I run a small docker swarm cluster with 4 nodes (1 manager/leader, 3 workers). The manager node has Traefik2 installed. I've wanted to add a new node, a server already running an apache server with a couple of websites secured with Let's Encrypt certificates. Immediately after adding the node with docker swarm join, traefik takes over and replaces all the certificates with its own self-signed certificate. I know this is expected behavior, but can I somehow prevent it and run an existing webserver with traefik?
this tag was made on the node so it always deploys on the same manager node.
The web server is on a worker node. According to your explanation, the flow is like that?
node1 - master/leader with traefik, IP 1.1.1.1
node2 - worker node, IP 2.2.2.2
DNS A record for www.example.com points to 2.2.2.2. There is an apache2 webserver outside of docker. On the worker node a request on port 80 or 443 comes in. It doesn't reach the apache webserver; it's forwarded to the manager, traefik hasn't any rules about that domain and forwards the request back to node2. It reaches the external webserver on node2, but with a self-signed Traefik certificate. Is there a workaround, some kind of whitelist, blacklist? Or did I misunderstand your answer?
ve traefik
apache2 web server runs on worker node with ip 2.2.2.2 and publishes ports 80:80;443:443 (certificate is correct)
DNS A record points to 1.1.1.1 master node
Is it working correctly?
BTW
Using volumes in docker swarm is not a good idea.
It can be better to use a mounted NFS share, for example mounted to the /external folder.
Nice, thanks for the doc. Will look into it.
So, I've added node2 to the swarm and I got the certificate error, then I removed the traefik stack and the hp's outside docker work fine, of course dockerized applications don't work anymore. DNS points to 2.2.2.2 though.
To remove the possibility of misunderstanding, here is my complete environment (I will change that according to your recommendation though):
node1: master node, leader, 1.1.1.1
dockerized traefik, grafana, prometheus and portainer with agents.
One vpn server that's not dockerized
node2: worker node, ip 2.2.2.2
no dockerized apps at the moment since the problem with the certificate shows as soon as I add it to the swarm
existing server with db, apache webserver dns, webserver listening on 80,443 tcp
node3: worker node, ip 3.3.3.3
dockerized gitlab
existing mailserver and openvpn server, since they don't use ports 80 and 443, everything works fine with traefik
all domains/subdomains like grafana, git, portainer work fine since they are dockerized, they run through traefik and the stacks have the according labels
domain A record for www.new-example.com points to ip 2.2.2.2 (since there is the existing webserver). The webserver handles https and certificates. When activating traefik, apparently everything on port 80,443 that comes in on node2 is forwarded to the manager node1 with traefik on it. Traefik doesn't find a configuration for www.new-example.com since there is nothing there because it's outside docker, and it forwards the request back to node2 but with traefik's own self-signed certificate. The homepage works, but I get a warning that the site is not secure and I have to add an exception if I want to see it. With HSTS I can't even do that because it doesn't allow adding exceptions.
I happen to have a couple of servers with existing services on them. I've wanted to try out docker in swarm mode with a convenient reverse proxy like Traefik and I used those servers to play around with it. I know it's not a common configuration to mix dockerized apps and existing services (or at least I don't think it is common). So if it doesn't work that way I'll use only clean servers for docker and traefik in the future.
The solution to get traefik working with existing webservers is to make Traefik listen directly, not through Docker Swarm mode.
As @SkazochnikZlodey already pointed out in his first reply (and I made a mess in the thread after that), you need to publish the ports in host mode.
This is not a general rule, this is only true in the specific circumstance where a node in the swarm is also running a singleton container that is publishing a port that you are publishing with Traefik.
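The host-mode publishing described in the solution above, as an added example stack file that is not part of the thread: ports 80/443 are bound only on the node where Traefik's task runs instead of on every swarm node through the ingress routing mesh, so node2's own Apache keeps serving its own certificates. The image tag, the `proxy` network name and the manager-role constraint are assumptions.

```yaml
# Added example (not from the thread): Traefik v2 stack for Docker Swarm.
# Publishing 80/443 with mode: host keeps them out of the ingress routing mesh,
# so worker nodes running their own Apache on 80/443 are left untouched.
version: "3.8"

services:
  traefik:
    image: traefik:v2.10          # assumed tag; use the version already deployed
    command:
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false   # only route labelled services
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
    ports:
      # mode: host binds on the node's interface directly; no routing mesh
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy
    deploy:
      mode: replicated
      replicas: 1                 # host-mode ports allow at most one task per node
      placement:
        constraints:
          - node.role == manager  # keep the single task on node1 (1.1.1.1)

networks:
  proxy:
    driver: overlay               # assumed name; attach routed stacks to it
```

After `docker stack deploy`, `docker service inspect --format '{{json .Endpoint.Ports}}' <stack>_traefik` should report `"PublishMode":"host"`, and `ss -ltnp` on node2 should list only Apache on 80/443.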