this post was submitted on 21 Jul 2025

23 points (92.6% liked)

Selfhosted

49951 readers

146 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

How do I manage docker&Traefik behind a reverse proxy not on docker. (feddit.org)

submitted 1 week ago* (last edited 1 week ago) by needanke@feddit.org to c/selfhosted@lemmy.world

17 comments fedilink hide all child comments

Fors off: I am a total beginner when it comes to docker. I do have some self hosting experience, but run pretty much everything in its on lxc and treat it like a full linux system.

Recently I installed immich in a container and was surprised to see how well it worked.

This lead my to finally tackle something I have been putting off for way to long; installing nightscout (a self hosten glucose monitoring&reporting utility).

For that I followed their guide. Everything worked well up untill the point where I wanted to connect to the web interface. I started of by entering my domain into the nightscout containers arguments (in the form subdomain.domain.tld). Then I used my reverse proxy (nginx, not inside docker) to forward the subdomain to the docker IP on Ports 443, then 80 and lastly the one displayed at the container when listing them with docker ps. None of those worked (I was not able to get a certificate using letsEncrypt and got a 404 when connecting without tls).

I then entered nighscout.[docker-IP] and tried to access it dkrectly which did not work either.

When googling I only find comparisons on how to set up nginx in Docker, or comparisons between the two.

docker-compose file

  GNU nano 7.2                                                                                                 docker-compose.yml                                                                                                          
version: '3'

x-logging:
  &default-logging
  options:
    max-size: '10m'
    max-file: '5'
  driver: json-file

services:
  mongo:
    image: mongo:4.4
    volumes:
      - ${NS_MONGO_DATA_DIR:-./mongo-data}:/data/db:cached
    logging: *default-logging

  nightscout:
    image: nightscout/cgm-remote-monitor:latest
    container_name: nightscout
    restart: always
    depends_on:
      - mongo
    labels:
      - 'traefik.enable=true'
      # Change the below Host from `localhost` to be the web address where Nightscout is running.
      # Also change the email address in the `traefik` service below.
      - 'traefik.http.routers.nightscout.rule=Host(`localhost`)'
      - 'traefik.http.routers.nightscout.entrypoints=websecure'
      - 'traefik.http.routers.nightscout.tls.certresolver=le'
    logging: *default-logging
    environment:
      ### Variables for the container
      NODE_ENV: production
      TZ: [removed]

      ### Overridden variables for Docker Compose setup
      # The `nightscout` service can use HTTP, because we use `traefik` to serve the HTTPS
      # and manage TLS certificates
      INSECURE_USE_HTTP: 'true'

      # For all other settings, please refer to the Environment section of the README
      ### Required variables
      # MONGO_CONNECTION - The connection string for your Mongo database.
      # Something like mongodb://sally:sallypass@ds099999.mongolab.com:99999/nightscout
      # The default connects to the `mongo` included in this docker-compose file.
      # If you change it, you probably also want to comment out the entire `mongo` service block
      # and `depends_on` block above.
      MONGO_CONNECTION: mongodb://mongo:27017/nightscout

      # API_SECRET - A secret passphrase that must be at least 12 characters long.
      API_SECRET: [removed]

      ### Features
      # ENABLE - Used to enable optional features, expects a space delimited list, such as: careportal rawbg iob
      # See https://github.com/nightscout/cgm-remote-monitor#plugins for details
      ENABLE: careportal rawbg iob

      # AUTH_DEFAULT_ROLES (readable) - possible values readable, denied, or any valid role name.
      # When readable, anyone can view Nightscout without a token. Setting it to denied will require
      # a token from every visit, using status-only will enable api-secret based login.
      AUTH_DEFAULT_ROLES: denied

      # For all other settings, please refer to the Environment section of the README
      # https://github.com/nightscout/cgm-remote-monitor#environment

  traefik:
    image: traefik:latest
    container_name: 'traefik'
    command:
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
      - '--entrypoints.web.address=:80'
      - '--entrypoints.web.http.redirections.entrypoint.to=websecure'
      - '--entrypoints.websecure.address=:443'
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      - '--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json'
      # Change the below to match your email address
      - '--certificatesresolvers.le.acme.email=[removed]'
    ports:
      - '443:443'
      - '80:80'
    volumes:
      - './letsencrypt:/letsencrypt'
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    logging: *default-logging

top 17 comments

sorted by: hot top controversial new old

[–] JASN_DE@feddit.org 13 points 1 week ago (2 children)

There is no need to run Traefik if you already have a working reverse proxy. Also, unless your nginx is running on non-standard ports, the ports 80 and 443 should not be available for traefik, which will prevent it from working correctly.

[–] needanke@feddit.org 1 points 1 week ago (1 children)

How do I connect to the container without traefik (from my local network)?

When I remove all the traefic references and then run docker ps I get

CONTAINER ID   IMAGE                                                            COMMAND                  CREATED         STATUS                  PORTS                                         NAMES
[removed]   nightscout/cgm-remote-monitor:latest                             "docker-entrypoint.s…"   6 seconds ago   Up 5 seconds            1337/tcp                                      nightscout
[removed]   mongo:4.4                                                        "docker-entrypoint.s…"   37 hours ago    Up 5 seconds            27017/tcp                                     docker-mongo-1

But I can't reach it under dockerIP:1337.

With Immich it had 0.0.0.0:port as its IP and I was able to reach it that way.

[–] MysteriousSophon21@lemmy.world 1 points 1 week ago

You need to add a ports section to your compose file like ports: - "1337:1337" - the container exposes 1337 internally but you haven't mapped it to the host so it's not accessible from outside the container.

