Roy Portas
Roy Portas
POSTSPROJECTS

Edge routing using Traefik

Published 2020-05-23
TraefikDocker

I've been following the development of Traefik for some time, since it was originally inducted into the CNCF foundation. They recently released version 2 so I figured I'd give it a go to deploy some infrastructure that I use, namely Matomo and Drone.

I usually use Nginx as a reverse proxy installed on the host operating system and configure it as a reverse proxy to my containers. However I was reading over the Traefik docs and it seems to provide an even easier way to configure routing.

To get started I'm gonna create a new docker-compose.yml file to store my configuration. if you want to follow along at home, create a new folder with the following structure:

my-example-project
|- reverse-proxy
|   |- docker-compose.yml
|- hello-world
|   |- docker-compose.yml

Now place this docker-compose.yml file in my-example-project/reverse-proxy/docker-compose.yml

version: "3"

services:
  reverse-proxy:
    image: traefik:v2.2
    command:
      #- "--log.level=DEBUG"
      #- "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      # - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencrypt.acme.email=postmaster@example.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      #- "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      # Persist the letsencrypt config to disk (e.g. certs, etc.)
      - ./letsencrypt:/letsencrypt

# Connect to the external network called "shared"
# needs to be manually created first
networks:
  default:
    external:
      name: shared

This configures Traefik to run as a reverse proxy exposed on 80 (for http) and 443 (for https). Make sure to replace the ACME email with the domain name you want to use.

Next we will create another docker-compose file containing a simple "hello world" docker container, which we will expose through Traefik. Place this in my-example-project/hello-world/docker-compose.yml

version: "3"

services:
  hello-world:
    image: strm/helloworld-http
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.drone.loadbalancer.server.port=80"
      - "traefik.http.routers.drone.rule=Host(`hello.example.com`)"
      - "traefik.http.routers.drone.entrypoints=websecure"
      - "traefik.http.routers.drone.tls.certresolver=letsencrypt"

# Connect to the external network called "shared"
# needs to be manually created first
networks:
  default:
    external:
      name: shared

Make sure to replace hello.example.com with your domain name. Before this will work you need to create an Docker network that is to be shared between docker-compose stacks, use the following command:

docker network create shared

Now we can bring the stacks up, start with the Traefik stack first, then bring up the Hello World stack

cd reverse-proxy && docker-compose up -d && cd ..
cd hello-world && docker-compose up -d && cd ..

Now you should be able to access the container from hello.example.com

curl https://hello.example.com
© 2021, Roy Portas. Built with Gatsby