Update stack-proxy.yml

[tmackness]

• use traefik for the dashboard, thus remove port binding 8080 and access via subdomain
• add a default network e.g. proxy (save adding "traefik.network=proxy" label to every service)
• set exposedByDefault to false, thus have to use "traefik.enable=true" label in each service for better security.

[pascalandy]

@tmackness good work on this! I'll test it.

The missing part (Consul on HA set up) of the puzzle is here: https://dockerswarm.rocks/traefik/ Still testing on my side. Cheers!

[BretFisher]

Hey, thanks for the PR. Some feedback:

1. This doesn't work for me, and I seem to remember others having this issue in traefik GHIssues
2. Sweet, it works.
3. I don't set exposedByDefault to true anywhere and the default must be false, because if I deploy stacks in the proxy network they aren't added to Traefik. Can you replicate the issue?

[tmackness]

1. Works perfectly fine for me. Maybe they have fixed the issue?

3 I’ll have a look and get back to you.

[BretFisher]

FYI I'm testing with the stack-proxy-global.yml now, as stack-proxy.yml isn't redundant in any way. The "self proxy" of the dashboard doesn't work for me with consul backend and seeding it with a different traefik service.

[BretFisher]

ah, ok got traefik working, not sure what I did different... :), I'm adding each of these as a commit for both stack files for traefik and giving you credit :). So 1 and 2 are implemented so far.

[tmackness]

Ah great.

As for 3. here in the docs states:

# Expose containers by default in Traefik.
# If set to false, containers that don't have `traefik.enable=true` will be ignored.
#
# Optional
# Default: true
#
exposedByDefault = true

[tmackness]

I prefer to set a label on all the containers I wish to connect to Traefik in order to be more explicit.

[BretFisher]

I'ved tested exposedByDefault and I'm confused by it's use. How can a service be exposed by default if traefik doesn't know what port it runs on or the dns name to route to it? I can confirm if I remove port/hostname labels that the frontend/backend disappear. So either exposedByDefault is false by default and docs are wrong, or there is something else I don't understand for how you "accidentally expose services on the proxy network". Thoughts?

[tmackness]

I see what your saying. I'm very new to Traefik TBH and didn't actually give it too much thought. Maybe setting defaults in the Traefik service could cause some to connect?

Say you have multiple services that expose port 1000 and you have the Traefik defaults with:

• docker.domain=traefik
• docker.network=proxy
• traefik.port=1000

Haven't tested this, but maybe it would automatically proxy to these services?

[tmackness]

This sheds a little light: Issue 663

[FinalDes]

I have working example on my repo:

https://github.com/FinalDes/docker-swarm-defauts/blob/master/traefik/docker-compose.yml