Traefik 2.0 Docker Swarm

Hi,
I have 3 node Docker Swarm that I have various services running on. I want to use Traefik to proxy all the web traffic.

I have the following docker compose stack file:

version: "3.3"

services:

  traefik:
    image: "traefik:latest"
    command:
      - --log.level=DEBUG
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmMode=true
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.address=:80
      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.mytlschallenge.acme.email=postmaster@user@email.com
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik_network
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)
    ports:
      - "443:443"
      - "80:80"
      - "8040:8080"
    volumes:
      - letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik_network
    deploy:
      mode: global
      placement:
        constraints: [node.role == manager]

networks:
  traefik_network:
    external: true
  
volumes:
  letsencrypt:
    driver: local
    driver_opts:
      type: nfs
      o: addr=10.0.0.200,rw,nolock
      device: ":/srv/nfs/letsencrypt"

I am not trying to get Let's Encrypt working just yet, but am leaving it in for completeness. As you can see I'm dog-fooding traefik on itself, but it does not produce a route. I have this from the debug:

time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" container=nextcloud-app-dbhc1sgxm53qpy9ti7dp3zwls providerName=docker
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=mailserver-redis-qzi3d04zogzgh28a2d8u41m6f
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" container=portainer-portainer-hvjmfuz8rbuo18f5e41expadg providerName=docker
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=nsd-nsd-b5dvun6mqinjj8edxs43ael4n
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=portainer-agent-ibm426fq93l2l5x6qizkitbje
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=portainer-agent-ks02px3y8577fyd4jg89ae5w3
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=portainer-agent-qh1t1sbwgt93pd4v7rmc47m68
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=ghost-ghost-kwbql2gnovqswwihmesf1xogu
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=mailserver-mailserver-y54ahg4t9stjyxarzge2f5ztz
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-traefik-filib5drkhyivjv9lay8b8bya
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=ghost-db-9k9vre6gne26997wts0sryzrl
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=bitwarden-bitwarden-l5lo6y2b0jatboh0avwf7dl8j
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=mailserver-mariadb-wmpbhgux6j4ngisi0xcty9hdh
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=mailserver-rainloop-s99rldk74d3xynbxedmt9i72y
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=nextcloud-db-xt5au6sjc1vcmouj3mu35x0ne
time="2019-10-31T15:30:40Z" level=debug msg="Filtering disabled container" providerName=docker container=mailserver-postfixadmin-alwm4esmc64kirkx8tyumh7hn
time="2019-10-31T15:30:40Z" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
time="2019-10-31T15:30:40Z" level=info msg="Skipping same configuration for provider docker" providerName=docker

Any help is appreciated.

Hello,

with Swarm the labels must placed inside the section deploy:

https://docs.traefik.io/v2.0/providers/docker/#configuration-examples

version: "3.3"

services:

  traefik:
    image: "traefik:latest"
    command:
      - --log.level=DEBUG
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmMode=true
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.address=:80
      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.mytlschallenge.acme.email=postmaster@user@email.com
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
    ports:
      - "443:443"
      - "80:80"
      - "8040:8080"
    volumes:
      - letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik_network
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik_network
        - traefik.http.routers.traefik.entrypoints=websecure
        - traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)
      mode: global
      placement:
        constraints: [node.role == manager]

networks:
  traefik_network:
    external: true
  
volumes:
  letsencrypt:
    driver: local
    driver_opts:
      type: nfs
      o: addr=10.0.0.200,rw,nolock
      device: ":/srv/nfs/letsencrypt"

Before I saw this response, I stripped down the command config, and redeploying suddenly populated traefik which near everything I have a container for, which I thought is not right either.

Continuing my attempt to get the traefik dashboard proxied, I continued with the following adjusted config.

version: "3.3"

services:

  traefik:
    image: "traefik:latest"
    command:
      - --api.insecure
      - --providers.docker
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443

    ports:
      - "443:443"
      - "80:80"
      - "8040:8080"
    volumes:
      - letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
     - traefik_network
    deploy:
      mode: global
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik_network
        - traefik.http.routers.traefik.entrypoints=websecure
        - traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)
        - traefik.http.services.traefik.loadbalancer.server.port=8040

networks:
  traefik_network:
    external: true
  
volumes:
  letsencrypt:
    driver: local
    driver_opts:
      type: nfs
      o: addr=10.0.0.200,rw,nolock
      device: ":/srv/nfs/letsencrypt"

Now I get a 404 when visiting traefik.domain.com (domain.com an example zone only).

If you are using Swarm, you have to:

  • set --providers.docker.swarmMode=true
  • add labels in the deploy section

also the port ser by traefik.http.services.traefik.loadbalancer.server.port must be 8080.

version: "3.3"

services:

  traefik:
    image: "traefik:v2.0.4"
    command:
      - --api.insecure
      - --providers.docker
      - --providers.docker.swarmMode=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443

    ports:
      - "443:443"
      - "80:80"
      - "8040:8080"
    volumes:
      - letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
     - traefik_network
    deploy:
      mode: global
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik_network
        - traefik.http.routers.traefik.entrypoints=websecure
        - traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)
        - traefik.http.services.traefik.loadbalancer.server.port=8080

networks:
  traefik_network:
    external: true
  
volumes:
  letsencrypt:
    driver: local
    driver_opts:
      type: nfs
      o: addr=10.0.0.200,rw,nolock
      device: ":/srv/nfs/letsencrypt"

Having added swarmMode to command and port 8080 to the label, that at the very least has cleared up all the discoveries I didn't want displayed, https://traefik.domain.com still 404s.

The 404 messages I'm getting now is because I'm wanting to use HTTPS but without it having configured correctly. I just assumed it would automatically create and use a self-signed cert -- I'll get around to letsencrypt next. Changing the entrypoint to HTTP now works as expected. Learning the basics of traefik along the way.

I'd say this issue is now resolved, I have HTTPS requests working -- albeit the certs are still producing errors, but it is unrelated to the OP.