Traefik 2: Concept
Description
Traefik is a reverse proxy that is also a load balancer. The first version was very easy to set up on a Docker Swarm.
The need
In general, we need to deploy containers and make them accessible, for example by a domain name.
If we break down this need, we have:
- a service that listens on this IP and on one or more ports
- a service that certifies transactions
- a certificate management service
- a request redirection service (HTTP or TCP) to the right container.
For all that, we have Traefik v2.
The elements of Traefik v2
Configurations
Traefik manages two types of configuration: dynamic and static.
For the static part, I use a traefik.yaml file.
The dynamic part is managed by labels positioned at the container level.
The providers
Traefik needs to know who will provide it with its dynamic configuration; these sources are called providers.
In my case, it is Docker in swarm mode. So I add this to traefik.yaml:
providers:
  docker:
    watch: true
    swarmMode: true
    endpoint: "unix:///var/run/docker.sock"
EntryPoints
The entryPoints are the ip:port pairs on which Traefik will listen. It's a static configuration.
entrypoints:
  ssh:
    address: ":22"
  http:
    address: ":80"
  https:
    address: ":443"
Warning: Traefik follows convention over configuration. If you do not specify entryPoints on your routers, by default, it will take the first one from the list.
For my part, I list them in order of port number to make them easier to read.
The routers
Routers can be managed statically, but in my case they are managed dynamically.
A router needs one or more entryPoints and a rule so that Traefik can determine which router to follow.
Take exposing the Traefik dashboard as the example for the rest of the article.
We will listen on port 80 for requests whose Host header is traefik.example.tld.
We must add the following labels to our traefik container:
- "traefik.http.routers.traefik-router0.entryPoints=http"
- "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)"
Services
The service is easy to configure since it is the container that carries the labels.
Traefik will deduce a lot from that.
Now, I'm going to show you how to specify the network on which Traefik should look for the container ip and how to specify the port.
By default, I always add the containers that must be exposed via Traefik to the traefik-net network. It is a habit I acquired with v1.
In the labels of the container, I tell Traefik to use the IP on this network:
- "traefik.docker.network=traefik-net"
Then I tell it the port for the dashboard service. But here, Traefik 2 does not allow this without enabling it at the Docker provider.
In the traefik.yaml file, I modify the providers block as follows:
providers:
  docker:
    watch: true
    swarmMode: true
    useBindPortIP: true
    endpoint: "unix:///var/run/docker.sock"
This allows adding the following label:
- "traefik.http.services.traefik-service.loadbalancer.server.port=8080"
Of course, Traefik must also be asked to expose its dashboard, which is done in traefik.yaml:
api:
  dashboard: true
From there, by launching the traefik service, we can already access our dashboard. But everything is public.
Fortunately, Traefik provides a way to add intermediate processing via middleware.
The middlewares
There are all kinds, but to start with I'll show you how to add basic auth and then attach the middleware to a router.
The configuration of a middleware can be static or dynamic. I thought a lot about where to set up this middleware.
In the end, I decided that all Traefik elements must be configured dynamically.
So I added this label to my Traefik container:
- "traefik.http.middlewares.auth.basicauth.users=titi:$$2y..."
And to add it to my router:
- "traefik.http.routers.traefik-router0.middlewares=auth"
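A small check for the labels built up above, as an added example that is not part of the original article: it flags a misspelt section such as routeurs, a router with no middleware attached, and a basic-auth hash whose $ is not doubled for the stack file. The function name, the list names and the sample hash are constructed for illustration.

```python
import re

# traefik.<http|tcp>.<section>.<name>.<option>=<value>
LABEL = re.compile(r"^traefik\.(?:http|tcp)\.([^.]+)\.([^.]+)\.([^=]+?)\s*=\s*(.*)$")
SECTIONS = {"routers", "services", "middlewares"}
LONE_DOLLAR = re.compile(r"(?<!\$)\$(?!\$)")  # a '$' that is not part of '$$'

def audit_labels(labels):
    """Return findings for one container's Traefik v2 routing labels."""
    findings, routers, defined = [], {}, set()
    for label in labels:
        m = LABEL.match(label)
        if not m:
            continue  # e.g. traefik.docker.network: not a routing label
        section, name, option, value = m.groups()
        section_l, option_l = section.lower(), option.lower()
        if section_l not in SECTIONS:
            findings.append(f"unknown section '{section}': {label}")
        elif section_l == "routers":
            routers.setdefault(name, {})[option_l] = value
        elif section_l == "middlewares":
            defined.add(name)
            if option_l == "basicauth.users" and LONE_DOLLAR.search(value):
                findings.append(f"middleware '{name}': '$' in hash not doubled")
    for name, opts in sorted(routers.items()):
        if "entrypoints" not in opts:
            findings.append(f"router '{name}': no entryPoints set")
        used = [x.strip() for x in opts.get("middlewares", "").split(",") if x.strip()]
        if not used:
            findings.append(f"router '{name}': no middleware attached")
        findings += [f"router '{name}': middleware '{x}' not defined here"
                     for x in used if x.split("@")[0] not in defined]
    return findings

# Constructed sample: draft labels with a misspelt section and a raw hash.
DRAFT = [
    "traefik.http.routers.traefik-router0.entrypoints=http",
    "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)",
    "traefik.http.routeurs.traefik-router0.middlewares=auth",
    "traefik.http.middlewares.auth.basicauth.users=titi:$2y$05$CONSTRUCTED",
    "traefik.http.services.traefik-service.loadbalancer.server.port=8080",
]
# Same labels corrected, as they would appear in the stack file.
FIXED = [l.replace("routeurs", "routers").replace("$", "$$") for l in DRAFT]

if __name__ == "__main__":
    for finding in audit_labels(DRAFT):
        print(finding)
```

Run against the draft list, it reports the misspelt label, the undoubled hash and the router left without its auth middleware; the corrected list produces no findings.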
Conclusion
So much for the first start of my Traefik v2 on my Swarm with a basic configuration.
In the following article, I will detail my traefik.yaml and stack-traefik.yml files for https redirection as well as certificate management.
In the meantime, here are the contents of the two files.
traefik.yaml
api:
  dashboard: true
entrypoints:
  ssh:
    address: ":22"
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    watch: true
    swarmMode: true
    useBindPortIP: true
    endpoint: "unix:///var/run/docker.sock"
stack-traefik.yml
version: "3.3"
networks:
  traefik-net:
    external: true
configs:
  traefik.yaml:
    file: ./traefik.yaml
services:
  traefik:
    image: traefik:v2.0
    ports:
      - 80:80
      - 443:443
      - 22:22
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    configs:
      - source: traefik.yaml
        target: /etc/traefik/traefik.yaml
    networks:
      - traefik-net
    deploy:
      mode: global
      placement:
        constraints: [node.role == manager]
      # in swarm mode the Traefik labels go on the service, under deploy
      labels:
        - "traefik.docker.network=traefik-net"
        - "traefik.http.routers.traefik-router0.entrypoints=http"
        - "traefik.http.routers.traefik-router0.rule=Host(`traefik.kharats.fr`)"
        - "traefik.http.routers.traefik-router0.middlewares=auth"
        # every $ of the password hash is doubled ($$) in the stack file
        - "traefik.http.middlewares.auth.basicauth.users=titi:$$2y$$..."
        - "traefik.http.services.traefik-service.loadbalancer.server.port=8080"