Swarm 2 traefik instance

Hello, I have 1 Traefik instance (v2.10) on my swarm manager, and it works. Now I want to start a new Traefik instance on nodeX, with a new configuration, another network-public and socket-proxy. I did that, but when I start this second instance, I get this error on the first Traefik:

```
time="2024-06-12T09:09:15Z" level=error msg="Router defined multiple times with different configurations in [traefik-second-reverse-proxy-gjv39mywm6v4cqj1vxamzg3mi traefik-reverse-proxy-pyorfw970rtxrjodgswjs4ub0]" providerName=docker routerName=traefik
time="2024-06-12T09:09:15Z" level=error msg="Middleware defined multiple times with different configurations in [traefik-second-reverse-proxy-gjv39mywm6v4cqj1vxamzg3mi traefik-reverse-proxy-pyorfw970rtxrjodgswjs4ub0]" providerName=docker middlewareName=admin-auth
```

And the second instance doesn't work, and the dashboard of the first stops working too.

Did you change your traefik labels in the copy of the service? Maybe show the original and copy labels so we can see.

Different services/containers need different labels. Both Traefik instances are discovered via providers.docker and both probably have traefik.http.router.traefik….

Another option is to declare a different constraint (doc) for each providers.docker and add dedicated labels.
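The provider-constraint option suggested above, as an added example that is not part of the original thread: each instance gets its own `--providers.docker.constraints` expression, so it ignores the other instance's `traefik` router and `admin-auth` middleware. The service names, hosts and `traefik.constraint-label` values are taken from the stack files posted in this thread; all other settings are assumed to stay as posted.

```yaml
# Added example, not from the thread. Only the lines relevant to the
# "defined multiple times" errors are shown; the rest stays as posted.

# --- Stack file 1: first instance (manager) ---
services:
  reverse-proxy:
    image: traefik:v2.10
    command:
      - --providers.docker
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false
      # Load only services labelled traefik.constraint-label=cloud-public.
      # Without this line the label below is never evaluated.
      - --providers.docker.constraints=Label(`traefik.constraint-label`,`cloud-public`)
    deploy:
      labels:
        - traefik.enable=true
        - traefik.constraint-label=cloud-public
        - traefik.http.routers.traefik.rule=Host(`traefik.site.com`)
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.routers.traefik.middlewares=api-ipwhitelist,traefik-ratelimit,admin-auth
---
# --- Stack file 2: second instance ---
services:
  second-reverse-proxy:
    image: traefik:v2.10
    command:
      - --providers.docker
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false
      # Load only services labelled traefik.constraint-label=second-public.
      - --providers.docker.constraints=Label(`traefik.constraint-label`,`second-public`)
    deploy:
      labels:
        - traefik.enable=true
        - traefik.constraint-label=second-public
        # The router and middleware names may stay the same: the first
        # instance no longer reads these labels, and vice versa.
        - traefik.http.routers.traefik.rule=Host(`traefik.site2.fr`)
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.routers.traefik.middlewares=api-ipwhitelist,traefik-ratelimit,admin-auth
```

Every application service must carry the `traefik.constraint-label` value of the instance that should route it; a service without a matching label is ignored by both instances.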

My 2 docker-compose files:

ON NODE MANAGER (WORKS)

services:
  reverse-proxy:
    image: traefik:v2.10
    command:
      - --providers.docker
      # Use the secure docker socket proxy
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --providers.docker.swarmMode=true
      - --providers.docker.network=cloud-public
      - --providers.file.directory=/traefik_conf
      - --providers.file.watch=true
      # Entrypoints (ports) for the routers
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,...
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,...

      - --entrypoints.traefik.address=:8000
      - --entrypoints.traefik.http.tls.certResolver=letsencrypt

      # Create the certificate resolver "letsencrypt" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.letsencrypt.acme.email=vincent@site.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      #For dev
      - --certificatesresolvers.letsencrypt-dev.acme.email=vincent@site.com
      - --certificatesresolvers.letsencrypt-dev.acme.storage=/letsencrypt/acme-dev.json
      - --certificatesresolvers.letsencrypt-dev.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencrypt-dev.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory

      # Logging
      - --accesslog=true
 
      # Enable the dashboard
      - --api
      - --metrics
      - --metrics.prometheus
      - --metrics.prometheus.addEntryPointsLabels=true
      - --metrics.prometheus.addServicesLabels=true
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.cloud-public.traefik-certificates == true
          - node.role == manager
      labels:
        # traefik.enable is required because we don't expose all containers automatically
        - traefik.enable=true
        - traefik.docker.network=cloud-public
        - traefik.constraint-label=cloud-public

        # Global redirection: HTTP to HTTPS
        - traefik.http.routers.http-redirects.entrypoints=web
        - traefik.http.routers.http-redirects.rule=hostregexp(`{host:(www\.)?.+}`)
        - traefik.http.routers.http-redirects.middlewares=traefik-ratelimit,redirect-to-non-www-https

        # Global redirection: HTTPS www to HTTPS non-www
        - traefik.http.routers.www-redirects.entrypoints=websecure
        - traefik.http.routers.www-redirects.rule=hostregexp(`{host:(www\.).+}`)
        - traefik.http.routers.www-redirects.tls=true
        - traefik.http.routers.www-redirects.tls.options=default
        - traefik.http.routers.www-redirects.middlewares=traefik-ratelimit,redirect-to-non-www-https

        # Middleware to redirect to bare https
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.regex=^https?://(?:www\.)?(.+)
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.replacement=https://$${1}
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.permanent=true

        # Middleware compression
        - traefik.http.middlewares.compress_traefik.compress=true
        - traefik.http.middlewares.compress_traefik.compress.excludedcontenttypes=text/event-stream

        # Dashboard on port 8000
        - traefik.http.routers.traefik.entrypoints=traefik
        - traefik.http.routers.traefik.rule=Host(`traefik.site.com`)
        - traefik.http.routers.traefik.service=api@internal
        #- traefik.http.routers.api.tls=true
        #- traefik.http.routers.api.tls.options=default
        - traefik.http.routers.traefik.tls.certresolver=letsencrypt
        # middlewares: use IP whitelisting, ratelimit and basic authentication
        - traefik.http.routers.traefik.middlewares=api-ipwhitelist,traefik-ratelimit,admin-auth

        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
        - traefik.http.middlewares.api-ipwhitelist.ipwhitelist.sourcerange=xxx.xxx.xxx.xxx,xxxx:xxxx...
        - traefik.http.services.api.loadbalancer.server.port=8000

        # Extra middleware (ratelimit, ip whitelisting)
        - traefik.http.middlewares.traefik-ratelimit.ratelimit.average=100
        - traefik.http.middlewares.traefik-ratelimit.ratelimit.burst=50
    ports:
      - target: 80
        published: 80
        protocol: tcp
        #mode: ingress
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        #mode: ingress
        mode: host
      - target: 8000
        published: 8000
        protocol: tcp
        mode: host

    volumes:
      - traefik-certificates:/letsencrypt
      - /opt/containers/traefik_conf:/traefik_conf
    networks:
      - cloud-public
      - cloud-socket-proxy

  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints: [node.role == manager]
    environment:
      NETWORKS: 1
      SERVICES: 1
      TASKS: 1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      cloud-socket-proxy:
        aliases:
          - socket-proxy

The second Traefik instance on nodeX doesn't work, and it stops the dashboard on the manager's Traefik:

services:
  second-reverse-proxy:
    image: traefik:v2.10
    command:
      - --providers.docker
      # Use the secure docker socket proxy
      - --providers.docker.endpoint=tcp://second-socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --providers.docker.swarmMode=true
      - --providers.docker.network=second-public
      - --providers.file.directory=/traefik_conf
      - --providers.file.watch=true
      # Entrypoints (ports) for the routers
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,...
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,....

      - --entrypoints.ssh.address=:2222

      - --entrypoints.traefik.address=:8000
      - --entrypoints.traefik.http.tls.certResolver=letsencrypt
  
      # Create the certificate resolver "letsencrypt" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.letsencrypt.acme.email=vincent@site.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      #For dev
      - --certificatesresolvers.letsencrypt-dev.acme.email=vincent@site.com
      - --certificatesresolvers.letsencrypt-dev.acme.storage=/letsencrypt/acme-dev.json
      - --certificatesresolvers.letsencrypt-dev.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencrypt-dev.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory

      # Logging
      - --accesslog=true
#      - --log.level=DEBUG
      # Enable the dashboard
      - --api
       
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.traefik-second-public.traefik-public-certificates == true
          - node.labels.second-traefik == true
      labels:
        # traefik.enable is required because we don't expose all containers automatically
        - traefik.enable=true
        - traefik.docker.network=second-public
        - traefik.constraint-label=second-public

        # Global redirection: HTTP to HTTPS
        - traefik.http.routers.http-redirects.entrypoints=web
        - traefik.http.routers.http-redirects.rule=hostregexp(`{host:(www\.)?.+}`)
        - traefik.http.routers.http-redirects.middlewares=traefik-ratelimit,redirect-to-non-www-https

        # Global redirection: HTTPS www to HTTPS non-www
        - traefik.http.routers.www-redirects.entrypoints=websecure
        - traefik.http.routers.www-redirects.rule=hostregexp(`{host:(www\.).+}`)
        - traefik.http.routers.www-redirects.tls=true
        - traefik.http.routers.www-redirects.tls.options=default
        - traefik.http.routers.www-redirects.middlewares=traefik-ratelimit,redirect-to-non-www-https

        # Middleware to redirect to bare https
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.regex=^https?://(?:www\.)?(.+)
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.replacement=https://$${1}
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.permanent=true

        # Middleware compression
        - traefik.http.middlewares.compress_traefik.compress=true
        - traefik.http.middlewares.compress_traefik.compress.excludedcontenttypes=text/event-stream

        # Dashboard on port 8000
        - traefik.http.routers.traefik.entrypoints=traefik
        - traefik.http.routers.traefik.rule=Host(`traefik.site2.fr`)
        - traefik.http.routers.traefik.service=api@internal
        #- traefik.http.routers.api.tls=true
        #- traefik.http.routers.api.tls.options=default
        - traefik.http.routers.traefik.tls.certresolver=letsencrypt
        # middlewares: use IP whitelisting, ratelimit and basic authentication
        - traefik.http.routers.traefik.middlewares=api-ipwhitelist,traefik-ratelimit,admin-auth

        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
 
        - traefik.http.middlewares.api-ipwhitelist.ipwhitelist.sourcerange=xxx.xxx.xxx.xxx,xxxx:xxx:xxxx:...
        - traefik.http.services.api.loadbalancer.server.port=8000

        # Extra middleware (ratelimit, ip whitelisting)
        - traefik.http.middlewares.traefik-ratelimit.ratelimit.average=100
        - traefik.http.middlewares.traefik-ratelimit.ratelimit.burst=50
    
    ports:
      - target: 80
        published: 80
        protocol: tcp
        #mode: ingress
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        #mode: ingress
        mode: host
      - target: 8000
    volumes:
      # storage for the SSL certificates
      - traefik-certificates:/letsencrypt
      - /mnt/v1-gfs/traefik-second_conf:/traefik_conf
      # bind mount the directory for your traefik configuration
    networks:
      - second-public
      - second-socket-proxy

  second-socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints: [node.labels.second-traefik == true]
    environment:
      NETWORKS: 1
      SERVICES: 1
      TASKS: 1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      second-socket-proxy:
        aliases:
          - socket-proxy

I tried with a provider constraint, but now on nodeX, with constraint label second:

time="2024-06-12T13:02:08Z" level=error msg="Failed to list services for docker swarm mode, error Error response from daemon: This node is not a swarm manager. Worker nodes can't be used to view or modify cluster state. Please run this command on a manager node or promote the current node to a manager." providerName=docker

time="2024-06-12T13:02:08Z" level=error msg="Provider connection error Error response from daemon: This node is not a swarm manager. Worker nodes can't be used to view or modify cluster state. Please run this command on a manager node or promote the current node to a manager., retrying in 3.304181656s" providerName=docker

Is the problem with

 - --providers.docker.endpoint=tcp://second-socket-proxy:2375  ???

nodeX is not a manager. What's the proper way with tecnativa/docker-socket-proxy?

Traefik or at least the docker-socket-proxy needs to run on a manager node when you want to use Swarm.

You can use the same socket proxy with two Traefik instances.

Overall, you still haven’t communicated the big picture. What do you want to achieve with 2 differently configured Traefik instances in Swarm?

I want the second Traefik to serve services from another server/IP than the manager.

You want to target only local containers or Docker Swarm services?

Yes exactly, local services and from a particular node.