Jacar mascot — reading along A laptop whose eyes follow your cursor while you read.
Cómo Instalar Herramientas

How to Install Traefik on Docker Swarm with Certificates

10 min read 68 reads
How to Install Traefik on Docker Swarm with Certificates
Table of contents
  1. Key takeaways
  2. What Needs to Be in Place Before Starting
  3. The Network Over Which Services Talk
  4. Certificates: HTTP Challenge or DNS Challenge
  5. The Certificate Store
  6. Static and Dynamic Configuration
  7. The Dashboard: Useful but Must Be Protected
  8. Middlewares: Where Policy Lives
  9. What You’ll Forget the First Time
  10. Conclusion

Actualizado: 2026-05-03

Traefik[1] has become, almost by osmosis, the default reverse proxy in Docker Swarm environments: label-driven declarative config, nearly transparent Let’s Encrypt certificates, and a dashboard that makes routing understandable. This guide is aimed at the moment you move from “works on my laptop” to “this has to receive real traffic”, a less trivial jump than it seems.

Key takeaways

  • The traefik_public overlay network is the join point between Traefik and the services it proxies.
  • The DNS-01 challenge is preferred in production: it allows wildcards and frees port 80 during validation.
  • A single-node local volume cert store fails when you scale to a second manager.
  • The dashboard contains sensitive information: never expose it without strong authentication.
  • Middlewares in reusable chains (chain-base, chain-oauth) are what keep the config manageable.

What Needs to Be in Place Before Starting

Four things should be resolved before running a single command:

  • An initialized Swarm cluster, even with a single node.
  • A domain whose record points to the manager’s public IP.
  • An API token at your DNS provider with permission to create TXT records.
  • An email address for Let’s Encrypt.

Ports 80 and 443 must be open toward the manager. This sounds obvious but is one of the most common causes of initial errors.

The Network Over Which Services Talk

Traefik needs an overlay network shared with proxied services:

bash
docker network create --driver=overlay --attachable traefik_public

From here, any service declaring traefik_public as one of its networks is automatically discoverable by Traefik.

Certificates: HTTP Challenge or DNS Challenge

The DNS-01 challenge is almost always the right choice for production:

  • It frees Traefik from receiving traffic on port 80 during validation.
  • It allows wildcard certificates (*.example.com).

HTTP-01 suffices if you only need certs for the domain already pointed at the server and don’t need wildcards.

The Certificate Store

Let’s Encrypt issues certificates every 90 days and Traefik renews them automatically, keeping them in a JSON file on disk. This is the most often-overlooked detail:

  • For a single manager, a Docker volume suffices.
  • For multiple managers, the file must be on shared storage (NFS, GlusterFS, JuiceFS).

If you anticipate growing, solve it from the start.

Static and Dynamic Configuration

Traefik splits config into two planes:

  • Static: things that don’t change hot (discovery providers, entrypoints, cert resolvers, logging). Lives in traefik.yml.
  • Dynamic: routes, middlewares, services. Lives in each service’s labels.

The Dashboard: Useful but Must Be Protected

The dashboard shows active routes, applied middlewares, and service state. The temptation to leave it publicly exposed is real; don’t.

Two approaches work:

  • Make it accessible only through internal networking (e.g., WireGuard) without exposing it through Traefik.
  • Expose it protected by strong authentication middleware (OAuth via Authentik, Keycloak, or at least basic auth with non-trivial credentials).

Middlewares: Where Policy Lives

The most useful in production:

  • HTTP-to-HTTPS redirection: 301 for every port-80 request.
  • Security headers: Strict-Transport-Security, X-Frame-Options, and similar.
  • Compression: gzip and brotli automatically.
  • IP rate limiting: dampens spikes and basic attacks.
  • Forward auth: delegates to Authentik or similar.

Define chains grouping common middlewares: a chain-base for everything public, a chain-oauth adding forward auth for dashboards and internal tools.

What You’ll Forget the First Time

Common oversights:

  • Default logLevel is too verbose for production; drop to INFO.
  • JSON-format access log piped to Loki or Elasticsearch is enormously valuable.
  • Prometheus metrics are off by default; enabling is one line.
  • Traefik’s default CA, if you don’t declare another, is Let’s Encrypt’s staging — which issues certs not valid in browsers.

Conclusion

Traefik wins comfortably in environments with many small services changing often, which is exactly most Swarm stacks: label config, native Docker integration, and automatic certificates are the winning combo. Start with the minimum, don’t activate the dashboard without authentication, add middlewares as you actually need them. And when things grow, take shared cert-store storage seriously: it’s the kind of decision that, made badly, haunts you through the first scale-up.

Was this useful?
[Total: 10 · Average: 4.4]
Post Views: 68
  1. Traefik

Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.

440 Articles 36K Reads Rating

Related posts

Cómo Instalar

How to install Portainer with Docker Compose v2

Portainer es la UI web de referencia para gestionar contenedores Docker, stacks de Compose y clusters Swarm/Kubernetes. Guía paso a paso con compose.yaml moderno, HTTPS en el puerto 9443, volumen nombrado y configuración opcional con Traefik.

1.0K 9 min 4.7
Cómo Instalar

How to install a local MCP server for your editor

Model Context Protocol ha pasado de propuesta a estándar de facto para conectar editores con herramientas. Guía práctica para levantar un servidor MCP local, conectarlo a VS Code o a tu cliente favorito y entender qué estás exponiendo realmente.

87 13 min 4.2