Just getting 404 for the dashboard and would like a spot check of my config

Hi all, I think I kinda have my instance figured out in my swarm. Piecing together a lot of examples and some trial and error I got it to deploy the way I wanted it to. But for some reason it's only returning 404 when I try to hit the dashboard. I can see the requests in the logs but just 404 responses. I'm not sure I understand what I am doing wrong and I'm sure it's just something dumb in my config here. Help? Kindly? :)

#
# Deployment command for the stack into the swarm
# docker stack deploy -c traefik-host.yml traefik

services:

  traefik:
    # Use the latest Traefik image
    image: traefik:v3.1
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 80
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 443
        mode: host
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the traefik-public network (declared below)
        - traefik.docker.network=traefik-public
        # Use the custom label "traefik.constraint-label=traefik-public"
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik-public
        # admin-auth middleware with HTTP Basic auth
        # Using the environment variables USERNAME and HASHED_PASSWORD
        - traefik.http.middlewares.admin-auth.basicauth.users=user:$$2y$$05$$a5/1OiIinRtr52s79Y92AORs68dCOVTc5th4jsgCBZsP1mrytRlUW
        # https-redirect middleware to redirect HTTP to HTTPS
        # It can be re-used by other stacks in other Docker Compose files
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # traefik-http set up only to use the middleware to redirect to https
        - traefik.http.routers.traefik-public-http.rule=Host('traefik.home.whootis.com')
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        # traefik-https the actual router using HTTPS
        - traefik.http.routers.traefik-public-https.rule=Host('traefik.home.whootis.com')
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Use the "le" (Let's Encrypt) resolver created below
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        # Enable HTTP Basic auth, using the middleware created above
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volume to store the certificates
      - traefik-public-certificates:/certificates
    command:
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker
      # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      # Enable Docker Swarm mode
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      # Create an entrypoint "http" listening on address 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on address 443
      - --entrypoints.https.address=:443
      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
      # TO BE CHANGED
      - --certificatesresolvers.le.acme.email='test@test'
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.le.acme.tlschallenge=true
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Traefik log, for configurations and errors
      - --log
      # Enable the Dashboard and API
      - --api
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - traefik-public

volumes:
  # Create a volume to store the certificates, there is a constraint to make sure
  # Traefik is always deployed to the same Docker node with the same volume containing
  # the HTTPS certificates
  traefik-public-certificates:

networks:
  # Use the previously created public network "traefik-public", shared with other
  # services that need to be publicly available via this Traefik
  traefik-public:
    driver: overlay

Note that providers.docker and providers.swarm are two different things in Traefik v3. So make sure to use the right provider for your settings.

If you use:

networks:
  # Use the previously created public network "traefik-public", shared with other
  # services that need to be publicly available via this Traefik
  traefik-public:
    driver: overlay

you need to configure it as external: true or it will be created new with the project prefix.

Place http-to-https redirect and certResolver on entrypoint, reduces config lines a lot.

Check best practice simple Traefik Swarm example.

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc). What URL do you request? What is logged during a request?

Regarding the network: the examples you pointed to don't have that in it. And when I add the external: true statement it says it's referencing a network that doesn't exist. So is the expectation here that it should be hand cranked before using this config? Seems like it kinda defeats the purpose of the infrastructure as code. Wouldn't it be easier to just declare the name in the network description so it doesn't get the prefix?

networks:
  # Use the previously created public network "traefik-public", shared with other
  # services that need to be publicly available via this Traefik
  traefik-public:
    driver: overlay
    name: traefik-public

Is there something unique that has to be done on the command line?

Using name: is perfect.

I just wrote this because of the comment:

Thanks for sharing informative content.
It helps me a lot.
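
The suggestions from the reply above (Swarm provider only, HTTP-to-HTTPS redirect and certresolver set on the entrypoints, debug log and JSON access log, an overlay network with a fixed name) combined into one stack file. This is an added example, not a config posted in the thread; traefik.example.com, admin@example.com, the router name "dashboard" and the basic-auth hash are placeholders.

```yaml
# Added example; hostname, e-mail address and hash below are placeholders.
services:
  traefik:
    image: traefik:v3.1
    ports:
      - {target: 80, published: 80, mode: host}
      - {target: 443, published: 443, mode: host}
    command:
      # Swarm provider only; no --providers.docker.* flags alongside it
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm.exposedbydefault=false
      - --providers.swarm.network=traefik-public
      - --entrypoints.http.address=:80
      # Redirect every HTTP request to the https entrypoint
      - --entrypoints.http.http.redirections.entrypoint.to=https
      - --entrypoints.http.http.redirections.entrypoint.scheme=https
      - --entrypoints.https.address=:443
      # Default certresolver for every router on the https entrypoint
      - --entrypoints.https.http.tls.certresolver=le
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --api.dashboard=true
      - --log.level=DEBUG
      - --accesslog=true
      - --accesslog.format=json
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-public-certificates:/certificates
    networks:
      - traefik-public
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)
        - traefik.http.routers.dashboard.entrypoints=https
        - traefik.http.routers.dashboard.service=api@internal
        - traefik.http.routers.dashboard.middlewares=admin-auth
        - traefik.http.middlewares.admin-auth.basicauth.users=admin:<htpasswd-hash>
        # Swarm services need a port label even though api@internal ignores it
        - traefik.http.services.dashboard.loadbalancer.server.port=8080
volumes:
  traefik-public-certificates:
networks:
  traefik-public:
    driver: overlay
    name: traefik-public
```

Every `$` in the htpasswd hash has to be doubled to `$$` in a stack file, and the DEBUG log level is meant for troubleshooting rather than permanent use.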