Can not access dashboard with traefik in docker swarm

Traefik Traefik v2
1

I am unable to access the dashboard with the following docker-compose.yaml

version: '3.9'

services:
  traefik:
    image: traefik:v2.4
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
      - target: 8080
        published: 8080
        mode: host
    deploy:
      placement:
        constraints:
          - node.labels.traefik.traefik-certificates == true

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certificates:/certificates
    env_file:
      - ./.env.traefik
    command:
      - "--providers.docker.constraints=Label(`traefik.constraint-label`, `traefik`)"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.swarmMode=true"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.email=first.last@email.com"
      - "--certificatesresolvers.le.acme.storage=/certificates/acme.json"
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--api=true"
      - "--api.dashboard=true"
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.constraint-label=traefik"
      #- "traefik.http.routers.traefik-http.rule=Host(`proxy.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-http.rule=Host(`proxy.example.com`)"
      - "traefik.http.routers.traefik-http.entrypoints=http"
      - "traefik.http.routers.traefik-http.middlewares=https-redirect"
      - "traefik.http.routers.traefik-https.middlewares=admin-auth"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      - "traefik.http.middlewares.admin-auth.basicauth.users=test1:$$apr1$$rd0qto3i$$mWrcrfrRfrEkgPVZ3w1,test2:$$apr1$$1smybfkx$$qsrcrfTyejEn12LKmbNMC."
      #- "traefik.http.routers.traefik-https.rule=Host(`proxy.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-https.rule=Host(`proxy.example.com`)"
      - "traefik.http.routers.traefik-https.entrypoints=https"
      - "traefik.http.routers.traefik-https.tls=true"
      - "traefik.http.routers.traefik-https.service=api@internal"
      - "traefik.http.routers.traefik-https.tls.certresolver=le"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    networks:
      - traefik_network

volumes:
  traefik-certificates:

networks:
  traefik_network:
    external: 
      name: traefik_network

letsencrypt works fine but here are the few issues going on

  1. redirect from http to https not working

  2. can not access dashboard on proxy.example.com or proxy.example.com/dashboard or proxy.example.com:8080/dashboard everything all showing 404 page

what do i have wrong and how do i fix?

2

Hi @decypher_the_world

You have put all the label in the command: block instead of under labels:

It looks okay to me once you have done that. If you intend to be https only then using entrypoint redirection will reduce the amount of labels you are using.

https://doc.traefik.io/traefik/routing/entrypoints/#redirection

3

i had them separate and had same issue...so am not sure if its because of command with label
i ended up combining them because that worked in a docker setup i had, but this is docker swarm

i will split back to command and labels and repost with same issue

4

ok here is command and labels split and same error

version: '3.9'

services:
  traefik:
    image: traefik:v2.4
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
      - target: 8080
        published: 8080
        mode: host
    deploy:
      placement:
        constraints:
          - node.labels.traefik.traefik-certificates == true

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certificates:/certificates
    env_file:
      - ./.env.traefik
    command:
      - "--providers.docker.constraints=Label(`traefik.constraint-label`, `traefik`)"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.swarmMode=true"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.email=first.last@email.com"
      - "--certificatesresolvers.le.acme.storage=/certificates/acme.json"
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--api=true"
      - "--api.dashboard=true"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_network"
      - "traefik.constraint-label=traefik"
      #- "traefik.http.routers.traefik-http.rule=Host(`proxy.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-http.rule=Host(`proxy.example.com`)"
      - "traefik.http.routers.traefik-http.entrypoints=http"
      - "traefik.http.routers.traefik-http.middlewares=https-redirect"
      - "traefik.http.routers.traefik-https.middlewares=admin-auth"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      - "traefik.http.middlewares.admin-auth.basicauth.users=test1:$$apr1$$rd0qto3i$$mWrcrfrRfrEkgPVZ3w1,test2:$$apr1$$1smybfkx$$qsrcrfTyejEn12LKmbNMC."
      #- "traefik.http.routers.traefik-https.rule=Host(`proxy.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-https.rule=Host(`proxy.example.com`)"
      - "traefik.http.routers.traefik-https.entrypoints=https"
      - "traefik.http.routers.traefik-https.tls=true"
      - "traefik.http.routers.traefik-https.service=api@internal"
      - "traefik.http.routers.traefik-https.tls.certresolver=le"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    networks:
      - traefik_network

volumes:
  traefik-certificates:

networks:
  traefik_network:
    external: 
      name: traefik_network

here are other details

# docker service ls

ID             NAME              MODE         REPLICAS   IMAGE          PORTS
yxmg1s9jho81   traefik_traefik   replicated   1/1        traefik:v2.4

