traefik portainer swarm 404 - docker-swarm

When I try to reach the endpoint for Portainer or Traefik I get a 404 Not Found error.
It works well if I set it up in Docker and not Docker Swarm. I believe I am missing some config, something like the balancer.
Something I am missing with the traefik.http.services.<service_name>.loadbalancer.server.port
Without swarm config:
```yaml
# traefik.yml
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: kevin.gaulin@gmail.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
```
```yaml
# docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik:v2.3.7
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik2.${DOMAIN}`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${USERNAME}:${HASHED_PASSWORD}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik2.${DOMAIN}`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./portainer-data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(`portainer2.${DOMAIN}`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer2.${DOMAIN}`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=http"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.docker.network=traefik-proxy"
networks:
  traefik-proxy:
    external: true
```
Swarm config
```yaml
# traefik.yml
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    swarmmode: true
    watch: false
certificatesResolvers:
  http:
    acme:
      email: kevin.gaulin@gmail.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
log:
  level: DEBUG
```
```yaml
# docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik:v2.3.7
    networks:
      - traefik-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.entrypoints=http"
        - "traefik.http.routers.traefik.rule=Host(`traefik2.${DOMAIN}`)"
        - "traefik.http.middlewares.traefik-auth.basicauth.users=${USERNAME}:${HASHED_PASSWORD}"
        - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
        - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
        - "traefik.http.routers.traefik-secure.entrypoints=https"
        - "traefik.http.routers.traefik-secure.rule=Host(`traefik2.${DOMAIN}`)"
        - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
        - "traefik.http.routers.traefik-secure.tls=true"
        - "traefik.http.routers.traefik-secure.tls.certresolver=http"
        - "traefik.http.routers.traefik-secure.service=api@internal"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
  agent:
    image: portainer/agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]
  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    networks:
      - traefik-proxy
      - agent_network
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./portainer-data:/data
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.portainer.entrypoints=http"
        - "traefik.http.routers.portainer.rule=Host(`portainer2.${DOMAIN}`)"
        - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
        - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
        - "traefik.http.routers.portainer-secure.entrypoints=https"
        - "traefik.http.routers.portainer-secure.rule=Host(`portainer2.${DOMAIN}`)"
        - "traefik.http.routers.portainer-secure.tls=true"
        - "traefik.http.routers.portainer-secure.tls.certresolver=http"
        - "traefik.http.routers.portainer-secure.service=portainer"
        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
        - "traefik.docker.network=traefik-proxy"
networks:
  traefik-proxy:
    driver: overlay
    external: true
  agent_network:
    driver: overlay
```

Related

Wordpress service is not showing in Traefik

I am trying to deploy a Wordpress application on a Docker swarm stack, behind a Traefik reverse proxy. I wanted to use Nginx for reverse proxying, but as Wordpress is deployed with 2 replicas I am facing a session timeout issue, therefore I am trying to use Traefik instead to configure sticky sessions later.
I have deployed the Traefik service successfully and can access the dashboard, but the Wordpress is not being proxied and it is not showing in the services list on the dashboard.
Traefik Dashboard Screenshot
Traefik Dashboard 2
Traefik Proxy yaml File:
```yaml
version: '3.3'
services:
  traefik:
    image: traefik:v2.2
    ports:
      - 80:80
      - 443:443
    deploy:
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.traefik-public.traefik-public-certificates == true
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.constraint-label=traefik-public
        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        - traefik.http.routers.traefik-public-http.rule=Host(`${DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        - traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        - traefik.http.routers.traefik-public-https.service=api@internal
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-public-certificates:/certificates
    command:
      - --providers.docker
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmmode
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --accesslog
      - --log
      - --api
    networks:
      - traefik-public
volumes:
  traefik-public-certificates:
networks:
  traefik-public:
    external: true
```
Wordpress yaml File:
```yaml
version: "3.4"
services:
  db:
    image: mariadb
    secrets:
      - db_user
      - db_pass
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_pass
      MYSQL_USER_FILE: /run/secrets/db_user
      MYSQL_PASSWORD_FILE: /run/secrets/db_pass
      MYSQL_DATABASE_NAME: wpdb
    ports:
      - 3306:3306
    networks:
      - backend
    volumes:
      - db-data:/var/lib/mysql
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 10s
        max_attempts: 3
        window: 60s
  wp:
    image: wordpress
    secrets:
      - db_user
      - db_pass
    depends_on:
      - db
    labels:
      - traefik.enable=true
      - traefik.constraint-label=traefik-public
      - traefik.docker.network=traefik-public
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
      - traefik.http.routers.wp.rule=Host(`example.com`)
      - traefik.http.routers.wp.entrypoints=http
      - traefik.http.routers.wp.middlewares=https-redirect
      - traefik.http.routers.wp-secured.rule=Host(`example.com`)
      - traefik.http.routers.wp-secured.entrypoints=https
      - traefik.http.routers.wp-secured.tls=true
      - traefik.http.routers.wp-secured.tls.certresolver=le
      - traefik.http.services.wp.loadbalancer.server.port=8080
    environment:
      WORDPRESS_DB_HOST: 192.168.20.30:3306 # node IP
      WORDPRESS_DB_USER_FILE: /run/secrets/db_user
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_pass
      WORDPRESS_DB_NAME: wpdb
    networks:
      - backend
      - traefik-public
    volumes:
      - wp-data:/var/www/html
    deploy:
      replicas: 2
      restart_policy:
        condition: on-failure
        delay: 10s
        max_attempts: 3
        window: 60s
networks:
  backend:
    external: false
  traefik-public:
    external: true
volumes:
  wp-data:
  db-data:
secrets:
  db_user:
    file: ./db_user.txt
  db_pass:
    file: ./db_pass.txt
```

Bookstack with traefik as reverse proxy

I'm trying to set up Bookstack with traefik as a reverse proxy. traefik is already set up and running fine with Nextcloud and other services.
I'm using the image provided by linuxserver and am modifying the docker-compose file as follows:
```yaml
version: "2"
services:
  bookstack:
    image: lscr.io/linuxserver/bookstack
    container_name: bookstack
    environment:
      - PUID=1000
      - PGID=1000
      - APP_URL=my-sub.domain.com
      - DB_HOST=bookstack_db
      - DB_USER=dbusernamesetbyme
      - DB_PASS=thedbpasswordichose
      - DB_DATABASE=bookstackapp
    volumes:
      - /path/to/data:/config
    ports:
      - 6875:80
    restart: unless-stopped
    depends_on:
      - bookstack_db
  bookstack_db:
    image: lscr.io/linuxserver/mariadb
    container_name: bookstack_db
    environment:
      - PUID=1000
      - PGID=1000
      - MYSQL_ROOT_PASSWORD=modifiedpassword
      - TZ=Europe/Berlin
      - MYSQL_DATABASE=bookstackapp
      - MYSQL_USER=usernamesetbyme
      - MYSQL_PASSWORD=anotherpassword
    volumes:
      - /path/to/data:/config
    restart: unless-stopped
    labels:
      traefik.enable: "true"
      traefik.http.routers.bookstack.entrypoints: "http"
      traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.de`)"
      traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
      traefik.http.routers.bookstack-secure.entrypoints: "https"
      traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
      traefik.http.routers.bookstack-secure.tls: "true"
      traefik.http.routers.bookstack-secure.tls.certresolver: "http"
      traefik.http.routers.bookstack-secure.service: "bookstack"
      traefik.http.services.bookstack.loadbalancer.server.port: "80"
      traefik.docker.network: "nameofmyproxynetwork"
    networks:
      - nameofmyproxynetwork
```
When I call my-sub.domain.com I get a Gateway Timeout. If I leave out the labels and the APP_URL, I can call bookstack via the host-ip and the port e. g. 101.101.101.101:6875 it works just fine.
Any ideas?
Best regards!
Try to move labels: from bookstack_db: to bookstack:. I set up Bookstack with Traefik locally and it worked.
You can use this docker-compose.yaml for reference:
```yaml
version: "3.7"
services:
  bookstack:
    image: linuxserver/bookstack:latest
    container_name: bookstack
    environment:
      - APP_URL=my-sub.domain.com
      - TZ=Europe/Berlin
      - DB_HOST=bookstack_db:3306
      - DB_DATABASE=bookstackapp
      - DB_USERNAME=dbusernamesetbyme
      - DB_PASSWORD=thedbpasswordichose
    volumes:
      - ./bookstack/app:/config
    ports:
      - 6875:80
    restart: unless-stopped
    depends_on:
      - bookstack_db
    labels:
      traefik.enable: "true"
      traefik.http.routers.bookstack.entrypoints: "http"
      traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.de`)"
      traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
      traefik.http.routers.bookstack-secure.entrypoints: "https"
      traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
      traefik.http.routers.bookstack-secure.tls: "true"
      traefik.http.routers.bookstack-secure.tls.certresolver: "http"
      traefik.http.routers.bookstack-secure.service: "bookstack"
      # traefik.http.services.bookstack.loadbalancer.server.port: "80"
      # traefik.docker.network: "nameofmyproxynetwork"
    networks:
      - nameofmyproxynetwork
  bookstack_db:
    image: mariadb:10.9
    container_name: bookstack_db
    environment:
      - TZ=Europe/Berlin
      - MYSQL_ROOT_PASSWORD=modifiedpassword
      - MYSQL_DATABASE=bookstackapp
      - MYSQL_USER=usernamesetbyme
      - MYSQL_PASSWORD=anotherpassword
    volumes:
      - ./bookstack/db:/var/lib/mysql
    ports:
      - 3306:3306
    restart: unless-stopped
    networks:
      - nameofmyproxynetwork
networks:
  nameofmyproxynetwork:
    external: true
```
I attach also my original labels: config, just in case.
```yaml
labels:
  - traefik.enable=true
  - traefik.http.routers.bookstack-http.entrypoints=web
  - traefik.http.routers.bookstack-http.rule=Host(`bookstack.docker.localdev`)
  - traefik.http.routers.bookstack-http.middlewares=bookstack-https
  - traefik.http.middlewares.bookstack-https.redirectscheme.scheme=https
  - traefik.http.routers.bookstack-https.entrypoints=websecure
  - traefik.http.routers.bookstack-https.rule=Host(`bookstack.docker.localdev`)
  - traefik.http.routers.bookstack-https.tls=true
```
So, I've got some external help and got a .yml-file that worked:
```yaml
version: "3.7"
services:
  bookstack:
    image: linuxserver/bookstack:latest
    container_name: bookstack
    environment:
      - APP_URL=https://my-sub.domain.com
      - TZ=Europe/Berlin
      # - PUID= # = stat ./bookstack/app --format "%u"
      # - PGID= # = stat ./bookstack/app --format "%g"
      - DB_HOST=bookstack_db
      - DB_DATABASE=bookstackdb
      - DB_USERNAME=<dbuser>
      - DB_PASSWORD=<dbpassword>
    volumes:
      - ./bookstack/app:/config
    ports:
      - 6875:80
    restart: unless-stopped
    depends_on:
      - bookstack_db
    labels:
      traefik.enable: "true"
      traefik.docker.network: "proxy"
      traefik.http.routers.bookstack.entrypoints: "http"
      traefik.http.routers.bookstack.rule: "Host(`my-sub.domain.com`)"
      traefik.http.middlewares.bookstack-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.bookstack.middlewares: "bookstack-https-redirect"
      traefik.http.routers.bookstack-secure.entrypoints: "https"
      traefik.http.routers.bookstack-secure.rule: "Host(`my-sub.domain.com`)"
      traefik.http.routers.bookstack-secure.tls: "true"
      traefik.http.routers.bookstack-secure.tls.certresolver: "http"
      traefik.http.services.bookstack.loadbalancer.server.port: "80"
    networks:
      - default
      - proxy
  bookstack_db:
    image: lscr.io/linuxserver/mariadb
    container_name: bookstack_db
    environment:
      - TZ=Europe/Berlin
      - MYSQL_ROOT_PASSWORD=<dbrootpassword>
      - MYSQL_DATABASE=bookstackdb
      - MYSQL_USER=<dbuser>
      - MYSQL_PASSWORD=<dbpassword>
    volumes:
      - ./bookstack/db:/var/lib/mysql
    restart: unless-stopped
    networks:
      - default
networks:
  default:
    name: bookstack-default
  proxy:
    external: true
```
One issue of mine was, that I did not realize, that DB_USERNAME and MYSQL_USER, and DB_PASSWORD and MYSQL_PASSWORD had to contain the same variable.
Furthermore I'm going to provide my traefik.yml, as it shows that I did not use the typical labelnames.
```yaml
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "./dynamic_conf.yml"
certificatesResolvers:
  http:
    acme:
      email: username@domain.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
```
Hope that helps somebody else!

Self assigned TLS certificate traefik

My problem is a self assigned cert instead of a lets-encrypt cert
docker-compose.yml:
```yaml
version: "3.7"
services:
  traefik:
    image: traefik
    command:
      - --api
      - --providers.docker
      - --providers.docker.exposedbydefault=false
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/data/traefik.yml:/etc/traefik/traefik.yml
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - public
      - private
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.dashboard.rule=Host(`dashboard.example.com`)"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.middlewares=auth"
        - "traefik.http.middlewares.auth.basicauth.users=admin:admin"
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
```
service labels
```yaml
- "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.registry.tls.domains[0].main=example.com"
- "traefik.http.routers.registry.tls.domains[0].sans=*.example.com"
- "traefik.http.routers.gites.tls.certresolver=resolver"
- "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"
```
traefik.yml:
```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  resolver:
    acme:
      email: mail@example.com
      storage: acme.json
      tlsChallenge: {}
```
This is what I get in my Firefox:
This happens because the browser takes the Traefik default cert, but it must be the lets-encrypt cert. With log level debug I get
level=debug msg="http: TLS handshake error from 192.168.80.1:53932: remote error: tls: bad certificate"
I solved my problem
docker-compose.yml:
```yaml
version: "3.7"
services:
  traefik:
    image: traefik:v2.2.11
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/data/traefik.yml:/etc/traefik/traefik.yml
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/data/letsencrypt:/letsencrypt
    networks:
      - public
      - private
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`dashboard.example.com`)"
      # redirectscheme.scheme is the URL scheme, not an entrypoint name
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`dashboard.example.com`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=resolver"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
  gitea:
    image: gitea/gitea:latest
    environment:
      - APP_NAME=Gitea
      - USER_UID=1000
      - USER_GID=1000
      - ROOT_URL=https://gitea.example.com
      - SSH_DOMAIN=gitea.example.com
      - SSH_PORT=2222
      - HTTP_PORT=3000
      - DB_TYPE=postgres
      - DB_HOST=gitea-db:5432
      - DB_NAME=gitea
      - DB_USER=gitea
      - DB_PASSWD=gitea
    volumes:
      - gitea_app:/data
    ports:
      - 2222:2222
    networks:
      - public
      - private
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.entrypoints=web"
      - "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
      # redirectscheme.scheme is the URL scheme, not an entrypoint name
      - "traefik.http.middlewares.gitea-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.gitea.middlewares=gitea-https-redirect"
      - "traefik.http.routers.gitea-secure.entrypoints=websecure"
      - "traefik.http.routers.gitea-secure.rule=Host(`gitea.example.com`)"
      - "traefik.http.routers.gitea-secure.tls=true"
      - "traefik.http.routers.gitea-secure.tls.certresolver=resolver"
      - "traefik.http.routers.gitea-secure.service=gitea"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
      - "traefik.docker.network=public"
  gitea-db:
    image: postgres:alpine
    volumes:
      - gitea_db:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=gitea
      - POSTGRES_PASSWORD=gitea
      - POSTGRES_DB=gitea
    networks:
      - private
```
traefik.yml
```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
api:
  dashboard: true
log:
  level: DEBUG
providers:
  docker:
    exposedbydefault: false
    endpoint: "unix:///var/run/docker.sock"
    swarmMode: true
certificatesResolvers:
  resolver:
    acme:
      email: mail@example.com
      storage: letsencrypt/acme.json
      httpChallenge:
        entryPoint: web
```
Also, I have an empty letsencrypt folder for the acme.json file.

traefik not working when a service is in multiple overlay networks

```yaml
version: '3.2'
services:
  traefik:
    image: "traefik:latest"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=public
      - --api
      - --log.level=ERROR
    ports:
      - "80:80"
      - "443:443"
    networks:
      - public
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  agent:
    image: portainer/agent
    environment:
      # REQUIRED: Should be equal to the service name prefixed by "tasks." when
      # deployed inside an overlay network
      AGENT_CLUSTER_ADDR: tasks.agent
      # AGENT_PORT: 9001
      # LOG_LEVEL: debug
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]
  portainer:
    image: portainer/portainer-ce:2.0.0
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    volumes:
      - data:/data
    networks:
      - public
      - agent_network
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.portainer.rule=Host(`portainer.yourdomain.com`)"
        - "traefik.http.routers.portainer.entrypoints=web"
        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
        - "traefik.http.routers.portainer.service=portainer"
        # Edge
        - "traefik.http.routers.edge.rule=Host(`edge.yourdomain.com`)"
        - "traefik.http.routers.edge.entrypoints=web"
        - "traefik.http.services.edge.loadbalancer.server.port=8000"
        - "traefik.http.routers.edge.service=edge"
networks:
  public:
    external: true
  agent_network:
    external: true
volumes:
  # named volume mounted by the portainer service above
  data:
```
We can see that "portainer" is in both public and agent_network overlay networks. And it has two IP addresses, 10.0.38.7 and 10.0.39.7.
traefik is only in public network, it has IP address 10.0.38.6.
The problem is, from traefik web UI, it refers "portainer" as 10.0.39.7 instead of 10.0.38.7. So that it fails to work.
Any solution to this?

How can I use Sticky sessions on Docker using Traefik v2.3?

How can I use Sticky sessions in Traefik v2.3?
When I enable the below line in my docker compose file, my docker services (e.g. http://192.168.0.1:9086) don't work.
- "traefik.http.services.mynginximage2.loadBalancer.sticky.cookie=true"
Do you have any idea why a sticky session doesn't work?
And is it possible to make a session affinity by the labels of a service?
The following is my docker compose file:
```yaml
version: "3.8"
services:
  traefik:
    image: traefik:v2.3
    deploy:
      mode: global
    networks:
      - traefik-net
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.mynginximage2_ep.address=:8086"
    ports:
      - 80:80
      - 9086:8086
      - 8080:8080
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: "traefik/whoami"
    deploy:
      replicas: 2
    networks:
      - traefik-net
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.routers.whoami.rule=Host(`192.168.0.1`) || Host(`192.168.0.2`)"
      #- "traefik.http.services.whoami.loadBalancer.sticky.cookie=true"
      - "traefik.http.services.whoami-service.loadbalancer.server.port=80"
  mynginximage2:
    image: mynginximage2
    deploy:
      replicas: 2
    networks:
      - traefik-net
    #ports:
    #  - 9080:8086
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mynginximage2.entrypoints=mynginximage2_ep"
      - "traefik.http.routers.mynginximage2.rule=Host(`192.168.0.1`) || Host(`192.168.0.2`)"
      #- "traefik.http.services.mynginximage2.loadBalancer.sticky.cookie=true"
      - "traefik.http.services.mynginximage2-service.loadbalancer.server.port=8086"
networks:
  traefik-net:
    external: true
    name: traefik-net
```
I found the issue why my Traefik routers don't work when I enable a sticky session feature.
The solution is that each service has a different cookie name. So, I added cookie names. For example:
```yaml
version: "3.8"
services:
  #...
  whoami:
    #...
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.routers.whoami.rule=Host(`192.168.0.1`) || Host(`192.168.0.2`)"
      - "traefik.http.services.whoami-service.loadBalancer.sticky.cookie=true"
      - "traefik.http.services.whoami-service.loadBalancer.sticky.cookie.name=whoami_cookie_name"
      - "traefik.http.services.whoami-service.loadbalancer.server.port=80"
  mynginximage2:
    #...
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mynginximage2.entrypoints=mynginximage2_ep"
      - "traefik.http.routers.mynginximage2.rule=Host(`192.168.0.1`) || Host(`192.168.0.2`)"
      - "traefik.http.services.mynginximage2-service.loadBalancer.sticky.cookie=true"
      - "traefik.http.services.mynginximage2-service.loadBalancer.sticky.cookie.name=mynginximage2_cookie_name"
      - "traefik.http.services.mynginximage2-service.loadbalancer.server.port=8086"
#...
```
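A consistency check over Traefik v2 Docker labels, run on label sets copied from the certificate question ("service labels") and from the sticky-session question and answer above. This is an added example, not code from any of the posts; `parse_labels`, `lint` and the finding names are hypothetical, and it only looks at the routers and services of one container.

```python
import re
from collections import defaultdict

# Label shape: traefik.http.<kind>.<name>.<option>=<value>
LABEL_RE = re.compile(r"^traefik\.http\.(routers|services)\.([^.]+)\.(.+)$", re.I)


def parse_labels(labels):
    """Group router/service labels as {kind: {name: {option: value}}}."""
    cfg = {"routers": defaultdict(dict), "services": defaultdict(dict)}
    for raw in labels:
        key, _, value = raw.partition("=")
        m = LABEL_RE.match(key.strip())
        if m:
            kind, name, option = m.groups()
            cfg[kind.lower()][name][option.lower()] = value.strip()
    return cfg


def lint(labels):
    """Return sorted (router, finding) pairs for one container's labels."""
    cfg = parse_labels(labels)
    routers, services = cfg["routers"], cfg["services"]
    findings = []
    for name, opts in routers.items():
        if "rule" not in opts:
            # Options on a router that has no rule usually mean a misspelled
            # router name: the option never reaches the router that serves traffic.
            findings.append((name, "no-rule"))
            continue
        tls_on = opts.get("tls", "").lower() == "true" or any(
            o.startswith("tls.") for o in opts)
        if tls_on and "tls.certresolver" not in opts:
            findings.append((name, "tls-without-certresolver"))
        target = opts.get("service")
        if target is None and len(services) > 1:
            # Several services on one container and no explicit .service label:
            # Traefik cannot choose a service for the router.
            findings.append((name, "ambiguous-service"))
        elif target and "@" not in target and target not in services:
            findings.append((name, "unknown-service"))
    return sorted(findings)


# Copied from the "service labels" block of the certificate question.
GITEA_LABELS = [
    "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)",
    "traefik.http.routers.gitea.entrypoints=websecure",
    "traefik.http.routers.gitea.tls=true",
    "traefik.http.routers.registry.tls.domains[0].main=example.com",
    "traefik.http.routers.registry.tls.domains[0].sans=*.example.com",
    "traefik.http.routers.gites.tls.certresolver=resolver",
    "traefik.http.services.gitea-svc.loadbalancer.server.port=3000",
]
# mynginximage2 labels from the sticky-session question, sticky line enabled.
STICKY_BEFORE = [
    "traefik.enable=true",
    "traefik.http.routers.mynginximage2.entrypoints=mynginximage2_ep",
    "traefik.http.routers.mynginximage2.rule=Host(`192.168.0.1`) || Host(`192.168.0.2`)",
    "traefik.http.services.mynginximage2.loadBalancer.sticky.cookie=true",
    "traefik.http.services.mynginximage2-service.loadbalancer.server.port=8086",
]
# The same service as labelled in the answer.
STICKY_AFTER = STICKY_BEFORE[:3] + [
    "traefik.http.services.mynginximage2-service.loadBalancer.sticky.cookie=true",
    "traefik.http.services.mynginximage2-service.loadBalancer.sticky.cookie.name=mynginximage2_cookie_name",
    "traefik.http.services.mynginximage2-service.loadbalancer.server.port=8086",
]

if __name__ == "__main__":
    for title, labels in (("gitea", GITEA_LABELS),
                          ("sticky, question", STICKY_BEFORE),
                          ("sticky, answer", STICKY_AFTER)):
        print(title, lint(labels) or "ok")
```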
