Intro
HI everyone. I’ve been busy configuring my homelab and have run into issues with Traefik and Vaultwarden running within Podman. I’ve already successfully set up Home Assistant and Homepage but for the life of me cannot get things working. I’m hoping a fresh pair of eyes would be able to spot something I missed or provide some advice. I’ve tried to provide all the information and logs relevant to the situation.
Expected Behavior:
- Requests for
*.fenndev.network
are sent to my Traefik server. - Incoming HTTPS requests to
vault.fenndev.network
are forwarded to Vaultwarden- HTTP requests are upgraded to HTTPS
- Vaultwarden is accessible via
https://vault.fenndev.network
and utilizes the wildcard certificates generated by Traefik.
Quick Facts
Overview
- I’m running Traefik and Vaultwarden in Podman, using Quadlet
- Traefik and Vaultwarden, along with all of my other services, are part of the same
fenndev_default
network - Traefik is working correctly with Home assistant, Adguard Home, and Homepage, but returns a
502 Bad Gateway
error with Vaultwarden - I’ve verified that port
8081
is open on my firewall and my service is reachable at{SERVER_IP}:8081
. 10.89.0.132
is the internal Podman IP address of the Vaultwarden container
Versions
Server: AlmaLinux 9.4
Podman: 4.9.4-rhel
Traefik: v3
Vaultwarden: alpine-latest (1.30.5-alpine I believe)
Error Logs
Traefik Log:
2024-05-11T22:09:53Z DBG github.com/traefik/traefik/v3/pkg/server/service/proxy.go:100 > 502 Bad Gateway error="dial tcp 10.89.0.132:8081: connect: connection refused"
cURL to URL:
[fenndev@bastion ~]$ curl -v https://vault.fenndev.network * Trying 192.168.1.169:443... * Connected to vault.fenndev.network (192.168.1.169) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * CAfile: /etc/pki/tls/certs/ca-bundle.crt * TLSv1.0 (OUT), TLS header, Certificate Status (22):
Config Files
vaultwarden.container file:
[Unit] Description=Password After=network-online.target [Service] Restart=always RestartSec=3 [Install] # Start by default on boot WantedBy=multi-user.target default.target [Container] Image=ghcr.io/dani-garcia/vaultwarden:latest-alpine Exec=/start.sh EnvironmentFile=%h/.config/vault/vault.env ContainerName=vault Network=fenndev_default # Security Options SecurityLabelType=container_runtime_t NoNewPrivileges=true # Volumes Volume=%h/.config/vault/data:/data:Z # Ports PublishPort=8081:80 # Labels Label=traefik.enable=true Label=traefik.http.routers.vault.entrypoints=web Label=traefik.http.routers.vault-websecure.entrypoints=websecure Label=traefik.http.routers.vault.rule=Host(`vault.fenndev.network`) Label=traefik.http.routers.vault-websecure.rule=Host(`vault.fenndev.network`) Label=traefik.http.routers.vault-websecure.tls=true Label=traefik.http.routers.vault.service=vault Label=traefik.http.routers.vault-websecure.service=vault Label=traefik.http.services.vault.loadbalancer.server.port=8081 Label=homepage.group="Services" Label=homepage.name="Vaultwarden" Label=homepage.icon=vaultwarden.svg Label=homepage.description="Password Manager" Label=homepage.href=https://vault.fenndev.network
vault.env file:
LOG_LEVEL=debug DOMAIN=https://vault.fenndev.network
Dalraz@lemmy.ca 6 months ago
Your entry point says, web should you not also have web-secure as well. I’m in my phone to forgive me if I missed some details
fenndev@leminal.space 6 months ago
I have both
web
andwebsecure
set up as entrypoints.Dalraz@lemmy.ca 6 months ago
I did a ninja edit about ports, but in your labels I only see web as an entrypoint