Hi,
I've been labbing around with traefik for a few weeks now and got everything working perfectly fine, aside from one last quirk!
The problem is that when I run traefik in HA (mode: global or replicated) and when traefik is taking requests on host01 and the container it's loadbalancing to lives on e.g. host02, I get capped DL/UL speeds to ~3mbit/s.
It works as expected if I move the container to the host that traefik is currently taking requests on, but it obviously isn't HA if I have to move containers around manually like that...
I bet this is quite easy to fix if you understand the problem, and it's probably something obvious I'm missing, so I would appreciate being pointed in the right direction. If there are any tests I can do to make it easier to help me, please let me know.
traefik.yml:
# Docker Swarm stack file for the Traefik v2.2 edge proxy.
# Indentation reconstructed from the flattened paste; values are unchanged.
version: '3.3'

services:
  traefik:
    image: 'traefik:v2.2'

    # mode: host publishes 80/443 directly on the node instead of through the
    # swarm routing mesh, so Traefik sees the real client source address.
    # The localNetworkOnly@file allow-list on the dashboard router relies on
    # that address being the real one.
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host

    deploy:
      # One task per manager node; the swarm provider needs a manager's
      # Docker API to list services.
      mode: global
      placement:
        constraints:
          - 'node.role == manager'
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
      # In swarm mode Traefik reads labels from the service (deploy.labels),
      # not from the container.
      labels:
        - 'traefik.enable=true'
        - 'traefik.docker.network=traefik-public'
        - 'traefik.constraint-label=traefik-public'
        # Plain-HTTP router: only redirects to HTTPS.
        - 'traefik.http.routers.traefik-public-http.rule=Host(`traefik.example.com`)'
        - 'traefik.http.routers.traefik-public-http.entrypoints=http'
        - 'traefik.http.routers.traefik-public-http.middlewares=httpsRedirect@file'
        # HTTPS router for the dashboard/API (service api@internal). The only
        # access control visible here is the source-IP allow-list; no
        # authentication middleware (basicAuth/forwardAuth) is attached.
        - 'traefik.http.routers.traefik-public-https.middlewares=sslHeaders@file, localNetworkOnly@file'
        - 'traefik.http.routers.traefik-public-https.rule=Host(`traefik.example.com`)'
        - 'traefik.http.routers.traefik-public-https.entrypoints=https'
        - 'traefik.http.routers.traefik-public-https.tls=true'
        - 'traefik.http.routers.traefik-public-https.service=api@internal'
        - 'traefik.http.routers.traefik-public-https.tls.certresolver=le'
        - 'traefik.http.services.traefik-public.loadbalancer.server.port=8080'

    volumes:
      # ":ro" only makes the socket file read-only in the mount; it does not
      # restrict which Docker API calls can be sent through it. This container
      # is internet-facing and runs on managers, so a compromise of Traefik
      # gives access to the swarm API. A filtering socket proxy on an
      # internal-only network is the usual mitigation.
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      # Holds acme.json (certificates and private keys). Traefik documents
      # that this file cannot be shared between several Traefik instances;
      # NOTE(review): with mode: global, confirm /var/data is node-local.
      - '/var/data/traefik/traefik-public-certificates:/certificates'
      # Mounted read-write: the container can modify its own routing/TLS
      # config file. Nothing visible here requires write access.
      - '/var/data/traefik/dynamic/dynamic.yml:/etc/traefik/dynamic/dynamic.yml'

    command:
      - '--providers.docker'
      - '--providers.docker.watch'
      # Services are only routed when they opt in with traefik.enable=true.
      - '--providers.docker.exposedbydefault=false'
      - '--providers.docker.swarmmode'
      - '--providers.file.filename=/etc/traefik/dynamic/dynamic.yml'
      - '--providers.file.watch=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      - '--certificatesresolvers.le.acme.email=my@email.com'
      - '--certificatesresolvers.le.acme.storage=/certificates/acme.json'
      - '--certificatesresolvers.le.acme.tlschallenge=true'
      # Use Let's Encrypt Staging Server (dry-run) to avoid getting rate limited
      # - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - '--accesslog'
      - '--log'
      # API/dashboard enabled without the insecure listener; it is reachable
      # only through the traefik-public-https router defined in the labels.
      - '--api'
      # - --log.level=DEBUG

    networks:
      - traefik-public

# Declared but not referenced: the service bind-mounts /var/data/... instead.
volumes:
  traefik-public-certificates:

networks:
  traefik-public:
    # NOTE(review): the network is external (created outside this stack), so
    # "attachable" is presumably decided at creation time, not here -- verify.
    attachable: true
    external: true
Dynamic.yml
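# Traefik file-provider (dynamic) configuration: backend transport timeouts,
# default TLS options and shared middlewares.
# Indentation reconstructed from the flattened paste.

# NOTE(review): in Traefik v2.2 serversTransport.forwardingTimeouts is
# documented as a static option (--serversTransport.forwardingTimeouts.*);
# confirm these values are actually applied when set in the dynamic file.
serversTransport:
  forwardingTimeouts:
    dialTimeout: 120s
    # 0s means no limit on waiting for backend response headers; a stalled
    # backend can hold proxy connections open indefinitely.
    responseHeaderTimeout: 0s
    idleConnTimeout: 300s

tls:
  options:
    default:
      # The ECDHE_RSA entries govern TLS 1.2 and require an RSA certificate.
      # The TLS_AES_* / TLS_CHACHA20_POLY1305_SHA256 names are TLS 1.3 suites,
      # which Traefik documents as not configurable.
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      # P-256 and X25519 are not listed; clients that offer only those
      # groups will fail the handshake. Check against the expected clients.
      curvePreferences:
        - CurveP521
        - CurveP384
      minVersion: VersionTLS12
      # Reject connections whose SNI matches no configured certificate
      # instead of answering with the default certificate.
      sniStrict: true

http:
  middlewares:
    # Security response headers for HTTPS routers.
    sslHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        # includeSubDomains + preload commits every subdomain to HTTPS.
        stsIncludeSubdomains: true
        # 15768000 s is about six months; the browser preload list requires
        # max-age of at least 31536000, so the preload flag alone will not
        # make this domain eligible.
        stsPreload: true
        stsSeconds: 15768000

    # Same as sslHeaders but without X-Frame-Options: DENY, for apps that
    # must be framed. With frameDeny off, no framing restriction is sent at
    # all; customFrameOptionsValue (e.g. SAMEORIGIN) or a CSP frame-ancestors
    # policy would keep clickjacking protection for these routes.
    sslHeadersXframeAllow:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: false
        sslRedirect: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15768000

    httpsRedirect:
      redirectScheme:
        scheme: https
        # Fixed key: was misspelled "pemanent", which is not a redirectScheme
        # option, so the permanent redirect was never configured as intended.
        permanent: true

    # Source-IP allow-list. It is evaluated against the address Traefik sees
    # for the connection, so it is only meaningful while the entrypoints
    # receive the real client IP (no NAT or routing mesh in front).
    localNetworkOnly:
      ipWhiteList:
        sourceRange:
          - 10.0.0.0/16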