Docker Swarm + Traefik (Global Redirection & Subdomain & Auth to view Dashboard) + 2 backends
# A records pointing to the address of the network are needed for the hostnames used below.
# A CNAME with a * wildcard would also be good.
version: '3'

services:
  traefik:
    image: traefik:v2.0.0
    command:
      - --api.insecure=false # keep 'false' in production
      - --api.dashboard=true # see https://docs.traefik.io/v2.0/operations/dashboard/#secure-mode for how to secure the dashboard
      - --api.debug=true # enable additional endpoints for debugging and profiling; turn off in production
      - --log.level=DEBUG # debug while we get it working, for more levels/info see https://docs.traefik.io/observability/logs/
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik-public
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencryptresolver.acme.httpchallenge=true
      - --certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencryptresolver.acme.email=user@domain.com
      - --certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # To persist certificates
      - traefik-certificates:/letsencrypt
      # So that Traefik can listen to the Docker events (mounted read-only)
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        # Dashboard
        - traefik.http.routers.traefik.rule=Host(`proxy.domain.com`)
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.routers.traefik.tls.certresolver=letsencryptresolver
        - traefik.http.routers.traefik.entrypoints=websecure
        - traefik.http.routers.traefik.middlewares=authtraefik
        # user/password (https://www.web2generators.com/apache-tools/htpasswd-generator)
        # comma-separated users; every $ in the hash is doubled ($$) so compose does not interpolate it
        - traefik.http.middlewares.authtraefik.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/
        # global redirect to https
        - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
        - traefik.http.routers.http-catchall.entrypoints=web
        - traefik.http.routers.http-catchall.middlewares=redirect-to-https
        # middleware redirect
        - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
        # Swarm mode needs a port label on every service; the dashboard is served by api@internal, so this port is a dummy
        - traefik.http.services.dummy-svc.loadbalancer.server.port=9999
      placement:
        constraints:
          - node.role == manager

  helloworld:
    image: tutum/hello-world:latest
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.helloworld-web-secure.rule=Host(`domain.com`)
        - traefik.http.routers.helloworld-web-secure.tls.certresolver=letsencryptresolver
        - traefik.http.routers.helloworld-web-secure.tls=true
        - traefik.http.routers.helloworld-web-secure.entrypoints=websecure
        # if you have multiple ports exposed on the service, specify port in the web-secure service
        - traefik.http.services.helloworld-web-secure.loadbalancer.server.port=80

  backend:
    image: cauen/cauenode_backend
    # the original listed this networks key twice; a duplicate mapping key is invalid YAML
    networks:
      - traefik-public
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == worker
      labels:
        - traefik.enable=true
        # securing
        - traefik.http.routers.backend-secure.rule=Host(`api.domain.com`)
        - traefik.http.routers.backend-secure.tls.certresolver=letsencryptresolver
        - traefik.http.routers.backend-secure.tls=true
        - traefik.http.routers.backend-secure.entrypoints=websecure
        # Service port
        - traefik.http.services.backend.loadbalancer.server.port=1234

volumes:
  traefik-certificates:

networks:
  traefik-public:
    external: true
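
A check that can be run over the deploy labels of this stack before deploying it (an added example, not part of the original gist): it reports any router that serves `api@internal` without a `basicauth`, `digestauth` or `forwardauth` middleware attached. The function names and the two sample label lists are constructed for illustration, and the password hash is a placeholder.

```python
import re

# Traefik v2 middleware types that enforce authentication.
AUTH_TYPES = {"basicauth", "digestauth", "forwardauth"}
LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+)$", re.I)

def parse_labels(labels):
    """Split 'key=value' labels into router options and middleware types."""
    routers, middlewares = {}, {}
    for label in labels:
        key, _, value = label.partition("=")
        m = LABEL_RE.match(key.strip())
        if not m:
            continue  # traefik.enable, services.*, non-Traefik labels
        kind, name, option = m.group(1).lower(), m.group(2), m.group(3).lower()
        if kind == "routers":
            routers.setdefault(name, {})[option] = value.strip()
        else:
            # "basicauth.users" -> middleware type "basicauth"
            middlewares.setdefault(name, set()).add(option.split(".")[0])
    return routers, middlewares

def unprotected_dashboard_routers(labels):
    """Names of routers serving api@internal with no auth middleware attached."""
    # Middlewares defined outside these labels (e.g. name@file) cannot be
    # inspected here, so a router relying only on them is reported too.
    routers, middlewares = parse_labels(labels)
    findings = []
    for name, opts in sorted(routers.items()):
        if opts.get("service", "").lower() != "api@internal":
            continue
        attached = [m.strip() for m in opts.get("middlewares", "").split(",") if m.strip()]
        if not any(middlewares.get(m.split("@")[0], set()) & AUTH_TYPES for m in attached):
            findings.append(name)
    return findings

# Constructed sample: the dashboard labels from the stack above, placeholder hash.
SECURED = [
    "traefik.http.routers.traefik.rule=Host(`proxy.domain.com`)",
    "traefik.http.routers.traefik.service=api@internal",
    "traefik.http.routers.traefik.middlewares=authtraefik",
    "traefik.http.middlewares.authtraefik.basicauth.users=user:PLACEHOLDER_HASH",
]
# Constructed weak variant: same router with the middlewares label dropped.
WEAK = [l for l in SECURED if ".middlewares=" not in l]

if __name__ == "__main__":
    print("secured:", unprotected_dashboard_routers(SECURED))
    print("weak:", unprotected_dashboard_routers(WEAK))
```

A router whose only middleware is `redirect-to-https` is reported as well, since a redirect does not authenticate anyone.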