I used the example configuration from https://doc.traefik.io/traefik/getting-started/docker/#deploy-a-sample-application which is quite straight-forward and worked. Then, I added an internal network. The resulting config is now:
services:
traefik:
image: traefik:v3.6
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--entrypoints.web.address=:80"
ports:
- "80:80"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- default
- traefik_backbone
whoami:
image: traefik/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
networks:
- traefik_backbone
whoami2:
image: traefik/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami2.localhost`)"
networks:
- default
- traefik_backbone
networks:
traefik_backbone:
internal: true
I wonder: why does traefik need an open network for just connecting to a backend service? note that the traefik service itself has a default network, otherwise the port exposure doesn’t work. And it can find all other services on the host, which are not in an internal network.
I can even reach it from inside the traefik container, so it’s not a name resolution problem:
$ docker compose exec -ti traefik sh -i
/ # ping whoami
PING whoami (172.20.0.2): 56 data bytes
64 bytes from 172.20.0.2: seq=0 ttl=64 time=0.061 ms
64 bytes from 172.20.0.2: seq=1 ttl=64 time=0.041 ms
^C
On the other hand: whoami2 can be reached without problems:
$ curl http://whoami.localhost
404 page not found
$ curl http://whoami2.localhost
Hostname: f2f324118f8d
IP: 127.0.0.1
IP: ::1
IP: 172.20.0.4
IP: 172.19.0.3
RemoteAddr: 172.20.0.3:38520
...
