I use Docker heavily, and now Podman. But for some time now, I have been in a somewhat uncomfortable situation.
Many projects offer to serve an application locally through a local domain name "*.localhost" (which, in itself, is not the problem at all). And to do this, they use "Traefik".
Of course, you love Traefik. And I do too.
Traefik is a very complete, cloud-native, "easy to use" reverse proxy. But it has a serious handicap when we talk about "local" work, that is, as a gateway for an application that will point to a particular container and port: it uses the Docker API.
I am very far from denigrating Docker; I have been using it since its inception (in 2013). But it's not Docker itself that I like, it's the containerization. Docker has a lot of advantages, but for some time I have been very interested in "podman", which also offers serious advantages (especially keeping the user ID of the host).
In the end, the problem with Docker is its notoriety. Notoriety leads to acceptance, even if some of the solutions for doing something are inappropriate.
And therefore, when one of the pioneers of the Reverse Proxy genre such as Traefik comes on the market, forcing you to mount the Docker socket and use labels to manipulate the hosts, nobody flinches. "That's the way to do it".
That's not my philosophy.
As a matter of fact, Traefik uses what is proposed to it, and it is to its credit because it will work wonderfully well. And this with Kubernetes and Docker.
But it won't work with anything other than what it was designed for.
And here we are at the heart of the problem. I want to use Podman. And since there is no socket in rootless mode, Traefik will refuse to work.
To understand the problem (if I can call it that): Traefik uses the Docker API through a UNIX socket (or HTTP) to read the labels of the containers you manage; the labels define whether a route is active, what hostname to use, and other things.
Except that, despite the fact that Podman will provide a compatible socket, it doesn't work in rootless mode. The consequence is that even if I want to mount the socket to make Traefik work with Podman, I will have to start my containers as root (via
And that's out of the question!
To resolve this problem, I started to avoid Traefik in my local environment. The first solution was to use Nginx as a reverse proxy, but the configuration was a bit more complex than declaring hosts in labels. I needed to create a configuration file and mount it.
To allow my user to bind the 80/443 ports, I needed to call:
sudo sysctl -w net.ipv4.ip_unprivileged_port_start=0
After a while, I decided to develop something easier to use, something that doesn't use an API, labels, ... Something that only takes a "host to endpoint" declaration in the environment.
I mean, I wanted to create an agnostic solution, whatever container technology you want to use.
I named it "Pathwae".
That works with Docker, Podman and can work with other solutions!
After a while, I'm now proud to announce that I decided to release this for the community.
The website is here https://pathwae.net and you can use it this way:
```yaml
version: "3"
services:
  # example, start a simple "ghost" container
  # which listens on 2368 port
  blog:
    image: ghost
    environment:
      # mandatory with ghost...
      url: https://ghost.test.localhost

  # then use pathwae
  proxy:
    image: quay.io/pathwae/proxy
    environment:
      CONFIG: |
        ghost.test.localhost:
          to: http://blog:2368
          force_ssl: true
          # enabled: true
    # pathwae should bind port 80 and 443
    ports:
      - "80:80"
      - "443:443"
      # web UI
      - "8080:8080"
```
You probably noticed that Pathwae provides a Web UI; it is served on port 8080.
So, then, you can start the stack with `docker-compose up` or `podman-compose up` (don't forget to allow the opening of unprivileged ports as explained above) and visit http://ghost.test.localhost.
Pathwae will do the job. As you didn't provide a TLS/SSL certificate, it will create a temporary one.
The Web UI (http://localhost:8080) gives real-time information about certificates, state and requests. But it also allows you to change the endpoint or "pause" the route.
Pathwae creates TLS/SSL certificates if you don't provide them. You can add `force_ssl: true` to the configuration (in the environment) to force the redirection to "https".
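The "host to endpoint" idea can be sketched in a few lines of Go. This is an added example, not Pathwae's own code: the `Route` type, its field names and `NewRouter` are assumptions that mirror the `to`, `force_ssl` and `enabled` keys shown above, and the table is a Go literal instead of parsed YAML.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Route mirrors one CONFIG entry (field names are this example's assumption).
type Route struct {
	To       string // upstream endpoint, e.g. http://blog:2368
	ForceSSL bool   // redirect plain HTTP to HTTPS
	Enabled  bool   // false means the route is "paused"
}

// NewRouter routes by Host header and a static table; no container API or socket.
func NewRouter(routes map[string]Route) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if h, _, err := net.SplitHostPort(r.Host); err == nil {
			host = h // drop an optional :port
		}
		rt, ok := routes[host]
		target, err := url.Parse(rt.To)
		switch {
		case !ok:
			http.Error(w, "unknown host", http.StatusNotFound)
		case !rt.Enabled:
			http.Error(w, "route paused", http.StatusServiceUnavailable)
		case rt.ForceSSL && r.TLS == nil:
			// host matched a configured key, so it is safe to echo back.
			http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
		case err != nil:
			http.Error(w, "bad upstream", http.StatusBadGateway)
		default:
			httputil.NewSingleHostReverseProxy(target).ServeHTTP(w, r)
		}
	})
}

// Constructed sample: the ghost route from the compose file, requested over HTTP.
func main() {
	h := NewRouter(map[string]Route{"ghost.test.localhost": {To: "http://blog:2368", ForceSSL: true, Enabled: true}})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "http://ghost.test.localhost/admin", nil))
	fmt.Println(rec.Code, rec.Header().Get("Location"))
}
```

Because the redirect target is built from a hostname that already matched the table, an arbitrary `Host` header never reaches the `Location` header; unknown hosts get a 404 instead.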
If you are, like I am, a fan of `mkcert`, you can create your certificates in a directory, then mount this directory to `/certs` of the Pathwae container.
Pathwae will work out which files are keys and which are certificates, and will use them to serve HTTPS. And it works, of course, with wildcard certificates too.
I want to insist: I love Traefik and I never want to make Pathwae a Traefik challenger. I only think that Traefik is not suited to developers: it doesn't allow rootless containers (it sticks to Docker and Kubernetes) and TLS/SSL is not easy to manage (not as easy as auto-ssl / cert path mounting).
Pathwae is not, and never will be, a "production" reverse proxy. It is a solution for developers.
I need you to test it in several situations, so that I get bug reports and ideas to improve the solution. It's free, open-source, and built with Go (and TypeScript/Vue for the web UI).
Give it a chance!