Traefik is an open-source reverse-proxy and load-balancer for HTTP, TCP and UDP. SSL certificates are managed with Let's Encrypt or your personal certificate authority.
An open-source reverse proxy and load balancer for HTTP and TCP-based  applications that is easy, dynamic, automatic, fast, full-featured, production proven, provides metrics, and integrates with every major cluster technology...
| Version | Date | Comments |
|---|---|---|
| 1 | 05/2022 | Document creation |
| 1.1 | 08/2022 | Add the part "Why Traefik?" |
| 2 | 06/2023 | Add some information about the environment and execution context |
| 2.1 | 08/2023 | Update of versions |
Goal : Discover Traefik
Environment : Debian 12, Docker 24.x, docker compose (plugin) 2.20.x, Traefik 2.10.
Execution context :
jho@vmi866042:/opt/docker/dc$ tree
.
âââ conf
â  âââ acme.json
â  âââ traefik.yml
â  âââ traefikdynamic
â  â  âââ general.yml
â  â  âââ routersservices.yml
âââ docker-compose.yml
âââ logs
âââ traefikAccess.log
âââ traefik.log- path where are every folder and files :
/opt/docker/dc - path of the principal configuration file for Traefik :
/opt/docker/dc/conf/traefik.yml - folder where are every dynamic configuration files :
/opt/docker/dc/conf/traefikdynamic - path of the file which is used to store SSL certificates for let's encrypt (or other provider) :
/opt/docker/dc/conf/acme.json - folder to store logs :
/opt/docker/dc/logs/
Why Traefik?
In your infrastructures, your users could need to access some services. With increasing availability requirements, you will need to have multiple servers needing to be accessible without user action. To do so, a type of server is needed, a "reverse-proxy". This reverse-proxy is the only entry point for your users.
A reverse proxy is used for:
- be a load balancer ;
- filter access ;
- manage authentication, or transfer it to another authentication provider ;
- cache pages to redistribute them on demand.
With its reverse proxy functions, Traefik is a fast and efficient router, which can automatically manage routes.
Some words to understand
What is "static configuration" ?
This is a set of options used when starting Traefik. These options mainly concern connection information to providers, tracing systems and metrics tools.
Options can be defined with 3 different ways :
- configuration file, with the TOML or YAML format (it's the
traefik.tomlortraefik.ymlfile) ; - settings in command lines (CLI flags) ;
- environment variables (deprecated).
You can only use one method at a time (configuration file or command lines).
Static configuration, whatever it's source (a configuration file, CLI flags or env vars) is read only once when starting Traefik. It is not possible to define routing (routers, services, middlewares, TLS configuration) in the static configuration file.
What is "dynamic configuration" ?
This is a set of options used by Traefik to define routers, services, middlewares and TLS configuration.
This configuration can be defined in different ways :
- One or more files (provider file) with the TOML or YAML format, without a link with the file
traefik.toml/traefik.yml; - with labels (provider Docker, Rancher, ...) ;
- with Ingress or CRD specific to Traefik (Kubernetes) ;
- with data stored in a KV store (available with v2.2).
Every source of dynamic configuration can be used at the same time. Dynamic configuration can be modified during execution of Traefik without the need to restart (because of the line watch: true in the traefik.yml file).
In case of all providers (except the file provider), this configuration will automatically rebuild and updated (without loading) as soon as a change is detected (addition/deletion/modification of a container or a configuration file)
docker-compose.yml file for Traefik
With this file, you'll have a Traefik container which take requests and forward them depending on demand. I will use the path /opt/docker/dc and will create needed files/folders.
Also, I'm using the dynamic configuration to setting up my routers and services - with many tries, I found easier the dynamic configuration instead of labels (and you will not have to restart your containers !)
Preliminary steps
Creation of folders and files, with needed rights.
sudo mkdir -p /opt/docker/dc/conf/traefikdynamic /opt/docker/dc/logs
sudo touch /opt/docker/dc/conf/acme.json /opt/docker/dc/conf/traefik.yml /opt/docker/dc/logs/traefik.log
sudo chmod 0600 /opt/docker/dc/conf/acme.jsonNext, a configuration for Traefik v2, with its configuration file traefik.yml (read only) and acme.json file to store Let's Encrypt certificates (read/write).
---
services:
traefik:
image: traefik:saintmarcelin
container_name: traefik
restart: unless-stopped
ports:
- target : 80
published : 80
protocol: tcp
mode : host
### BEGIN dashboad
- target : 8080
published : 8080
protocol: tcp
mode : host
### END dashboard
- target : 443
published : 443
protocol: tcp
mode : host
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./conf/traefikdynamic:/dynamic
- ./conf/traefik.yml:/etc/traefik/traefik.yml:ro
- ./conf/acme.json:/etc/traefik/acme.json
- ./logs/traefik.log:/etc/traefik/applog.log
environment:
TZ: Europe/Paristraefik.yml file is for startup options of Traefik. Actually, this is my simple configuration file, with 2 entry points (80/TCP & 443/TCP), logs, connection to docker socket and access to the Traefik web dashboard :
---
global:
sendAnonymousUsage: false
checkNewVersion: false
api:
dashboard: true
log:
filePath: "/etc/traefik/applog.log"
format: json
level: "ERROR"
providers:
docker:
endpoint: unix:///var/run/docker.sock
exposedByDefault: false
watch: true
swarmMode: false
file:
directory: "/dynamic"
watch: true
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"For this moment, a simple docker compose up -d will retrieve the latest stable and available image (if you don't have it for now) and launch Traefik...
French article here.
