Traefik 2.0 Swarm not working with Services on Ports

Hello there,

i try to setup traefik 2.0 on my swarm for a while now, but cant get it running.
the swarm constists of 5 VPS nodes, 3 manager 2 workers, all based on debian10 with docker ce 19.03.2 running.
Whenever i wanna access a service with a port like traefik 8080 i do get 404 page not found.
When i do the same with the whoami serivce all works as wanted.

Toml: https://pastebin.com/raw/EriUZvNH
Compose: https://pastebin.com/raw/SVMJxRX9

Adding Log, cause cant do more than 2 links as new user:
Log: https://pastebin.com/raw/VAkF4LAn

Would be glad if anyone could help me out, tried different basic configs already like:

hello,

with your configuration:

• the dashboard is accessible on the port 80 (and 443) with the path /dashboard.
• whoami is accessible on the port 80 (and 443) with the path /whoami.

I fixed some errors:

version: "3"

services:

  traefik:
    image: traefik:v2.0
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /gluster/global/data/traefik/acme.json:/acme.json:rw
      - /gluster/global/data/traefik/traefik.toml:/traefik.toml:ro
    environment:
      - API_KEY=bla
      - API_PASSWORD=bla
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
       - "traefik.enable=true"
       
       - "traefik.http.routers.traefik_https.rule=Path(`/dashboard`)"
       - "traefik.http.routers.traefik_https.entrypoints=websecure"
       - "traefik.http.routers.traefik_https.tls=true"
       - "traefik.http.routers.traefik_https.tls.certResolver=letsencrypt"
       - "traefik.http.routers.traefik_https.tls.domains[0].main=example.tld"
       - "traefik.http.routers.traefik_https.service=api@internal"
       - "traefik.http.routers.traefik_https.middlewares=traefik-auth"

       - "traefik.http.services.noop.loadbalancer.server.port=888"

       - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$iNdRs1II$$Qdw59WFY6y0Oaf0JaZTip0"

       - "traefik.http.routers.http_traefik.entrypoints=web"
       - "traefik.http.routers.http_traefik.rule=Path(`/dashboard`)"
       - "traefik.http.routers.http_traefik.middlewares=https_redirect"

       - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
       - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

  whoami:
    image: containous/whoami
    networks:
      - proxy
    deploy:
      labels:
       - "traefik.enable=true"
       
       - "traefik.http.routers.whoami_http.rule=Path(`/whoami`)"
       - "traefik.http.routers.whoami_http.entrypoints=web"
       - "traefik.http.routers.whoami_http.middlewares=redirect-https-whoami"

       - "traefik.http.middlewares.redirect-https-whoami.redirectscheme.scheme=https"

       - "traefik.http.routers.whoami_https.rule=Path(`/whoami`)"
       - "traefik.http.routers.whoami_https.entrypoints=websecure"
       - "traefik.http.routers.whoami_https.tls=true"
       - "traefik.http.routers.whoami_https.tls.certResolver=letsencrypt"
       - "traefik.http.routers.whoami_https.service=whoami"
       
       - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  proxy:
    external: true

[global]
  checkNewVersion = true
  sendAnonymousUsage = true

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

[log]
  level = "DEBUG"

[api]

[certificatesResolvers.letsencrypt.acme]
  email = "email@example.tld"
  storage = "acme.json"

  [certificatesResolvers.letsencrypt.acme.dnsChallenge]
    provider = "netcup"

[ping]

[providers]
  [providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    defaultRule = "Host(`{{ normalize .Name }}.example.tld`)"
    watch = true
    exposedByDefault = false
    swarmMode = true

if you want to use the defaultRule you have to remove traefik.http.routers.xxx.rule labels.

https://docs.traefik.io/v2.0/providers/docker/#defaultrule

hey there,

first off thanks for the help, i disabled the defaultRule and changed everything to your corrected version, sadly i still get 404 at example.tld/dashboard and same on https one.
New Logs:
https://pastebin.com/raw/Ka9EXNUt

404 simply means that your request did not match any rule. What exactly your request was and which rule did you expect it to match?

i want my traefik dashboard to show up when i type:
http://domain.tld/dashboard or https://domain.tld/dashboard
or another service like portainer:
http://domain.tld/portainer or https://domain.tld/portainer

but all i get is 404 every time, posted my config above, already apply'd fixes suggested by Idez

version: "3"

services:

  traefik:
    image: traefik:v2.0
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /gluster/global/data/traefik/acme.json:/acme.json:rw
      - /gluster/global/data/traefik/traefik.toml:/traefik.toml:ro
    environment:
      - API_KEY=bla
      - API_PASSWORD=bla
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
       - "traefik.enable=true"
       
       - "traefik.http.routers.traefik_https.rule=Host(`dashboard.example.tld`) && (Path(`/dashboard`) || Path(`/api`)"
       - "traefik.http.routers.traefik_https.entrypoints=websecure"
       - "traefik.http.routers.traefik_https.tls=true"
       - "traefik.http.routers.traefik_https.tls.certResolver=letsencrypt"
       - "traefik.http.routers.traefik_https.tls.domains[0].main=example.tld"
       - "traefik.http.routers.traefik_https.service=api@internal"
       - "traefik.http.routers.traefik_https.middlewares=traefik-auth"

       - "traefik.http.services.noop.loadbalancer.server.port=888"

       - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$iNdRs1II$$Qdw59WFY6y0Oaf0JaZTip0"

