🌍 Traefik 2, a reverse proxy to rules them all

Traefik is an open-source reverse-proxy and load-balancer HTTP, TCP and UDP. This article give you some informations about it.

logo traefik

Traefik is an open-source reverse-proxy and load-balancer for HTTP, TCP and UDP. SSL certificates are managed with Let's Encrypt or your personal certificate authority.

An open-source reverse proxy and load balancer for HTTP and TCP-based  applications that is easy, dynamic, automatic, fast, full-featured, production proven, provides metrics, and integrates with every major cluster technology...

Version Date Comments
1 05/2022 Document creation
1.1 08/2022 Add the part "Why Traefik?"
2 06/2023 Add some information about the environment and execution context
2.1 08/2023 Update of versions

Goal : Discover Traefik

Environment : Debian 12, Docker 24.x, docker compose (plugin) 2.20.x, Traefik 2.10.

Execution context :

jho@vmi866042:/opt/docker/dc$ tree
.
├── conf
│   ├── acme.json
│   ├── traefik.yml
│   ├── traefikdynamic
│   │   ├── general.yml
│   │   ├── routersservices.yml
├── docker-compose.yml
└── logs
    ├── traefikAccess.log
    ├── traefik.log
  • path where are every folder and files : /opt/docker/dc
  • path of the principal configuration file for Traefik : /opt/docker/dc/conf/traefik.yml
  • folder where are every dynamic configuration files : /opt/docker/dc/conf/traefikdynamic
  • path of the file which is used to store SSL certificates for let's encrypt (or other provider) : /opt/docker/dc/conf/acme.json
  • folder to store logs : /opt/docker/dc/logs/

Why Traefik?

In your infrastructures, your users could need to access some services. With increasing availability requirements, you will need to have multiple servers needing to be accessible without user action. To do so, a type of server is needed, a "reverse-proxy". This reverse-proxy is the only entry point for your users.

A reverse proxy is used for:

  • be a load balancer ;
  • filter access ;
  • manage authentication, or transfer it to another authentication provider ;
  • cache pages to redistribute them on demand.

With its reverse proxy functions, Traefik is a fast and efficient router, which can automatically manage routes.

Some words to understand

đź’ˇ
Information provided by ldez, Traefik maintainer THANK YOU for every correction !

What is "static configuration" ?

This is a set of options used when starting Traefik. These options mainly concern connection information to providers, tracing systems and metrics tools.

Options can be defined with 3 different ways :

  • configuration file, with the TOML or YAML format (it's the traefik.toml or traefik.yml file) ;
  • settings in command lines (CLI flags) ;
  • environment variables (deprecated).

You can only use one method at a time (configuration file or command lines).

Static configuration, whatever it's source (a configuration file, CLI flags or env vars) is read only once when starting Traefik. It is not possible to define routing (routers, services, middlewares, TLS configuration) in the static configuration file.

What is "dynamic configuration" ?

This is a set of options used by Traefik to define routers, services, middlewares and TLS configuration.

This configuration can be defined in different ways :

  • One or more files (provider file) with the TOML or YAML format, without a link with the file traefik.toml / traefik.yml ;
  • with labels (provider Docker, Rancher, ...) ;
  • with Ingress or CRD specific to Traefik (Kubernetes) ;
  • with data stored in a KV store (available with v2.2).

Every source of dynamic configuration can be used at the same time. Dynamic configuration can be modified during execution of Traefik without the need to restart (because of the line watch: true in the traefik.yml file).

In case of all providers (except the file provider), this configuration will automatically rebuild and updated (without loading) as soon as a change is detected (addition/deletion/modification of a container or a configuration file)

traefik architecture
Diagram of Traefik structure

docker-compose.yml file for Traefik

With this file, you'll have a Traefik container which take requests and forward them depending on demand. I will use the path /opt/docker/dc and will create needed files/folders.

Also, I'm using the dynamic configuration to setting up my routers and services - with many tries, I found easier the dynamic configuration instead of labels (and you will not have to restart your containers !)

Preliminary steps

Creation of folders and files, with needed rights.

sudo mkdir -p /opt/docker/dc/conf/traefikdynamic /opt/docker/dc/logs

sudo touch /opt/docker/dc/conf/acme.json /opt/docker/dc/conf/traefik.yml /opt/docker/dc/logs/traefik.log

sudo chmod 0600 /opt/docker/dc/conf/acme.json

Next, a configuration for Traefik v2, with its configuration file traefik.yml (read only) and acme.json file to store Let's Encrypt certificates (read/write).

---
services:
  traefik:
    image: traefik:saintmarcelin
    container_name: traefik
    restart: unless-stopped
    ports:
      - target : 80
        published : 80
        protocol: tcp
        mode : host
      ### BEGIN dashboad
      - target : 8080
        published : 8080
        protocol: tcp
        mode : host
      ### END dashboard
      - target : 443
        published : 443
        protocol: tcp
        mode : host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./conf/traefikdynamic:/dynamic
      - ./conf/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./conf/acme.json:/etc/traefik/acme.json
      - ./logs/traefik.log:/etc/traefik/applog.log
    environment:
      TZ: Europe/Paris
traefik docker-compose.yml

traefik.yml file is for startup options of Traefik. Actually, this is my simple configuration file, with 2 entry points (80/TCP & 443/TCP), logs, connection to docker socket and access to the Traefik web dashboard :

---
global:
  sendAnonymousUsage: false
  checkNewVersion: false

api:
  dashboard: true

log:
  filePath: "/etc/traefik/applog.log"
  format: json
  level: "ERROR"

providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false
    watch: true
    swarmMode: false
  file:
    directory: "/dynamic"
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
traefik.yml

For this moment, a simple docker compose up -d will retrieve the latest stable and available image (if you don't have it for now) and launch Traefik...

French article here.