Docker Swarm mode and File Configuration

I'm using Docker Swarm with Portainer (similar to what is outlined at Traefik Proxy with HTTPS - Docker Swarm Rocks). I need to use a file provider to take care of TLS issues, and I'm trying to forward traffic to another host on my network.

Traefik sees that there is a file available but I don't see evidence that this is working.

Is this enabled/allowed using docker swarm?

Sure does. It's how I set TLS options.

@cakiwi Can you show me an example of how it works? Everything I've tried doesn't work.


Hi @gmalenko

This is a somewhat complete example:

stack.yaml
# Compose file format 3.8. The top-level `configs` key and the `deploy`
# sections below are Swarm features, so this file is presumably deployed
# with `docker stack deploy`.
version: "3.8"

networks:
  traefik:
    # attachable lets standalone containers join this network as well as
    # Swarm services; drop it if only services need to reach Traefik.
    attachable: true
    # Fixed name (no stack prefix) so other stacks can reference it.
    name: traefik

configs:
  # The config name is also the default mount path (/dynamic-file.yaml).
  # Swarm configs cannot be changed in place: to change the content,
  # create a config under a new name (or remove and redeploy).
  # Configs are for non-secret data; use `secrets` for key material.
  dynamic-file.yaml:
    file: ./dynamic-file.yaml

volumes:
  # Holds /letsencrypt/acme.json. No driver is set, so this is presumably
  # a node-local volume: the data exists only on the node running Traefik.
  letsencrypt:

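services:
  # Edge proxy: listens on :80 and :443, redirects HTTP to HTTPS, and builds
  # its routing from Swarm service labels plus the mounted dynamic file.
  traefik:
    image: "traefik:v2.5"
    command:
      - --accesslog.format=json
      - --accesslog=true
      # Enables the API/dashboard without the insecure listener; it is
      # served only through the `dashboard` router defined in the labels.
      - --api
      # Let's Encrypt STAGING directory: certificates issued from it are
      # not trusted by clients. Remove this flag for the production CA.
      - --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=foo.bar@example.com
      # acme.json contains the ACME account key and certificate private
      # keys; treat the volume that backs it as sensitive.
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.websecure.address=:443
      # This flag was listed twice in the original; once is enough.
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=le
      - --log.format=json
      # Services are ignored unless they opt in with traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmMode=true
      - --providers.docker=true
      # Must match the path at which the Swarm config is mounted below.
      - --providers.file.filename=/dynamic-file.yaml
      - --providers.file=true
    configs:
      # Short syntax: mounted at /dynamic-file.yaml inside the container.
      - dynamic-file.yaml
    deploy:
      placement:
        constraints:
          # Pins the task to one node; this ID belongs to the author's
          # cluster, so replace it. In swarm mode Traefik has to run on a
          # manager node to query the Swarm API through the Docker socket.
          - node.id == b4v173oy5bxy37otxio628da5
      labels:
        traefik.enable: "true"
        # `*.localhost` names are placeholders; a public ACME CA cannot
        # issue certificates for them.
        traefik.http.routers.dashboard.rule: Host(`traefik.localhost`)
        traefik.http.routers.dashboard.service: api@internal
        traefik.http.routers.dashboard.middlewares: dashboard-auth
        # Swarm mode has no port detection, so an enabled service needs a
        # port label; the value is a dummy because the router targets
        # api@internal.
        traefik.http.services.dummy.loadBalancer.server.port: "65535"
        # Sample credential (user `test`, bcrypt hash): generate your own.
        # `$$` is Compose escaping for a literal `$`. Label values are
        # readable by anyone who can inspect the service.
        traefik.http.middlewares.dashboard-auth.basicauth.users: test:$$2b$$12$$6maAfNLC6L6RPMWR10Uo2.I.gg7rbOMGXZ1bzAsVTJFK3x4n7v2oW
    networks:
      - traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Access to the Docker API socket is equivalent to root on this node;
      # `:ro` does not restrict which API calls Traefik (or anything that
      # compromises it) can make. Consider a filtering socket proxy.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt

  # Demo backend. Its router names no TLS options, so the `default` entry
  # of tls.options in dynamic-file.yaml applies to it.
  whoami:
    # No tag, so this resolves to `latest`; pin a version or digest for
    # reproducible deployments.
    image: traefik/whoami
    command: --name swarm
    deploy:
      replicas: 2
      labels:
        traefik.enable: "true"
        traefik.http.routers.whoami.rule: Host(`whoami.localhost`)
        traefik.http.services.whoami.loadBalancer.server.port: "80"
    networks:
      - traefik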

dynamic-file.yaml
# Dynamic configuration loaded by the file provider: one router that
# forwards a hostname to a host outside the swarm.
http:
  routers:
    some-name:
      rule: Host(`legacyapp.localhost`)
      service: some-name
      tls:
        # Refers to tls.options.compatible defined further down in this
        # file (TLS 1.2 minimum) instead of the stricter `default` entry.
        options: compatible
  services:
    some-name:
      loadBalancer:
        servers:
          # Plain HTTP to the backend: TLS ends at Traefik, so this hop is
          # unencrypted on the internal network.
          - url: http://192.168.202.202


# Named TLS option sets; a router selects one with `tls.options: <name>`.
# NOTE(review): the names appear to follow Mozilla's modern / intermediate /
# old server-side TLS profiles — confirm against the current guidance.
tls:
  options:
    # modern
    # `default` is applied to every TLS router that names no options.
    default:
      minVersion: VersionTLS13
    # intermediate
    # TLS 1.2 minimum with ECDHE key exchange and AEAD ciphers only.
    # cipherSuites affects TLS 1.2 and below; TLS 1.3 suites are not
    # configurable here.
    compatible:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    # Legacy profile: allows TLS 1.0, CBC-mode suites, static-RSA key
    # exchange (no forward secrecy) and 3DES. No router in this file
    # references it; use it only for clients that cannot do better.
    old:
      minVersion: VersionTLS10
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        - TLS_RSA_WITH_AES_128_GCM_SHA256
        - TLS_RSA_WITH_AES_256_GCM_SHA384
        - TLS_RSA_WITH_AES_128_CBC_SHA256
        - TLS_RSA_WITH_AES_128_CBC_SHA
        - TLS_RSA_WITH_AES_256_CBC_SHA
        - TLS_RSA_WITH_3DES_EDE_CBC_SHA
