Traefik with Docker
Traefik is a modern reverse proxy and load balancer written in Go. It works with Docker and Kubernetes and runs on Linux, FreeBSD, macOS, OpenBSD, and Windows. Traefik configures routing for containers from labels defined in their docker-compose.yml files and auto-provisions TLS certificates via a chosen ACME provider.
This guide offers two setup methods: the first is a quickstart using docker-prompt with my infrastructure git repository, and the second is creating all the configuration manually. The second method is better for learning.
If you want to use Cloudflare DNS, you’ll need the email address of your Cloudflare account and an API token with permission to edit DNS zones. To get an API token, navigate to dash.cloudflare.com/profile/api-tokens and click Create Token. Under API token templates, click Use Template next to Edit zone DNS. Under Zone Resources, select the specific zone you want the API token for or choose All zones, then click Continue to summary. Click the Create token button and copy the API token for later use.
# Clone the git repository
git clone https://gitlab.com/tek.place/infrastructure.git

# Navigate to the Traefik docker-compose files
cd ~/infrastructure/docker/traefik

# Set up the environment with docker-prompt
docker-prompt env.json

# Create networks
./scripts/mknet

# Create directories to store data
./scripts/mkvol

# Start up Traefik
./scripts/up
You’ll first want to create a network to which all containers you wish to publish will connect.
docker network create --attachable --gateway=172.21.0.1 --subnet=172.21.0.0/16 proxy
If you also plan to run Nextcloud AIO, create its network now as well.
docker network create --attachable --gateway=172.18.0.1 --subnet=172.18.0.0/24 nextcloud-aio
Create a place for your configuration, docker-compose file, and volumes, then navigate there.
mkdir -p ~/infrastructure/docker/traefik
cd ~/infrastructure/docker/traefik
Create a directory to back the Traefik config volume; in this case, we’ll store it in the ~/infrastructure/docker/traefik directory for simplicity.
mkdir config
Generate a hashed password for access to Traefik’s admin dashboard. The result should start with a $ sign; insert it in the .env file in place of YOUR_HASHED_ADMIN_PASSWORD_HERE.
openssl passwd -apr1
Create the environment for Traefik: a file named .env containing all the environment variables. Be sure to replace name@example.com, YOUR_HASHED_ADMIN_PASSWORD_HERE, YOUR_CLOUDFLARE_API_KEY_HERE, and domain.com with the proper content.
# filename: .env
# DNS challenge provider
ACME_CHALLENGE_PROVIDER=cloudflare

# Email for Let's Encrypt
ACME_EMAIL=name@example.com

# Cloudflare account email address
CF_API_EMAIL=name@example.com

# Cloudflare API token (needs permission to edit DNS zones)
CF_DNS_API_TOKEN=YOUR_CLOUDFLARE_API_KEY_HERE

# Traefik HTTPS port
HTTPS_PORT=443

# Traefik HTTP port
HTTP_PORT=80

# Log level
LOG_LEVEL=info

# Volume used for storing config files
TRAEFIK_CONFIG_VOL_DIR=${PWD}/config

# Password hash for HTTP Basic Auth on the Traefik dashboard.
# Hashes from `openssl passwd -apr1` contain `$` signs; if your Docker Compose
# version interpolates .env values, escape each `$` as `$$` so the hash reaches Traefik intact.
TRAEFIK_DASHBOARD_PASS=YOUR_HASHED_ADMIN_PASSWORD_HERE

# Username for HTTP Basic Auth on the Traefik dashboard
TRAEFIK_DASHBOARD_USER=admin

# Domain to access the Traefik dashboard and API
TRAEFIK_DOMAIN=traefik.domain.com
Create a file called docker-compose.yml with the following contents.
version: "3.8"

# Use the external networks created earlier
networks:
  proxy:
    external: true
  nextcloud-aio:
    external: true

# Create a data volume backed by a local directory
volumes:
  traefik_config:
    name: "${PREFIX:-}traefik_config"
    driver: local
    driver_opts:
      o: bind
      type: none
      device: "${TRAEFIK_CONFIG_VOL_DIR}"

services:
  traefik:
    image: "traefik:v2.10"
    container_name: "${PREFIX:-}traefik"
    ports:
      - "${HTTP_PORT:-80}:80"
      - "${HTTPS_PORT:-443}:443"
    env_file:
      # The .env created above, in the same directory as this file
      - "./.env"
    volumes:
      - "traefik_config:/etc/traefik"
      # Docker socket so Traefik can discover containers (read-only mount;
      # the Docker API still grants full control of the host, so treat this container as privileged)
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - proxy
      - nextcloud-aio
    labels:
      # Configure Traefik labels for the dashboard with HTTP basic auth
      traefik.enable: "true"
      traefik.http.routers.api.entrypoints: websecure
      traefik.http.routers.api.rule: Host(`${TRAEFIK_DOMAIN}`)
      traefik.http.routers.api.service: api@internal
      traefik.http.routers.api.tls.certresolver: le
      traefik.http.routers.api.middlewares: dashboard-auth
      traefik.http.middlewares.dashboard-auth.basicauth.users: "${TRAEFIK_DASHBOARD_USER}:${TRAEFIK_DASHBOARD_PASS}"
    command:
      # ACME with DNS challenge, so certificates are issued without exposing port 80 for validation
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=${ACME_CHALLENGE_PROVIDER}"
      - "--certificatesresolvers.le.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/etc/traefik/acme.json"
      - "--log.level=${LOG_LEVEL:-debug}"
      # Dashboard only behind the authenticated router above, never on the insecure port
      - "--api.insecure=false"
      - "--api.dashboard=${__TRAEFIK_DASHBOARD:-true}"
      - "--providers.docker=true"
      # Containers must opt in with traefik.enable=true; nothing is published by accident
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Redirect all plain HTTP to HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
Finally, start Traefik using the docker-compose command.
docker-compose up -d
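To show how the label mechanism publishes another container through this Traefik instance, here is an added example compose file for a separate whoami project; it is not part of the original guide. It assumes the external proxy network and the le certificate resolver configured above, the traefik/whoami image, and a hostname whoami.domain.com that you replace with your own.

```yaml
# filename: docker-compose.yml of a separate whoami project (added example)
version: "3.8"

networks:
  proxy:
    external: true   # the network created earlier with `docker network create ... proxy`

services:
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    # No `ports:` section: the container is reachable only through Traefik
    # on the shared proxy network, never directly on a host port.
    networks:
      - proxy
    labels:
      # exposedbydefault=false in Traefik's config, so each service opts in explicitly
      traefik.enable: "true"
      # Route only requests for this host (assumed name; replace with your domain)
      traefik.http.routers.whoami.rule: Host(`whoami.domain.com`)
      # Listen on the HTTPS entrypoint only; plain HTTP is already redirected by Traefik
      traefik.http.routers.whoami.entrypoints: websecure
      # Reuse the `le` resolver from Traefik's command line, so a certificate is issued automatically
      traefik.http.routers.whoami.tls.certresolver: le
      # Port the application listens on inside the container
      traefik.http.services.whoami.loadbalancer.server.port: "80"
```

After `docker-compose up -d` in this project, the new router appears in the Traefik dashboard and https://whoami.domain.com is served with a Let's Encrypt certificate, while the container itself stays unreachable from outside the proxy network.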