wiki/traefik.md

189 lines
4.7 KiB
Markdown
Raw Normal View History

2019-07-01 15:21:56 +00:00
---
title: Traefik
description: Hypercharged reverse proxy with Docker autodiscovery and other goodies
published: true
2020-01-31 11:18:52 +00:00
date: 2020-01-31T11:18:50.873Z
2019-07-01 15:21:56 +00:00
tags:
---
# What is this?
Traefik hogs your ports `80` and `443` (and others), will intercept HTTP requests to your server and forward them to different endpoints.
It allows you to run multiple web services on the same IP address and access them on a domain name basis.
We use both the Docker backend and a manual routing backend.
2020-01-31 11:18:52 +00:00
[An example setup can be had here.](https://gitlab.com/p4block/traefik-v2-ready-to-go)
2019-07-01 15:21:56 +00:00
# Requirements
2020-01-31 11:18:52 +00:00
To make it easier to have multiple `docker-compose.yml` without having to specify networks by hand, we run Traefik on the host's network stack.
2019-07-01 15:21:56 +00:00
This allows it to access all Docker networks by default.
2019-12-28 17:37:39 +00:00
Using docker-compose:
2019-07-01 15:21:56 +00:00
```
2019-12-28 17:37:39 +00:00
version: '3.7'
services:
traefik:
image: traefik:latest
network_mode: host
volumes:
- ./config/:/etc/traefik/
- /var/run/docker.sock:/var/run/docker.sock
2019-07-01 15:21:56 +00:00
```
2019-12-28 17:37:39 +00:00
# Traefik Configuration
2020-01-31 11:18:52 +00:00
Before starting the example project:
2019-12-28 17:37:39 +00:00
2020-01-31 11:18:52 +00:00
An `acme` folder needs to exist with `700` permissions, inside there should be an `acme.json` with 600 permissions.
2019-12-28 17:37:39 +00:00
2020-01-31 11:18:52 +00:00
Failing to do so will cause your IP to be banned from Let's Encrypt for an hour or more (and accessing your services won't work because SSL will fail at a fundamental level)
2019-12-28 17:37:39 +00:00
## Static configuration
Changing this requires a Traefik restart.
`/etc/traefik/traefik.yml`
```
api:
dashboard: true
entryPoints:
web:
address: ":80"
web-secure:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /etc/traefik/config.yml
watch: true
certificatesResolvers:
default:
acme:
email: example@changeme.com
storage: /etc/traefik/acme/acme.json
tlsChallenge: {}
log:
level: WARNING
filePath: /etc/traefik/debug.log
format: json
```
## Dynamic configuration
Traefik live reloads this file.
All http input is elevated to https using the "redirect" middleware. `traefik` and `netdata` routers listen on 443. `traefik` also runs the "auth" middleware to ask for password.
2020-01-31 11:18:52 +00:00
The user/password is specified in the apache htaccess format.
2019-12-28 17:37:39 +00:00
`/etc/traefik/config.yml`
```
http:
routers:
redirector:
rule: HostRegexp(`{any:.*}`)
entryPoints:
- "web"
service: dummy
middlewares:
- redirect
traefik:
rule: Host(`traefik.your.domain`)
entryPoints:
- "web-secure"
service: api@internal
middlewares:
- auth
tls:
certResolver: default
netdata:
rule: Host(`netdata.your.domain`)
entryPoints:
- "web-secure"
service: netdata
tls:
certResolver: default
services:
dummy:
loadBalancer:
servers:
- url: http://127.0.0.1
netdata:
loadBalancer:
servers:
- url: http://localhost:19999
middlewares:
redirect:
redirectScheme:
scheme: https
auth:
basicAuth:
users:
- 'test:$apr1$tyoqkxlc$BbG4rHVMcV7mSQWIgEZQT0' #test/test
tls:
options:
default:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
mintls13:
minVersion: VersionTLS13
```
# Configuring a docker-compose Service
This is the most usual configuration a service will need, which is self explanatory.
2019-07-01 15:21:56 +00:00
```
2019-12-28 17:37:39 +00:00
version: '3.7'
services:
whoami:
image: containous/whoami
labels:
- traefik.enable=true
- traefik.http.routers.whoami.entryPoints=web-secure
- traefik.http.routers.whoami.rule=Host(`whoami.your.domain`)
- traefik.http.routers.whoami.tls.certresolver=default
2019-07-01 15:21:56 +00:00
```
2019-12-28 17:37:39 +00:00
A more verbose one is needed when a specific port must be used or a middleware is needed, such as asking for basic authentication.
Here shown a Caddy download page that asks for the username and password defined in the dynamic configuration.
It also doesn't use Let's Encrypt and will serve Traefik's default certificate, as the machine this configuration is pulled from is running behind Cloudflare.
```
version: '3.7'
services:
private-caddy:
image: abiosoft/caddy:php
restart: unless-stopped
volumes:
- ./srv:/srv
labels:
- traefik.enable=true
- traefik.http.routers.private-caddy.entryPoints=web-secure
- traefik.http.routers.private-caddy.rule=Host(`private.your.domain`)
- traefik.http.routers.private-caddy.tls=true
- traefik.http.routers.private-caddy.middlewares=auth@file
- traefik.http.services.private-caddy.loadbalancer.server.port=2015
```