#[SOLVED] How to set up traefik to serve another service alongside appwrite through a subdomain

I'm aware that this is more of a traefik question than appwrite but I figured since I'm modifying the bundled traefik configuration for my appwrite instance, might as well ask here.

So right now I have a self-hosted instance of appwrite under my domain.com tld. I want to host right beside appwrite another docker container called tautulli. And I want it to be accessible through tautulli.domain.com - basically just another service I am making available on my VM. I've been reading around and trying a bunch of things but I can't seem to get it to work. I'm having issues generating certificates for this other service but appwrite seems to be running just fine. Here's my updated docker-compose.yml file on the next message:

services:
  traefik:
    image: traefik:2.7
    container_name: appwrite-traefik
    <<: *x-logging
    command:
      - --log.level=DEBUG
      - --api.insecure=true
      - --providers.file.directory=/storage/config
      - --providers.file.watch=true
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.constraints=Label(`traefik.constraint-label-stack`,`appwrite`)
      - --entrypoints.appwrite_web.address=:80
      - --entrypoints.appwrite_websecure.address=:443
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - [email protected]
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
      - appwrite-config:/storage/config:ro
      - appwrite-certificates:/storage/certificates:ro
    depends_on:
      - appwrite
    networks:
      - gateway
      - appwrite
      - tautulli

...

...

  tautulli:
    image: ghcr.io/tautulli/tautulli
    container_name: tautulli
    restart: unless-stopped
    networks:
      - tautulli
    volumes:
      - tautulli-config:/config
    environment:
      - PUID=1001
      - PGID=1002
      - TZ=America/Edmonton
    labels:
      - traefik.enable=true
#      - traefik.http.routers.tautulli.tls=true
      - traefik.http.routers.tautulli.tls.certresolver=myresolver
      - traefik.http.routers.tautulli.entrypoints=websecure
      - traefik.http.routers.tautulli.rule=Host(`tautulli.domain.com`)
      - traefik.http.routers.tautulli.service=tautulli
      - traefik.http.services.tautulli.loadbalancer.server.port=8181
#    ports:
#      - 8181:8181

networks:
  gateway:
  appwrite:
  tautulli:
    internal: true
  runtimes:

volumes:
  appwrite-mariadb:
  appwrite-redis:
  appwrite-cache:
  appwrite-uploads:
  appwrite-certificates:
  appwrite-functions:
  appwrite-builds:
  appwrite-influxdb:
  appwrite-config:
  appwrite-executor:
  tautulli-config:

Btw, the error I get after restarting the services is NET::ERR_CERT_AUTHORITY_INVALID.

i highly recommend leaving appwrite's traefik container alone and using another proxy in frotn because upgrades will modify the appwrtie traefik and might wipe away any customizations you make.

I used nginx proxy manager (NPM) in front of my appwrite instance: https://medium.com/@stnguyen90/how-to-run-appwrite-behind-nginx-19348ed34243

Seems like a good read. I'll undo my changes for now and I'll read this after I have dinner. Thanks!

I'm not entirely sure I followed the guide but can you confirm if there are 3 files being discussed here? First would be my existing appwrite's docker-compose.yml file which I want to leave untouched. And then I'll create a docker-compose.override.yml to override some of the default network configurations of appwrite. And then create another docker-compose.yml file for NPM? Am I understanding this correctly? Sorry, I'm fairly new to reverse proxies.

Install NPM as per their instructions

On the appwrite side, you said to install using alternate ports like 8080 and 8443, but on your override settings, they are still on 80 and 443. Should I go ahead and change those to the alternate ports?

What do you mean? What exactly are you looking at?

The article says

Install Appwrite using non-standard ports like 8080 for HTTP and 8443 for HTTPS

But on the override file it shows:

- --entrypoints.appwrite_web.address=:80
- --entrypoints.appwrite_websecure.address=:443

This is correct because inside the container Appwrite runs on those ports

This is referring to the ports Appwrite is exposed on

So for my already running instance of appwrite on ports 80 and 443, I don't make any modifications, I'll just create an override file as shown on the article. And then create a separate docker compose file for NPM as also shown on the article. Then run docker compose up -d on both? And then do the GUI stuff after?

No. You need to look at the ports section of the Appwrite docker compose file

So I now have the NPM running. I'm able to access it either on <server_ip:81> or proxy.domain.com. That part is all good. Now I'm struggling to get appwrite to run. On my docker-compose.override.yml file on the same folder as the appwrite docker compose file, I have this:

version: '3'
services:
  traefik:
    command:
      - --accessLog=true
      - --providers.file.directory=/storage/config
      - --providers.file.watch=true
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.constraints=Label(`traefik.constraint-label-stack`,`appwrite`)
      - --entrypoints.appwrite_web.address=:80
      - --entrypoints.appwrite_websecure.address=:443
      - --entrypoints.appwrite_web.forwardedHeaders.trustedIPs=<server_id>
      - --entrypoints.appwrite_websecure.forwardedHeaders.trustedIPs=<server_id>
    ports:
      - 8080:80
      - 8443:443
networks:
  gateway:
    name: npm_gateway
    external: true

But when I restart the services I get:

Bind for 0.0.0.0:443 failed: port is already allocated

I tried 8080:8080 and 8443:8443 but I still got the same error. I'm not sure where it's getting the 443 binding from.

I was finally able to make it work.. but I had to modify the ports from the main docker-compose.yml file. I'm not sure why I couldn't override those settings with the docker-compose.override.yml file?

From the looks of it, docker-compose.override.yml doesn't override ports, it extends them. https://github.com/docker/compose/issues/3729

What's the best practice for running appwrite on non-standard ports? I'm guessing when an update comes along, it will override the port changes I made on the base docker-compose.yml file and I'll have to apply the changes again.

No, as part of the upgrade, you'll be asked what port you want Appwrite to run on. It will default to the previous values

Oh perfect, that means I don’t have to worry about it. Thanks!

@knotty rain Last week I was also struggling to handle multiple sites in my server. So I ended up using Nginx Proxy server. I have written a complete guide step by step that how you can configure Appwrite behind Nginx and same process can be done with other containers and as many sites as you want.
Do contact if you need any further assistance in vps configuration.
Guide
https://medium.com/@zia-ch/how-to-run-appwrite-with-nginx-professionally-5ba420789ef0

@knotty rain Is this completely solved?

Yes.