Looking for the magic decoder ring for Docker Swarm, Traefik and other applications

doobs · December 14, 2025, 9:23pm

So,

I've been beating my head against this for literally a month.

Two machines (HP EliteDesk 705 G3), Ubuntu 24.04 server, Docker, one defined as the primary, the other the secondary. All good.

Portainer set up, Dashboard accessed locally.

Traefik 3.6.4 is set up per the instructions: [https://doc.traefik.io/traefik/setup/swarm/](https://Traefik%20Swarm%20Setup).

It works fine. I can connect to it through the URL. No errors in the logs, etc.

Nothing I attempt to attach to it will connect through Traefik..

The two I've got are Trilium and Mealie. Both have been set up per the instructions on their respective sites. I’ve tried a third, Nomie and am getting the same results.

The applications using Traefik seem to be continually stopping and starting.

I can attach to them locally, but not through the designated URL's.

Is there some mysterious secret to the universe on how this works, with the caveat that it needs to be in accordance with the latest? I've found plenty of stuff, that I haven't tried, for Traefik v1, v2 and older versions of v3.

Thank you in advance

Chris

bluepuma77 · December 14, 2025, 9:30pm

Enable Traefik debug log (doc) and Traefik access log in JSON format (doc).

You should share your Traefik static and dynamic config, and Docker compose file(s).

Maybe compare to simple Traefik Swarm example.

doobs · December 15, 2025, 2:30pm

Okay,

As indicated, this is almost verbatim from here

Static file:

tls:
certificates:

certFile: /certs/local.crt
keyFile: /certs/local.key

No Dynamic file

As this is a Swarm, it’s a Docker Stack file:

services:
  traefik:
    image: traefik:v3.6.4

    networks:
    # Connect to the 'traefik_proxy' overlay network for inter-container communication across nodes
      - traefik_proxy

    ports:
        # Expose Traefik's entry points to the Swarm
        # Swarm requires the long syntax for ports.
      - target: 80 # Container port (Traefik web entry point)
        published: 80 # Host port exposed on the nodes
        protocol: tcp
        # 'host' mode binds directly to the node's IP where the task runs.
        # 'ingress' mode uses Swarm's Routing Mesh (load balances across nodes).
        # Choose based on your load balancing strategy. 'host' is often simpler if using an external LB.
        mode: host
      - target: 443 # Container port ( Traefik websecure entry point)
        published: 443 # Host port
        protocol: tcp
        mode: host

    volumes:
      # Mount the Docker socket for the Swarm provider
      # This MUST be run from a manager node to access the Swarm API via the socket.
      - /var/run/docker.sock:/var/run/docker.sock:ro   # Swarm API socket
      - /home/elitedesk/traefik/certs:/certs:ro
      - /home/elitedesk/traefik//dynamic:/dynamic:ro

    # Traefik Static configuration via command-line arguments
    command:
      # HTTP EntryPoint
      - "--entrypoints.web.address=:80"

      # Configure HTTP to HTTPS Redirection
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

      # HTTPS EntryPoint
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"

      # Attach dynamic TLS file
      - "--providers.file.filename=/dynamic/tls.yaml"
      
      # Providers

      # Enable the Docker Swarm provider (instead of Docker provider)
      - "--providers.swarm.endpoint=unix:///var/run/docker.sock"

      # Watch for Swarm service changes (requires socket access)
      - "--providers.swarm.watch=true"

      # Recommended: Don't expose services by default; require explicit labels
      - "--providers.swarm.exposedbydefault=false"

      # Specify the default network for Traefik to connect to services
      - "--providers.swarm.network=traefik_proxy"

      # API & Dashboard
      - "--api.dashboard=true" # Enable the dashboard
      - "--api.insecure=false" # Explicitly disable insecure API mod

      # Observability
      #- "--log.level=INFO" # Set the Log Level e.g INFO, DEBUG
      - "--log.level=DEBUG"
      - "--accesslog=true" # Enable Access Logs
      #- "--accesslog.format=json"
      - "--metrics.prometheus=true"  # Enable Prometheus

    deploy:
      mode: replicated
      replicas: 1
      
      placement:

      # Placement constraints restrict where Traefik tasks can run.
      # Running on manager nodes is common for accessing the Swarm API via the socket.
        constraints:
          - node.role == manager

      # Traefik Dynamic configuration via labels
      # In Swarm, labels on the service definition configure Traefik routing for that service.
      labels:
        - "traefik.enable=true"

        # Dashboard router
        - "traefik.http.routers.dashboard.rule=Host(`traefik.mydomain.com`)"
        - "traefik.http.routers.dashboard.entrypoints=websecure"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.tls=true"

        # Basicâ€‘auth middleware
        - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$05$$.9hlW1NKIl6p...Bu6jNhlzHmOC"
        - "traefik.http.routers.dashboard.middlewares=dashboard-auth@swarm"

        # Service hint
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  # Deploy the Whoami application
  whoami:
    image: traefik/whoami
    networks:
      - traefik_proxy
    deploy:
      labels:
        # Enable Service discovery for Traefik
        - "traefik.enable=true"
        # Define the WHoami router rule
        - "traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)"
        # Expose Whoami on the HTTPS entrypoint
        - "traefik.http.routers.whoami.entrypoints=websecure"
        # Enable TLS
        - "traefik.http.routers.whoami.tls=true"
        # Expose the whoami port number to Traefik
        - traefik.http.services.whoami.loadbalancer.server.port=80


      
# Define the overlay network for Swarm
networks:
  traefik_proxy:
    driver: overlay
    attachable: true
    external: true

Sorry, I’m not smart enough for it to format correctly….

I’m getting a log of this in the logs:

‘‘‘2025-12-15T14:22:35Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:200 > Filtering disabled container container=portainer-agent-ad5pf56fk7ovgwydvl64ky57j providerName=swarm

2025-12-15T14:22:35Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:200 > Filtering disabled container container=portainer-agent-x30zfbytdkev4mjjn3cg9b6zc providerName=swarm

2025-12-15T14:22:35Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:200 > Filtering disabled container container=portainer-portainer-ecw3xlze7deybxmew0kex723p providerName=swarm’’’

Thanks in advance

bluepuma77 · December 15, 2025, 3:47pm

Please use 3 backticks before and after code/config to make it readable and preserve spacing.

bluepuma77 · December 16, 2025, 8:55pm

This is needed to enable services to be recognized:

Is whoami working for you?

doobs · December 16, 2025, 10:22pm

Yes it is.

I was able to get all my applications working properly.

Thank you

Topic		Replies	Views
Traefik as a service (standalone app, not started as docker compose) and swarm mode Traefik v3 (latest) docker-swarm	4	129	October 7, 2024
Swarm basic implementation not working Traefik v1 docker-swarm	8	674	August 14, 2019
[Need Help] Traefik + Docker Swarm Traefik v3 (latest) docker-swarm	2	96	June 28, 2025
Traefik 2.3 does not see my swarm services Traefik v2 docker-swarm	5	606	January 9, 2023
Traefik on docker swarm simple setup Traefik v2 docker-swarm	0	1487	January 3, 2022

Looking for the magic decoder ring for Docker Swarm, Traefik and other applications

Related topics