Traefik v2 + Docker Swarm + LE - Service/Subdomain routing

Hi,
I've been trying to set up a dev/prod env on a bare metal hosted server, using Traefik as the reverse proxy in a Docker Swarm setup.

I've been able to set up the Traefik with Lets Encrypt SSL and I have been able to reach services/containers exposed to the internet using sub.domain.com:port, but I want to be able to route through my Traefik using service.sub.domain.com and reach different services. For example portainer.sub.domain.com. I've not yet managed to do this.

Preferably I would be able to do it using a wildcard cert for all current and incoming services in the swarm.

I've been scratching my head for some days now as I'm quite new to Docker Swarm and Traefik and this type of setup. Any help and or tips would be greatly appreciated!

The compose file thus far:

version: '3.9'
networks:
  traefik-swarm:
    external: true

services:
    traefik:
      image: "traefik:v2.6"
      networks:
          - traefik-swarm
          # - proxy
      command:
        # - "--providers.docker.endpoint=tcp://socket-proxy:2375"
        - "--providers.docker.swarmMode=true"
        - "--providers.docker.exposedByDefault=false"
        - "--providers.docker.network=traefik-swarm"
        - "--log.level=INFO"
        - "--api.insecure=true"
        - "--api.dashboard=true"
        # - "--log=true"
        # - "--log.level=WARN" # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
        # - "--accessLog=false"
        # - "--accessLog.filePath=/traefik.log"
        # - "--accessLog.bufferingSize=100" # Configuring a buffer of 100 lines
        # - "--accessLog.filters.statusCodes=400-499"
        - "--entryPoints.web.address=:80"
        - "--entryPoints.websecure.address=:443"
        # - --entrypoints.websecure.http.tls.domains[0].main=sub.domain.com
        # - --entrypoints.websecure.http.tls.domains[0].sans=*.sub.domain.com

        - "--certificatesresolvers.le.acme.httpchallenge=true"
        - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
        - "--certificatesresolvers.le.acme.email=email"
        - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
        - "--certificatesResolvers.le.acme.caServer=https://acme-v02.api.letsencrypt.org/directory"
      ports:
        - target: 80
          published: 80
          protocol: tcp
          mode: host
        - target: 443
          published: 443
          protocol: tcp
          mode: host
        - target: 8080
          published: 8080
          protocol: tcp
          mode: host
      deploy:
        update_config:
          parallelism: 1
          delay: 10s
        mode: global
        placement:
          constraints:
            - node.role == manager
        restart_policy:
          condition: on-failure
          delay: 5s
          max_attempts: 3
          window: 120s
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.traefik.rule=Host(`traefik.sub.domain.com`)"
          - "traefik.http.services.traefik.loadbalancer.server.port=8080"
          - "traefik.http.services.traefik.loadbalancer.server.port=80"
          - "traefik.http.routers.traefik.service=api@internal"
          - "traefik.http.routers.traefik.entrypoints=https"
          - "traefik.http.routers.traefik.tls.certresolver=le"
          - "traefik.http.routers.traefik.tls=true"
          - "traefik.http.routers.traefik.entrypoints=websecure"

          # global redirect to https
          - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
          - "traefik.http.routers.http-catchall.entrypoints=web"
          - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"

          # middleware redirect
          - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      volumes:
        # - "./certs/:/etc/ssl/:ro"
        - "./letsencrypt:/letsencrypt"
        - "/var/run/docker.sock:/var/run/docker.sock:ro"

    whoami:
      networks:
          - traefik-swarm
      image: "traefik/whoami"
      command:
        - "--port=82"
      ports:
        - "82:82"
      deploy:
        restart_policy:
          condition: on-failure
        placement:
          constraints:
            - node.role == manager
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.whoami.rule=Host(`whoami.sub.domain.com`)"
          - "traefik.http.routers.whoami.entrypoints=websecure"
          - "traefik.http.routers.whoami.tls=true"
          - "traefik.http.routers.whoami.tls.certresolver=le"
          - "traefik.http.services.whoami.loadbalancer.server.port=82"```

Thanks!

Apparently, the people in charge of setting up DNS had not actually made the DNS records wildcards.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.