- Installing Traefik
- Deploying Traefik Proxies
- Docker Container Labels
- File-Based Configuration
When it comes to selecting a reverse proxy, there are a number of good options. Tools like nginx-proxy-manager are an easy way to get started, while Apache2 or NGINX provide raw power. Traefik, on the other hand, is a little bit different. While it can be used as a bog-standard reverse proxy, where it really shines is with Docker and Docker Compose.
Traefik has a steeper learning curve than nginx-proxy-manager, and less power than Apache2 / NGINX, but it can be connected directly with Docker, and the proxy for a new container can be configured directly within that container’s docker-compose.yml file.
Installing Traefik
As traefik works so closely with docker, it only makes sense that it would be installed as a docker container. To start you’re going to want to create the following folder structure:
<...>/traefik
|- docker-compose.yml
|- config/
|  |- traefik.yml
|- data/
|  |- configs/

Once you have that, create two networks:
$ docker network create backend
$ docker network create frontend

Then create docker-compose.yml:

services:
  traefik:
    container_name: traefik-traefik
    image: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    networks:
      - frontend
    volumes:
      # The Docker socket gives this container control of the Docker daemon on the host
      - /run/docker.sock:/var/run/docker.sock
      - ./config/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./data/certs/:/var/traefik/certs/:rw
      - ./data/configs:/configs:ro
    labels:
      traefik.enable: true
      traefik.http.routers.dashboard.rule: Host(`traefik.docker102.EXAMPLE.COM`)
      traefik.http.routers.dashboard.entrypoints: websecure
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.tls: true
      traefik.http.middlewares.dashboard-auth.basicauth.users: # Generate passwd entry and insert here
      traefik.http.routers.dashboard.middlewares: dashboard-auth@docker
networks:
  frontend:
    external: true

Be sure to change EXAMPLE.COM to your domain and to generate a passwd entry for basicauth.users.
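One way to produce the basicauth.users value that the compose file leaves as a placeholder, as an added example that is not part of the original post. It assumes the openssl CLI is installed; the function names are hypothetical, and the user, password and salt are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes the openssl CLI is installed. Function names are hypothetical.

# htpasswd_entry USER PASSWORD [SALT]
# Prints "USER:$apr1$SALT$HASH" (htpasswd MD5 format). The password goes
# to openssl on stdin rather than as a command-line argument.
htpasswd_entry() {
    user=$1
    pass=$2
    salt=${3:-}
    case $user in
        ''|*:*) echo "user must be non-empty and contain no ':'" >&2
                return 1 ;;
    esac
    if [ -n "$salt" ]; then
        hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin) || return 1
    else
        # No salt given: openssl picks a random one
        hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 1
    fi
    printf '%s:%s\n' "$user" "$hash"
}

# compose_escape ENTRY
# Doubles every "$" so docker compose does not try to interpolate
# "$apr1" and the rest of the hash as variables when it reads the label.
compose_escape() {
    printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# dashboard_auth_label USER PASSWORD [SALT]
# Prints the finished label line for docker-compose.yml.
dashboard_auth_label() {
    entry=$(htpasswd_entry "$@") || return 1
    printf 'traefik.http.middlewares.dashboard-auth.basicauth.users: "%s"\n' \
        "$(compose_escape "$entry")"
}
```

Call `dashboard_auth_label <user> <password>` and paste the printed line over the placeholder label. Where `htpasswd` is installed, `htpasswd -nB <user>` gives a bcrypt entry instead, and it needs the same `$` doubling.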
Next, create config/traefik.yml:

global:
  checkNewVersion: false
  sendAnonymousUsage: false
log:
  level: DEBUG
api:
  dashboard: true
  # insecure: true also serves the API and dashboard without authentication on
  # Traefik's internal "traefik" entrypoint (port 8080 by default). That port is
  # not published in docker-compose.yml, and the dashboard router there already
  # exposes api@internal behind basicauth.
  insecure: true
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
certificatesResolvers:
  letsencrypt:
    acme:
      email: "jsmith@example.com"
      storage: "/var/traefik/certs/letsencrypt-acme.json"
      caServer: https://acme-v02.api.letsencrypt.org/directory
      httpChallenge:
        entryPoint: web
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: "frontend"
  file:
    directory: "/configs"
    watch: true

Be sure to change jsmith@example.com to your email address.
Deploying Traefik Proxies
Traefik proxies can be deployed in many ways, but this install has providers for both files stored at data/configs/*.yml and docker containers (via labels).
Docker Container Labels
To deploy a proxy using labels in a docker-compose.yml file, you’ll need to add the following to the respective container:
<...>
    networks:
      - frontend
    labels:
      traefik.enable: true
      traefik.http.routers.<router-name>.entrypoints: websecure
      traefik.http.routers.<router-name>.rule: Host(`<proxy-fqdn>`)
      # Optional, restricts the proxy to local addresses only
      # traefik.http.routers.<router-name>.middlewares: <service-name>-ipwhitelist
      # traefik.http.middlewares.<service-name>-ipwhitelist.ipallowlist.sourcerange: "192.168.1.0/24"
      traefik.http.routers.<router-name>.service: <service-name>
      traefik.http.routers.<router-name>.tls: true
      traefik.http.routers.<router-name>.tls.certresolver: letsencrypt
      traefik.http.services.<service-name>.loadBalancer.server.port: <proxy-dest-port>
      # Optional, used instead of server.port
      # traefik.http.services.<service-name>.loadBalancer.server.url: http<s>://<proxy-dest-url>:<proxy-dest-port>/
networks:
  frontend:
    external: true
File-Based Configuration
To configure a proxy with labels it has to both be a docker service and be on the same host as traefik’s docker container. For any other proxies we use file-based configuration. Create a new file called <service-name>.yml in .../traefik/data/configs/:
http:
  routers:
    <router-name>:
      entryPoints:
        - "websecure"
      rule: Host(`<proxy-fqdn>`)
      tls:
        certResolver: letsencrypt
      service: <service-name>
  services:
    <service-name>:
      loadBalancer:
        servers:
          - url: "http<s>://<proxy-dest-url>:<proxy-dest-port>"