What is Traefik?
Traefik is a router that lets you publish services on the internet quickly and easily. It receives requests and determines which services should respond to them. Other tools, such as HAProxy, also act as a reverse proxy.
In addition to acting as a reverse proxy, it also has utilities that make our lives easier when it comes to managing, acquiring and renewing SSL certificates, since it does all of this automatically. In this example we will use Let's Encrypt as the certificate provider, although others can be used.
Once installed, it is relatively simple to operate once you understand how it works. It is configured through labels on the services or containers that it should act on.
- Docker installed following the steps described in How to install Docker in Ubuntu 20.04.
- Docker Compose installed following the steps described in How to install Docker Compose in Ubuntu 20.04.
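To install Traefik on our system, we will create a Docker container using Docker Compose. To do that, we will first create a file called docker-compose.yml with the container's definition, and then run it on our system. Before that, we create the data directory and Traefik's own configuration file. The acme.json file will store the certificates and their private keys, so it is created with mode 600: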
mkdir -p docker/traefik/traefik-data
touch docker/traefik/traefik-data/acme.json
chmod 600 docker/traefik/traefik-data/acme.json
nano docker/traefik/traefik-data/traefik.yml
Inside the traefik.yml file we add the following content. First change the email address to one of your own, so that Let's Encrypt can warn you about expiring certificates:
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: firstname.lastname@example.org
      storage: acme.json
      httpChallenge:
        entryPoint: http
Traefik will listen on ports 80 and 443, corresponding to the HTTP and HTTPS services respectively. Traefik's monitoring dashboard does not have authentication of its own, so we will create htpasswd credentials and assign them to this service. Replace USER and PASSWORD with the ones you want. The sed command doubles every $ in the resulting hash, so that Docker Compose does not treat it as the start of a variable:
sudo apt-get install apache2-utils
echo $(htpasswd -nb USER PASSWORD) | sed -e s/\\$/\\$\\$/g
Now we create the virtual network that Traefik will be connected to, and the container specification:
docker network create traefik-proxy
cd docker/traefik
nano docker-compose.yml
Inside the docker-compose.yml file we add the following content. Replace USER:PASSWORD with the credentials you generated before, and change the host name to the one that we will use to access the service:
version: '3'
services:
  traefik:
    image: traefik:v2.4.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      - ./traefik-data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  traefik-proxy:
    external: true
We save the file by pressing Ctrl+X, then Y, then ENTER.
We start the container using Docker Compose:
docker-compose up -d
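A check for the dashboard labels used above, as an added example that is not part of the original tutorial: it reads Traefik labels as they are written in docker-compose.yml and reports any router that publishes api@internal without an authentication middleware, or whose basicauth entry is not a hash with doubled $ signs. The function names and the sample hash are constructed for illustration.

```python
# Added example: audit Traefik v2 Docker labels for an unprotected dashboard.
AUTH_TYPES = ("basicauth", "digestauth", "forwardauth")

# Constructed sample: the dashboard labels from this page, with a made-up hash.
SAMPLE = [
    "traefik.enable=true",
    "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$constructed$$hashvalue",
    "traefik.http.routers.traefik-secure.entrypoints=https",
    "traefik.http.routers.traefik-secure.middlewares=traefik-auth",
    "traefik.http.routers.traefik-secure.service=api@internal",
]

def parse_labels(labels):
    """Group labels into {name: {option: value}} for routers and middlewares."""
    found = {"routers": {}, "middlewares": {}}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.strip().lower().split(".")  # label keys are case-insensitive
        if len(parts) >= 5 and parts[:2] == ["traefik", "http"] and parts[2] in found:
            found[parts[2]].setdefault(parts[3], {})[".".join(parts[4:])] = value
    return found["routers"], found["middlewares"]

def audit_dashboard(labels):
    """Return a list of findings for every router that publishes api@internal."""
    routers, middlewares = parse_labels(labels)
    findings = []
    for name, opts in sorted(routers.items()):
        if opts.get("service") != "api@internal":
            continue
        chain = [m.strip().lower().split("@")[0]
                 for m in opts.get("middlewares", "").split(",")]
        auth = [m for m in chain
                if any(o.startswith(AUTH_TYPES) for o in middlewares.get(m, {}))]
        if not auth:
            findings.append(f"{name}: dashboard router has no auth middleware")
        for m in auth:
            users = middlewares[m].get("basicauth.users", "")
            for entry in filter(None, users.split(",")):
                user, _, secret = entry.partition(":")
                # Compose reads a single "$" as variable interpolation, so every
                # "$" of the htpasswd hash must be doubled, as the sed step does.
                if not secret.startswith("$$") or "$" in secret.replace("$$", ""):
                    findings.append(f"{m}: users entry {user!r} is not an escaped hash")
    return findings

if __name__ == "__main__":
    print(audit_dashboard(SAMPLE) or "no findings")
```

Run it against the labels list of your own compose file before starting the container; an empty result means the dashboard router is behind an auth middleware with a correctly escaped hash.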
We open a web browser and access the Traefik dashboard that we just created in Docker.