Traefik Proxy

Author: Emil Moe

Introduction

Traefik is an open-source project designed to simplify cloud-native networking. Whether you’re deploying microservices or handling complex traffic routing needs, Traefik Proxy provides a robust solution that adapts to your infrastructure. With its auto-discovery capabilities, Traefik dynamically adjusts to changes in your environment, ensuring that your services are always accessible and correctly routed.

In this blog post, we’ll delve into how Traefik Proxy can serve as the entry point for all incoming connections to your server, acting as a powerful reverse proxy. This tool not only streamlines your traffic management but also improves security and scalability by automatically applying configurations and updates as your services evolve.

While Traefik Proxy offers advanced features such as load balancing, for now, we will focus on its core functionality as a reverse proxy.

Reverse Proxy

Before digging into the setup of Traefik Proxy, it would be beneficial to have a brief understanding of how reverse proxies work and how Traefik Proxy is meant to be used.

A reverse proxy is a server that sits in front of one or more web servers, intercepting requests from clients and forwarding them to the appropriate backend server. This setup provides several key benefits:

  1. Load Balancing: By distributing client requests across multiple backend servers, a reverse proxy helps to ensure that no single server becomes overwhelmed, thus improving overall performance and reliability.
  2. Enhanced Security: A reverse proxy can act as an additional layer of defense, shielding your backend servers from direct exposure to the internet. It can also manage SSL/TLS encryption, protecting data in transit.
  3. Caching: Reverse proxies can cache content, reducing the load on backend servers and speeding up response times for clients by serving cached content for repeated requests.
  4. Simplified SSL Management: Handling SSL termination at the reverse proxy level simplifies the management of SSL certificates and reduces the processing load on backend servers.
  5. Centralized Authentication and Logging: A reverse proxy can manage authentication for multiple backend services and provide centralized logging, making it easier to monitor and secure your infrastructure.

Traefik Proxy leverages these benefits to enhance your cloud-native applications. It is designed to be highly dynamic, automatically discovering services and updating its configuration without requiring manual intervention. This makes it particularly well-suited for environments that are constantly changing, such as those using Docker, Kubernetes, or other orchestration tools.

By using Traefik Proxy as your reverse proxy, you ensure that your applications are not only more accessible and efficient but also more secure and easier to manage. In the sections that follow, we will explore how to set up and configure Traefik Proxy to take full advantage of these features.

Installing Traefik

If you are not yet running Docker, you might want to start with my post Setup Docker on Ubuntu, as Docker is an essential prerequisite for running Traefik.

SSL / HTTPS

The Traefik container is configured to automatically obtain Let's Encrypt certificates for all your web services, so you don't have to manage or update them. When certificate issuance fails, the cause is most often one of the following:

  • DNS misconfigurations
  • Typo in app docker-compose.yml

Configuration

Start by creating a file called docker-compose.yml in the location where you keep your Docker Compose setups. If you have a Docker user for running containers, it could be /home/docker/traefik/docker-compose.yml.

Be sure to replace {EMAIL} with your actual e-mail address.

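version: '3'

services:
  traefik:
    restart: unless-stopped
    image: traefik:latest
    command:
      # Entry points: plain HTTP on 80, HTTPS on 443
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Permanently redirect all HTTP requests to HTTPS
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      # Discover services from Docker labels on the "web" network
      - --providers.docker
      - --providers.docker.network=web
      # Let's Encrypt resolver; every option must use the same resolver name (leresolver)
      - --certificatesresolvers.leresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.leresolver.acme.email={EMAIL}
      # Stored inside the container, so certificates are requested again when it is recreated
      - --certificatesresolvers.leresolver.acme.storage=/acme.json
      - --certificatesresolvers.leresolver.acme.tlschallenge=true
      - --log.level=INFO
    labels:
      - traefik.docker.network=web
    ports:
      - 80:80
      - 443:443
    volumes:
      # Docker API access for service discovery; socket access is effectively root on the host
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - web

networks:
  web:
    external: true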

Go to the folder and start the container:

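cd /home/docker/traefik
# "web" is declared as external in the compose file, so it must exist before the first start
docker network create web
docker-compose up -d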

If you want to update the source image of your container:

docker-compose pull
docker-compose up -d --force-recreate

And if you want to stop it:

docker-compose stop

Services

On its own, Traefik isn’t all that exciting. To start using it for your web apps, you need to add labels, which is how Traefik handles configurations.

The web network is the one declared in the Traefik compose file. It is the network over which services share connectivity with Traefik in order to be reverse proxied, so it is essential that your service is connected to it.

Replace {SERVICE} with a unique key for your project, for example, saas-app.

For {DOMAIN} and {DOMAIN_ALIAS}, you can use one, two, or as many hosts as you like to add subdomain aliases. Typically, you would use something like Host(`saas-app.com`) || Host(`www.saas-app.com`), a form that works on both Traefik v2 and v3.

The last options (the tls labels) ensure the app is secured by SSL.

If your app listens on a port other than 80, you can add a label to adjust for that. The app is still exposed externally on 443 (HTTPS), but traffic is forwarded internally to the given port, for example, 3000:

- traefik.http.services.{SERVICE}.loadbalancer.server.port=3000

Your app service configuration might look like this:

version: '3'
services:

  httpd:
    image: <image>
    restart: unless-stopped
    networks:
      - web
    labels:
      # One domain per Host(); join aliases with || (the comma form is Traefik v2 only)
      - traefik.http.routers.{SERVICE}.rule=Host(`{DOMAIN}`) || Host(`{DOMAIN_ALIAS}`)
      - traefik.http.routers.{SERVICE}.entrypoints=websecure
      - traefik.http.routers.{SERVICE}.tls=true
      - traefik.http.routers.{SERVICE}.tls.certresolver=leresolver

Traefik Dashboard

When managing your cloud infrastructure, it might come in handy to have a dashboard to monitor your activities.

We can enable it by adding these two flags to the command list of the Traefik service:

- --api.dashboard=true
- --api.insecure=false

Then add these labels to the Traefik service. They tell Traefik which domain the dashboard is hosted at and create a basic auth to avoid public access:

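- traefik.http.routers.traefik.rule=Host(`traefik.example.com`)
- traefik.http.routers.traefik.service=api@internal
- traefik.http.routers.traefik.entrypoints=websecure
- traefik.http.routers.traefik.tls.certresolver=leresolver
- traefik.http.routers.traefik.middlewares=auth
- traefik.http.middlewares.auth.basicauth.users=admin:{PASSWORD}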

To generate your password, use an htpasswd generator and replace admin:{PASSWORD} with the result. In docker-compose.yml, be sure that every $ is doubled to $$ to escape it.
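
The typo-related certificate failures and the $$ escaping mentioned in this post can be caught before deploying. The following is an added example, not part of the original post: a small Python check that cross-references the Traefik flags with a service's labels. The function name, sample domain, e-mail address and hash are constructed for illustration.

```python
import re

# Constructed sample input modelled on the compose files in this post.
# The typos (resolver "le", entrypoint "websecured", single "$") are deliberate.
TRAEFIK_FLAGS = [
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--certificatesresolvers.le.acme.email=ops@example.com",
    "--certificatesresolvers.leresolver.acme.storage=/acme.json",
    "--certificatesresolvers.leresolver.acme.tlschallenge=true",
]
APP_LABELS = [
    "traefik.http.routers.saas-app.rule=Host(`saas-app.example`)",
    "traefik.http.routers.saas-app.entrypoints=websecured",
    "traefik.http.routers.saas-app.tls.certresolver=leresolver",
    "traefik.http.middlewares.auth.basicauth.users=admin:$apr1$constructed$notarealhash",
]
CHALLENGES = {"tlschallenge", "httpchallenge", "dnschallenge"}
LONE_DOLLAR = re.compile(r"(?<!\$)\$(?!\$)")  # a "$" Compose would try to interpolate

def lint(flags, labels):
    """Return findings for typos that break certificate issuance or basic auth."""
    findings, entrypoints, resolvers = [], set(), {}
    for flag in flags:
        parts = flag.lstrip("-").partition("=")[0].split(".")
        if parts[0].lower() == "entrypoints" and len(parts) > 1:
            entrypoints.add(parts[1])
        elif parts[0].lower() == "certificatesresolvers" and len(parts) > 3:
            # Flag layout: certificatesresolvers.<name>.acme.<option>
            resolvers.setdefault(parts[1], set()).add(parts[3].lower())
    for name, options in sorted(resolvers.items()):
        if not options & CHALLENGES:
            findings.append(f"resolver '{name}' has no ACME challenge (name typo?)")
    for label in labels:
        key, _, value = label.partition("=")
        key = key.lower()
        if key.endswith(".tls.certresolver") and not resolvers.get(value, set()) & CHALLENGES:
            findings.append(f"{key}: no usable resolver named '{value}'")
        elif key.endswith(".entrypoints"):
            for ep in value.split(","):
                if ep.strip() not in entrypoints:
                    findings.append(f"{key}: unknown entrypoint '{ep.strip()}'")
        elif key.endswith(".basicauth.users") and LONE_DOLLAR.search(value):
            findings.append(f"{key}: '$' must be written '$$' in docker-compose.yml")
    return findings

if __name__ == "__main__":
    for finding in lint(TRAEFIK_FLAGS, APP_LABELS):
        print("WARN", finding)
```

Feed it the command list from the Traefik compose file and the labels list from each service; an empty result means the resolver names, entrypoints and basic auth escaping are consistent.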