Swarm deployment: TLS settings needed on the router?

Hi,

Having already put TLS settings at the command level:

command: # CLI arguments
  - --global.checkNewVersion=true
  - --global.sendAnonymousUsage=true
  - --entrypoints.web.address=:80
  - --entrypoints.web.http.redirections.entrypoint.to=websecure
  - --entrypoints.web.http.redirections.entrypoint.scheme=https
  - --entrypoints.web.http.redirections.entrypoint.permanent=true
  - --entryPoints.web.proxyProtocol.insecure=true
  - --entryPoints.web.forwardedHeaders.insecure=true
    #- --entrypoints.web.http.middlewares=traefik-bouncer@file
  - --entrypoints.websecure.address=:443
  - --entrypoints.websecure.http.tls=true
  - --entrypoints.websecure.http.tls.options=tls-opts@file
  - --entrypoints.websecure.http.tls.certresolver=dns-cloudflare
    #- --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
  - --entryPoints.websecure.forwardedHeaders.insecure=true
  - --entryPoints.websecure.proxyProtocol.insecure=true
    #- --entrypoints.websecure.http.middlewares=traefik-bouncer@file

I thought I would not need them on the labels (I did not need them on a previous Docker deployment or on a Kubernetes deployment), but without them the certresolver would not start for the router's domain.

deploy:
  mode: replicated
  replicas: 1
  labels:
    - "org.label-schema.group=monitoring"
    - "traefik.enable=true"
    - "traefik.swarm.network=traefik"
    # HTTP Routers
    - "traefik.http.routers.traefik-router.entrypoints=websecure"
    - "traefik.http.routers.traefik-router.rule=Host(`traefik.domain.com`)"
    - "traefik.http.routers.traefik-router.tls=true"
    - "traefik.http.routers.traefik-router.tls.options=tls-opts@file"
    - "traefik.http.routers.traefik-router.tls.certresolver=dns-cloudflare"
    #Services - API
    - "traefik.http.routers.traefik-router.service=api@internal"
    - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    # Middlewares
    - "traefik.http.routers.traefik-router.middlewares=secure-headers@file"

Is there something I am missing, or is it a Swarm thing?

Thank you.

Correct, no need for TLS on labels, best to handle it centrally.

Check simple Traefik Swarm examples (single, multiple with dnsChallenge).

That's what I knew, but apparently it didn't work out until I added the labels... the Cloudflare ACME mechanism did not trigger.

Anyway, I removed the deployment and re-deployed after some config clearing, and it actually seems to work as expected. Probably a provider.swarm.watch=true helped along the way.

Watch defaults to true anyway, so that shouldn't make a difference (doc).