[–] needanke@feddit.org 1 points 1 week ago* (last edited 1 week ago)

My Nginx is running in the same local network but on a different IP so there should not be a collision with the traefik ports.

[–] mhzawadi@lemmy.horwood.cloud 6 points 1 week ago (1 children)

Hello

could you update this with your compose file please?

my first guess is that maybe traefik does not know about nightscout or nightscout is still listening on its own ports

[–] needanke@feddit.org 4 points 1 week ago* (last edited 1 week ago) (2 children)

I Updated the post.

      - 'traefik.http.routers.nightscout.rule=Host(`localhost`)'

is my current attempt. I used my domain before.

[–] mhzawadi@lemmy.horwood.cloud 2 points 1 week ago

'traefik.http.routers.nightscout.rule=Host(localhost)'

so traefik will be looking for the host header localhost and only route requests to the service if it matches, sh when you use your real domain that should be what you use as the host header from nginx

[–] mhzawadi@lemmy.horwood.cloud 1 points 1 week ago

side note, I would expose traefik on 127.0.0.1 if its on the same host as nginx. as traefik is visible on all network interfaces.

[–] SheeEttin@lemmy.zip 5 points 1 week ago (1 children)

Why are you using both nginx and traefik?

[–] needanke@feddit.org 2 points 1 week ago (2 children)

Because I don't know how docker works, the .yaml given by nightscout is using traefik and I don't know how to remove it without breakting the nightscout container.

[–] hedgehog@ttrpg.network 1 points 1 week ago (1 children)

To run it with Nginx instead of Traefik, you need to figure out what port Nightscout’s web server runs on, then expose that port, e.g.,

services:
  nightscout:
    ports:
      - 3000:3000

You can remove the labels as those are used by Traefik, as well as the Traefik service itself.

Then just point Nginx to that port (e.g., 3000) on your local machine.

—-

Traefik has to know the port, too, but it will auto detect the port that a local Docker service is running on. It looks like your config is relying on that feature as I don’t see the label that explicitly specifies the port.

[–] hedgehog@ttrpg.network 1 points 1 week ago

This is what I would try first. It looks like 1337 is the exposed port, per https://github.com/nightscout/cgm-remote-monitor/blob/master/Dockerfile

x-logging:
  &default-logging
  options:
    max-size: '10m'
    max-file: '5'
  driver: json-file

services:
  mongo:
    image: mongo:4.4
    volumes:
      - ${NS_MONGO_DATA_DIR:-./mongo-data}:/data/db:cached
    logging: *default-logging

  nightscout:
    image: nightscout/cgm-remote-monitor:latest
    container_name: nightscout
    restart: always
    depends_on:
      - mongo
    logging: *default-logging
    ports:
      - 1337:1337
    environment:
      ### Variables for the container
      NODE_ENV: production
      TZ: [removed]

      ### Overridden variables for Docker Compose setup
      # The `nightscout` service can use HTTP, because we use `nginx` to serve the HTTPS
      # and manage TLS certificates
      INSECURE_USE_HTTP: 'true'

      # For all other settings, please refer to the Environment section of the README
      ### Required variables
      # MONGO_CONNECTION - The connection string for your Mongo database.
      # Something like mongodb://sally:sallypass@ds099999.mongolab.com:99999/nightscout
      # The default connects to the `mongo` included in this docker-compose file.
      # If you change it, you probably also want to comment out the entire `mongo` service block
      # and `depends_on` block above.
      MONGO_CONNECTION: mongodb://mongo:27017/nightscout

      # API_SECRET - A secret passphrase that must be at least 12 characters long.
      API_SECRET: [removed]

      ### Features
      # ENABLE - Used to enable optional features, expects a space delimited list, such as: careportal rawbg iob
      # See https://github.com/nightscout/cgm-remote-monitor#plugins for details
      ENABLE: careportal rawbg iob

      # AUTH_DEFAULT_ROLES (readable) - possible values readable, denied, or any valid role name.
      # When readable, anyone can view Nightscout without a token. Setting it to denied will require
      # a token from every visit, using status-only will enable api-secret based login.
      AUTH_DEFAULT_ROLES: denied

      # For all other settings, please refer to the Environment section of the README
      # https://github.com/nightscout/cgm-remote-monitor#environment

[–] SheeEttin@lemmy.zip 0 points 1 week ago (1 children)

Then drop nginx and just use traefik.

[–] needanke@feddit.org 2 points 1 week ago (3 children)

Thats what all my other services use though and I don't know how I'd connect them to traefic.

[–] SheeEttin@lemmy.zip 0 points 1 week ago

There's no time to learn like the present! Your existing compose file has an example, but if that doesn't work, the traefik docs are useful too.

[–] MaggiWuerze@feddit.org 0 points 1 week ago* (last edited 1 week ago)

If they all run on docker, you just have to add labels to them, telling them what domain and port they use, etc (look at the labels from your compose). Then you add the traefik base network to them and presto. Traefik recognizes the labels and automatically routes incoming requests to them and creates certificates for them.

I would recommend a single compose stack for traefik and then one compose file per context (e.g. NextCloud, its DB, documentServer in one stack)

[–] DarkSirrush@lemmy.ca 0 points 1 week ago* (last edited 1 week ago)

I recently posted most of my traefik configs, you can use it as a base to learn how traefik works:

https://lemmy.ca/comment/17702205

Note that I might not be much help with troubleshooting, as this took me a lot of trial and error and googling to make work.