Hello, I have 1 Traefik instance (v2.10) on my swarm manager, and it works. Now I want to start a new Traefik instance on nodeX, with a new configuration, another network-public and socket-proxy. I did that, but when I start this second instance, I get this error on the first Traefik:

```
time="2024-06-12T09:09:15Z" level=error msg="Router defined multiple times with different configurations in [traefik-second-reverse-proxy-gjv39mywm6v4cqj1vxamzg3mi traefik-reverse-proxy-pyorfw970rtxrjodgswjs4ub0]" providerName=docker routerName=traefik
time="2024-06-12T09:09:15Z" level=error msg="Middleware defined multiple times with different configurations in [traefik-second-reverse-proxy-gjv39mywm6v4cqj1vxamzg3mi traefik-reverse-proxy-pyorfw970rtxrjodgswjs4ub0]" providerName=docker middlewareName=admin-auth
```

And the second instance doesn't work, and the dashboard of the first stops working too.
brablc
June 12, 2024, 9:46am
2
Did you change your Traefik labels in the copy of the service? Maybe show the original and copy labels so we can see.
Different services/containers need different labels. Both Traefik instances are discovered via providers.docker and both probably have traefik.http.router.traefik….
Another option is to declare a different constraint (doc) for each providers.docker and add dedicated labels.
My 2 docker-compose:
ON NODE MANAGER (WORKS)
```yaml
services:
  reverse-proxy:
    image: traefik:v2.10
    command:
      - --providers.docker
      # Use the secure docker socket proxy
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --providers.docker.swarmMode=true
      - --providers.docker.network=cloud-public
      - --providers.file.directory=/traefik_conf
      - --providers.file.watch=true
      # Entrypoints (ports) for the routers
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,...
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,...
      - --entrypoints.traefik.address=:8000
      - --entrypoints.traefik.http.tls.certResolver=letsencrypt
      # Create the certificate resolver "letsencrypt" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.letsencrypt.acme.email=vincent@site.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      # For dev
      - --certificatesresolvers.letsencrypt-dev.acme.email=vincent@site.com
      - --certificatesresolvers.letsencrypt-dev.acme.storage=/letsencrypt/acme-dev.json
      - --certificatesresolvers.letsencrypt-dev.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencrypt-dev.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      # Logging
      - --accesslog=true
      # Enable the dashboard
      - --api
      - --metrics
      - --metrics.prometheus
      - --metrics.prometheus.addEntryPointsLabels=true
      - --metrics.prometheus.addServicesLabels=true
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.cloud-public.traefik-certificates == true
          - node.role == manager
      labels:
        # traefik.enable is required because we don't expose all containers automatically
        - traefik.enable=true
        - traefik.docker.network=cloud-public
        - traefik.constraint-label=cloud-public
        # Global redirection: HTTP to HTTPS
        - traefik.http.routers.http-redirects.entrypoints=web
        - traefik.http.routers.http-redirects.rule=hostregexp(`{host:(www\.)?.+}`)
        - traefik.http.routers.http-redirects.middlewares=traefik-ratelimit,redirect-to-non-www-https
        # Global redirection: HTTPS www to HTTPS non-www
        - traefik.http.routers.www-redirects.entrypoints=websecure
        - traefik.http.routers.www-redirects.rule=hostregexp(`{host:(www\.).+}`)
        - traefik.http.routers.www-redirects.tls=true
        - traefik.http.routers.www-redirects.tls.options=default
        - traefik.http.routers.www-redirects.middlewares=traefik-ratelimit,redirect-to-non-www-https
        # Middleware to redirect to bare https
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.regex=^https?://(?:www\.)?(.+)
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.replacement=https://$${1}
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.permanent=true
        # Middleware compression
        - traefik.http.middlewares.compress_traefik.compress=true
        - traefik.http.middlewares.compress_traefik.compress.excludedcontenttypes=text/event-stream
        # Dashboard on port 8000
        - traefik.http.routers.traefik.entrypoints=traefik
        - traefik.http.routers.traefik.rule=Host(`traefik.site.com`)
        - traefik.http.routers.traefik.service=api@internal
        #- traefik.http.routers.api.tls=true
        #- traefik.http.routers.api.tls.options=default
        - traefik.http.routers.traefik.tls.certresolver=letsencrypt
        # middlewares: use IP whitelisting, ratelimit and basic authentication
        - traefik.http.routers.traefik.middlewares=api-ipwhitelist,traefik-ratelimit,admin-auth
        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
        - traefik.http.middlewares.api-ipwhitelist.ipwhitelist.sourcerange=xxx.xxx.xxx.xxx,xxxx:xxxx...
        - traefik.http.services.api.loadbalancer.server.port=8000
        # Extra middleware (ratelimit, ip whitelisting)
        - traefik.http.middlewares.traefik-ratelimit.ratelimit.average=100
        - traefik.http.middlewares.traefik-ratelimit.ratelimit.burst=50
    ports:
      - target: 80
        published: 80
        protocol: tcp
        #mode: ingress
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        #mode: ingress
        mode: host
      - target: 8000
        published: 8000
        protocol: tcp
        mode: host
    volumes:
      - traefik-certificates:/letsencrypt
      - /opt/containers/traefik_conf:/traefik_conf
    networks:
      - cloud-public
      - cloud-socket-proxy
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints: [node.role == manager]
    environment:
      NETWORKS: 1
      SERVICES: 1
      TASKS: 1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      cloud-socket-proxy:
        aliases:
          - socket-proxy
```
The second Traefik instance on nodeX doesn't work, and it stops the dashboard on the manager's Traefik:
```yaml
services:
  second-reverse-proxy:
    image: traefik:v2.10
    command:
      - --providers.docker
      # Use the secure docker socket proxy
      - --providers.docker.endpoint=tcp://second-socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --providers.docker.swarmMode=true
      - --providers.docker.network=second-public
      - --providers.file.directory=/traefik_conf
      - --providers.file.watch=true
      # Entrypoints (ports) for the routers
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,...
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,....
      - --entrypoints.ssh.address=:2222
      - --entrypoints.traefik.address=:8000
      - --entrypoints.traefik.http.tls.certResolver=letsencrypt
      # Create the certificate resolver "letsencrypt" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.letsencrypt.acme.email=vincent@site.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      # For dev
      - --certificatesresolvers.letsencrypt-dev.acme.email=vincent@site.com
      - --certificatesresolvers.letsencrypt-dev.acme.storage=/letsencrypt/acme-dev.json
      - --certificatesresolvers.letsencrypt-dev.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencrypt-dev.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      # Logging
      - --accesslog=true
      # - --log.level=DEBUG
      # Enable the dashboard
      - --api
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.traefik-second-public.traefik-public-certificates == true
          - node.labels.second-traefik == true
      labels:
        # traefik.enable is required because we don't expose all containers automatically
        - traefik.enable=true
        - traefik.docker.network=second-public
        - traefik.constraint-label=second-public
        # Global redirection: HTTP to HTTPS
        - traefik.http.routers.http-redirects.entrypoints=web
        - traefik.http.routers.http-redirects.rule=hostregexp(`{host:(www\.)?.+}`)
        - traefik.http.routers.http-redirects.middlewares=traefik-ratelimit,redirect-to-non-www-https
        # Global redirection: HTTPS www to HTTPS non-www
        - traefik.http.routers.www-redirects.entrypoints=websecure
        - traefik.http.routers.www-redirects.rule=hostregexp(`{host:(www\.).+}`)
        - traefik.http.routers.www-redirects.tls=true
        - traefik.http.routers.www-redirects.tls.options=default
        - traefik.http.routers.www-redirects.middlewares=traefik-ratelimit,redirect-to-non-www-https
        # Middleware to redirect to bare https
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.regex=^https?://(?:www\.)?(.+)
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.replacement=https://$${1}
        - traefik.http.middlewares.redirect-to-non-www-https.redirectregex.permanent=true
        # Middleware compression
        - traefik.http.middlewares.compress_traefik.compress=true
        - traefik.http.middlewares.compress_traefik.compress.excludedcontenttypes=text/event-stream
        # Dashboard on port 8000
        - traefik.http.routers.traefik.entrypoints=traefik
        - traefik.http.routers.traefik.rule=Host(`traefik.site2.fr`)
        - traefik.http.routers.traefik.service=api@internal
        #- traefik.http.routers.api.tls=true
        #- traefik.http.routers.api.tls.options=default
        - traefik.http.routers.traefik.tls.certresolver=letsencrypt
        # middlewares: use IP whitelisting, ratelimit and basic authentication
        - traefik.http.routers.traefik.middlewares=api-ipwhitelist,traefik-ratelimit,admin-auth
        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
        - traefik.http.middlewares.api-ipwhitelist.ipwhitelist.sourcerange=xxx.xxx.xxx.xxx,xxxx:xxx:xxxx:...
        - traefik.http.services.api.loadbalancer.server.port=8000
        # Extra middleware (ratelimit, ip whitelisting)
        - traefik.http.middlewares.traefik-ratelimit.ratelimit.average=100
        - traefik.http.middlewares.traefik-ratelimit.ratelimit.burst=50
    ports:
      - target: 80
        published: 80
        protocol: tcp
        #mode: ingress
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        #mode: ingress
        mode: host
      - target: 8000
    volumes:
      # storage for the SSL certificates
      - traefik-certificates:/letsencrypt
      - /mnt/v1-gfs/traefik-second_conf:/traefik_conf
      # bind mount the directory for your traefik configuration
    networks:
      - second-public
      - second-socket-proxy
  second-socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints: [node.labels.second-traefik == true]
    environment:
      NETWORKS: 1
      SERVICES: 1
      TASKS: 1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      second-socket-proxy:
        aliases:
          - socket-proxy
```
I tried with a provider constraint, but now on nodeX, constraint label second:

```
time="2024-06-12T13:02:08Z" level=error msg="Failed to list services for docker swarm mode, error Error response from daemon: This node is not a swarm manager. Worker nodes can't be used to view or modify cluster state. Please run this command on a manager node or promote the current node to a manager." providerName=docker
time="2024-06-12T13:02:08Z" level=error msg="Provider connection error Error response from daemon: This node is not a swarm manager. Worker nodes can't be used to view or modify cluster state. Please run this command on a manager node or promote the current node to a manager., retrying in 3.304181656s" providerName=docker
```

Problem with `- --providers.docker.endpoint=tcp://second-socket-proxy:2375`???
nodeX is not a manager; what's the proper way with tecnativa/docker-socket-proxy?
Traefik or at least the docker-socket-proxy needs to run on a manager node when you want to use Swarm.
You can use the same socket proxy with two Traefik instances.
Overall, you still haven’t communicated the big picture. What do you want to achieve with 2 differently configured Traefik instances in Swarm?
I want the second Traefik to serve services from another server/IP than the manager.
You want to target only local containers or Docker Swarm services?
Yes exactly, local services and from a particular node.
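
Added example, not part of the original posts and not Traefik's own code: a pre-deploy check that reproduces the "defined multiple times with different configurations" condition from the first log and shows how a provider constraint on `traefik.constraint-label` removes it. The function names, the shortened service names and the `USER_A:HASH_A` style values are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the deploy labels from the two stacks in this
# thread. The basicauth values are placeholders for the expanded variables.
COMMON = [
    "traefik.enable=true",
    "traefik.http.routers.http-redirects.entrypoints=web",
    "traefik.http.routers.traefik.service=api@internal",
    "traefik.http.middlewares.traefik-ratelimit.ratelimit.average=100",
]
SERVICES = {
    "traefik-reverse-proxy": COMMON + [
        "traefik.constraint-label=cloud-public",
        "traefik.http.routers.traefik.rule=Host(`traefik.site.com`)",
        "traefik.http.middlewares.admin-auth.basicauth.users=USER_A:HASH_A",
    ],
    "traefik-second-reverse-proxy": COMMON + [
        "traefik.constraint-label=second-public",
        "traefik.http.routers.traefik.rule=Host(`traefik.site2.fr`)",
        "traefik.http.middlewares.admin-auth.basicauth.users=USER_B:HASH_B",
    ],
}
ELEMENT = re.compile(
    r"^traefik\.((?:http|tcp|udp)\.(?:routers|middlewares|services))\.([^.]+)\.(.+)$")

def parse(labels):
    """Split one service's labels into ({(kind, name): {option: value}}, all_labels)."""
    elements, plain = defaultdict(dict), {}
    for label in labels:
        key, _, value = label.partition("=")
        plain[key] = value
        m = ELEMENT.match(key)
        if m:
            elements[m.group(1), m.group(2)][m.group(3)] = value
    return elements, plain

def conflicts(services, constraint=None):
    """Elements one Traefik instance sees defined with different options.
    constraint=(label, value) models the provider option
    --providers.docker.constraints=Label(`label`,`value`)."""
    seen = defaultdict(set)  # (kind, name) -> distinct configurations
    for labels in services.values():
        elements, plain = parse(labels)
        if plain.get("traefik.enable") != "true":
            continue  # exposedByDefault=false: unlabelled services are ignored
        if constraint and plain.get(constraint[0]) != constraint[1]:
            continue  # filtered out by the provider constraint
        for key, options in elements.items():
            seen[key].add(tuple(sorted(options.items())))
    return sorted(key for key, configs in seen.items() if len(configs) > 1)
```

Without a constraint the check flags the `traefik` router and the `admin-auth` middleware, the two names in the error log. Identical definitions such as `http-redirects` are not flagged, and each constrained view comes back empty.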