traefik.yml

version: '3.3'

services:

  traefik:
    image: traefik:v2.2
    # `mode: host`, could retrieve the real ip of the client, refer to:
    # https://dockerswarm.rocks/traefik/
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    deploy:
      replicas: ${TRAEFIK_REPLICAS:-3}
      placement:
        # traefik can only be deployed in manager node of swarm mode, refer to:
        # https://docs.traefik.io/providers/docker/#docker-api-access_1
        constraints:
          - node.role == manager
        preferences:
          - spread: node.id
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=${TRAEFIK_NETWORK}"
        - "traefik.http.routers.api.rule=Host(`traefik.${UI_DOMAIN?Variable UI_DOMAIN not set}`)"
        - "traefik.http.routers.api.service=api@internal"
        - "traefik.http.routers.api.entryPoints=web, websecure"
        - "traefik.http.routers.api.tls=true"
        - "traefik.http.routers.api.middlewares=IpWhiteList, auth"
        - "traefik.http.middlewares.IpWhiteList.ipwhitelist.sourcerange=${COMMON_IP_WHITELIST}"
        - "traefik.http.middlewares.auth.basicauth.users=${USERNAME?Variable USERNAME not set}:${HASHED_PASSWORD?Variable HASHED_PASSWORD not set}"
        # Dummy service for Swarm port detection. The port can be any valid integer value.
        - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik-log:/var/log/traefik/
    command:
      --log=true
      --log.level=INFO
      --accesslog=true
      --accesslog.filepath=/var/log/traefik/access.log
      --accesslog.fields.headers.defaultmode=keep
      --api=true
      --api.dashboard=true
      --providers.docker=true
      --providers.docker.swarmMode=true
      --providers.docker.exposedbydefault=false
      --entrypoints.web.address=:80
      --entrypoints.websecure.address=:443
      --providers.consul=true
      --providers.consul.endpoints="http://consul-leader:8500"
      --providers.consul.rootkey=traefik
      --providers.consul.tls.insecureSkipVerify=true
      --entrypoints.web.http.redirections.entryPoint.to=websecure
      #--providers.docker.constraints="Label(`traefik.enable`,`true`)"
    networks:
      - default
      - ${TRAEFIK_NETWORK}
    depends_on:
      - consul-leader

  consul-leader:
    image: consul
    command: agent -server -client=0.0.0.0 -bootstrap -ui
    volumes:
      - consul-data-leader:/consul/data
    environment:
      - CONSUL_BIND_INTERFACE=eth0
      - 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true}'
    networks:
      - default
      - ${TRAEFIK_NETWORK}
    deploy:
      # consul-leader need to be constrainted to a fixed node, otherwise the consul cluster will elect failed while redeploy the stack.
      placement:
        constraints:
          - node.labels.${STACK_NAME}.consul-data-leader == true
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=${TRAEFIK_NETWORK}"
        - "traefik.http.routers.consul-leader.rule=Host(`consul.${UI_DOMAIN?Variable UI_DOMAIN not set}`)"
        - "traefik.http.services.consul-leader.loadbalancer.server.port=8500"
        - "traefik.http.routers.consul-leader.entryPoints=web, websecure"
        - "traefik.http.routers.consul-leader.tls=true"
        - "traefik.http.routers.consul-leader.middlewares=IpWhiteList, auth"
        - "traefik.http.middlewares.IpWhiteList.ipwhitelist.sourcerange=${COMMON_IP_WHITELIST}"
        - "traefik.http.middlewares.auth.basicauth.users=${USERNAME?Variable USERNAME not set}:${HASHED_PASSWORD?Variable HASHED_PASSWORD not set}"

  consul-replica:
    image: consul
    command: agent -server -client=0.0.0.0 -retry-join="consul-leader"
    volumes:
      - consul-data-replica:/consul/data
    environment:
      - CONSUL_BIND_INTERFACE=eth0
      - 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true}'
    networks:
      - default
      - ${TRAEFIK_NETWORK}
    deploy:
      replicas: ${CONSUL_REPLICAS:-3}
      placement:
        preferences:
          - spread: node.id

volumes:
  consul-data-leader:
  consul-data-replica:
  traefik-log:

networks:
  traefik-public:
    external: true