Traefik Reverse Proxy for Docker

Traefik is a reverse proxy / load balancer that’s easy, dynamic, automatic, fast, full-featured, open source, production proven, provides metrics, and integrates with every major cluster technology.

Overview

In this tutorial I will share my Traefik docker-compose.yml setup files and how to use them.

Setup

  1. Clone the repo https://github.com/RaveMaker/docker-traefik
  2. Select your toml file:
    • traefik.toml – allow http and https
    • traefik.ssl.toml – redirect http to https

docker-compose settings


version: '3.7'

services:
  reverse-proxy:
    image: traefik:v1.7  # pin a v1 tag: the --api/--docker flags and traefik.frontend.* labels below are v1 syntax and do not work on v2+
    restart: unless-stopped
    networks:
      - proxy
    command: --api --docker  # Enables the web UI and tells Traefik to listen to docker
    ports:
      - "80:80"      # The HTTP port
      - "443:443"    # The HTTPs port
      - "8080:8080"  # The Web UI (enabled by --api)
    labels:
      - "traefik.frontend.rule=Host:monitor.docker.localhost"
      - "traefik.docker.network=proxy"
      - "traefik.port=8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock  # So that Traefik can listen to the Docker events (this socket gives the container control of the host's Docker daemon)
      - ./traefik.toml:/traefik.toml

networks:
  proxy:
    external: false
    name: proxy

Optional: comment out the 8080 port mapping in the docker-compose file and reach the dashboard through ports 80/443 instead, using a local URL configured with the hostRule label in the .env file.

Traefik.toml


defaultEntryPoints = ["https","http"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
      ]
      [[entryPoints.https.tls.certificates]]
        certFile = "certs/traefik.crt"
        keyFile = "certs/traefik.key"

Network settings

The stack is divided into three networks: proxy, backend and frontend.

The idea behind splitting the stack into three networks is to keep the Traefik reverse proxy from reaching the backend containers: Traefik is attached only to the proxy and frontend networks.

With the Traefik container you only create the ‘proxy’ network; the other networks are created with each stack and named after that stack, so the frontend/backend containers of different stacks cannot reach each other.

  • proxy
  • stack1_frontend
  • stack1_backend
  • stack2_frontend
  • stack2_backend

and so on…

  • request –> traefik –> frontend1 –> backend1
  • request –> traefik –> frontend2 –> backend2

There is a ‘connect.sh’ script included that connects your Traefik container to all of your frontend networks. You only need to run it after creating a new stack: the connection is persistent and survives reboots and up/down commands. You can run the script multiple times; it will output an error if the connection already exists.
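As an added illustration of what such a script has to do (this is not the repo's connect.sh), the following attaches the Traefik container to every `<stack>_frontend` network and skips networks it is already connected to, so repeated runs stay silent. It assumes the container is named `traefik` (override with TRAEFIK_CONTAINER) and the naming convention described above.

```shell
#!/bin/sh
# Added example, not the repository's connect.sh: attach the Traefik container to
# every *_frontend network so requests reach each stack's frontend but never its backend.
# Assumptions: container name "traefik" (override via TRAEFIK_CONTAINER) and the
# <stack>_frontend naming convention used by the stacks above.
TRAEFIK_CONTAINER="${TRAEFIK_CONTAINER:-traefik}"

# Pure helper: reads one network name per line on stdin and prints only the
# *_frontend networks that are not in the space-separated "already attached" list ($1).
# Kept free of docker calls so it can be exercised without a daemon.
select_frontend_networks() {
    attached=" $1 "
    while IFS= read -r net; do
        case "$net" in
            *_frontend) ;;           # keep only <stack>_frontend networks
            *) continue ;;           # proxy, backends, bridge, ... are never attached
        esac
        case "$attached" in
            *" $net "*) continue ;;  # already connected: skip instead of erroring
        esac
        printf '%s\n' "$net"
    done
}

# Names of the networks the Traefik container is currently attached to (space-separated).
attached_networks() {
    docker inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' \
        "$TRAEFIK_CONTAINER"
}

# Connect the container to every frontend network it is not yet part of.
connect_frontends() {
    attached=$(attached_networks) || return 1
    docker network ls --format '{{.Name}}' \
      | select_frontend_networks "$attached" \
      | while IFS= read -r net; do
            echo "connecting $TRAEFIK_CONTAINER to $net"
            docker network connect "$net" "$TRAEFIK_CONTAINER"
        done
}

# Only talk to the daemon when run as a script, not when sourced for testing.
case "$0" in
    */connect.sh|connect.sh) connect_frontends ;;
esac
```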

Examples
