Docker Community Forums

Share and learn in the Docker community.

Traefik (reverse) proxy for Docker Swarm in HTTPS only environment

Hi there :slight_smile:

In our network I am setting up a Docker swarm cluster for our DevOps tools (Jenkins, Nexus, …). In the last two months, I worked on a local prototype with virtual box, now I have to bring it to production. I have already set up a swarm of three nodes (1 manager, two workers). In step one I want to deploy a traefik reverse proxy to this swarm that should later be used to access all my services. In my local prototype, that worked fine, but in production, we are only allowed to use https and so the global firewall only allows communication on port 443. And here is my problem:
How do I configure my traefik service to show the dashboard (usually port 8080) on port 443? I tried different configurations after doing long online research. Currently, I have opened a question on Stackoverflow for that problem. Can someone maybe have a look at this?

Or should I copy the content of the Stackoverflow question to this forum?

I found out that my network traffic reached the Docker COntainer with the revers Proxy (traefik) but the answers did not come back to the client. It looks like the NAT (=network address translation) rules, generated by docker are not correct. I have a cleint in one network:

client.intranet.company.de

And I have my docker hosts in another network (for example the Docker swarm manager, hosting my traefik service):

docker-manager.prod.company.de

When I use the browser to access https://docker-manager.prod.company.de, the network traffic is forwarded (because auf generated NAT rules) over the docker_gwbridge network to the IP address of my traefik container. But the answers do not get back to my client, bacause the container does not know my client and answers to the docker_gwbridge but the bridge doesn’t forward the answer to my client, because the NAT MASQUERADE rules only work for LOCAL requests:

iptables -t nat -L -v
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   504 MASQUERADE  all  --  any    docker_gwbridge  anywhere      anywhere             ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16      anywhere
    0     0 MASQUERADE  all  --  any    !docker_gwbridge  172.18.0.0/16 anywhere

I had to add one more NAT MASQUERADE rule to my iptables:

iptables -t nat -A POSTROUTING -o docker_gwbridge -j MASQUERADE

resulting in following line:

1    52 MASQUERADE  all  --  any    docker_gwbridge  anywhere         anywhere

Now this workaround works and I can access my dashboard on https://docker-manager.prod.company.de but I do not understand why I have to do this network modifications, because my usecase should not be that rare and I never read about a solution like this to get a setup like this working.
Can someone maybe have a closer look at this topic?
Thanks in advance!