OAuth2 communication from container to container in Swarm
15:17 02 Jun 2026

I run a small Docker Swarm setup with Traefik and Authelia for authentication, along with several services such as Immich, HedgeDoc, and others.

I am currently trying to integrate OAuth2 properly with HedgeDoc. My domain auth.example.com points via internal DNS to the Swarm (swarm:443 / swarm:80). However, containers running inside the Swarm cannot simply reach the host IP from within their network. DNS resolution works, but the host does not respond. From what I understand, this is a security feature of Docker itself.

My current workaround is to add an extra_hosts entry to the HedgeDoc Docker Compose configuration:

extra_hosts:
  - "auth.example.com:10.10.10.10"

I manually determine the Traefik IP beforehand, but that IP changes whenever the Swarm is rebooted because container IP addresses are assigned dynamically. As a result, I would have to update the extra_hosts entry every time I reboot the machine. Assigning static IP addresses does not seem to be supported in this scenario.

I am not sure what the cleanest solution would be to make the OAuth2 callbacks work properly. I have exactly the same issue with Immich.

Paperless was much easier because it simply accepts authentication headers and does not rely on OAuth2 login buttons with redirects.

Directly connecting to authelia:9091 is also not an option, since Authelia itself does not provide HTTPS and rejects anything that does not communicate with it over HTTPS through the reverse proxy.

Does anyone have a solution for this without heavily restructuring the setup or disabling Docker’s default security restrictions?

Thanks in advance!

docker oauth-2.0 swarm