Reputation: 241
Hello traefik friends.
I just started to look into traefik. All tutorials show how to run one docker-compose.yml file with traefik together with other containers. I most often have many separate docker-compose.yml files and very much would like to use them with traefik.
So here is my code for the traefik container:
    version: "3.3"
    services:
      traefik:
        image: "traefik:v2.5"
        container_name: "traefik"
        command:
          #- "--log.level=DEBUG"
          - "--api.insecure=true"
          - "--providers.docker=true"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.websecure.address=:443"
          - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
          #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
          - "--certificatesresolvers.myresolver.acme.email=xxxxxxxxx@gmail.com"
          - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        ports:
          - "443:443"
          - "8080:8080"
        networks:
          - "traefik"
          - "external"
        volumes:
          - "./letsencrypt:/letsencrypt"
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
and the other exemplary docker-compose I would like to use with traefik:
    version: '3.1'
    services:
      php:
        image: php:7.4-apache
        ports:
          - 8081:80
        volumes:
          - ./php/www:/var/www/html/
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.php.rule=host(`php.xxxxxx.com`)"
          - "traefik.http.routers.php.entrypoints=websecure"
          - "traefik.http.routers.php.tls.certresolver=myresolver"
Unfortunately that doesn't seem to work (when I concat these two files into one big docker-compose.yml file, it works fine). Could you point me in the right direction?
Upvotes: 7
Views: 4329
Reputation: 383
Each docker-compose.yml by default creates its own virtual network. So traefik from the traefik network can't access the PHP server from some other "php-default" network.
See the Compose Networking docs.
You have to add the PHP server to the traefik network by setting the default network of the php/docker-compose.yml to traefik.
php/docker-compose.yml:
    services:
      php:
        image: php:7.4-apache
        # we need to tell traefik which port the container is listening on
        expose:
          - 80
        volumes:
          - ./php/www:/var/www/html/
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.php.rule=host(`php.xxxxxx.com`)"
          - "traefik.http.routers.php.entrypoints=websecure"
          - "traefik.http.routers.php.tls.certresolver=myresolver"
    networks:
      default:
        name: traefik
        external: true
OR if you want to have the php/docker-compose.yml in its own network, you have to define the traefik network in the compose file and add the php service to it:
    services:
      php:
        ...
        networks:
          - traefik
        ...
    networks:
      traefik:
        external: true
Note I have defined expose instead of port. The port exposes ports on the host, which you likely don't want when you are using a reverse proxy like traefik. The expose acts as mere documentation (see this Q) that traefik uses.
Both examples expect there is a traefik network defined somewhere. So to complete the setup, here is traefik/docker-compose.yml:
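    services:
      traefik:
        image: "traefik:v2.5"
        container_name: "traefik"
        # ...
        # your traefik setup
        # ...
        ports:
          - "443:443"
          - "8080:8080"
        networks:
          - "traefik"
        volumes:
          - "./letsencrypt:/letsencrypt"
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      traefik:
        # fixed name; without it Compose creates "<project>_traefik",
        # which the external "traefik" reference in the php file would not find
        name: traefik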
Upvotes: 6
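Added example, not part of the answer above: a small Python check of the naming rule that answer relies on. It works out which real Docker network each Compose service lands on, then reports Traefik-enabled services that share no network with the proxy or still publish a host port. The dicts are constructed stand-ins for the compose files on this page (labels assumed to be in list form), and the function names are hypothetical.

```python
# Added example. The dicts below are constructed stand-ins for the compose
# files on this page, shaped as a YAML loader would return them.

def real_network_name(project, key, top_level):
    """Name Docker uses for network `key` declared in Compose project `project`."""
    cfg = top_level.get(key) or {}
    if cfg.get("name"):
        return cfg["name"]          # explicit name wins
    if cfg.get("external"):
        return key                  # external networks get no project prefix
    return f"{project}_{key}"       # otherwise scoped to the project

def service_networks(project, compose, service):
    """Real names of every network one service is attached to."""
    keys = compose["services"][service].get("networks") or ["default"]
    top = compose.get("networks") or {}
    return {real_network_name(project, k, top) for k in keys}

def audit(proxy, apps):
    """proxy: (project, compose, service). apps: {project: compose}."""
    proxy_nets = service_networks(*proxy)
    findings = []
    for project, compose in apps.items():
        for name, svc in compose["services"].items():
            if "traefik.enable=true" not in (svc.get("labels") or []):
                continue            # not routed by Traefik
            if not proxy_nets & service_networks(project, compose, name):
                findings.append((project, name, "no network shared with proxy"))
            if svc.get("ports"):
                findings.append((project, name, "host port published past proxy"))
    return findings

TRAEFIK = {"services": {"traefik": {"networks": ["traefik"]}},
           "networks": {"traefik": {"name": "traefik"}}}
PHP_SEPARATE = {"services": {"php": {"ports": ["8081:80"],
                                     "labels": ["traefik.enable=true"]}}}
PHP_JOINED = {"services": {"php": {"expose": [80],
                                   "labels": ["traefik.enable=true"]}},
              "networks": {"default": {"name": "traefik", "external": True}}}

if __name__ == "__main__":
    proxy = ("traefik", TRAEFIK, "traefik")
    print(audit(proxy, {"php": PHP_SEPARATE}))   # both findings
    print(audit(proxy, {"php": PHP_JOINED}))     # no findings
```

A published port such as 8081:80 leaves the container reachable over plain HTTP on the host, alongside the TLS route through Traefik.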
Reputation: 1189
Traefik needs to be part of the networks for all the services it connects to. For me it works when I set network: host for Traefik. (And then you have to remove ports part.)
I do wonder how safe that is, I can't seem to access the admin interface from another machine, so that's good.
Upvotes: 1