# docker service ps traefik_traefik

ID             NAME                    IMAGE          NODE       DESIRED STATE   CURRENT STATE                 ERROR     PORTS
r8kc69tjagxx   traefik_traefik.1       traefik:v2.4   swarm-00   Running         Running about a minute ago              *:443->443/tcp,*:443->443/tcp,*:80->80/tcp,*:80->80/tcp,*:8080->8080/tcp,*:8080->8080/tcp

# docker ps

CONTAINER ID   IMAGE          COMMAND                  CREATED         STATUS         PORTS                                                                                                                 NAMES
cf6c53466dd9   traefik:v2.4   "/entrypoint.sh '--pā€¦"   4 minutes ago   Up 4 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   traefik_traefik.1.r8kc69tjagxxw0evpv1500tul

and some of the logs

# docker service logs -f traefik_traefik


| time="2021-09-10T12:15:29Z" level=info msg="Skipping same configuration" providerName=docker
| time="2021-09-10T12:15:44Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-traefik-r8kc69tjagxxw0evpv1500tul
| time="2021-09-10T12:15:44Z" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{},\"udp\":{}}" providerName=docker
| time="2021-09-10T12:15:44Z" level=info msg="Skipping same configuration" providerName=docker
| time="2021-09-10T12:15:59Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-traefik-r8kc69tjagxxw0evpv1500tul
| time="2021-09-10T12:15:59Z" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{},\"udp\":{}}" providerName=docker
| time="2021-09-10T12:15:59Z" level=info msg="Skipping same configuration" providerName=docker
| time="2021-09-10T12:16:14Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-traefik-r8kc69tjagxxw0evpv1500tul
| time="2021-09-10T12:16:14Z" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{},\"udp\":{}}" providerName=docker
| time="2021-09-10T12:16:14Z" level=info msg="Skipping same configuration" providerName=docker
| time="2021-09-10T12:16:29Z" level=debug msg="Filtering disabled container" container=traefik-traefik-r8kc69tjagxxw0evpv1500tul providerName=docker
| time="2021-09-10T12:16:29Z" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{},\"udp\":{}}" providerName=docker
| time="2021-09-10T12:16:29Z" level=info msg="Skipping same configuration" providerName=docker
| time="2021-09-10T12:16:44Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-traefik-r8kc69tjagxxw0evpv1500tul
| time="2021-09-10T12:16:44Z" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{},\"udp\":{}}" providerName=docker
| time="2021-09-10T12:16:44Z" level=info msg="Skipping same configuration" providerName=docker
5

I'm pretty sure this is going to be related to the --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik`)

Can you test without it? I've only really tried it once, and I think that was without swarm mode.

6

ok will try with that

by the way following this setup, not exactly same but that is what am following
https://dockerswarm.rocks/traefik/

you can see --providers.docker.constraints=Label(traefik.constraint-label, traefik) under the Getting the client IP section

7

ok commented --providers.docker.constraints=Label(traefik.constraint-label, traefik) and still 404
i am seeing requests made in logs so certainly the routing works, just not sure why dashboard or anything is not working

