In our network I am setting up a Docker swarm cluster for our DevOps tools (Jenkins, Nexus, …). In the last two months, I worked on a local prototype with VirtualBox; now I have to bring it to production. I have already set up a swarm of three nodes (one manager, two workers). In step one I want to deploy a Traefik reverse proxy to this swarm that should later be used to access all my services. In my local prototype, that worked fine, but in production we are only allowed to use HTTPS, and so the global firewall only allows communication on port 443. And here is my problem:
How do I configure my Traefik service to show the dashboard (usually port 8080) on port 443? I tried different configurations after doing long online research. Currently, I have opened a question on Stack Overflow for that problem. Can someone maybe have a look at this?
Or should I copy the content of the Stack Overflow question to this forum?
I found out that my network traffic reached the Docker container with the reverse proxy (Traefik), but the answers did not come back to the client. It looks like the NAT (network address translation) rules generated by Docker are not correct. I have a client in one network:
When I use the browser to access https://docker-manager.prod.company.de, the network traffic is forwarded (because of the generated NAT rules) over the docker_gwbridge network to the IP address of my Traefik container. But the answers do not get back to my client, because the container does not know my client and answers to the docker_gwbridge, but the bridge doesn't forward the answer to my client, because the NAT MASQUERADE rules only work for LOCAL requests:
iptables -t nat -L -v
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 504 MASQUERADE all -- any docker_gwbridge anywhere anywhere ADDRTYPE match src-type LOCAL
0 0 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
0 0 MASQUERADE all -- any !docker_gwbridge 172.18.0.0/16 anywhere
I had to add one more NAT MASQUERADE rule to my iptables:
iptables -t nat -A POSTROUTING -o docker_gwbridge -j MASQUERADE
resulting in the following line:
1 52 MASQUERADE all -- any docker_gwbridge anywhere anywhere
Now this workaround works and I can access my dashboard on https://docker-manager.prod.company.de, but I do not understand why I have to make this network modification, because my use case should not be that rare and I have never read about a solution like this to get such a setup working.
Can someone maybe have a closer look at this topic?
Thanks in advance!
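The post's diagnosis rests on reading the nat POSTROUTING chain: the only MASQUERADE rule whose out-interface is docker_gwbridge carries the "ADDRTYPE match src-type LOCAL" qualifier, so replies for non-local clients are never masqueraded, and the fix is to append an unrestricted rule. The following shell script is an added example written for this thread, not code from the original poster or from Docker: it parses `iptables -t nat -L POSTROUTING -v -n` output to report whether such an unrestricted rule is already present, and applies the poster's workaround idempotently (using `iptables -C` to check before `-A`). The bridge name, the function names and the two sample listings are assumptions: the listings are constructed to mirror the before/after output quoted in the post, with numeric (`-n`) addresses instead of "anywhere".

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Checks the nat POSTROUTING chain
# for an unrestricted MASQUERADE rule towards docker_gwbridge and, on request,
# adds the rule the post added by hand. Applying the rule needs root.

BRIDGE="${BRIDGE:-docker_gwbridge}"   # assumed bridge name; override via env

# Constructed sample listing (format of `iptables -t nat -L POSTROUTING -v -n`),
# mirroring the post's chain BEFORE the fix: only a LOCAL-restricted rule.
SAMPLE_BEFORE='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out               source               destination
    8   504 MASQUERADE all  --  *      docker_gwbridge   0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE all  --  *      !docker0          172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE all  --  *      !docker_gwbridge  172.18.0.0/16        0.0.0.0/0'

# Same chain AFTER `iptables -t nat -A POSTROUTING -o docker_gwbridge -j MASQUERADE`.
SAMPLE_AFTER="$SAMPLE_BEFORE
    1    52 MASQUERADE all  --  *      docker_gwbridge   0.0.0.0/0            0.0.0.0/0"

# has_unrestricted_masq <listing>
# Exit 0 if some MASQUERADE rule has out-interface $BRIDGE and no
# "src-type LOCAL" qualifier; exit 1 otherwise. With -v the columns are
# pkts bytes target prot opt in out source destination [extra], so the
# target is field 3 and the out-interface is field 7.
has_unrestricted_masq() {
  printf '%s\n' "$1" | awk -v br="$BRIDGE" '
    $3 == "MASQUERADE" && $7 == br && $0 !~ /src-type LOCAL/ { found = 1 }
    END { exit found ? 0 : 1 }'
}

# live_chain: capture the real chain (root required); used only when applying.
live_chain() {
  iptables -t nat -L POSTROUTING -v -n
}

# ensure_gwbridge_masq: append the workaround rule only if it is not there yet.
# `-C` returns 0 when an identical rule already exists, so re-running is safe.
ensure_gwbridge_masq() {
  iptables -t nat -C POSTROUTING -o "$BRIDGE" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -o "$BRIDGE" -j MASQUERADE
}

# Usage: ./check_gwbridge_masq.sh          -> report on the constructed samples
#        sudo ./check_gwbridge_masq.sh --apply -> check the live chain, add rule if missing
if [ "${1:-}" = "--apply" ]; then
  if has_unrestricted_masq "$(live_chain)"; then
    echo "unrestricted MASQUERADE via $BRIDGE already present"
  else
    ensure_gwbridge_masq && echo "added MASQUERADE rule for traffic leaving via $BRIDGE"
  fi
elif [ -z "${1:-}" ]; then
  has_unrestricted_masq "$SAMPLE_BEFORE" && echo "before: present" || echo "before: missing"
  has_unrestricted_masq "$SAMPLE_AFTER"  && echo "after: present"  || echo "after: missing"
fi
```

Two caveats before relying on this in production. A rule added with `iptables -A` is not persistent: it disappears on reboot and can be reordered or dropped when Docker rewrites its chains, so it belongs in whatever mechanism the hosts already use to persist firewall rules (or in a systemd unit that runs after the Docker service). And because MASQUERADE rewrites the source address to the host's docker_gwbridge address, the Traefik container no longer sees the real client IP; access logs and the X-Forwarded-For / X-Real-IP headers Traefik sets for backends will show the bridge address, which matters for any IP-based allow lists or audit logging on the services behind the proxy.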