       - "traefik.http.routers.http_traefik.rule=Host(`dashboard.example.tld`) && (Path(`/dashboard`) || Path(`/api`)"
       - "traefik.http.routers.http_traefik.entrypoints=web"
       - "traefik.http.routers.http_traefik.middlewares=https_redirect"

       - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
       - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

  whoami:
    image: containous/whoami
    networks:
      - proxy
    deploy:
      labels:
       - "traefik.enable=true"
       
       - "traefik.http.routers.whoami_http.rule=Host(`whoami.example.tld`) && Path(`/whoami`)"
       - "traefik.http.routers.whoami_http.entrypoints=web"
       - "traefik.http.routers.whoami_http.middlewares=redirect-https-whoami"

       - "traefik.http.middlewares.redirect-https-whoami.redirectscheme.scheme=https"

       - "traefik.http.routers.whoami_https.rule=Host(`whoami.example.tld`) && Path(`/whoami`)"
       - "traefik.http.routers.whoami_https.entrypoints=websecure"
       - "traefik.http.routers.whoami_https.tls=true"
       - "traefik.http.routers.whoami_https.tls.certResolver=letsencrypt"
       - "traefik.http.routers.whoami_https.service=whoami"
       
       - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  proxy:
    external: true

with this the redirect from http to https does not work anymore but also 404 isnt gone still comes up at /dashboard or /api

I created a simple working example (no swarm, no let's encrypt, no file):

version: "3"

services:

  traefik:
    image: traefik:v2.0.0
    ports:
      - "80:80"
      - "443:443"
    command:
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --log.level=DEBUG
      - --api
      - --ping
      # - --certificatesResolvers.letsencrypt.acme.email="email@example.tld"
      # - --certificatesResolvers.letsencrypt.acmestorage="acme.json"
      # - --certificatesResolvers.letsencrypt.acme.dnsChallenge.provider="netcup"
      - --providers.docker.exposedByDefault=false
      # - --providers.docker.watch=true
      # - --providers.docker.swarmMode=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      
      - "traefik.http.routers.traefik_https.rule=Host(`dashboard.docker.localhost`)"
      - "traefik.http.routers.traefik_https.entrypoints=websecure"
      - "traefik.http.routers.traefik_https.tls=true"
      # - "traefik.http.routers.traefik_https.tls.certResolver=letsencrypt"
      - "traefik.http.routers.traefik_https.service=api@internal"
      - "traefik.http.routers.traefik_https.middlewares=traefik-auth"

      # - "traefik.http.services.noop.loadbalancer.server.port=888" # required only for swarm

      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$iNdRs1II$$Qdw59WFY6y0Oaf0JaZTip0"

      - "traefik.http.routers.http_traefik.rule=Host(`dashboard.docker.localhost`)"
      - "traefik.http.routers.http_traefik.entrypoints=web"
      - "traefik.http.routers.http_traefik.middlewares=https_redirect"

      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

  whoami:
    image: containous/whoami:v1.3.0
    labels:
      - "traefik.enable=true"
      
      - "traefik.http.routers.whoami_http.rule=Host(`whoami.docker.localhost`)"
      - "traefik.http.routers.whoami_http.entrypoints=web"
      - "traefik.http.routers.whoami_http.middlewares=redirect-https-whoami"

      - "traefik.http.middlewares.redirect-https-whoami.redirectscheme.scheme=https"

      - "traefik.http.routers.whoami_https.rule=Host(`whoami.docker.localhost`)"
      - "traefik.http.routers.whoami_https.entrypoints=websecure"
      - "traefik.http.routers.whoami_https.tls=true"
      # - "traefik.http.routers.whoami_https.tls.certResolver=letsencrypt"
      
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

• dashboard.docker.localhost serve the Traefik dashboard with auto-signed certificates
• whoami.docker.localhost serve the whoami with auto-signed certificates

tried to inspire you with that.

@ldez sould it be PathPrefix instead of Path for /dashboard and /api?

yes PathPrefix instead of Path is the right anwser.

without swarm it works, but whats the mistake then?

another update, got it running now with swarm, mistake was:

       - "traefik.http.routers.http_traefik.rule=Host(`dashboard.example.tld`) && (Path(`/dashboard`) || Path(`/api`)"

missing the closing ")". after that i got it running on the subdomain.
Is it possible that i add additional labels that i can access like:
domain.tld/traefik (redirects to dashboard but still shows /traefik)
domain.tld/portainer (redirects to portainer)

n so on? cause thats my final setup i wanna archive

thanks a lot so far!

I don't know if it would work for traefik dashboard or not, but many applications are not written to support to be accessed on a different path than intended. In many cases, if apps expects to be found on /checkout and you serve it on /shop it won't work because it's not what the app expects and was never designed to support. You can redirect the particular request, but all dependencies may be wrong, which would make the app unusable.

oh so this picture from the guide seems a bit misleading then:
https://docs.traefik.io/v2.0/routing/providers/docker/

It's not really misleading, it's just that Traefik's dashboard along with a few others like Portainer just didn't design themselves to work nicely in that sort of environment.

For Traefik, you may need to wait for a fix https://github.com/containous/traefik/issues/5374

thanks problem solved

The above configuration worked for me as well. Can someone explain why the dashboard doesn't work over HTTPS without having the HTTP redirect also configured? The documentation makes it seem like just having the HTTPS router configured and pointing to service api@internal would work, but that didn't seem to work.

Thanks, helped a lot with dashboard in HTTPS