What is Traefik?
Traefik is a router that allows you to publish services on the internet in a fast and easy way. It receives requests and determines which services should respond to them. There are other similar tools that also act as a reverse proxy, such as HAProxy.
In addition to acting as a reverse proxy, it automates the acquisition, management and renewal of SSL certificates. In this example we will use Let’s Encrypt as the certificate provider, although others can be used.
Once you understand how it works, Traefik is relatively simple to operate. It is managed through labels on the services or containers that we want it to route to.
Prerequisites
- Docker installed following the steps described in How to install Docker in Ubuntu 20.04.
- Docker Compose installed following the steps described in How to install Docker Compose in Ubuntu 20.04.
Installing Traefik
To install Traefik on our system, we will create a Docker container using Docker Compose. To do that, we will first create a file called docker-compose.yml with the container’s definition, and then we will run it on our system.
mkdir -p docker/traefik/traefik-data
touch docker/traefik/traefik-data/acme.json
chmod 600 docker/traefik/traefik-data/acme.json
nano docker/traefik/traefik-data/traefik.yml
Inside the traefik.yml file we add the following content. You should first change the email address to one of yours, so Let’s Encrypt can warn you when certificates are about to expire:
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: email@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
Traefik will listen on ports 80 and 443, corresponding to the http and https services respectively. Traefik’s monitoring dashboard does not have authentication, so we will create htpasswd credentials and assign them to this service. The sed command doubles every $ in the generated hash so that Docker Compose does not treat it as a variable reference. You should replace USER and PASSWORD with the ones you want:
sudo apt-get install apache2-utils
echo $(htpasswd -nb USER PASSWORD ) | sed -e s/\\$/\\$\\$/g
Now we create the virtual network that Traefik will be connected to, and then the container definition:
docker network create traefik-proxy
cd docker/traefik
nano docker-compose.yml
Inside the docker-compose.yml file we add the following content. You should replace USER and PASSWORD with the ones you generated before, and change the host name to the one that we will use to access the service:
version: '3'
services:
  traefik:
    image: traefik:v2.4.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # :ro protects the socket file only; Traefik can still query the Docker API through it
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      # Certificate store; must stay writable and keep mode 600 on the host
      - ./traefik-data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: only redirects to HTTPS
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      # Replace USER:PASSWORD with the output of the htpasswd command
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      # HTTPS router: serves the dashboard behind basic authentication
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  traefik-proxy:
    external: true
We save the file by pressing Ctrl+X, Y, and ENTER.
We start the container using Docker Compose:
docker-compose up -d
We open a web browser and access the Traefik dashboard that we just created in Docker:
https://traefik.example.com/
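Because the dashboard is protected only by the labels on the container, a detached middleware or a mistyped host name is enough to expose it or make it unreachable. The following Python check is an added example, not part of the original tutorial or of Traefik itself; the function names, the wording of the findings, the dash.example.com host and the rule that all routers on one container share a host name are assumptions of this example.

```python
import re

LABEL = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.([^=]+)=(.*)$")

def parse_labels(labels):
    """Group traefik.http.<kind>.<name>.<option>=<value> labels by kind and name."""
    routers, middlewares = {}, {}
    for label in labels:
        m = LABEL.match(label)
        if m:
            kind, name, option, value = m.groups()
            target = routers if kind == "routers" else middlewares
            target.setdefault(name, {})[option.lower()] = value
    return routers, middlewares

def audit(labels):
    """Return findings for one container's labels; an empty list means none."""
    routers, middlewares = parse_labels(labels)
    def uses(router, kind):
        # True if a middleware of this kind (e.g. basicauth) is attached to the router.
        names = [n.strip().split("@")[0] for n in router.get("middlewares", "").split(",")]
        return any(o.startswith(kind + ".") for n in names for o in middlewares.get(n, {}))
    findings = []
    for name, r in sorted(routers.items()):
        if r.get("service") == "api@internal" and not uses(r, "basicauth"):
            findings.append(f"{name}: dashboard exposed without basicauth")
        if not any(o.split(".")[0] == "tls" for o in r) and not uses(r, "redirectscheme"):
            findings.append(f"{name}: plain HTTP without redirect to HTTPS")
    # Assumption of this example: every router on the container serves one hostname.
    hosts = sorted({h for r in routers.values()
                    for h in re.findall(r"Host\(`([^`]+)`\)", r.get("rule", ""))})
    if len(hosts) > 1:
        findings.append("hostname mismatch: " + ", ".join(hosts))
    return findings

# Constructed sample modelled on the dashboard labels in this tutorial.
GOOD = [
    "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)",
    "traefik.http.middlewares.traefik-auth.basicauth.users=USER:HASH",
    "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https",
    "traefik.http.routers.traefik.middlewares=traefik-https-redirect",
    "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)",
    "traefik.http.routers.traefik-secure.middlewares=traefik-auth",
    "traefik.http.routers.traefik-secure.tls=true",
    "traefik.http.routers.traefik-secure.service=api@internal",
]
# Constructed weak variant: auth middleware detached, secure router on another host.
BAD = [x for x in GOOD if "secure.middlewares" not in x and "secure.rule" not in x]
BAD.append("traefik.http.routers.traefik-secure.rule=Host(`dash.example.com`)")
print(audit(GOOD), audit(BAD), sep="\n")
```

To check a real deployment, pass audit() the list of strings under the labels key of the service in docker-compose.yml.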