Serve rclone webdav in k3s/kubernetes with traefik: 502 Bad Gateway

What is the problem you are having with rclone?

I am trying to run rclone webdav in a k3s Kubernetes container with traefik as proxy. However I keep getting following error in traefik (10.42.0.152 in this case is the ip of rclone webdav container):

'502 Bad Gateway' caused by: dial tcp 10.42.0.152:8080: connect: connection refused"

I can kubectl port-forward the webdav-service, and it is accessible that way. So the container itself is running fine, which means it could be one of following issue:

  • issue with traefik -- pass headers or something?
  • issue with rclone where it is detecting proxy (requests coming from someplace else) and therefore blocks it -- some rclone config change?

Following are my traefik & rclone deployment files:

traefik
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
      - name: traefik
        image: traefik:latest
        args:
        - --api.insecure=true
        - --accesslog=true
        - --log.level=DEBUG
        - --global.sendAnonymousUsage=false
        - --providers.kubernetescrd=true
        - --providers.kubernetescrd.allowCrossNamespace=true

        # Entrypoints 
        - --entrypoints.web.address=:80
        - --entrypoints.vpn.address=:81/udp
        - --entrypoints.mqtt.address=:83
        - --entrypoints.netbios.address=:139/udp
        - --entrypoints.samba.address=:445

        ports:
        - name: web
          containerPort: 80
          protocol: TCP
        - name: vpn
          containerPort: 81
          protocol: UDP
        - name: mqtt
          containerPort: 83
          protocol: TCP
        - name: netbios
          containerPort: 139
          protocol: UDP
        - name: samba
          containerPort: 445
          protocol: TCP
        - name: admin
          containerPort: 8080
          protocol: TCP
        env:
        - name: TZ
          value: America/New_York
        - name: PGID
          value: "1000"
        - name: PUID
          value: "1000"
        volumeMounts:
        - name: traefik-volume
          mountPath: /config
      volumes:
      - name: traefik-volume
        hostPath:
          path: /data/raid/kube/traefik
rclone
kind: Deployment
apiVersion: apps/v1
metadata:
  name: webdav
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webdav
  template:
    metadata:
      labels:
        app: webdav
    spec:
      containers:
      - name: webdav
        image: rclone/rclone:latest
        args: ["serve", "webdav",  "/data/media", "--read-only", "--addr", "127.0.0.1:8080", "--log-level", "DEBUG"]
        ports:
        - containerPort: 8080
        env:
        - name: TZ
          value: America/New_York
        volumeMounts:
        - name: data-volume
          mountPath: /data/media
          readOnly: true
      volumes:
      - name: data-volume
        hostPath:
          path: /data/media

---
apiVersion: v1
kind: Service
metadata:
  name: webdav-service
  labels:
    app: webdav
spec:
  ports:
  - name: http
    targetPort: 8080
    port: 80
  selector:
    app: webdav

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: webdav-route
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`webdav.local.example.com`)
    kind: Rule
    services:
    - name: webdav-service
      port: 80

Run the command 'rclone version' and share the full output of the command.

v1.64.0

Which cloud storage system are you using? (eg Google Drive)

None (use rclone as webdav server)

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone serve webdav /data/media -vv --read-only --addr 127.0.0.1:8080

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

N/A

A log from the command that you were trying to run with the -vv flag

following are the logs from container:

2023/09/22 07:09:43 DEBUG : rclone: Version "v1.64.0" starting with parameters ["rclone" "serve" "webdav" "/data/media" "-vv" "--read-only" "--addr" "127.0.0.1:8080"]
2023/09/22 07:09:43 DEBUG : Creating backend with remote "/data/media"
2023/09/22 07:09:43 NOTICE: Config file "/config/rclone/rclone.conf" not found - using defaults
2023/09/22 07:09:43 INFO  : Local file system at /data/media: poll-interval is not supported by this remote
2023/09/22 07:09:43 NOTICE: Local file system at /data/media: WebDav Server started on [http://127.0.0.1:8080/]

Given that log you posted is complete it indicates issues with your proxy as there is no sign of any connection attempt.

First I would check if I can connect to webdav without proxy.

Then with proxy capturing all logs from both proxy and rclone (you can add flag --dump headers to have more details).

One thing to watch out for with proxies for webdav is that it uses a whole list of very unusual HTTP methods which may not be passed through.

Method Specifications Description
COPY WebDAV Copies the resource.
DELETE HTTP 1.1/WebDAV Deletes the resource.
GET HTTP 1.1 Gets the contents of the resource.
HEAD HTTP 1.1 Returns the message headers from a message sent to the server.
LOCK WebDAV Locks the resource.
MKCOL WebDAV Creates the collection specified.
MOVE WebDAV Moves the resource.
OPTIONS HTTP 1.1 Performs an option call to the server.
POST HTTP 1.1 Action defined by the server.
PROPFIND WebDAV Performs a property find on the server.
PROPPATCH WebDAV Sets or removes properties on the server.
PUT HTTP 1.1/WebDAV Puts the contents of the resource to the server in the specified location.
TRACE HTTP 1.1 Does a trace call to the server.
UNLOCK WebDAV Unlocks the resource.

(From this page)

BTW - I used rclone serve webdav behind nginx reverse proxy and it works without any issues and no special config is required.

1 Like

Yes, I can connect to rclone webdav without proxy using kubectl port-forward -- it does increasingly looks like a traefik problem.

Thanks for the heads-up. Right now it is not even showing the web-page -- which I believe is GET/HTTP 1.1

maybe time to ditch traefik in favour of nginx :metal:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.