Is there something like jwilder "separate container" nginx setup to prevent need to mount or expose docker.sock?

I've become increasingly concerned with my recent approach of following guides that have docker.sock mounted as a volume for some exposed containers. I've found a couple of "separate container" approaches for nginx that seem to work well with straightforward guides and I wanted to see if anyone might have a similar approach they can share that works for Traefik to accomplish this. If you're unfamiliar with the concept, it basically uses one container with very limited permissions (can't POST by default, for example) for the primary gateway entrypoint, and another container for the other capabilities the reverse proxy normally provides. Here's to hoping I can learn how to do this with Traefik 2.0!

I have my Docker daemon exposed in a separate container using socat which I run on the manager node. This allows me to run traefik in the worker nodes. LetsEncrypt JSON file is not being stored

This is awesome, thank you for sharing - and for sharing your files in the other thread so I can see how this works. I've gotten pretty decent at basic docker and compose stuff (at least good enough to follow most guides), but swarm is new to me so I'm still trying to figure out the master-worker and deploy thing. Hopefully I'll understand that tonight well enough to create some examples here and I can get some testing in.

Don't bother much with the master-worker setup unless you have the machines to go with it or you're experimenting. I just use swarm mode so I can potentially scale if needed, but a single machine with a master is usually enough for most needs I find.

If you want something with a bit more overengineering https://registry.terraform.io/modules/trajano/swarm-aws/docker/3.1.3 is a module I wrote for Terraform that sets up a swarm on AWS.

I think to the first part of your comment I could probably drop the swarm stuff altogether - except apparently it’s defined in one of the services so I get an error when I run compose. I think it’s really the sidecar architecture that’s addressing the core of the risk here for me, but it seemed easier to learn to set up a very basic swarm than to figure out how to address the deploy reference error in the Traefik container.....


So after playing with this another couple of hours it's clear I can't get all the way through this - especially with swarm mode. Any chance you can post a basic docker compose version that has the separate proxy container and traefik without swarm mode, for those of us that are still too early in the process?
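The non-swarm layout asked for above, written as an added example (not the earlier poster's files): a socat sidecar relays docker.sock onto TCP on a private, non-published network, and Traefik is pointed at it with `--providers.docker.endpoint` instead of mounting the socket. The image tags, network names and port are assumptions; note that socat relays the whole daemon API unfiltered, so only Traefik should sit on that network, and a proxy that rejects POST and limits endpoints would be stricter still.

```yaml
version: "3.7"

services:
  docker-socket:
    image: alpine/socat              # assumed image; any socat image works
    # Listen on TCP 2375 inside the container and forward each connection
    # to the host's Docker socket. No "ports:" entry, so it is reachable
    # only from containers attached to the "socket" network below.
    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket
    restart: unless-stopped

  traefik:
    image: traefik:v2.0
    command:
      - --providers.docker=true
      # Talk to the sidecar over TCP; docker.sock is never mounted here.
      - --providers.docker.endpoint=tcp://docker-socket:2375
      # Only route containers that opt in with traefik.enable=true labels.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    networks:
      - socket                       # reach the sidecar
      - web                          # reach the services it routes to
    depends_on:
      - docker-socket
    restart: unless-stopped

networks:
  socket:
    internal: true                   # no external connectivity for the relay
  web:
```

Services Traefik should route join the `web` network with their `traefik.*` labels; nothing besides Traefik should be attached to `socket`.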