm guessing the HAProxy container is configured to do some sort of path-based routing to one or the other of the other containers. If you have this setup, you might be able to configure your React application to not include a host name in the URL at all (BACKEND_API_URL: /api/), which will make it easier to deploy. You do not need the ports: for connections between containers, and if you don't want a caller to be able to reach the back-end services without going via the proxy, you can delete their ports: blocks.

Can't Access Traefik dashboard outside server

I am learning traefik and I am trying to connect to Ubuntu server hosted on a raspberry pi, Traefik is running on Docker. Currently I just want to access the dashboard, however am unable to access it outside my server but can ping it from inside the server itself,
This is how my traefik.yml file looks like
api:
dashboard: true
insecure: true
entryPoints:
http:
address: ":80"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
docker-compose file
services:
proxy:
image: traefik
networks:
- traefik
ports:
- "80:80"
- "8080:8080"
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--providers.docker"
- "--log.level=DEBUG"
- "--configFile=/home/ubuntu/traefik/traefik.yml"
volumes:
- $PWD/traefik.yml:/home/ubuntu/traefik/traefik.yml
- $PWD/acme.json:/home/ubuntu/traefik/acme.json
- /var/run/docker.sock:/var/run/docker.sock
restart: unless-stopped
networks:
traefik:
external:
name: traefik
I have docker network registered called traefik
NETWORK ID NAME DRIVER SCOPE
...
ef66....... traefik bridge local

Jhipster registry not working on localhost

thanks in advance for this awesome stack platform that is jhipster.
I have a question, I am trying to run a microservice directly with:
./mvnw -Pdev -DskipTests
And I am getting (UnknownHostException -- 'http://admin:admin#jhipster-registry:8761/eureka/):
2021-09-16 10:06:26.225 INFO 6762 --- [ restartedMain] c.n.d.s.t.d.RedirectingEurekaHttpClient : Request execution error. endpoint=DefaultEndpoint{ serviceUrl='http://admin:admin#jhipster-registry:8761/eureka/}, exception=I/O error on GET request for "http://admin:admin#jhipster-registry:8761/eureka/apps/": jhipster-registry: Name or service not known; nested exception is java.net.UnknownHostException: jhipster-registry: Name or service not known stacktrace=org.springframework.web.client.ResourceAccessException: I/O error on GET request for "http://admin:admin#jhipster-registry:8761/eureka/apps/": jhipster-registry: Name or service not known; nested exception is java.net.UnknownHostException: jhipster-registry: Name or service not known
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:711)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:602)
at org.springframework.cloud.netflix.eureka.http.RestTemplateEurekaHttpClient.getApplic
My doubt is, why is trying to use the domain jhipster-registry:8761 instead of what I have in the dev configurations, "localhost"?
eureka:
instance:
prefer-ip-address: true
client:
service-url:
defaultZone: http://admin:${jhipster.registry.password}#localhost:8761/eureka/
Right now I am using docker-compose in order to run the needed services, like the registry:
services:
jhipster-registry:
image: jhipster/jhipster-registry:v6.8.0
volumes:
- ./central-server-config:/central-config
# By default the JHipster Registry runs with the "dev" and "native"
# Spring profiles.
# "native" profile means the filesystem is used to store data, see
# http://cloud.spring.io/spring-cloud-config/spring-cloud-config.html
environment:
- _JAVA_OPTIONS=-Xmx512m -Xms256m
- JHIPSTER_SLEEP=20
- SPRING_PROFILES_ACTIVE=dev,oauth2
- SPRING_SECURITY_USER_PASSWORD=admin
- JHIPSTER_REGISTRY_PASSWORD=admin
- SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_0_TYPE=native
- SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_0_SEARCH_LOCATIONS=file:./central-config
# - SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_0_TYPE=git
# - SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_0_URI=https://github.com/jhipster/jhipster-registry/
# - SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_0_SEARCH_PATHS=central-config
# For Keycloak to work, you need to add '127.0.0.1 keycloak' to your hosts file
- SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI=http://keycloak:9080/auth/realms/jhipster
- SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID=jhipster-registry
- SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET=jhipster-registry
ports:
- 8761:8761
keycloak:
image: jboss/keycloak:12.0.4
command:
[
"-b",
"0.0.0.0",
"-Dkeycloak.migration.action=import",
"-Dkeycloak.migration.provider=dir",
"-Dkeycloak.migration.dir=/opt/jboss/keycloak/realm-config",
"-Dkeycloak.migration.strategy=OVERWRITE_EXISTING",
"-Djboss.socket.binding.port-offset=1000",
"-Dkeycloak.profile.feature.upload_scripts=enabled",
]
volumes:
- ./realm-config:/opt/jboss/keycloak/realm-config
environment:
- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=admin
- DB_VENDOR=h2
ports:
- 9080:9080
- 9443:9443
- 10990:10990
test-mysql:
container_name: test-mysql
restart: always
image: mysql:8.0.25
environment:
MYSQL_ROOT_PASSWORD: 'root'
ports:
# <Port exposed> : < MySQL Port running inside container>
- '3306:3306'
expose:
# Opens port 3306 on the container
- '3306'
volumes:
- test-datavolume:/var/lib/mysql
volumes:
test-datavolume:
I know that if I add into the /etc/hosts the entry "127.0.0.1 jhipster-registry" is going to work, but I cant find/understand why is trying to use jhipster-registry instead of localhost?
Thanks!

