Closed Berndinox closed 7 years ago
I am having the exact same problem. How to enable letsencrypt with a docker deploy setup?
I found an example here #750 (specifying options on the traefik command line), but it would require traefik to be restarted when adding a letsencrypt domain.
Ok, I got it to work with the following config:
```yaml
version: "3"
services:
  proxy:
    image: traefik
    command:
      - --web
      - --docker
      - --docker.swarmmode
      - --docker.domain=docker.localhost
      - --docker.watch
      - --logLevel=DEBUG
      # two entrypoints: plain http redirects to https, https terminates TLS
      - "--entryPoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entryPoints=Name:https Address::443 TLS"
      # Let's Encrypt: acme.json lives on the persisted volume below
      - --acme.entryPoint=https
      - --acme.email=ron.arts@xxxxxx.com
      - --acme.storage=/etc/traefik/acme/acme.json
      - --acme.domains=xxxxxx.com
      - --acme.ondemand=true
      - --acme.onhostrule=true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefikdata:/etc/traefik/acme
    deploy:
      placement:
        constraints:
          - node.labels.env == prod
          - node.role == manager
volumes:
  traefikdata:
    driver: local-persist
    driver_opts:
      mountpoint: /data/traefik
networks:
  proxy:
    driver: overlay
```
Though, auto-redirect from 80 to 443 doesn't work yet.
Alright, auto-redirect works if you specify deploy labels like this:
```yaml
version: "3"
services:
  viz:
    image: manomarks/visualizer
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      proxy:
        aliases:
          - monitor_viz
    deploy:
      # in swarm mode traefik reads the labels under deploy.labels
      labels:
        - traefik.port=8080
        - traefik.backend=monitor_viz
        - traefik.docker.network=proxy
        - traefik.frontend.rule=Host:viz.xxxxx.com
        - traefik.frontend.entryPoints=http,https
networks:
  proxy:
    external:
      name: proxy_proxy
```
You need to specify both http and https as entrypoints.
Hi @raarts, thanks for the update. Amazing!
Note: for keeping the downloaded certificates I used a host mount with the local-persist driver. This means you still cannot move the traefik container around easily. Also traefik needs to run on a manager node. I prepared all my manager nodes with a /data/traefik directory.
Thanks for the hint!! I'll use this with a portworx shared volume across hosts in the swarm: https://github.com/Berndinox/swarm_portworx
@Berndinox @raarts if you think the documentation needs some upgrade, your help is welcome :)
@emilevauge ATM I do not feel confident enough to do it, but maybe I will.. ;)
All the docs are around the toml.conf, but I think there should be more about Docker-specific things:
- how to create a traefik service in swarm
- best practices for configuring traefik inside docker
- real world examples (?)
BR
@emilevauge, @Berndinox I have cloned the repo, and am looking at learning how to extend the docs. No promises though.
On Thu, Feb 9, 2017 at 9:29 AM, Berndinox notifications@github.com wrote:
@emilevauge ATM I do not feel confident enough to do it, but maybe I will.. ;)
All the docs are around the toml.conf, but I think there should be more about Docker-specific things:
- how to create a traefik service in swarm
- best practices for configuring traefik inside docker
- real world examples (?)
BR
@raarts I got one other question: would it also work if I do not persist the acme folder into a volume? Because when I scale the traefik service the same volume is mapped multiple times, and so I got doubled entries for my subdomains. Thanks :)
I don't think that will work. I think there are two approaches: (1) make sure only one container runs per host. Docker deploy does not support affinity yet, but you can claim for example cpu1 so docker will have no choice but to find another host*). (2) Define two services, traefik and traefik-letsencrypt: the first one is for scaling, has letsencrypt disabled, and mounts the volume read-only; the second one has letsencrypt enabled, maybe even has proxying disabled, mounts read-write and isn't scaled.
*) Of course if you have multiple hosts, you still need one location to keep your data, so if you control the hosts, you can create a shared filesystem, using nfs or smbfs or something, and let the hosts mount those shares, the containers won't know or care. If you don't control the hosts, then I have no solution other than spending money on shared-storage-in-the-cloud somewhere, and using a volume driver.
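An added diagnostic for the "doubled entries" symptom above, not from the issue or from traefik itself: it reads a copy of acme.json (assuming the traefik 1.x layout DomainsCertificate.Certs[].Domains with Main and SANs), reports every domain covered by more than one stored certificate, and checks that the file is mode 0600, since it holds the account and certificate private keys. The sample acme.json is constructed.

```python
import json
import os
import stat
import tempfile
from collections import Counter

# Assumed acme.json layout (not from the issue): DomainsCertificate.Certs[].Domains.{Main,SANs}
# Constructed sample: two replicas each obtained their own certificate for viz.example.com.
SAMPLE_ACME_JSON = json.dumps({
    "Email": "ops@example.com",
    "DomainsCertificate": {"Certs": [
        {"Domains": {"Main": "viz.example.com", "SANs": None}},
        {"Domains": {"Main": "viz.example.com", "SANs": None}},
        {"Domains": {"Main": "example.com", "SANs": ["www.example.com"]}},
    ]},
})

def cert_domains(acme):
    """Yield every name (Main plus SANs) covered by each stored certificate."""
    for entry in acme.get("DomainsCertificate", {}).get("Certs", []):
        domains = entry.get("Domains", {})
        yield domains.get("Main")
        for san in domains.get("SANs") or []:
            yield san

def duplicate_domains(acme_text):
    """Return {domain: count} for every name that more than one stored certificate covers."""
    counts = Counter(d for d in cert_domains(json.loads(acme_text)) if d)
    return {d: n for d, n in counts.items() if n > 1}

def mode_is_private(path):
    """True when the file is 0600: only the owner may read the private keys inside."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600

def write_sample(mode):
    """Write the constructed sample to a temp file with the given mode; return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        fh.write(SAMPLE_ACME_JSON)
    os.chmod(fh.name, mode)
    return fh.name

def check_acme_file(path):
    """Report duplicate domains and whether the file mode is private."""
    with open(path) as fh:
        dups = duplicate_domains(fh.read())
    return {"duplicates": dups, "private": mode_is_private(path)}

if __name__ == "__main__":
    # a 0644 copy, as a fresh host mount often leaves it
    print(check_acme_file(write_sample(0o644)))  # {'duplicates': {'viz.example.com': 2}, 'private': False}
```

Point it at a copy of the acme.json from the shared mountpoint (here /data/traefik) after scaling to see whether replicas have been issuing certificates for the same hosts independently.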
The read-only approach seems to be nice! Thanks a lot!
For read-only I think you need to append :ro
On Sun, Feb 12, 2017 at 5:10 PM, Berndinox notifications@github.com wrote:
Hi @raarts, I'd like the read-only approach, however with compose v3 read-only volumes are not possible yet?!?
I tested the following setup:
```yaml
version: '3'
services:
  whoami1:
    image: jwilder/whoami
    deploy:
      replicas: 1
      restart_policy:
        delay: 10s
        max_attempts: 10
        window: 60s
    volumes:
      - data:/data
  whoami2:
    image: jwilder/whoami
    deploy:
      replicas: 1
      restart_policy:
        delay: 10s
        max_attempts: 10
        window: 60s
    volumes:
      # suffix written as ':r' in the original attempt
      - data:/data:r
volumes:
  data:
    driver: local-persist
    driver_opts:
      mountpoint: /mnt/glusterfs/docker/whoami
```
The shared volume across hosts is a gluster volume. Docker inspect shows RW (read and write) on both containers.
Also appending the config with "read_only: true" is ignored.
:(
Thanks for sharing!
What version of Traefik are you using (`traefik version`)? docker - traefik:latest
What is your environment & configuration (arguments, toml...)?
Traefik (proxy.yaml)
WhoamI (whoami.yaml)
What I want to do:
I would like to enable SSL (Let's Encrypt support).
I'm new to traefik, and I am missing information:
Maybe someone can help me ;)