Working with a new technology or tool has a learning curve and the initial work of learning something new can be frustrating. I recently started using Traefik, a modern reverse proxy and load balancer designed to make working with microservices easy and am getting to the point where the documentation is starting to make sense. Here are a few tips and tricks for working with Traefik that I hope you find useful.
version: '3' services: traefik: container_name: traefik image: traefik:v2.4 restart: unless-stopped command: - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--api.insecure=true" - "--log.level=debug" - "--entrypoints.web.address=:80" - "--entrypoints.websecure.address=:443" - "--entrypoints.web.http.redirections.entrypoint.to=websecure" - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - "--certificatesResolvers.firstname.lastname@example.org" - "--certificatesResolvers.le.acme.storage=acme.json" - "--certificatesResolvers.le.acme.tlsChallenge=true" - "--certificatesResolvers.le.acme.httpChallenge=true" - "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web" - "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory" networks: - proxy ports: - 80:80 - 443:443 - "8080:8080" volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./data/acme.json:/acme.json
This command enables the Traefik Dashboard, which can be useful to understanding interactions and connections between entrypoints, routers, services and middlewares.
It is possible to password protect and encrypt the Traefik Dashboard and I have not bothered. Once everything is setup and I am no longer debugging Traefik I just comment out the line in my docker-compose.yml.
This command enables logging. It is possible to direct the Traefik logs to a log file with "--log.filepath=path/to/your/logfile" and I do not use this. By default Traefik redirects logs to standard out (stdout). When debugging I start Traefik with "docker-compose up" and am able to view the log information in a terminal window.
Let's Encrypt Staging Server
This command tells Traefik to use Let's Encrypt's staging server. This is useful in avoiding Let's Encrypts rate limiting when you are setting up a system and testing. When you are done testing and verified that everything is working you can just remove this line from your docker-compose.yml to migrate to Let's Encrypt's production environment
External files & Commands
Create your proxy network
While it is possible to create a proxy network for Traefik automatically. I have found it easier and cleaner to just create this network manually, so remember to run the following before starting up Traefik (and remember you only have to do this once).
docker create network proxy-network-name
Create your acme.json file
Remember to create and set permissions on your acme.json file.
mkdir data touch acme.json chmod 600 acme.json
Docker Stacks with Multiple Networks
Simple docker stacks (e.g. applications that only rely on one network like a simple web server) will work without any special configuration.
More complex docker stacks (e.g. applications that use multiple networks like a webserver that connects to Traefik via proxy network and a connects to a back-end database server via another private network) require additional configuration to inform the container which network traffic should be proxied on. Use this label in the containers' docker-compose.yml to do this: