This works for me with Docker Swarm and docker stack deploy. I use a trusted base image and just manually create a little docker socket proxy configuration inline. Socket proxy uses no ports:, as all connections happen within a Docker network.
services:
traefik:
image: traefik:v3.1
hostname: '{{.Node.Hostname}}'
ports:
- published: 80
target: 80
protocol: tcp
mode: host
- published: 443
target: 443
protocol: tcp
mode: host
networks:
- dockersock
- proxy
volumes:
- letsencrypt:/letsencrypt
#- /var/log:/var/log
command:
- --api.dashboard=true
- --log.level=INFO
#- --log.filepath=/var/log/traefik.log
- --accesslog=true
- --accesslog.format=json
#- --accesslog.filepath=/var/log/traefik-access.log
- --providers.swarm.network=proxy
- --providers.swarm.endpoint=tcp://dockersock:2375
- --providers.swarm.exposedByDefault=false
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entryPoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.asDefault=true
- --entrypoints.websecure.http.tls.certresolver=myresolver
- --certificatesresolvers.myresolver.acme.email=mail@example.com
- --certificatesresolvers.myresolver.acme.tlschallenge=true
- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
deploy:
mode: global
placement:
constraints:
- node.role==manager
labels:
- traefik.enable=true
- traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
- traefik.http.routers.mydashboard.service=api@internal
- traefik.http.routers.mydashboard.middlewares=myauth
- traefik.http.services.mydashboard.loadbalancer.server.port=1337
- traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
dockersock:
image: nginx:alpine-slim
hostname: '{{.Node.Hostname}}'
#user: "0"
#user: dockersocket:docker
security_opt:
- no-new-privileges:true
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
cap_drop:
- ALL
networks:
- dockersock
volumes:
- /var/run/docker.sock:/var/run/docker.sock
deploy:
mode: global
placement:
constraints:
- node.role==manager
entrypoint: ["/bin/sh", "-c"]
command:
- |
ln -sf /dev/stdout /var/log/nginx/access.log
ln -sf /dev/stderr /var/log/nginx/error.log
#su - nginx
cat <<'EOF' > /etc/nginx/nginx.conf
user root;
events { worker_connections 1024; }
http {
server {
listen 2375;
location ~ ^/(v1\.24/events|v1\.24/containers|v1\.24/services|v1\.24/version|v1\.24/networks|v1\.24/tasks) {
if ($$request_method != GET) { return 405; }
proxy_pass http://unix:/var/run/docker.sock;
proxy_set_header Host $$host;
proxy_set_header X-Real-IP $$remote_addr;
proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $$scheme;
}
location / { return 405; }
}
}
EOF
echo ID
id
echo Starting nginx
nginx -g "daemon off;"
expose:
- 2375
whoami:
image: traefik/whoami:v1.10
hostname: '{{.Node.Hostname}}'
networks:
- proxy
deploy:
mode: global
labels:
- traefik.enable=true
- traefik.http.routers.whoami.rule=Host(`whoami.example.com`) || PathPrefix(`/whoami`)
- traefik.http.services.whoami.loadbalancer.server.port=80
networks:
proxy:
name: proxy
driver: overlay
attachable: true
dockersock:
name: dockersock
driver: overlay
attachable: true
volumes:
letsencrypt:
name: letsencrypt
For regular Docker you might need to adjust the script line:
location ~ ^/(v1\.24/events|v1\.24/containers|v1\.24/services|v1\.24/version|v1\.24/networks|v1\.24/tasks) {