
Update stack-proxy.yml

Open tmackness opened this issue 5 years ago • 11 comments

  • use traefik for the dashboard, thus remove port binding 8080 and access via subdomain
  • add a default network e.g. proxy (save adding "traefik.network=proxy" label to every service)
  • set exposedByDefault to false, thus have to use "traefik.enable=true" label in each service for better security.

tmackness avatar Jan 21 '19 13:01 tmackness

@tmackness good work on this! I'll test it.

The missing part (Consul on HA set up) of the puzzle is here: https://dockerswarm.rocks/traefik/ Still testing on my side. Cheers!

pascalandy avatar Feb 01 '19 21:02 pascalandy

Hey, thanks for the PR. Some feedback:

  1. This doesn't work for me, and I seem to remember others having this issue in traefik GHIssues
  2. Sweet, it works.
  3. I don't set exposedByDefault to true anywhere and the default must be false, because if I deploy stacks in the proxy network they aren't added to Traefik. Can you replicate the issue?

BretFisher avatar Feb 04 '19 06:02 BretFisher

  1. Works perfectly fine for me. Maybe they have fixed the issue?

  3. I’ll have a look and get back to you.

tmackness avatar Feb 04 '19 06:02 tmackness

FYI I'm testing with the stack-proxy-global.yml now, as stack-proxy.yml isn't redundant in any way. The "self proxy" of the dashboard doesn't work for me with consul backend and seeding it with a different traefik service.

BretFisher avatar Feb 04 '19 06:02 BretFisher

ah, ok got traefik working, not sure what I did different... :), I'm adding each of these as a commit for both stack files for traefik and giving you credit :). So 1 and 2 are implemented so far.

BretFisher avatar Feb 04 '19 06:02 BretFisher

Ah great.

As for 3, the docs state:

```toml
# Expose containers by default in Traefik.
# If set to false, containers that don't have `traefik.enable=true` will be ignored.
#
# Optional
# Default: true
#
exposedByDefault = true
```

tmackness avatar Feb 04 '19 07:02 tmackness

I prefer to set a label on all the containers I wish to connect to Traefik in order to be more explicit.

tmackness avatar Feb 04 '19 07:02 tmackness
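
Added example, not part of the thread or the project's stack files: a small audit that flags services on the proxy network whose exposure depends on `exposedByDefault` because they carry no explicit `traefik.enable` label. The stack below is constructed sample data with hypothetical service names, and it assumes the Traefik `command` is given in list form.

```python
# Added example: audit a Swarm stack for implicit Traefik exposure.
# SAMPLE_STACK is constructed, shaped like yaml.safe_load() of a compose v3 file.
SAMPLE_STACK = {
    "services": {
        "traefik": {
            "command": ["--docker", "--docker.swarmMode", "--docker.watch"],
            "networks": ["proxy"],
        },
        "web": {  # explicit opt-in
            "networks": ["proxy"],
            "deploy": {"labels": ["traefik.enable=true", "traefik.port=80",
                                  "traefik.frontend.rule=Host:web.example.test"]},
        },
        "metrics": {  # on the proxy network, no opt-in or opt-out label
            "networks": ["proxy", "backend"],
            "deploy": {"labels": ["traefik.port=1000"]},
        },
        "db": {"networks": ["backend"]},
    }
}


def labels_of(service):
    """Return deploy.labels as a dict; compose allows list or mapping form."""
    raw = service.get("deploy", {}).get("labels", {})
    if isinstance(raw, dict):
        return {k: str(v) for k, v in raw.items()}
    return dict(item.split("=", 1) for item in raw)


def audit(stack, proxy_network="proxy", proxy_service="traefik"):
    """List services whose exposure is left to the exposedByDefault setting."""
    services = stack["services"]
    args = [a.lower() for a in services[proxy_service].get("command", [])]
    default_off = "--docker.exposedbydefault=false" in args
    findings = []
    if not default_off:
        findings.append((proxy_service, "exposedByDefault not set to false"))
    for name, svc in services.items():
        if name == proxy_service or proxy_network not in svc.get("networks", []):
            continue
        if "traefik.enable" not in labels_of(svc):
            findings.append((name, "on proxy network without traefik.enable label"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_STACK):
        print(f"{name}: {problem}")
```
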

I've tested exposedByDefault and I'm confused by its use. How can a service be exposed by default if traefik doesn't know what port it runs on or the dns name to route to it? I can confirm if I remove port/hostname labels that the frontend/backend disappear. So either exposedByDefault is false by default and docs are wrong, or there is something else I don't understand for how you "accidentally expose services on the proxy network". Thoughts?

BretFisher avatar Feb 04 '19 07:02 BretFisher

I see what you're saying. I'm very new to Traefik TBH and didn't actually give it too much thought. Maybe setting defaults in the Traefik service could cause some to connect?

Say you have multiple services that expose port 1000 and you have the Traefik defaults with:

  • docker.domain=traefik
  • docker.network=proxy
  • traefik.port=1000

Haven't tested this, but maybe it would automatically proxy to these services?

tmackness avatar Feb 04 '19 07:02 tmackness

This sheds a little light: Issue 663

tmackness avatar Feb 04 '19 07:02 tmackness

I have a working example on my repo:

https://github.com/FinalDes/docker-swarm-defauts/blob/master/traefik/docker-compose.yml

FinalDes avatar Apr 09 '19 12:04 FinalDes