---
title: Traefik
description: Hypercharged reverse proxy with Docker autodiscovery and other goodies
published: true
date: 2020-01-31T11:18:50.873Z
tags:
---

# What is this?

Traefik hogs your ports `80` and `443` (and any others you give it), intercepts the HTTP requests that reach your server and forwards them to different endpoints.

It allows you to run multiple web services on the same IP address and reach each one by its domain name.

We use both the Docker backend (the `docker` provider, which discovers containers through their labels) and a manual routing backend (the `file` provider).

[An example setup can be had here.](https://gitlab.com/p4block/traefik-v2-ready-to-go)

# Requirements

To make it easier to have multiple `docker-compose.yml` files without having to specify networks by hand, we run Traefik on the host's network stack.

This allows it to access all Docker networks by default.

Using docker-compose:

```yaml
version: '3.7'

services:
  traefik:
    image: traefik:latest
    network_mode: host
    volumes:
      - ./config/:/etc/traefik/
      - /var/run/docker.sock:/var/run/docker.sock
```

# Traefik Configuration

Before starting the example project:

An `acme` folder needs to exist with `700` permissions, and inside it an `acme.json` file with `600` permissions.

Failing to do so will cause your IP to be banned from Let's Encrypt for an hour or more (and accessing your services won't work, because SSL will fail at a fundamental level).

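The layout described above can be created and verified from a script instead of by hand. The following Python is an added example, not code from this page or from the Traefik project; the directory it takes is the host folder bind-mounted at `/etc/traefik` (`./config/` in the compose file above), and the `700`/`600` modes come from the text.

```python
import os
import stat

# Modes from the page: the acme directory must be 700, acme.json must be 600.
ACME_DIR_MODE = 0o700
ACME_FILE_MODE = 0o600


def prepare_acme_storage(config_dir):
    """Create <config_dir>/acme (700) and an empty acme.json (600) when missing.

    config_dir is the host directory mounted at /etc/traefik (assumption: ./config/
    in the compose file). An existing acme.json is never truncated: it holds the
    ACME account key and every certificate's private key.
    """
    acme_dir = os.path.join(config_dir, "acme")
    os.makedirs(acme_dir, exist_ok=True)
    os.chmod(acme_dir, ACME_DIR_MODE)
    acme_file = os.path.join(acme_dir, "acme.json")
    if not os.path.exists(acme_file):
        # Create with the restrictive mode from the start, so the file is never
        # briefly world-readable between creation and chmod.
        fd = os.open(acme_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, ACME_FILE_MODE)
        os.close(fd)
    os.chmod(acme_file, ACME_FILE_MODE)
    return acme_file


def check_acme_storage(config_dir):
    """Return a list of problems; empty when the layout is what Traefik expects."""
    problems = []
    acme_dir = os.path.join(config_dir, "acme")
    acme_file = os.path.join(acme_dir, "acme.json")
    for path, want, kind in ((acme_dir, ACME_DIR_MODE, "directory"),
                             (acme_file, ACME_FILE_MODE, "file")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing {kind}")
            continue
        if kind == "directory" and not stat.S_ISDIR(st.st_mode):
            problems.append(f"{path}: not a directory")
        if kind == "file" and not stat.S_ISREG(st.st_mode):
            problems.append(f"{path}: not a regular file")
        got = stat.S_IMODE(st.st_mode)  # permission bits only, no file-type bits
        if got != want:
            problems.append(f"{path}: mode {got:o}, expected {want:o}")
    return problems
```

Run `prepare_acme_storage("./config")` once before the first `docker-compose up`, and `check_acme_storage("./config")` whenever certificates stop renewing. The same directory is mounted into the container next to `/var/run/docker.sock`; keep both readable only by the account that runs Traefik, since whoever can read `acme.json` holds the private keys of every certificate stored in it.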
## Static configuration

Changing this requires a Traefik restart.

`/etc/traefik/traefik.yml`

```yaml
api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /etc/traefik/config.yml
    watch: true

certificatesResolvers:
  default:
    acme:
      email: example@changeme.com
      storage: /etc/traefik/acme/acme.json
      tlsChallenge: {}

log:
  level: WARNING
  filePath: /etc/traefik/debug.log
  format: json
```

## Dynamic configuration

Traefik live-reloads this file.

All HTTP input on port 80 is upgraded to HTTPS by the `redirect` middleware. The `traefik` and `netdata` routers listen on 443 (the `web-secure` entry point); `traefik` also runs the `auth` middleware to ask for a password.

The user/password is specified in the Apache htpasswd format.

`/etc/traefik/config.yml`

```yaml
http:
  routers:
    redirector:
      rule: HostRegexp(`{any:.*}`)
      entryPoints:
        - "web"
      service: dummy
      middlewares:
        - redirect
    traefik:
      rule: Host(`traefik.your.domain`)
      entryPoints:
        - "web-secure"
      service: api@internal
      middlewares:
        - auth
      tls:
        certResolver: default
    netdata:
      rule: Host(`netdata.your.domain`)
      entryPoints:
        - "web-secure"
      service: netdata
      tls:
        certResolver: default

  services:
    dummy:
      loadBalancer:
        servers:
          - url: http://127.0.0.1
    netdata:
      loadBalancer:
        servers:
          - url: http://localhost:19999

  middlewares:
    redirect:
      redirectScheme:
        scheme: https
    auth:
      basicAuth:
        users:
          - 'test:$apr1$tyoqkxlc$BbG4rHVMcV7mSQWIgEZQT0' # test/test

tls:
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    mintls13:
      minVersion: VersionTLS13
```

# Configuring a docker-compose Service

This is the most common configuration a service will need; the labels are self-explanatory.

```yaml
version: '3.7'

services:
  whoami:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entryPoints=web-secure
      - traefik.http.routers.whoami.rule=Host(`whoami.your.domain`)
      - traefik.http.routers.whoami.tls.certresolver=default
```

A more verbose one is needed when a specific port must be used or a middleware is required, such as asking for basic authentication.

Shown here is a Caddy download page that asks for the username and password defined in the dynamic configuration (the `auth` middleware, referenced from the labels as `auth@file`).

It also doesn't use Let's Encrypt (`tls=true` without a `certresolver`) and will serve Traefik's default certificate, as the machine this configuration is pulled from runs behind Cloudflare.

```yaml
version: '3.7'

services:
  private-caddy:
    image: abiosoft/caddy:php
    restart: unless-stopped
    volumes:
      - ./srv:/srv
    labels:
      - traefik.enable=true
      - traefik.http.routers.private-caddy.entryPoints=web-secure
      - traefik.http.routers.private-caddy.rule=Host(`private.your.domain`)
      - traefik.http.routers.private-caddy.tls=true
      - traefik.http.routers.private-caddy.middlewares=auth@file
      - traefik.http.services.private-caddy.loadbalancer.server.port=2015
```

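The two compose examples above and the dynamic configuration they reference can be checked together before anything is started. The following Python script is an added example, not code from this page or from the Traefik project: it folds `traefik.http.*` labels into the same nested shape the file provider uses (the page's `config.yml` is transcribed as a dict so no YAML library is needed), then lints the combined result for the properties the text promises: every `web-secure` router carries `tls`, every `web` router redirects to https, every referenced middleware or service (`auth@file`, `api@internal`) exists, `basicAuth` entries are hashed, and no `tls.options` entry allows TLS below 1.2. The `legacy` labels and the `admin:admin` entry are constructed weak inputs, not from the page, to show what a finding looks like.

```python
import re

# The page's /etc/traefik/config.yml transcribed as a dict (values unchanged) so no YAML library is needed.
FILE_CONFIG = {
    "http": {
        "routers": {
            "redirector": {"rule": "HostRegexp(`{any:.*}`)", "entryPoints": ["web"], "service": "dummy", "middlewares": ["redirect"]},
            "traefik": {"rule": "Host(`traefik.your.domain`)", "entryPoints": ["web-secure"], "service": "api@internal",
                        "middlewares": ["auth"], "tls": {"certResolver": "default"}},
            "netdata": {"rule": "Host(`netdata.your.domain`)", "entryPoints": ["web-secure"], "service": "netdata", "tls": {"certResolver": "default"}}},
        "services": {"dummy": {"loadBalancer": {"servers": [{"url": "http://127.0.0.1"}]}},
                     "netdata": {"loadBalancer": {"servers": [{"url": "http://localhost:19999"}]}}},
        "middlewares": {"redirect": {"redirectScheme": {"scheme": "https"}},
                        "auth": {"basicAuth": {"users": ["test:$apr1$tyoqkxlc$BbG4rHVMcV7mSQWIgEZQT0"]}}}},
    "tls": {"options": {"default": {"sniStrict": True, "minVersion": "VersionTLS12"},
                        "mintls13": {"minVersion": "VersionTLS13"}}},
}
# Labels from the page's two compose examples.
WHOAMI_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.whoami.entryPoints=web-secure",
    "traefik.http.routers.whoami.rule=Host(`whoami.your.domain`)",
    "traefik.http.routers.whoami.tls.certresolver=default"]
PRIVATE_CADDY_LABELS = [
    "traefik.http.routers.private-caddy.entryPoints=web-secure",
    "traefik.http.routers.private-caddy.rule=Host(`private.your.domain`)",
    "traefik.http.routers.private-caddy.tls=true",
    "traefik.http.routers.private-caddy.middlewares=auth@file",
    "traefik.http.services.private-caddy.loadbalancer.server.port=2015"]
# Constructed weak inputs (not from the page): web-secure router without tls naming an undefined middleware,
# a plaintext basicAuth entry, and a TLS 1.0 floor.
WEAK_LABELS = [
    "traefik.http.routers.legacy.entryPoints=web-secure",
    "traefik.http.routers.legacy.rule=Host(`legacy.your.domain`)",
    "traefik.http.routers.legacy.middlewares=ratelimit@file"]
WEAK_FILE_CONFIG = {"http": {"middlewares": {"auth": {"basicAuth": {"users": ["admin:admin"]}}}},
                    "tls": {"options": {"default": {"minVersion": "VersionTLS10"}}}}

LIST_KEYS = {"entrypoints", "middlewares"}
HASH_PREFIX = re.compile(r"^(\$apr1\$|\$2[aby]\$|\{SHA\})")  # MD5-apr1, bcrypt and SHA1 htpasswd forms
WEAK_TLS = {"versiontls10", "versiontls11"}


def parse_traefik_labels(labels):
    """Fold `traefik.http.<section>.<name>.<key...>=<value>` labels into the file-provider shape (keys lower-cased)."""
    http = {"routers": {}, "services": {}, "middlewares": {}}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.lower().split(".")
        if parts[:2] != ["traefik", "http"] or len(parts) < 5:
            continue  # traefik.enable and non-HTTP labels carry no routing config
        section, name, path = parts[2], parts[3], parts[4:]
        node = http.setdefault(section, {}).setdefault(name, {})
        for p in path[:-1]:
            if not isinstance(node.get(p), dict):  # `tls=true` followed by `tls.certresolver=x`
                node[p] = {}
            node = node[p]
        leaf = path[-1]
        if leaf in LIST_KEYS:
            node[leaf] = [v.strip() for v in value.split(",")]
        elif not isinstance(node.get(leaf), dict):  # `tls.certresolver=x` followed by `tls=true`
            node[leaf] = value
    return http


def _lower_keys(obj):
    if isinstance(obj, dict):
        return {k.lower(): _lower_keys(v) for k, v in obj.items()}
    return [_lower_keys(v) for v in obj] if isinstance(obj, list) else obj


def _resolve(ref, own_provider, providers, section):
    """Look up `name` or `name@provider` in a section; None when it is not defined."""
    name, _, prov = ref.partition("@")
    return providers.get(prov or own_provider, {}).get(section, {}).get(name.lower())


def lint_http_config(file_cfg, docker_http):
    """Return findings for the combined file + docker routing configuration."""
    providers = {"file": _lower_keys(file_cfg.get("http", {})), "docker": _lower_keys(docker_http),
                 "internal": {"services": {"api": {}}}}  # api@internal is built into Traefik
    findings = []
    for prov in ("file", "docker"):
        for name, router in providers[prov].get("routers", {}).items():
            eps, mws = router.get("entrypoints", []), router.get("middlewares", [])
            if "web-secure" in eps and "tls" not in router:
                findings.append(f"router {name}@{prov}: listens on web-secure without tls")
            if "web" in eps and not any((_resolve(m, prov, providers, "middlewares") or {})
                                        .get("redirectscheme", {}).get("scheme") == "https" for m in mws):
                findings.append(f"router {name}@{prov}: plain HTTP without redirect to https")
            for m in mws:
                if _resolve(m, prov, providers, "middlewares") is None:
                    findings.append(f"router {name}@{prov}: unknown middleware {m}")
            svc = router.get("service")  # docker routers without one get a same-named service
            if svc is not None and _resolve(svc, prov, providers, "services") is None:
                findings.append(f"router {name}@{prov}: unknown service {svc}")
        for name, mw in providers[prov].get("middlewares", {}).items():
            for entry in mw.get("basicauth", {}).get("users", []):
                user, _, digest = entry.partition(":")
                if not HASH_PREFIX.match(digest):
                    findings.append(f"middleware {name}@{prov}: user {user} password is not a supported hash")
    for name, opts in _lower_keys(file_cfg.get("tls", {})).get("options", {}).items():
        if str(opts.get("minversion", "")).lower() in WEAK_TLS:
            findings.append(f"tls option {name}: minVersion below TLS 1.2")
    return findings
```

`lint_http_config(FILE_CONFIG, parse_traefik_labels(WHOAMI_LABELS + PRIVATE_CADDY_LABELS))` returns an empty list for the page's configuration; `lint_http_config(WEAK_FILE_CONFIG, parse_traefik_labels(WEAK_LABELS))` returns four findings (missing `tls`, unknown middleware, unhashed password, TLS 1.0 floor). The label folding deliberately tolerates `tls=true` and `tls.certresolver=...` in either order, which is how Traefik itself treats them.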