From a58f5a3406779d4178aff272e687c3335e82a5c9 Mon Sep 17 00:00:00 2001 From: Gbanyan Date: Wed, 12 Nov 2025 15:13:47 +0800 Subject: [PATCH] Document host networking rationale --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index dbeb9e3..b21a7ac 100644 --- a/README.md +++ b/README.md @@ -94,3 +94,12 @@ PS: Because I access my traefik dashboard through my local network. I commented - 2025.4.21 Fix the trusted IP settings; later replaced by an internal updater instead of the traefik-plugin-cloudflare. - 2025.4.18 Add Souin HTTP Cache Middleware (in feature branch, not merge into main) - 2025.4.18 Temp disable the compression middleware. It has MIME type bugs. + +## Notes on Host Networking + +Traefik currently runs with `network_mode: host` so it can bind directly to both `10.0.0.225` (public) and `192.168.50.4` (internal) entrypoints. Moving back to bridge mode would break that dual-IP isolation because Docker cannot publish the same container port on two different host interfaces. Host networking also means: + +- Traefik reaches app containers like any other host process, ignoring `traefik.docker.network` labels. +- Linux handles firewalling/routing between the two interfaces; Docker’s conntrack optimizations aren’t used. + +If you ever want to switch to bridge networking, you’d need either separate Traefik instances (one per subnet) or an external L4 proxy in front of a single Traefik that listens on generic `:80/:443` ports. For now the host-mode trade-off is intentional to keep the internal/external split simple.
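Review bot: the rationale sentence in the new "Notes on Host Networking" section, "Docker cannot publish the same container port on two different host interfaces", is worded more broadly than the limitation it describes. Docker's publish syntax takes a host IP per mapping (`hostIP:hostPort:containerPort`), so a reader will likely try bridge mode with per-IP mappings and wonder what actually fails. Please state the exact constraint that was hit, for example which entrypoint and port combination could not be expressed. The second bullet, "Linux handles firewalling/routing between the two interfaces", should also say what the host is expected to enforce. In host mode the internal/external split rests entirely on each entrypoint binding to its explicit address and on host firewall rules, and the section names neither. A short line listing the required entrypoint addresses and the rule that keeps the `192.168.50.4` listeners unreachable from the `10.0.0.225` side would make the isolation checkable. Minor: `10.0.0.225` is labelled "(public)" although it is a private-range address, so a few words on what "public" means here (for example, the address that upstream traffic is forwarded to) would avoid confusion.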