Traefik on Docker Swarm

Traefikopen in new window is an application load balancer written in Go and designed to simplify the task of serving HTTP(S) services whose configuration changes on the fly. Traefik v1.1.0 was recently released with support for Docker Swarm and it works excellently.

In this post, we'll go through how one sets up their Swarm cluster to automatically expose its services through Traefik.

Why use Traefik?

Unlike traditional reverse proxies, Traefik's configuration is ideally sourced directly from your service's configuration databases - with support for everything from ZooKeeper and Consort to Docker Swarm and Kubernetes' metadata. This enables Traefik to react almost instantaneously to changes in your service configurations, buying back valuable time on your SLA budgetopen in new window.

In addition to this: Traefik includes support for HTTP/2.0 out of the box, something I'm still waiting for HAProxy to support, and ACMEopen in new window support (which means LetsEncrypt without any effort).

Setting up your Swarm

First thing's first, we'll need to setup your Docker host to be running in Swarm mode. This is super-simple to accomplish, simply run the following if you haven't already.

docker swarm init

At this point, you should be able to run docker service ls without any errors.

Create a Network

You'll also want to create a network on which you'll advertise containers to Traefik. It's always a good idea to keep services like databases and caches off of this network, as Traefik will have the ability to access all the containers on this network, and you don't want to publish your DB by mistake.

docker network create --driver overlay http

You'll notice that we're using the overlay driver for this network. The overlay driver will create a virtual network between all of your swarm nodes and make it available to containers which are connected to this network.

Create the Traefik Service

Now for the juicy part, we're going to spin up the Traefik container on our Swarm cluster, giving it access to the /var/run/docker.sock socket so that it can access the Docker API and pull the information it needs to configure itself.

We'll also expose ports 80 and 8080, the http listener and Traefik's web dashboard respectively.

docker service create --name traefik `
    --network http `
    -p "80:80" `
    -p "8080:8080" `
    --mount "type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock" `
    "traefik:v1.1.1" `
        --web `
        --docker `
        --docker.swarmmode ` `
docker service create --name traefik \
    --network http \
    -p 80:80 \
    -p 8080:8080 \
    --mount "type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock" \
    traefik:v1.1.1 \
        --web \
        --docker \
        --docker.swarmmode \ \

You'll notice that we're passing a couple of command line options to Traefik here, specifically the following.

  • --web enables Traefik's web control panel (by default on port 8080).
  • --docker enables the Docker configuration driver.
  • --docker.swarmmode tells the Docker config driver to use Swarm mode services.
  • instructs the Docker driver to watch the Docker event stream for changes.
  • tells Traefik to publish services under <service-name> vhosts.

Create your Service

Now you'll want to spin up a container for us to play around with, let's use the excellent ehazlett/docker-demo container, which is perfect for this purpose.

docker service create --name demo `
    --network http `
    --label "traefik.port=8080" `
docker service create --name demo \
    --network http \
    --label "traefik.port=8080" \

Here we're telling Docker to run the service, connect it to the http network and set the traefik.port label, which Traefik will be looking for to determine how to connect to the container.

Check Traefik

Now that you've got everything set up, let's hop on over to the Traefik dashboard to confirm that everything is working correctly.

http://localhost:8080open in new window

You should see something like the following:

Traefik Dashboard

Check your Service

Great, now it's time to check that your service is available. We're using localtest.meopen in new window to route requests to your local machine. All does is resolve DNS to - nice and simple.

http://demo.localtest.meopen in new window

You should see the demo application, something like this:

Demo Application


Although this post was somewhat long, there's actually not much going on at all - with all the magic happening in a total of 4 commands. This just goes to show how easily one can automate the traditionally menial task of configuring your load balancers.

If you have any questions about how this works, portions which weren't explained adequately, or suggestions for future posts - please don't hesitate to leave a comment below.

A picture of Benjamin Pannell

Benjamin Pannell

Site Reliability Engineer, Microsoft

Dublin, Ireland