I'm using Docker Swarm with Portainer (similar to what is outlined at Traefik Proxy with HTTPS - Docker Swarm Rocks). I need to use a file provider to set TLS options and to forward traffic to another host on my network that is not part of the swarm.
Traefik sees that there is a file available but I don't see evidence that this is working.
Is this enabled/allowed using docker swarm?
It sure does. That is how I set TLS options.
@cakiwi Can you show me an example of how it works? Everything I've tried doesn't work.
Hi @gmalenko
This is a somewhat complete example. The key part is that the dynamic file is shipped to the Traefik task as a Swarm config (mounted at `/dynamic-file.yaml`) and the file provider is pointed at that exact path with `--providers.file.filename`:
stack.yaml
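version: "3.8"

networks:
  traefik:
    attachable: true
    name: traefik

# Swarm configs get the dynamic file into the Traefik task without a bind
# mount; by default a config is mounted read-only at /<config-name>.
# Configs are immutable: to change dynamic-file.yaml you have to create a new
# config (or rotate it) and redeploy the stack -- file-provider "watch" does
# not help here.
configs:
  dynamic-file.yaml:
    file: ./dynamic-file.yaml

volumes:
  letsencrypt:

services:
  traefik:
    image: "traefik:v2.5"
    command:
      - --accesslog.format=json
      - --accesslog=true
      # Enables the API/dashboard. It is only reachable through the
      # `dashboard` router below, which is protected by basic auth.
      - --api
      # Staging CA: issued certificates are NOT browser-trusted. Keep it while
      # experimenting (much higher rate limits), then switch to the production
      # directory URL.
      - --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=foo.bar@example.com
      # acme.json contains the private keys of every issued certificate;
      # treat the `letsencrypt` volume as secret material.
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.websecure.address=:443
      # TLS is on for every router on this entrypoint. Routers that do not
      # set tls.options themselves get the option set named `default` from
      # the file provider (e.g. the whoami router below).
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=le
      - --log.format=json
      # Only services that opt in with traefik.enable=true get routed.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmMode=true
      - --providers.docker=true
      # Must match the mount path of the swarm config above.
      - --providers.file.filename=/dynamic-file.yaml
      - --providers.file=true
    configs:
      - dynamic-file.yaml
    deploy:
      placement:
        constraints:
          # Pins Traefik to a single node, presumably so the local
          # `letsencrypt` volume is always on the node running it.
          # Replace with the node ID of your own manager (`docker node ls`).
          - node.id == b4v173oy5bxy37otxio628da5
      labels:
        traefik.enable: "true"
        traefik.http.routers.dashboard.rule: Host(`traefik.localhost`)
        traefik.http.routers.dashboard.service: api@internal
        traefik.http.routers.dashboard.middlewares: dashboard-auth
        # In swarm mode every enabled service must declare a port; the
        # dashboard router targets api@internal, so this service is never
        # actually used.
        traefik.http.services.dummy.loadBalancer.server.port: "65535"
        # bcrypt hash with `$` doubled for Compose interpolation. This is an
        # example credential for user "test" -- generate your own with
        # `htpasswd -nB <user>` before exposing the dashboard anywhere.
        traefik.http.middlewares.dashboard-auth.basicauth.users: test:$$2b$$12$$6maAfNLC6L6RPMWR10Uo2.I.gg7rbOMGXZ1bzAsVTJFK3x4n7v2oW
    networks:
      - traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # `:ro` only makes the socket file read-only; the Docker API behind it
      # is still fully usable, so a compromised Traefik container can control
      # the daemon (and therefore the host). Consider a socket proxy that
      # only allows the read-only endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt

  whoami:
    image: traefik/whoami
    command: "--name swarm"
    deploy:
      replicas: 2
      labels:
        traefik.enable: "true"
        traefik.http.routers.whoami.rule: Host(`whoami.localhost`)
        traefik.http.services.whoami.loadBalancer.server.port: "80"
    networks:
      - traefik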
dynamic-file.yaml
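http:
  routers:
    some-name:
      rule: Host(`legacyapp.localhost`)
      service: some-name
      tls:
        # Use the "intermediate" option set defined below for this host only;
        # every other router keeps the `default` set.
        options: compatible
  services:
    some-name:
      loadBalancer:
        servers:
          # Plain HTTP to a host outside the swarm: TLS terminates at Traefik
          # and this hop crosses the LAN unencrypted. Prefer https:// (plus a
          # serversTransport with the backend's CA) if the backend supports it.
          - url: http://192.168.202.202

tls:
  options:
    # `default` is special in Traefik: it is applied to every router that
    # does not set tls.options itself (e.g. the whoami router coming from the
    # docker provider), so this makes TLS 1.3 the floor for the whole host.
    # Mozilla "modern" profile; cipherSuites is not needed because Go does
    # not allow configuring TLS 1.3 suites.
    default:
      minVersion: VersionTLS13
    # Mozilla "intermediate" profile: TLS 1.2+, AEAD suites with forward
    # secrecy only (ECDHE).
    compatible:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    # Mozilla "old" profile, listed for completeness. It is NOT referenced by
    # any router above. It admits TLS 1.0/1.1 (deprecated by RFC 8996),
    # CBC suites, static RSA key exchange (no forward secrecy) and 3DES
    # (64-bit block, Sweet32). Remove it unless a specific legacy client
    # genuinely requires it, and never name it `default`.
    old:
      minVersion: VersionTLS10
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        - TLS_RSA_WITH_AES_128_GCM_SHA256
        - TLS_RSA_WITH_AES_256_GCM_SHA384
        - TLS_RSA_WITH_AES_128_CBC_SHA256
        - TLS_RSA_WITH_AES_128_CBC_SHA
        - TLS_RSA_WITH_AES_256_CBC_SHA
        - TLS_RSA_WITH_3DES_EDE_CBC_SHA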