Painless Docker - 2nd Edition

Using Traefik as a Front-End Load Balancer with Docker Swarm

Traefik is a modern HTTP reverse proxy, load balancer, and service mesh. It supports multiple backends such as Docker Swarm, Kubernetes, Amazon ECS, Rancher, and more. Traefik natively integrates with Docker Swarm and can automatically discover services, react to changes in the Swarm, and adjust its routing rules dynamically without needing to restart or reconfigure. Traefik is particularly well-suited for Docker Swarm environments due to its seamless integration, automatic service discovery, and ease of configuration, especially in dynamic and frequently changing environments.

Let's start with a basic example. Create a network and two stacks:

• A network called whoami that will be used by the whoami service and Traefik.
• A Traefik stack that contains a Traefik service.
• A sample stack that contains a whoami service.

Traefik has to access the Docker Swarm API to discover services and route traffic to them. To achieve this, we need to mount the Docker socket in the Traefik container.

When Traefik receives a request, it will check the routing rules and forward the request to the right service. In our example, we will use the following routing rule: Host(whoami.$MANAGER_NODE_IP.nip.io). This means that Traefik will forward the request to the whoami service when the request is sent to whoami.$MANAGER_NODE_IP.nip.io.

nip.io is a DNS service that provides wildcard DNS for any IP address. This service receives a request and resolves the domain name to the IP address specified in the URL. For example, if we send a request to 127.0.0.1.nip.io or anything.127.0.0.1.nip.io, nip.io will resolve it to 127.0.0.1.

In our case, nip.io will allow us to access the whoami service we'll deploy using the following URL: whoami.$MANAGER_NODE_IP.nip.io instead of using an IP address or a real domain name.

If we need to deploy more services and expose them to the outside world, we can use other routing rules: domains, subdomains, paths, etc.

It's also worth noting that our cluster in this example contains 1 manager node and 1 worker node.

Start by creating the Traefik stack:

# create the traefik stack
cd $HOME && mkdir -p traefik && cd traefik && cat < docker-compose.yml
# Define services
services:
  # Reverse proxy service using Traefik
  reverse-proxy:
    # Use Traefik version 3
    image: traefik:v3.6.7
    # Traefik command-line options
    command:
      # Define entrypoint for HTTP traffic on port 80
      - "--entrypoints.web.address=:80"
      # Enable insecure API (for testing purposes)
      - "--api.insecure=true"
      # Enable Docker Swarm provider
      - "--providers.swarm=true"
      # Connect to Docker via socket
      - "--providers.swarm.endpoint=unix:///var/run/docker.sock"
      # Only expose containers with traefik.enable=true label
      - "--providers.swarm.exposedByDefault=false"
      # Enable access log
      - "--accesslog=true"
      # Set log level to DEBUG
      - "--log.level=DEBUG"
      # Set log format to JSON
      - "--log.format=json"
    # Expose ports for HTTP traffic and the Traefik dashboard
    ports:
      # Expose port 80 for HTTP traffic
      - "80:80"
      # Expose port 8080 for the Traefik dashboard
      - "8080:8080"
    # Mount the Docker socket for dynamic configuration
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    deploy:
      labels:
        # Disable Traefik for this service
        # This means Traefik will not route traffic to itself but will still be able to discover other services in the Swarm
        traefik.enable: "False"
      placement:
        constraints:
          # Deploy this service only on manager nodes in Docker Swarm
          - node.role == manager
    networks:
      # Connect this service to the 'whoami' external network
      - whoami
# Define external networks
networks:
  # External network named 'whoami'
  whoami:
    external: true
EOF