# docker service logs -f traefik_traefik

| time="2021-09-10T13:57:52Z" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{},\"udp\":{}}" providerName=docker
| time="2021-09-10T13:57:52Z" level=info msg="Skipping same configuration" providerName=docker
| 172.18.0.1 - - [10/Sep/2021:13:57:53 +0000] "GET / HTTP/2.0" - - "-" "-" 1 "-" "-" 0ms
| 172.18.0.1 - - [10/Sep/2021:13:57:58 +0000] "GET /dashboard HTTP/2.0" - - "-" "-" 2 "-" "-" 0ms
8

dashboard needs to be suffixed with /

9

still same 404

| 172.18.0.1 - - [10/Sep/2021:14:41:29 +0000] "GET /dashboard/ HTTP/2.0" - - "-" "-" 4 "-" "-" 0ms
| 172.18.0.1 - - [10/Sep/2021:14:41:34 +0000] "GET /dashboard/ HTTP/1.1" - - "-" "-" 5 "-" "-" 0ms

also redirect from http to https is not working as can be seen above "GET /dashboard/ HTTP/1.1" is http and "GET /dashboard/ HTTP/2.0" is https

10

Sorry missed the most common one for swarm mode: Your labels are not nested under deploy:

Also consider changing the acceslog format to json. There is more rich infocation there.(CLF can be customised but json is easier to parse)

11

Where is docs for swarm mode to next labels under deploy? There seems to be limited doc on swarm mode

How do i use JSON for access logs? Mind pointing me to the lines to change and from what to what? Will really appreciate it...thanks in advance

12

The labels are in the site you linked earlier too.

  deploy:
     placement:
       constraints:
         # Make the traefik service run only on the node with this label
         # as the node with it has the volume for the certificates
         - node.labels.traefik-public.traefik-public-certificates == true
     labels:
       # Enable Traefik for this service, to make it available in the public network
       - traefik.enable=true
       # Use the traefik-public netwo

Swarm labels:

Access Log Format:

The option is missing in the doc though. Look in the static reference section.

--accesslog.format :
Access log format: json | common (Default: common )

13

works now!!!
didn't realize the labels had to be nested under the deploy..thanks a lot for pointing that out..dashboard works now

thanks a lot...again

1 Like
14

@cakiwi

one last issue

i am only seeing this with the docker swarm setup

image
image1296Ɨ618 30.5 KB

not seeing the 8080 traefik port

like the one here used for docker

image
image1496Ɨ632 39.1 KB

not sure what else i missed

here is latest yaml

version: '3.9'

services:
  traefik:
    image: traefik:v2.4
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
      - target: 8080
        published: 8080
        mode: host
    deploy:
      placement:
        constraints:
          - node.labels.traefik.traefik-certificates == true
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik_network"
        - "traefik.constraint-label=traefik"
        - "traefik.http.routers.traefik-http.rule=Host(`proxy.example.com`)"
        - "traefik.http.routers.traefik-http.entrypoints=http"
        - "traefik.http.routers.traefik-http.middlewares=https-redirect"
        - "traefik.http.routers.traefik-https.middlewares=admin-auth"
        - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
        - "traefik.http.middlewares.admin-auth.basicauth.users=test1:$$apr1$$rd0qto3i$$mWrcrfrRfrEkgPVZ3w1,test2:$$apr1$$1smybfkx$$qsrcrfTyejEn12LKmbNMC."
        - "traefik.http.routers.traefik-https.rule=Host(`proxy.example.com`)"
        - "traefik.http.routers.traefik-https.entrypoints=https"
        - "traefik.http.routers.traefik-https.tls=true"
        - "traefik.http.routers.traefik-https.service=api@internal"
        - "traefik.http.routers.traefik-https.tls.certresolver=le"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certificates:/certificates
    env_file:
      - ./.env.traefik
    command:
      - "--providers.docker.constraints=Label(`traefik.constraint-label`, `traefik`)"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.swarmMode=true"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.email=first.last@email.com"
      - "--certificatesresolvers.le.acme.storage=/certificates/acme.json"
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--accesslog.format=json"
      - "--api=true"
      - "--api.dashboard=true"
    networks:
      - traefik_network

volumes:
  traefik-certificates:

networks:
  traefik_network:
    external: 
      name: traefik_network
15

You'd need to add it alongside these ones, if you used --api.insecure that automatically creates the entrypoint.

16

perfect - "--api.insecure=true" did the trick

thanks

17

Of course it also makes it.... insecure :supervillain: :smiley:

18

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.