So I tried for a third time to migrate to Traefik v2 in my docker swarm but I had to roll it all back again... the most annoying part is that 1.7 fulfills all my needs but I'm afraid it won't be supported in a while.
What I want to do is to register wildcard DNS domain "*.mydomain.com" with Letsencrypt + godaddy.
Then I want my containers to be reachable on container.mydomain.com (with https) and also container.internaldomain (with http).
I'm also doing some serving of content with a certificate coming from another traefik installation (in another docker swarm). Also I don't want to expose my "external" services on this traefik instance (I have another instance for that).
As I understand, the domain name for the letsencrypt request now comes from each container's routing rules? But I want to use a wildcard cert, so I don't want it to request a cert for container1.mydomain.com, I want it to use *.mydomain.com. This is my current (obfuscated) config:
```toml
logLevel = "INFO"
defaultEntryPoints = ["http", "https"]
insecureSkipVerify = true

[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
        certFile = "/cert/otherdomain.crt"
        keyFile = "/cert/otherdomain.key"

[metrics]
  [metrics.prometheus]

[api]

[docker]
  endpoint = "unix:///var/run/docker.sock"
  domain = "docker"
  watch = true
  swarmmode = true
  constraints = ["tag!=exposed"]
  network = "traefik-net"

[acme]
  email = "xxxx"
  storage = "acme.json"
  entryPoint = "https"
  acmeLogging = true
  [acme.dnsChallenge]
    provider = "godaddy"
    delayBeforeCheck = 90
    resolvers = ["8.8.8.8:53"]
  [[acme.domains]]
    main = "*.mydomain.com"
    sans = ["mydomain.com"]
```
Then on each container I have these labels:

Simple, non-SSL enabled:

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.frontend.rule=Host:website.internaldomain"
  - "traefik.port=8080"
```

Published with non-SSL, SSL and also on the other domain:

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.frontend.rule=Host:grafana.internaldomain,grafana.mydomain.com,grafana.otherdomain.com"
  - "traefik.port=3000"
```
Compose file for traefik:

```yaml
version: '3.5'
services:
  traefik:
    image: traefik:1.7-alpine
    ports:
      - "80:80"
      - "443:443"
      - "8380:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/storage/traefik/traefik.toml:/traefik.toml
      - /mnt/storage/traefik/toml:/toml
      - /mnt/storage/traefik/cert:/cert
      - /mnt/storage/traefik/acme.json:/acme.json
    environment:
      - "GODADDY_API_KEY=xxxx"
      - "GODADDY_API_SECRET=yyyy"
    networks:
      - traefik-net
    deploy:
      update_config:
        order: start-first
        failure_action: rollback
      restart_policy:
        delay: 30s
      placement:
        constraints:
          - node.role==manager
          - node.labels.ingress==true
      labels:
        - "traefik.enable=true"
        - "traefik.frontend.rule=Host:traefik.internaldomain,traefik.mydomain.com"
        - "traefik.port=8080"
networks:
  traefik-net:
    external: true
```
If anyone could help me a bit on the way I would be grateful. This is also my simple traefik instance. The other one is "edge" routing from internet, with authentication from authelia, and I want to first understand my internal setup before I move on to the edge cluster.
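A v2 equivalent of the setup in the post, written here as an added example and not a config from the original poster or from the Traefik project: the wildcard is obtained by the DNS challenge and is requested through the router's `tls.domains` labels instead of being derived from its `Host` rule. It assumes a `traefik:v2.2` image, a dynamic file `/toml/dynamic.toml` (assumed name) holding a `[[tls.certificates]]` entry for `/cert/otherdomain.crt` and `.key`, and that the obfuscated `xxxx`/`yyyy` placeholders are replaced.

```yaml
version: '3.5'
services:
  traefik:
    image: traefik:v2.2
    command:
      - "--serverstransport.insecureskipverify=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.swarmmode=true"
      - "--providers.docker.network=traefik-net"
      - "--providers.docker.exposedbydefault=false"
      # v2 constraint expression replacing v1's tag!=exposed
      - "--providers.docker.constraints=!Label(`tag`,`exposed`)"
      # assumed dynamic file with [[tls.certificates]] for otherdomain.{crt,key}
      - "--providers.file.filename=/toml/dynamic.toml"
      # one ACME resolver; the DNS challenge is what permits a wildcard
      - "--certificatesresolvers.godaddy.acme.email=xxxx"
      - "--certificatesresolvers.godaddy.acme.storage=/acme.json"
      - "--certificatesresolvers.godaddy.acme.dnschallenge.provider=godaddy"
      - "--certificatesresolvers.godaddy.acme.dnschallenge.delaybeforecheck=90"
      - "--certificatesresolvers.godaddy.acme.dnschallenge.resolvers=8.8.8.8:53"
    ports: ["80:80", "443:443"]
    environment:
      - "GODADDY_API_KEY=xxxx"
      - "GODADDY_API_SECRET=yyyy"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/storage/traefik/toml:/toml
      - /mnt/storage/traefik/cert:/cert
      - /mnt/storage/traefik/acme.json:/acme.json
    networks: [traefik-net]
  grafana:
    image: grafana/grafana
    networks: [traefik-net]
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.grafana-http.rule=Host(`grafana.internaldomain`)"
        - "traefik.http.routers.grafana-http.entrypoints=web"
        - "traefik.http.routers.grafana-https.rule=Host(`grafana.mydomain.com`) || Host(`grafana.otherdomain.com`)"
        - "traefik.http.routers.grafana-https.entrypoints=websecure"
        - "traefik.http.routers.grafana-https.tls=true"
        - "traefik.http.routers.grafana-https.tls.certresolver=godaddy"
        # request the wildcard itself, not grafana.mydomain.com
        - "traefik.http.routers.grafana-https.tls.domains[0].main=*.mydomain.com"
        - "traefik.http.routers.grafana-https.tls.domains[0].sans=mydomain.com"
        - "traefik.http.services.grafana.loadbalancer.server.port=3000"
networks:
  traefik-net:
    external: true
```

With `tls.domains` set, the resolver requests exactly `*.mydomain.com` plus `mydomain.com` and reuses that stored certificate for every router declaring the same domains. `grafana.otherdomain.com` is served from the file-provider certificate selected by SNI, so no ACME request is made for it.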