Time to set up Traefik before the private Docker Registry so that I get a nice route to it with an SSL cert as a bonus. I am running a default Nginx container to verify the config.
I have configured DNS to send all *.hammar.org requests to this machine/node/swarm.
Move to the tiny-swarm/traefik folder. It should contain four files:
- acme.json: empty (chmod 600), for future storage of Let's Encrypt certificates.
- traefik.toml: the Traefik configuration.
- nginx-deploy.yml: spins up an Nginx for verification.
- deploy.sh: creates an ingress network and a Traefik service.
Test the configuration if you want. The included configuration is set up to get "invalid" staging certificates:
- Issued by: Traefik = wrong
- Issued by: Fake LE Intermediate = correct staging cert
```sh
# deploy a default Nginx site that registers a frontend rule with Traefik
docker stack deploy -c nginx-deploy.yml nginx
# remove it with
docker stack rm nginx
```
Hot reloading configuration in Docker
Hot reloading of traefik.toml
The `[docker] watch = true` setting has issues related to the use of fsnotify (Go) with Docker volumes. In my case, with "naive" volumes on the host, it does not work.
Changing SSL-certs from Staging to Production
Remember to empty out acme.json first. If it doesn't work, check your browser before debugging: browsers sometimes hang on to the staging cert for quite some time. Or check with:
```sh
# replace -servername and -connect :-)
echo | openssl s_client -showcerts -servername hub.hammar.org -connect hub.hammar.org:443 2>/dev/null \
  | openssl x509 -inform pem -noout -text
```
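The "Issued by" check above, scripted: an added example that is not from the original post. It assumes openssl is on the PATH and that the host is reachable; hub.hammar.org is used only as the post's example name.

```shell
#!/bin/sh
# check-cert.sh: report which certificate Traefik is actually serving for a host.
# Added example (not part of the original post). Assumes openssl on the PATH.

# Classify an issuer line from `openssl x509 -issuer` (or the "Issuer:" line of -text).
# Prints one of: default | staging | production | unknown.
# Staging is tested before production because newer staging issuers also
# contain the string "Let's Encrypt" (e.g. "(STAGING) Let's Encrypt").
classify_issuer() {
    case "$1" in
        *"TRAEFIK DEFAULT CERT"*|*Traefik*) echo default ;;     # Traefik's self-signed fallback: ACME never ran
        *"Fake LE"*|*STAGING*)             echo staging ;;     # Let's Encrypt staging CA: not trusted by browsers
        *"Let's Encrypt"*)                 echo production ;;  # real Let's Encrypt issuer
        *)                                 echo unknown ;;
    esac
}

# Fetch issuer and expiry of the leaf certificate from a live TLS endpoint.
# -servername matters: Traefik selects the certificate by SNI.
fetch_cert_info() {
    echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
        | openssl x509 -noout -issuer -enddate 2>/dev/null
}

# Exit 0 only for a production certificate, 1 for default/staging/unknown, 2 if no TLS answer.
verify_host() {
    info=$(fetch_cert_info "$1" "$2") || { echo "$1: no certificate returned"; return 2; }
    issuer=$(printf '%s\n' "$info" | sed -n 's/^issuer=//p')
    expiry=$(printf '%s\n' "$info" | sed -n 's/^notAfter=//p')
    kind=$(classify_issuer "$issuer")
    echo "$1: $kind certificate (issuer: $issuer, expires: $expiry)"
    [ "$kind" = production ]
}

# Usage: ./check-cert.sh hub.hammar.org [port]
if [ "$#" -gt 0 ]; then
    verify_host "$@"
fi
```

The exit code makes it usable as a post-deploy gate: anything but a production issuer fails.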
```sh
docker network create -d overlay traefik-ingress
docker stack deploy -c compose-traefik.yml traefik
```
```yaml
# traefik-compose.yml
# docker network create -d overlay traefik-ingress
# docker stack deploy -c compose-traefik.yml traefik
version: '3.5'
services:
  proxy:
    image: traefik:1.6  # Alpine is larger
    ports:
      - "80:80"
      - "443:443"
      - "8888:8888"  # dashboard/API, see [web] in traefik.toml
    volumes:
      # Traefik reads service labels through the Docker socket; this is host-root-equivalent access
      - /var/run/docker.sock:/var/run/docker.sock
      - ~/volume/traefik_data/traefik.toml:/traefik.toml
      - ~/volume/traefik_data/acme.json:/acme.json
    labels:
      - "traefik.enable=false"
    networks:
      - traefik-ingress
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role==manager
      restart_policy:
        condition: any
        delay: 10s
        max_attempts: 5
networks:
  traefik-ingress:
    external: true
```
```toml
# traefik.toml
debug = true
logLevel = "ERROR"
defaultEntryPoints = ["https", "http"]

# Web UI / API on :8888. No [web.auth] is configured here, so keep this port firewalled.
[web]
address = ":8888"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Redirect all plain HTTP to HTTPS
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]

[docker]
domain = "hammar.org"
watch = true
swarmmode = true
# Only services that set traefik.enable=true get routed
exposedbydefault = false

[acme]
email = "firstname.lastname@example.org"
storage = "acme.json"
acmeLogging = true
entryPoint = "https"
OnHostRule = true
# Keep the next line for staging and tests, comment it out for production certificates.
# They only give 5 proper certs per week.
caServer = "https://acme-staging.api.letsencrypt.org/directory"
  [acme.httpChallenge]
  entryPoint = "http"
```