traefik docker-compose containers cross communication - docker-compose

So this is my docker-compose file
```
version: '3'
networks:
  traefik-net:
    driver: bridge
services:
  # The reverse proxy service (Træfik)
  reverse-proxy:
    image: traefik # The official Traefik docker image
    ports:
      - "80:80" # The HTTP port
      - "8082:8082" # The Web UI (enabled by --api)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/etc/traefik/traefik.toml
    labels:
      - "traefik.docker.network=traefik-net"
    networks:
      - traefik-net
  auth:
    image: auth
    labels:
      - "traefik.enable=true"
      - "traefik.backend=auth"
      - "traefik.frontend.rule=Host:auth.localhost"
      - "traefik.docker.network=traefik-net"
    networks:
      - traefik-net
  clients:
    image: clients
    labels:
      - "traefik.enable=true"
      - "traefik.backend=clients"
      - "traefik.frontend.rule=Host:clients.localhost"
      - "traefik.docker.network=traefik-net"
    networks:
      - traefik-net
```
and this is my traefik.toml file
```
defaultEntryPoints = ["http"]
[api]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "traefik.localhost"
watch = true
[entryPoints]
  [entryPoints.traefik]
  address = ":8082"
  [entryPoints.http]
  address = ":80"
```
What I am trying to do is to make a request from the auth container to the clients container.
Inside the auth container I execute this command:
```
wget -qO- --header="Host: clients.localhost" http://localhost/
```
I get this output:
```
wget: can't connect to remote host (127.0.0.1): Connection refused
```
Outside the container the command works just fine.
What can I do to make requests from one container to the other using traefik?
Thanks for the help :)

Related

Unable to see services with traefik

I'm a beginner and I'm a bit confused about how traefik works...
I want to use the app freqtrade (trading bot) as a docker service and replicate it with different types of configuration. If you have 5 min you can go check this guy, I want to do the same thing...
But I don't understand why I can't see my app running with traefik:
What I did:
Configure my domain to my server like that:
server config
And on this machine I created a docker swarm and the traefik service with this tutorial, and then my docker compose file looks like that:
```
version: '3.3'
services:
  traefik:
    # Use the latest v2.2.x Traefik image available
    image: traefik:v2.2
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - 80:80
      # Listen on port 443, default for HTTPS
      - 443:443
    networks:
      - traefik-public
    deploy:
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.traefik-public.traefik-public-certificates == true
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the traefik-public network (declared below)
        - traefik.docker.network=traefik-public
        # Use the custom label "traefik.constraint-label=traefik-public"
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik-public
        # admin-auth middleware with HTTP Basic auth
        # Using the environment variables USERNAME and HASHED_PASSWORD
        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
        # https-redirect middleware to redirect HTTP to HTTPS
        # It can be re-used by other stacks in other Docker Compose files
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # traefik-http set up only to use the middleware to redirect to https
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-http.rule=Host(`${DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        # traefik-https the actual router using HTTPS
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Use the "le" (Let's Encrypt) resolver created below
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        # Enable HTTP Basic auth, using the middleware created above
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volume to store the certificates
      - traefik-public-certificates:/certificates
    command:
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker
      # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      # Enable Docker Swarm mode
      - --providers.docker.swarmmode
      # Create an entrypoint "http" listening on port 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on port 443
      - --entrypoints.https.address=:443
      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.le.acme.tlschallenge=true
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Traefik log, for configurations and errors
      - --log
      # Enable the Dashboard and API
      - --api
volumes:
  # Create a volume to store the certificates, there is a constraint to make sure
  # Traefik is always deployed to the same Docker node with the same volume containing
  # the HTTPS certificates
  traefik-public-certificates:
networks:
  traefik-public:
    driver: overlay
    attachable: true
```
And deploy it:
```
docker stack deploy -c traefik.yml traefik
```
After that traefik works fine. Why can't I see the port 8080 in my entrypoint? Is it important for other services?
Entrypoint traefik
I tried to disable the firewall in the configuration of the server and also did ufw allow 8080, but nothing changed...
I created my application like I created the traefik service, with this docker-compose file:
```
---
version: '3'
networks:
  traefik_traefik-public:
    external: true
services:
  freqtrade:
    image: freqtradeorg/freqtrade:stable
    # image: freqtradeorg/freqtrade:develop
    # Use plotting image
    # image: freqtradeorg/freqtrade:develop_plot
    # Build step - only needed when additional dependencies are needed
    # build:
    #   context: .
    #   dockerfile: "./docker/Dockerfile.custom"
    restart: unless-stopped
    container_name: freqtrade
    volumes:
      - "./user_data:/freqtrade/user_data"
    # Expose api on port 8080 (localhost only)
    # Please read the https://www.freqtrade.io/en/stable/rest-api/ documentation
    # before enabling this.
    networks:
      - traefik_traefik-public
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      restart_policy:
        condition: on-failure
        delay: 5s
    command: >
      trade
      --logfile /freqtrade/user_data/logs/freqtrade.log
      --db-url sqlite:////freqtrade/user_data/tradesv3.sqlite
      --config /freqtrade/user_data/config.json
      --strategy SampleStrategy
    labels:
      - traefik.http.routers.bot001.tls=true'
      - traefik.http.routers.bot001.rule=Host(`bot001.bots.lordgoliath.com`)'
      - traefik.http.services.bot001.loadbalancer.server.port=8080'
```
and this is a part of the configuration file of the bot (to access the UI)
```
"api_server": {
    "enabled": true,
    "enable_openapi": true,
    "listen_ip_address": "0.0.0.0",
    "listen_port": 8080,
    "verbosity": "info",
    "jwt_secret_key": "somethingrandom",
    "CORS_origins": ["https://bots.lordgoliath.com"],
    "username": "api",
    "password": "api"
},
```
then:
```
docker stack deploy -c docker-compose.yml freqtrade
```
So I have that:
```
goliath@localhost:~/freqtrade_test/user_data$ docker service ls
ID             NAME                  MODE         REPLICAS   IMAGE                           PORTS
nkvpjjztjibg   freqtrade_freqtrade   replicated   1/1        freqtradeorg/freqtrade:stable
6qryu28ute9i   traefik_traefik       replicated   1/1        traefik:v2.2                    *:80->80/tcp, *:443->443/tcp
```
I see the bot running with the command docker service logs freqtrade_freqtrade, but
when I try to go to my domain to see it, I have only the Traefik dashboard and can't see anything else running.
traefik http
traefik https
How can I see my app freqtrade running? How can I access the bot UI via my domain?
Thanks!
Sorry for my bad English, I hope this is clear enough to understand my problem.
UPDATE
docker service inspect --pretty freqtrade_freqtrade
```
ID: o6bpaso69i9n6etybtj09xsqi
Name: ft1_freqtrade
Labels:
  com.docker.stack.image=freqtradeorg/freqtrade:stable
  com.docker.stack.namespace=ft1
Service Mode: Replicated
  Replicas: 1
Placement:
  Constraints: [node.role == manager]
UpdateConfig:
  Parallelism: 1
  On failure: pause
  Monitoring Period: 5s
  Max failure ratio: 0
  Update order: stop-first
RollbackConfig:
  Parallelism: 1
  On failure: pause
  Monitoring Period: 5s
  Max failure ratio: 0
  Rollback order: stop-first
ContainerSpec:
  Image: freqtradeorg/freqtrade:stable@sha256:3b2f2acb5b9cfedaa7b07cf56af01d1a750bce4c3054bdbaf40ac27935c984eb
  Args: trade --logfile /freqtrade/user_data/logs/freqtrade.log --db-url sqlite:////freqtrade/user_data/tradesv3.sqlite --config /freqtrade/user_data/config.json --strategy SampleStrategy
Mounts:
  Target: /freqtrade/user_data
    Source: /home/goliath/freqtrade_test/user_data
    ReadOnly: false
    Type: bind
Resources:
Networks: traefik_traefik-public
Endpoint Mode: vip
```
UPDATE NEW docker-compose.yml
```
---
version: '3'
networks:
  traefik_traefik-public:
    external: true
services:
  freqtrade:
    image: freqtradeorg/freqtrade:stable
    # image: freqtradeorg/freqtrade:develop
    # Use plotting image
    # image: freqtradeorg/freqtrade:develop_plot
    # Build step - only needed when additional dependencies are needed
    # build:
    #   context: .
    #   dockerfile: "./docker/Dockerfile.custom"
    restart: unless-stopped
    container_name: freqtrade
    volumes:
      - "./user_data:/freqtrade/user_data"
    # Expose api on port 8080 (localhost only)
    # Please read the https://www.freqtrade.io/en/stable/rest-api/ documentation
    # before enabling this.
    networks:
      - traefik_traefik-public
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      restart_policy:
        condition: on-failure
        delay: 5s
      labels:
        - 'traefik.enabled=true'
        - 'traefik.http.routers.bot001.tls=true'
        - 'traefik.http.routers.bot001.rule=Host(`bot001.bots.lordgoliath.com`)'
        - 'traefik.http.services.bot001.loadbalancer.server.port=8080'
    command: >
      trade
      --logfile /freqtrade/user_data/logs/freqtrade.log
      --db-url sqlite:////freqtrade/user_data/tradesv3.sqlite
      --config /freqtrade/user_data/config.json
      --strategy SampleStrategy
```
UPDATE docker network ls
```
goliath@localhost:~/freqtrade_test$ docker network ls
NETWORK ID     NAME                     DRIVER    SCOPE
003e00401b5d   bridge                   bridge    local
9f3d9a222928   docker_gwbridge          bridge    local
09a33afad0c9   host                     host      local
r4u268yenm5u   ingress                  overlay   swarm
bed40e4a5c62   none                     null      local
qo9w45gitke5   traefik_traefik-public   overlay   swarm
```
This is the minimal config you need to integrate in order to see the traefik dashboard on localhost:8080
```
version: "3.9"
services:
  traefik:
    image: traefik:latest
    command: |
      --api.insecure=true
    ports:
      - 8080:8080
```
Then, your minimal configuration to get traefik to route example.com to itself:
```
version: "3.9"
networks:
  public:
    attachable: true
    name: traefik
services:
  traefik:
    image: traefik:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command: |
      --api.insecure=true
      --providers.docker.exposedbydefault=false
      --providers.docker.swarmmode
      --providers.docker.network=traefik
    ports:
      - 80:80
    networks:
      - public
    deploy:
      labels:
        traefik.enable: "true"
        traefik.http.routers.traefik.rule: Host(`example.com`)
        traefik.http.services.traefik.loadbalancer.server.port: 8080
```
Now, minimal https support - using Traefik self signed certs to start with. Note that we configure tls on the https entrypoint, which means traefik implicitly creates http and https variants for each router.
```
version: "3.9"
networks:
  public:
    attachable: true
    name: traefik
services:
  traefik:
    image: traefik:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command: |
      --api.insecure=true
      --providers.docker.exposedbydefault=false
      --providers.docker.swarmmode
      --providers.docker.network=traefik
      --entrypoints.http.address=:80
      --entrypoints.https.address=:443
      --entrypoints.https.http.tls=true
    ports:
      # - 8080:8080
      - 80:80
      - 443:443
    networks:
      - public
    deploy:
      # placement and labels share one deploy mapping (a service has a single deploy key)
      placement:
        constraints:
          - node.role == manager
      labels:
        traefik.enable: "true"
        traefik.http.routers.traefik.rule: Host(`example.com`)
        traefik.http.services.traefik.loadbalancer.server.port: 8080
```
At this point, gluing in your le config should be simple.
Your freqtrade stack compose would need to be this. If this is a single node swarm, just omit the placement constraints, but when the swarm is large enough to have workers, then tasks that don't need to be on managers should explicitly be kept on workers.
Traefik needs to talk to the swarm api over the docker socket, which is on manager nodes only, which is why it must be node.role==manager.
```
version: "3.9"
networks:
  traefik:
    external: true
services:
  freqtrade:
    image: freqtradeorg/freqtrade:stable
    command: ...
    volumes: ...
    networks:
      - traefik
    deploy:
      placement:
        constraints:
          - node.role == worker
      restart_policy:
        max_attempts: 5
      labels:
        # The label Traefik checks is traefik.enable
        traefik.enable: "true"
        traefik.http.routers.bot001.rule: Host(`bot001.bots.lordgoliath.com`)
        traefik.http.services.bot001.loadbalancer.server.port: 8080
```
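
Added example, not part of the original answer: the minimal configs above run Traefik with `--api.insecure=true` and the Docker socket mounted, and a later post on this page starts Portainer with `--no-auth`. The line-based Python check below reports those settings in a compose file before it is deployed; the sample file, the function names and the finding names are constructed for illustration.

```python
import re

# Constructed compose file combining settings that appear in the posts on this page.
SAMPLE_COMPOSE = """\
services:
  traefik:
    image: traefik:2.2.1
    command:
      - --api.insecure=true
      - --providers.docker
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  portainer:
    image: portainer/portainer:latest
    command: --no-auth -H unix:///var/run/docker.sock
    ports:
      - "5001:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
networks:
  web:
    external: true
"""

SERVICE_RE = re.compile(r"^  ([A-Za-z0-9._-]+):\s*$")   # key at exactly two spaces
KEY_RE = re.compile(r"^([A-Za-z_]+):")                   # e.g. "ports:", "command: ..."
PORT_RE = re.compile(r"""^-\s*["']?(?:[\d.]+:)?\d+:(\d+)""")  # captures container port
INSECURE_RE = re.compile(r"""--api\.insecure(?:=true)?(?=["'\s]|$)""", re.M)


def split_services(compose_text):
    """Map each service name to its stripped lines (line-based, no YAML library)."""
    services, current, in_services = {}, None, False
    for line in compose_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):              # top-level key such as "networks:"
            in_services, current = line.startswith("services:"), None
        elif in_services and SERVICE_RE.match(line):
            current = SERVICE_RE.match(line).group(1)
            services[current] = []
        elif in_services and current:
            services[current].append(line.strip())
    return services


def audit(compose_text):
    """Return sorted (service, finding) tuples for exposure-related settings."""
    findings = set()
    for name, lines in split_services(compose_text).items():
        section, command, published = None, [], set()
        for line in lines:
            key = KEY_RE.match(line)
            if key:
                section = key.group(1)
            if section == "command":
                command.append(line)
            elif section == "ports" and PORT_RE.match(line):
                published.add(PORT_RE.match(line).group(1))
            elif section == "volumes" and "docker.sock" in line:
                # ":ro" only protects the socket file; API calls still go through,
                # so any mount of the socket is reported.
                findings.add((name, "docker-socket"))
        cmd = "\n".join(command)
        if INSECURE_RE.search(cmd):
            # api.insecure serves the API/dashboard without authentication on the
            # "traefik" entry point, which defaults to port 8080.
            findings.add((name, "api-insecure"))
            if "8080" in published:
                findings.add((name, "dashboard-port-published"))
        if re.search(r"(?:^|\s)--no-auth(?:\s|$)", cmd, re.M):
            findings.add((name, "no-auth"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(SAMPLE_COMPOSE):
        print(f"{service}: {finding}")
```

The check expects an indented compose file with two-space service keys and list-style `ports`; long-form port mappings and settings kept in a separate `traefik.yml` are outside what it reads.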

Error 504 Gateway Timeout when trying to access a homeserver service through an SSH tunnel and traefik

Situation: I run Home Assistant on an Ubuntu server on my home LAN network. Because my home network is behind a double NAT, I have set up an SSH tunnel to tunnel the Home Assistant web interface to a VPS server running Ubuntu as well.
When I run the following on the VPS, I notice that the SSH tunnel works as expected:
```
$ curl localhost:8045 | grep -iPo '(?<=<title>)(.*)(?=</title>)'
Home Assistant
```
On the VPS, I run a bunch of web services via docker-compose and traefik. The other services (caddy, portainer) run without problems.
When I try to serve the Home Assistant service through traefik and access https://ha.mydomain.com through a web browser, I get an Error 504 Gateway Timeout.
Below are my configuration files. What am I doing wrong?
docker-compose yaml file:
```
version: "3.7"
services:
  traefik:
    container_name: traefik
    image: traefik:latest
    networks:
      - proxy
    extra_hosts:
      - host.docker.internal:host-gateway
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${HOME}/docker/data/traefik/traefik.yml:/traefik.yml:ro
      - ${HOME}/docker/data/traefik/credentials.txt:/credentials.txt:ro
      - ${HOME}/docker/data/traefik/config:/config
      - ${HOME}/docker/data/traefik/letsencrypt/acme.json:/acme.json
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.mydomain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dashboard.tls.domains[0].main=traefik.mydomain.com"
      - "traefik.http.routers.dashboard.tls.domains[0].sans=traefik.mydomain.com"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.usersfile=/credentials.txt"
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    networks:
      - proxy
    volumes:
      - ${HOME}/docker/data/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ${HOME}/docker/data/caddy/site:/srv
      - ${HOME}/docker/data/caddy/data:/data
      - ${HOME}/docker/data/caddy/config:/config
    labels:
      - "traefik.http.routers.caddy-secure.rule=Host(`vps.mydomain.com`)"
      - "traefik.http.routers.caddy-secure.service=caddy"
      - "traefik.http.services.caddy.loadbalancer.server.port=80"
  portainer:
    image: portainer/portainer-ce
    container_name: portainer
    networks:
      - proxy
    command: -H unix:///var/run/docker.sock --http-enabled
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${HOME}/docker/data/portainer:/data
    labels:
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.mydomain.com`)"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
    restart: unless-stopped
networks:
  # proxy is the network used for traefik reverse proxy
  proxy:
    external: true
```
traefik static configuration file:
```
api:
  dashboard: true
  insecure: false
  debug: true
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: web_secure
  web_secure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt
providers:
  docker:
    network: proxy
    endpoint: "unix:///var/run/docker.sock"
  file:
    filename: /config/dynamic.yml
    watch: true
certificatesResolvers:
  letsencrypt:
    acme:
      email: myname@mydomain.com
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web
```
traefik dynamic configuration file:
```
# dynamic.yml
http:
  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    user-auth:
      basicAuth:
        users:
          - "username:hashedpassword"
  routers:
    home-assistant-secure:
      rule: "Host(`ha.mydomain.com`)"
      service: home-assistant
  services:
    home-assistant:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://host.docker.internal:8045
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
```

Traefik v2.1.4 - How to create a static route and redirect to a specific host and port

I'm a beginner with Traefik v2.1.4. I'm using it in a docker container. I'm trying to set up a static route. I found some examples using the toml configuration file.
```
[providers]
  [providers.file]
[http]
  [http.routers]
    [http.routers.netdata]
      rule = "Host(`netdata.my-domain.com`)"
      service = "netdata"
      entrypoint=["http"]
  [http.services]
    [http.services.netdata.loadbalancer]
      [[http.services.netdata.loadbalancer.servers]]
        url = "https://192.168.0.2:19999"
```
Following this example I would like to convert it to docker labels of my docker-compose.
My docker-compose file:
```
version: "3.7"
services:
  traefik:
    image: traefik:v2.1.4
    container_name: traefik
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=false"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.letsresolver.acme.email=my-email@domain.com"
      - "--certificatesresolvers.letsresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      - "traefik.enable=true"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # global redirect to https
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
      # dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.my-domain.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=admin"
      - "traefik.http.routers.traefik.tls.certresolver=letsresolver"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.middlewares.admin.basicauth.users=user:hash-passwordXXX"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
  default:
    external:
      name: network
```
It is possible to use 2 providers together: file and docker.
Your docker-compose.yml:
```
services:
  traefik:
    image: traefik:2.2.1
    command: traefik --configFile=/etc/traefik/traefik.yml
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./routes.yml:/etc/traefik/routes.yml
      - /var/run/docker.sock:/var/run/docker.sock
  # your services go here ...
```
Your traefik.yml:
```
api:
  dashboard: true
  insecure: true
entryPoints:
  web:
    address: :80
providers:
  docker: {}
  file:
    filename: /etc/traefik/routes.yml
    watch: true
```
Your routes.yml:
```
http:
  routers:
    hello:
      rule: PathPrefix(`/hello`)
      service: hello@docker
    world:
      rule: PathPrefix(`/world`)
      service: world@docker
```
These are only examples, don't use them in production environment directly, of course.
There is no docker label mentioned to specify url (in https://docs.traefik.io/v2.1/routing/providers/docker/#routers). And I tried to use url instead of port, but it does not work.
So I suggest to use the file provider (https://docs.traefik.io/v2.1/providers/file/).
Suggestion for implementation:
update your config with:
```
services:
  ...
  traefik:
    ...
    command:
      ...
      - "--providers.file.directory=/path/to/dynamic/conf"
    # service-level key for Swarm configs is "configs"
    configs:
      - source: redirect.toml
        target: /path/to/dynamic/conf/redirect.toml
    ...
  ...
configs:
  redirect.toml:
    file: redirect.toml
```
and create redirect.toml with your redirection (as in your example).
Of course you can also bindmount the config into the container, or create your own traefik image containing the config, or ...
In case you want to work with labels, you can start a service which redirects with socat
```
services:
  ...
  netdata:
    image: alpine/socat
    command: tcp-listen:80,fork,reuseaddr tcp-connect:192.168.0.2:19999
    deploy:
      labels:
        traefik.enable: "true"
        traefik.http.routers.netdata.rule: Host(`netdata.my-domain.com`)
        traefik.http.services.netdata_srv.loadbalancer.server.port: 80
        # hm, and probably tell to forward as https, ...
```

Why is my portainer and traefik not public available?

I'm setting up a docker swarm and trying to get a traefik reverse proxy and portainer+agent working on the docker manager. But the container isn't publicly available.
I'm new to docker and reverse proxies, so I haven't tried more than the code shown here.
Starting with:
```
docker stack deploy -c stack.yml stack0
```
stack.yml
```
version: "3.3"
services:
  traefik:
    image: traefik
    command: --docker.swarmmode
    networks:
      - traefik-net
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefikdata:/etc/traefik
    deploy:
      placement:
        constraints: [node.role==manager]
  portainer-agent:
    image: portainer/agent
    environment:
      AGENT_CLISTER_ADDR: tasks.agent
      AGENT_PORT: 9001
      LOG_LEVEL: debug
    ports:
      - target: 9001
        published: 9001
        protocol: tcp
        mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - portainer-agent_network
      - traefik-net
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]
  portainer:
    image: portainer/portainer
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./portainerdata:/data"
    networks:
      - portainer-agent_network
      - traefik-net
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.port=9000"
        - "traefik.docker.network=stack0_traefik-net"
        - "traefik.frontend.rule=Host:portainer.intern.domain.tld"
networks:
  traefik-net:
  portainer-agent_network:
    driver: overlay
    attachable: true
```
traefikdata/traefik.toml
```
logLevel = "INFO"
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
[docker]
domain = "traefik.intern.domain.tld"
watch = true
exposedbydefault = false
# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
# Let's encrypt configuration
[acme]
email="network@techgods.biz"
storage="/etc/traefik/acme/acme.json"
entryPoint="https"
acmeLogging=true
OnHostRule=true
  [acme.httpChallenge]
  entryPoint = "http"
```
I expect a running Traefik reverse Proxy, UI reachable over traefik.intern.domain.tld and portainer reachable over portainer.intern.domain.tld
For complete explicitness, I would also put the entryPoints definition:
```
- "traefik.frontend.entryPoints=https"
```
Are you positive that this part is correct?
```
- "traefik.docker.network=stack0_traefik-net"
```
It doesn't seem to align with your network definitions:
```
networks:
  traefik-net:
  portainer-agent_network:
    driver: overlay
    attachable: true
```
I'd highly recommend getting this working without the network definitions and then later adding these one at a time.
After hours of trying to revive my stack.yml I started from the beginning, read a bit more of the documentation and found many helpful stackoverflow posts.
At the end, I actually have this:
```
version: "3"
services:
  traefik:
    image: traefik:latest
    command: --web --docker --docker.swarmmode --docker.watch --docker.domain=intern.domain.tld --logLevel=DEBUG
    deploy:
      placement:
        constraints: [node.role==manager]
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.port=8080"
        - "traefik.docker.network=proxy"
        - "traefik.frontend.rule=Host:traefik.intern.domain.tld"
    ports:
      - "80:80"
      - "5003:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /dev/null:/traefik.toml
    networks:
      - proxy
  portainer:
    image: portainer/portainer:latest
    command: --no-auth -H unix:///var/run/docker.sock
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.portainer.port=9000"
        - "traefik.docker.network=proxy"
        - "traefik.frontend.rule=Host:portainer.intern.domain.tld"
    ports:
      - "5001:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - proxy
networks:
  proxy:
```
Now I would need to get the portainer agent working. I'll work on it. At first view, portainer and traefik are reachable on the right ports. SSL not yet, but for this see my questions below.
Actually portainer.intern.domain.tld:5001 and traefik.intern.domain.tld:5001 both still show portainer, but traefik.intern.domain.tld:5001 should not be reachable, just :5003 with traefik. Also the other way round.
In the documentation, I've read that for cluster operation, kv storage is needed to use acme certificates across multiple hosts. Nevertheless, I found configurations with the acme.json configuration in the network (for the swarm operation). Is kv storage obligatory or not?
I would really appreciate it if there is a basic auth, for a start, in front of portainer and traefik; later I want to change this to certificates. I know a bit about configuration in the traefik.toml, but is it the right way if I have done everything else over the compose file?
Same for SSL: I know a bit about configuration over traefik.toml, but is it the right way? What about storing all this in the compose file?
Thank you in advance.

Traefik: Simple Letsencrypt HTTPS redirect to whoami service throws "404 page not found"

I've tried to get this up and running for two days now and some simple HTTP -> HTTPs redirect does not work! :(
Pretty simple use case:
whoami.my-example-domain.com:80 => redirect to whoami.my-example-domain.com:443 and then traefik internally redirects to :80 of my whoami service docker container.
Here's the docker-compose.yml
```
version: "3"
services:
  reverse-proxy:
    image: traefik:alpine
    command:
      - --logLevel=WARN
      - --defaultentrypoints=http,https
      - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
      - --entrypoints=Name:https Address::443 TLS
      - --acme
      - --acme.email=myemail@gmail.com
      - --acme.storage=acme.json
      - --acme.entryPoint=https
      - --acme.httpChallenge.entryPoint=http
      - --acme.OnHostRule=true
      - --acme.onDemand=false
      - --acme.acmeLogging=true
      - --docker
      - --docker.watch
      - --docker.exposedbydefault=false
      - --docker.domain=docker.localhost
    restart: always
    networks:
      - web
    ports:
      - "80:80" # The HTTP port
      - "443:443" # The HTTPS port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - /opt/data/traefik/acme.json:/acme.json
  whoami:
    image: containous/whoami # A container that exposes an API to show its IP address
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:whoami.some-example-domain.com"
      - "traefik.port=80"
      - "traefik.frontend.entryPoints=http"
networks:
  web:
    external: true
```
When I now call http://whoami.some-example-domain.com (this is just a demo domain and won't work) => it redirects to HTTPs... which is cool, but then it throws the famous "404 page not found" traefik standard error.
I've already tried to set the following labels on the container:
```
"traefik.port=80"
"traefik.frontend.entryPoints=http"
```
That didn't work either.
Any help would be appreciated! Thanks in advance!
Regards,
Sascha
You have to remove traefik.frontend.entryPoints (linked to defaultentrypoints) or use traefik.frontend.entryPoints=http,https
```
version: "3"
services:
  reverse-proxy:
    image: traefik:v1.7.8
    command:
      - --logLevel=WARN
      - --defaultentrypoints=http,https
      - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
      - --entrypoints=Name:https Address::443 TLS
      - --acme
      - --acme.email=myemail@gmail.com
      - --acme.storage=acme.json
      - --acme.entryPoint=https
      - --acme.httpChallenge.entryPoint=http
      - --acme.OnHostRule=true
      - --acme.onDemand=false
      - --acme.acmeLogging=true
      - --docker
      - --docker.exposedbydefault=false
      - --docker.domain=some-example-domain.com
    restart: always
    networks:
      - web
    ports:
      - "80:80" # The HTTP port
      - "443:443" # The HTTPS port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - /opt/data/traefik/acme.json:/acme.json
  whoami:
    image: containous/whoami # A container that exposes an API to show its IP address
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:some-example-domain.com"
    networks:
      - web
networks:
  web:
    external: true
```