Traefik is a reverse proxy that is also a load balancer. The first version was very easy to set up on a Docker swarm.
In general, we need to deploy containers and make them accessible, for example by a domain name.
If we break down this need, we have:
- a service that listens on this IP and on one or more ports
- a service that certifies transactions
- a certificate management service
- a request redirection service (HTTP or TCP) to the right container.
For all that, we have Traefik v2.
Traefik manages two types of configurations: Dynamic or Static.
For the static part, I choose a
The dynamic part is managed by labels positioned at the container level.
Traefik needs to know who will provide it with its dynamic configuration called
In my case, it is a docker in swarm mode. So I add this to
```yaml
providers:
  docker:
    watch: true
    swarmMode: true
    # Docker socket as a unix:// URL (no leading slash)
    endpoint: "unix:///var/run/docker.sock"
```
The entryPoints are the ip:port pairs on which Traefik will listen. It's a static configuration.
```yaml
entrypoints:
  ssh:
    address: ":22"
  http:
    address: ":80"
  https:
    address: ":443"
```
Warning: Traefik works by convention over configuration. If you do not specify entryPoints on your routers, by default, it will take the first one from the list.
For my part, I list them in order of port number to make them easier to read.
Routers can be statically managed but are dynamically managed in my case.
A router needs one or more entryPoints and a rule to determine which router Traefik should follow.
For the rest of the article, let's take the example of exposing the Traefik dashboard.
We will listen for requests on port 80 whose Host header is "traefik.example.tld".
We must add the following labels to our Traefik container:
```yaml
- "traefik.http.routers.traefik-router0.entryPoints=http"
- "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)"
```
The service is easy to configure since it is the container that carries the labels.
Traefik will deduce a lot from that.
Now, I'm going to show you how to specify the network on which Traefik should look for the container ip and how to specify the port.
By default, I always add the containers that must be exposed via Traefik to the traefik-net network. It is a habit acquired with v1.
In the labels of the container, I tell Traefik to use the IP on this network.
Then I tell it the port of the dashboard service. But here, Traefik 2 does not allow this without enabling it at the Docker provider level.
In the traefik.yaml file, I modify the providers block as follows:
```yaml
providers:
  docker:
    watch: true
    swarmMode: true
    useBindPortIP: true
    # Docker socket as a unix:// URL (no leading slash)
    endpoint: "unix:///var/run/docker.sock"
```
This makes it possible to add the following label
Of course, Traefik must also be asked to expose its dashboard, which is done in
```yaml
api:
  dashboard: true
```
From there, by launching the traefik service, we could already access our dashboard. But everything is public.
Fortunately, Traefik provides a way to add intermediate processing via middleware.
There are all kinds, but to start with, I'll show you how to add basic auth, then how to add the middleware to a router.
The configuration of a middleware can be static or dynamic. I thought a lot about where to set up this middleware.
Then I ended up telling myself that all Traefik elements must be dynamically configured.
So, I added this label to my Traefik container
And to add it to my router
In the following article, I will detail my stack-traefik.yml files for https redirection as well as certificate management.
In the meantime, here are the contents of the two files.
```yaml
# traefik.yaml (static configuration)
api:
  dashboard: true

entrypoints:
  ssh:
    address: ":22"
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    watch: true
    swarmMode: true
    useBindPortIP: true
    endpoint: "unix:///var/run/docker.sock"
```
```yaml
# stack-traefik.yml
version: "3.3"

networks:
  traefik-net:
    external: true

configs:
  traefik.yaml:
    file: ./traefik.yaml

services:
  traefik:
    image: traefik:v2.0
    ports:
      # Quoted so that YAML never reads a mapping such as 22:22 as a base-60 number
      - "80:80"
      - "443:443"
      - "22:22"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    configs:
      - source: traefik.yaml
        target: /etc/traefik/traefik.yaml
    networks:
      - traefik-net
    deploy:
      mode: global
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.docker.network=traefik-net"
        - "traefik.http.routers.traefik-router0.entrypoints=http"
        - "traefik.http.routers.traefik-router0.rule=Host(`traefik.kharats.fr`)"
        - "traefik.http.routers.traefik-router0.middlewares=auth"
        # $$ is the stack-file escape for a literal $ in the password hash
        - "traefik.http.middlewares.auth.basicauth.users=titi:$$2y$$..."
        - "traefik.http.services.traefik-service.loadbalancer.server.port=8080"
```
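Because everything here is configured through labels, a misspelled section name, a router left without explicit entryPoints, or a router missing its auth middleware is easy to overlook. The following label check is an added example, not the author's code and not part of Traefik; the function name `audit_labels`, the sample labels and the list of checks are assumptions made for illustration, and label keys are compared case-insensitively.

```python
import re

# Constructed sample labels (not the author's stack file). The first router mirrors
# the article's dashboard router; the "app", "api" and "weak" entries are deliberately flawed.
SAMPLE_LABELS = [
    "traefik.docker.network=traefik-net",
    "traefik.http.routers.traefik-router0.entrypoints=http",
    "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)",
    "traefik.http.routers.traefik-router0.middlewares=auth",
    "traefik.http.middlewares.auth.basicauth.users=titi:$$2y$$...",
    "traefik.http.routors.app.entrypoints=https",  # typo: never reaches a router
    "traefik.http.routers.app.rule=Host(`app.example.tld`)",
    "traefik.http.routers.api.entrypoints=https",
    "traefik.http.routers.api.middlewares=ratelimit",
    "traefik.http.middlewares.weak.basicauth.users=toto:$2y$...",
]

SECTIONS = {"routers", "services", "middlewares"}
LABEL_RE = re.compile(r"^traefik\.(?:http|tcp)\.([^.]+)\.([^.]+)\.([^=]+)=(.*)$")

def audit_labels(labels):
    """Return findings for a list of 'key=value' Traefik v2 labels."""
    findings, routers, defined = [], {}, set()
    for label in labels:
        m = LABEL_RE.match(label.strip())
        if not m:
            continue  # not a router/service/middleware label
        section, name, option, value = m.groups()
        section, option = section.lower(), option.lower()
        if section not in SECTIONS:
            findings.append(f"unknown section '{section}': {label}")
        elif section == "routers":
            routers.setdefault(name, {})[option] = value
        elif section == "middlewares":
            defined.add(name)
            # In a compose/stack file a literal $ must be written $$.
            if option == "basicauth.users" and re.search(r"(?<!\$)\$(?!\$)", value):
                findings.append(f"middleware '{name}': unescaped $ in basicauth.users")
    for name, opts in sorted(routers.items()):
        if "entrypoints" not in opts:
            findings.append(f"router '{name}': no explicit entrypoints")
        used = [x.strip() for x in opts.get("middlewares", "").split(",") if x.strip()]
        if not used:
            findings.append(f"router '{name}': no middleware attached")
        for mw in used:
            # Only names without a provider suffix (or @docker) can be checked here.
            base, _, provider = mw.partition("@")
            if provider in ("", "docker") and base not in defined:
                findings.append(f"router '{name}': middleware '{mw}' is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_labels(SAMPLE_LABELS)))
```

The findings are policy choices of this example: a router without middleware is flagged because, as noted above, the dashboard is public until the basic auth middleware is attached.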