Traefik 2 : Concept

David YOTEAU (jadekharats) ・4 min read

Description

Traefik is a reverse proxy that is also a load balancer. The first version was very easy to set up on a Docker Swarm.

The need

In general, we need to deploy containers and make them reachable, for example through a domain name.

If we break down this need, we have:

  • a service that listens on this IP and on one or more ports
  • a service that certifies transactions
  • a certificate management service
  • a request redirection service (HTTP or TCP) to the right container.

For all that, we have Traefik v2.

The elements of Traefik v2

Configurations

Traefik manages two types of configuration: dynamic and static.
For the static part, I chose a traefik.yaml file.
The dynamic part is managed by labels placed at the container level.

The providers

Traefik needs to know what will supply its dynamic configuration; these sources are called providers.

In my case, it is Docker in swarm mode, so I add this to traefik.yaml:

providers:
  docker:
    watch: true
    swarmMode: true
    endpoint: "unix:///var/run/docker.sock"

EntryPoints

The entryPoints are the ip:port pairs on which Traefik will listen. It's a static configuration.

entrypoints:
  ssh:
    address: ":22"
  http:
    address: ":80"
  https:
    address: ":443"

Warning: Traefik follows convention over configuration. If you do not specify entryPoints on your routers, by default it will take the first one from the list.
For my part, I list them in order of port number so they are easier to read.

The routers

Routers can be managed statically, but in my case they are managed dynamically.
A router needs one or more entryPoints and a rule that lets Traefik determine which router to follow.

For the rest of the article, we take the example of exposing the Traefik dashboard.

We will listen on port 80 for requests whose Host header is traefik.example.tld.

We must add the following labels to our Traefik container:

- "traefik.http.routers.traefik-router0.entryPoints=http"
- "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)"

Services

The service is easy to configure since it is the container that carries the labels.
Traefik will deduce a lot from that.

Now, I'm going to show you how to specify the network on which Traefik should look for the container IP and how to specify the port.

By default, I always add containers that must be exposed via Traefik to the traefik-net network. It is a habit I picked up with v1.

In the labels of the container, I tell Traefik to use the container's IP on this network:

- "traefik.docker.network=traefik-net"

Then I tell it the port for the dashboard service. But here, Traefik 2 does not allow this without enabling it at the docker provider.
In the traefik.yaml file, I modify the providers block as follows:

providers:
  docker:
    watch: true
    swarmMode: true
    useBindPortIP: true
    endpoint: "unix:///var/run/docker.sock"

This makes it possible to add the following label:

- "traefik.http.services.traefik-service.loadbalancer.server.port=8080"

Of course, Traefik must also be told to expose its dashboard, which is done in traefik.yaml:

api:
  dashboard: true

From there, by launching the traefik service, we could already access our dashboard. But everything is public.
Fortunately, Traefik provides a way to add intermediate processing via middlewares.

The middlewares

There are all kinds of middleware, but to start with I'll show you how to add basic auth, then attach the middleware to a router.

The configuration of a middleware can be static or dynamic. I thought a lot about where to set up this middleware.
In the end I decided that all Traefik elements should be dynamically configured.

So I added this label to my Traefik container:

- "traefik.http.middlewares.auth.basicauth.users=titi:$$2y..."

And to add it to my router:

- "traefik.http.routers.traefik-router0.middlewares=auth"

Conclusion

So much for the first start of my Traefik v2 on my Swarm with a basic configuration.
(Screenshot: Traefik v2 dashboard)

In the following article, I will detail my traefik.yaml and stack-traefik.yml files for https redirection as well as certificate management.
In the meantime, I give you the contents of the two files below.

traefik.yaml

api:
  dashboard: true
entrypoints:
  ssh:
    address: ":22"
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    watch: true
    swarmMode: true
    useBindPortIP: true
    endpoint: "unix:///var/run/docker.sock"

stack-traefik.yml

version: "3.3"

networks:
  traefik-net:
    external: true

configs:
  traefik.yaml:
    file: ./traefik.yaml

services:
  traefik:
    image: traefik:v2.0
    ports:
      # Quoted so that YAML does not read "22:22" as a base-60 number
      - "80:80"
      - "443:443"
      - "22:22"
    volumes:
      # Docker socket, mounted read-only, for the docker provider
      - /var/run/docker.sock:/var/run/docker.sock:ro
    configs:
      - source: traefik.yaml
        target: /etc/traefik/traefik.yaml
    networks:
      - traefik-net
    deploy:
      mode: global
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.docker.network=traefik-net"
        - "traefik.http.routers.traefik-router0.entrypoints=http"
        - "traefik.http.routers.traefik-router0.rule=Host(`traefik.kharats.fr`)"
        - "traefik.http.routers.traefik-router0.middlewares=auth"
        # "$$" is a literal "$" escaped for the compose file
        - "traefik.http.middlewares.auth.basicauth.users=titi:$$2y$$..."
        - "traefik.http.services.traefik-service.loadbalancer.server.port=8080"
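
A small check for the kind of label set used in this article, as an added example (not the author's code and not part of Traefik): it flags label sections other than routers, services and middlewares, routers that leave entryPoints implicit, routers with no middleware in front of them, and a basic-auth hash whose `$` is not doubled for the compose file. The function name, the DRAFT sample and the finding texts are assumptions made for the illustration.

```python
import re

KNOWN_SECTIONS = {"routers", "services", "middlewares"}
LABEL_RE = re.compile(r"^traefik\.http\.([^.]+)\.([^.]+)\.([^=]+?)\s*=\s*(.*)$")
LONE_DOLLAR = re.compile(r"(?<!\$)\$(?!\$)")  # a '$' that compose would interpolate

def lint_labels(labels):
    """Return sorted findings for Traefik v2 HTTP labels as written in a compose file."""
    findings, routers, defined = [], {}, set()
    for label in labels:
        m = LABEL_RE.match(label)
        if not m:
            continue  # e.g. traefik.docker.network: not an HTTP object
        section, name, option, value = m.groups()
        if section.lower() not in KNOWN_SECTIONS:
            findings.append(f"unknown section '{section}' in label: {label}")
        elif section.lower() == "routers":
            routers.setdefault(name, {})[option.lower()] = value
        elif section.lower() == "middlewares":
            defined.add(name)
            if option.lower() == "basicauth.users" and LONE_DOLLAR.search(value):
                findings.append(f"middleware '{name}': '$' in hash not doubled to '$$'")
    for name, opts in routers.items():
        if "entrypoints" not in opts:
            findings.append(f"router '{name}': no explicit entryPoints")
        used = [x.strip() for x in opts.get("middlewares", "").split(",") if x.strip()]
        if not used:
            findings.append(f"router '{name}': no middleware attached")
        findings += [f"router '{name}': middleware '{mw}' is not defined here"
                     for mw in used if mw.split("@")[0] not in defined]
    return sorted(findings)

# Constructed sample: misspelled section, missing entryPoints, single '$' in the hash.
DRAFT = [
    "traefik.http.routers.dash.rule=Host(`traefik.example.tld`)",
    "traefik.http.routeurs.dash.middlewares=auth",
    "traefik.http.middlewares.auth.basicauth.users=titi:$2y$05$constructedhash",
]
# Label set from the stack file on this page (hash elided as on the page).
STACK = [
    "traefik.docker.network=traefik-net",
    "traefik.http.routers.traefik-router0.entrypoints=http",
    "traefik.http.routers.traefik-router0.rule=Host(`traefik.kharats.fr`)",
    "traefik.http.routers.traefik-router0.middlewares=auth",
    "traefik.http.middlewares.auth.basicauth.users=titi:$$2y$$...",
    "traefik.http.services.traefik-service.loadbalancer.server.port=8080",
]

if __name__ == "__main__":
    print(*lint_labels(DRAFT), f"STACK: {lint_labels(STACK)}", sep="\n")
```

A middleware declared on another container is reported as "not defined here", since the check only sees the labels it is given.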