Traefik: all subdirectories return 404

First, thank you in advance for taking a look. I think I have a very basic mistake somewhere, but I have searched for hours with no result. I am trying to run a proof of concept to expose a container behind a traefik 2.4 reverse proxy at a subdirectory. My DDNS does not allow for subdomains, so I am stuck with subdirectories until I can prove this works.
My problem is every container I stand up is dynamically picked up by traefik and shows up in the dashboard, but the subdirectory gives a 404 error. I have even used PathPrefix with a regex to prevent the ending / error.
Here is my configuration.
Traefik's docker-compose:
version: '3'
services:
traefik:
image: traefik:v2.4
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- t2_proxy
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/acme.json:/acme.json
- ./data/log:/var/log
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`domain.host.com`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=user:password"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`domain.host.com`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=http"
- "traefik.http.routers.traefik-secure.service=api#internal"
fail2ban:
image: crazymax/fail2ban:latest
container_name: fail2ban
network_mode: "host"
cap_add:
- NET_ADMIN
- NET_RAW
volumes:
# - /var/log:/var/log:ro
- ./fail2ban/data:/data
- ./data/log:/var/log:ro
networks:
t2_proxy:
external: true
Here is my traefik.yml configuration file:
api:
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
certificatesResolvers:
http:
acme:
email: email#email.com
storage: acme.json
httpChallenge:
entrypoint: http
log:
filePath: "/var/log/traefik.log"
level: DEBUG
accessLog:
filePath: "var/log/access.log"
filters:
statusCodes:
- "400-499"
retryAttempts: true
Here is the first proof-of-concept container I'm trying to expose. It's just portainer in a separate docker-compose:
version: '3'
services:
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- t2_proxy
ports:
- "9000:9000"
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data:/data
labels:
- "traefik.enable=true"
#web routers
- "traefik.http.routers.portainer.entrypoints=http"
- "traefik.http.routers.portainer.rule=Host(`domain.host.com`) && PathPrefix(`/portainer`)"
#- "traefik.http.routers.portainer.rule=Host(`domain.host.com`) && PathPrefix(`/portainer{regex:$$|/.*}`)"
#- "traefik.http.routers.portainer.rule=Path(`/portainer`)"
#- "traefik.http.routers.portainer.rule=PathPrefix(`/portainer{regex:$$|/.*}`)"
#middlewares
#- "traefik.http.routers.portainer.middlewares=portainer-stripprefix"
#- "traefik.http.middlewares.portainer-stripprefix.stripprefix.prefixes=/portainer"
- "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
#web secure rpiters
- "traefik.http.routers.portainer-secure.entrypoints=https"
- "traefik.http.routers.portainer-secure.rule=Host(`domain.host.com`) && PathPrefix(`/portainer`)"
#- "traefik.http.routers.portainer-secure.rule=Host(`domain.host.com`) && PathPrefix(`/portainer{regex:$$|/.*}`)"
#- "traefik.http.routers.portainer-secure.rule=Path(`/portainer`)"
#- "traefik.http.routers.portainer-secure.rule=PathPrefix(`/portainer{regex:$$|/.*}`)"
#- "traefik.http.routers.portainer-secure.middlewares=chain-basic-auth#users"
- "traefik.http.routers.portainer-secure.tls=true"
- "traefik.http.routers.portainer-secure.tls.certresolver=http"
- "traefik.http.routers.portainer-secure.service=portainer"
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
- "traefik.docker.network=t2_proxy"
networks:
t2_proxy:
external: true
In summary, I navigate to domain.host.com, and it behaves properly by redirecting me to domain.host.com/dashboard. However, when I go to domain.host.com/portainer it gives a 404 error.
Please let me know if I should post any other details. I sense I am missing a very obvious bit of configuration, as this is my first time using Traefik. Thanks again for any help!

