Traefik is an open-source reverse-proxy and load-balancer for HTTP, TCP and UDP. SSL certificates are managed with Let's Encrypt or your personal certificate authority.

An open-source reverse proxy and load balancer for HTTP and TCP-based applications that is easy, dynamic, automatic, fast, full-featured, production proven, provides metrics, and integrates with every major cluster technology...

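| Version | Date    | Comments                                                         |
|---------|---------|------------------------------------------------------------------|
| 1       | 05/2022 | Document creation                                                |
| 1.1     | 08/2022 | Add the part "Why Traefik?"                                      |
| 2       | 06/2023 | Add some information about the environment and execution context |
| 2.1     | 08/2023 | Update versions                                                  |
| 2.2     | 12/2024 | Update versions, reformulations                                  |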

Goal: Discover Traefik and get to know how it works.

Environment: Debian 12, Docker 24.x, docker compose (plugin) 2.24.x, Traefik 3.2.x.

Execution context:

jho@vmi866042:/opt/docker/dc$ tree
.
├── conf
│   ├── acme.json
│   ├── traefik.yml
│   ├── traefikdynamic
│   │   ├── general.yml
│   │   ├── routersservices.yml
├── docker-compose.yml
└── logs
    ├── traefikAccess.log
    ├── traefik.log
  • base path containing every folder and file: /opt/docker/dc
  • path of the main Traefik configuration file: /opt/docker/dc/conf/traefik.yml
  • folder containing the dynamic configuration files: /opt/docker/dc/conf/traefikdynamic
  • path of the file used to store SSL certificates from Let's Encrypt (or another provider): /opt/docker/dc/conf/acme.json
  • folder used to store logs: /opt/docker/dc/logs/

Why Traefik?

In your infrastructure, users need to access services. As availability requirements increase, you will run multiple servers that must be reachable without any action from the user. This calls for a particular type of server, a “reverse proxy”, which is the only entry point for your users.

A reverse proxy is used to:

  • act as a load balancer;
  • filter access;
  • manage authentication, or hand it over to another authentication provider;
  • cache pages to redistribute them on demand.

With its reverse proxy functions, Traefik is a fast and efficient router, which can automatically manage routes.

Some words to understand

💡 Information provided by ldez, Traefik maintainer. THANK YOU for every correction!

What is “static configuration” ?

This is a set of options used when starting Traefik. These options mainly concern connection information for providers, tracing systems and metrics tools. It also includes the configuration of the TCP and UDP entry points.

Options can be defined in 3 different ways:

  • a configuration file in TOML or YAML format (the traefik.toml or traefik.yml file);
  • command-line arguments (CLI flags);
  • environment variables (deprecated; I don't advise using them, because they are more cumbersome than a configuration file or CLI flags).

You can only use one method at a time (configuration file or command-line flags).

Static configuration, whatever its source (a configuration file, CLI flags or environment variables), is read only once, when Traefik starts. It is not possible to define routing (routers, services, middlewares, TLS configuration) in the static configuration file.

When you change the static configuration, you have to restart Traefik.

What is “dynamic configuration” ?

This is a set of options used by Traefik to define routers, services, middlewares and TLS configuration.

This configuration can be defined in different ways:

  • one or more files (file provider) in TOML or YAML format, independent of the traefik.toml or traefik.yml file;
  • labels (Docker provider, Rancher, …);
  • Ingress or Traefik-specific CRDs (Kubernetes);
  • data stored in a KV store (available with v2.2).

Every source of dynamic configuration can be used at the same time. Dynamic configuration can be modified while Traefik is running, without the need to restart (because of the line watch: true in the traefik.yml file).

For all providers (except the file provider), this configuration is automatically rebuilt and updated (without reloading) as soon as a change is detected (addition/deletion/modification of a container or a configuration file).

traefik architecture

docker-compose.yml file for Traefik

With this file, you'll have a Traefik container that receives requests and forwards them as needed. I will use the path /opt/docker/dc and create the needed files and folders there.

Also, I'm using the dynamic configuration to set up my routers and services. After many tries, I found the dynamic configuration easier than labels (and you will not have to restart your containers!)

Preliminary steps

Create the folders and files with the required permissions.

sudo mkdir -p /opt/docker/dc/conf/traefikdynamic /opt/docker/dc/logs

sudo touch /opt/docker/dc/conf/acme.json /opt/docker/dc/conf/traefik.yml /opt/docker/dc/logs/traefik.log

sudo chmod 0600 /opt/docker/dc/conf/acme.json
sudo chown -R $USER:$USER /opt/docker/dc
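
A pre-flight check for the layout created above, as an added example (not part of the original article). The function name preflight is made up for illustration and GNU stat is assumed, as on Debian. It catches two failure modes: a bind-mount source that is missing or has turned into a directory (with the short volume syntax used in the compose file, Docker creates a missing host path as a directory), and an acme.json whose mode is not 600.

```shell
#!/bin/sh
# Added example: verify the Traefik host layout before "docker compose up -d".
# Usage: preflight /opt/docker/dc    (returns the number of problems found)
preflight() {
    base="${1:-/opt/docker/dc}"
    problems=0

    # These bind-mount sources must already exist as regular files.
    for f in conf/acme.json conf/traefik.yml logs/traefik.log; do
        if [ -d "$base/$f" ]; then
            echo "FAIL: $base/$f is a directory (remove it, then create it with touch)"
            problems=$((problems + 1))
        elif [ ! -f "$base/$f" ]; then
            echo "FAIL: $base/$f is missing"
            problems=$((problems + 1))
        fi
    done

    # Directories used by the file provider and for the logs.
    for d in conf/traefikdynamic logs; do
        if [ ! -d "$base/$d" ]; then
            echo "FAIL: $base/$d is not a directory"
            problems=$((problems + 1))
        fi
    done

    # acme.json holds certificate private keys: owner read/write only.
    if [ -f "$base/conf/acme.json" ]; then
        mode=$(stat -c '%a' "$base/conf/acme.json")
        if [ "$mode" != "600" ]; then
            echo "FAIL: $base/conf/acme.json has mode $mode, expected 600"
            problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ] && echo "OK: layout under $base is ready"
    return "$problems"
}
```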

Next, a configuration for Traefik v2, with its configuration file traefik.yml (read only) and acme.json file to store Let's Encrypt certificates (read/write).

---
services:
  traefik:
    image: traefik:munster
    container_name: traefik
    restart: unless-stopped
    ports:
      - 80:80/tcp
      - 8080:8080/tcp # dashboard
      - 443:443/tcp
      - 443:443/udp # http3 - quic
    volumes:
      # ":ro" only protects the socket file; the Docker API behind it stays fully usable
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./conf/traefikdynamic:/dynamic # dynamic configuration (file provider)
      - ./conf/traefik.yml:/etc/traefik/traefik.yml:ro # static configuration, read only
      - ./conf/acme.json:/etc/traefik/acme.json # certificates, read/write, mode 0600 on the host
      - ./logs/traefik.log:/etc/traefik/applog.log
    environment:
      TZ: Europe/Paris

traefik docker-compose.yml

The traefik.yml file holds the startup options of Traefik. Currently, this is my simple configuration file, with 2 entry points (80/TCP & 443/TCP), logs, connection to the Docker socket and access to the Traefik web dashboard:

---
global:
  sendAnonymousUsage: true # not mandatory, see https://doc.traefik.io/traefik/contributing/data-collection/#the-code-for-data-collection
  checkNewVersion: false # see GitHub repository to avoid unneeded requests

api:
  dashboard: true # access to dashboard

log:
  filePath: "/etc/traefik/applog.log"
  format: json
  level: "ERROR"

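providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false # containers are ignored unless explicitly enabled
    watch: true
  file:
    directory: "/dynamic" # every file in this folder is loaded as dynamic configuration
    watch: true # reload on change, without restarting Traefik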

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

traefik.yml

For now, a simple docker compose up -d will retrieve the latest stable image available (if you don't have it yet) and launch Traefik…