For future googlers
Alright, I figured it out tonight. Thank you, reddit.com/traefik user /u/Quafeinum for trying to help! I actually read the guide here: https://spad.uk/practical-configuration-of-traefik-as-a-reverse-proxy-for-docker/ by spad on linuxserver.io which helped me understand the labels better. The crux of the problem was
traefik.http.services.whoami-whoami.loadbalancer.server.scheme=https
Whatever that does, it was in all the examples, and I mindlessly copied it (there's a cautionary tale here). After removing it, the containers are properly exposed on HTTPS now. Verified with portainer and whoami.
Here is a link to a pastebin of the relevant docker-composes and yamls. This will get a functioning traefik that dynamically loads docker container whoami over HTTPS.
https://pastebin.com/AfBdz6Qm

Communication between microservices with docker-compose and traefik

I have a microservice based node app. I am using docker, docker-compose and traefik for service discovery.
I have 2 microservices at this moment:
the server app: running at node-app.localhost:8000
the search microservice running at search-microservice.localhost:8002
The issue I can't make a request from one microservice to another.
Here are my docker compose config:
# all variables used in this file are defined in the .env file
version: "2.2"
services:
node-app-0:
container_name: node-app
restart: always
build: ./backend/server
links:
- ${DB_HOST}
depends_on:
- ${DB_HOST}
ports:
- "8000:3000"
labels:
- "traefik.port=80"
- "traefik.frontend.rule=Host:node-app.localhost"
reverse-proxy:
image: traefik # The official Traefik docker image
command: --api --docker # Enables the web UI and tells Traefik to listen to docker
ports:
- "80:80" # The HTTP port
- "8080:8080" # The Web UI (enabled by --api)
volumes:
- /var/run/docker.sock:/var/run/docker.sock
search-microservice:
container_name: ${CONTAINER_NAME_SEARCH}
restart: always
build: ./backend/search-service
links:
- ${DB_HOST}
depends_on:
- ${DB_HOST}
ports:
- "8002:3000"
labels:
- "traefik.port=80"
- "traefik.frontend.rule=Host:search-microservice.localhost"
volumes:
node-ts-app-volume:
external: true
Both the node-app and the search-microservice expose the port 3000.
Why can't I call http://search-microservice.localhost:8002 from the node app ? calling it from the browser works though.

Because node-app is a container and to access other containers it has to use service name and internal port.
In your case it is search-microservice:3000.
To access host PC and exposed ports, you have to use host.docker.internal name for all services and external port.

If you want to access other services from in a different container with their hostnames, you can use the "extra_hosts" parameter in your docker-compose.yml file. Also, you have to use the "ipv4_address" parameter under the network parameter for each all services.
For example;
services:
node-app-1:
container_name: node-app
networks:
apps:
ipv4_address: 10.1.3.1
extra_hosts:
"search-microservice.localhost:10.1.3.2"
node-app-2:
container_name: search-microservice
networks:
apps:
ipv4_address: 10.1.3.2
extra_hosts:
"node-app.localhost:10.1.3.1"
Extra hosts in docker-compose