Wednesday, August 1, 2018

My traefik demo

I've been using haproxy as my reverse proxy for a while and it's hard not to like. The challenge for any production system is deploying new services and sometimes updates. One definite weakness is updating https certs. Keep in mind if you believe in configuration as code then haproxy and an all in one deploy might not be a bad thing but that could be applied to various dimensions in the "system".

For the purpose of discussion haproxy and traefik perform a similar function but where haproxy is static, traefik services register. Traefik has two killer features. [1] registration of dynamic services [2] dynamic wildcard support at let's encrypt.


  • docker, docker-compose
  • docker-machine could be useful if you want to do remote deploys (post for another day)
  • dns + nameserver
  • traefik supported DNS service (I'm using digitalocean in this example)
  • at least one demo service


This was cobbled together from a number of sources...

$ mkdir -p /opt/traefik
$ cd /opt/traefik
$ touch acme.json docker-compose.yml traefik.toml
$ chmod 0600 acme.json

The acme file starts empty because traefik will fill it in with certs etc. The other two have some simple config. But first things first... create a docker network for the services to communicate with traefik.

$ docker network create web

The docker-compose.yml looks like this and is a standard compose file. The only interesting bits are the DO_AUTH_TOKEN which is configured at digital ocean and is used to update the DNS for let's encrypt. And the labels which are used by traefik and similar to passing environment variables into a container but more special purpose.

version: '3'

    image: traefik
    command: --api --docker
    restart: always
      - 80:80
      - 443:443
      - web
      - DO_AUTH_TOKEN=<token here>
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
      - ""
    container_name: traefik

    external: true

The traefik.toml file can be used to stitch traefik and it's functions together as well as some basics for the user services. I have implemented the basic authentication feature in my traefic.toml but in reality the services are supposed to implement their own. Certainly if I were implementing a single signon solution integration right here would make sense along with some RBAC built into the apps/services. At the bottom of the file are the let's encrypt configuration items. That includes wildcard. (let's encrypt has some rate limits to beware)

debug = false

logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

# openssl passwd -apr1 myPassword
  address = ":80"
    entryPoint = "https"
      users = ["admin:passwd hash goes here"]
      users = ["admin:passwd hash goes here"]
  address = ":443"


endpoint = "unix:///var/run/docker.sock"
domain = ""
watch = true
exposedByDefault = false

email = "my email addr here"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
  main = "*"
  sans = [""]
entryPoint = "http"
  provider = "digitalocean"
  delayBeforeCheck = 0

Now that everything is configured... time to launch.

$ docker-compose up -d

At this point traefik is running; and it's time to launch a service.

$ mkdir -p $HOME/who
$ cd $HOME/who
$ touch docker-compose.yml

And here is the docker-compose.yml file.

version: "3"

    image: emilevauge/whoami
    restart: always
      - web
      - default
      - "80"
      - ""
      - "traefik.enable=true"
      - ""
      - "traefik.basic.port=80"
      - "traefik.basic.protocol=http"

    external: true

Launching the service is as simple as

$ docker-compose up -d

NOTE this is not a docker swarm. That config is different and for another day but based on this config.

No comments:

Post a Comment

another bad day for open source

One of the hallmarks of a good open source project is just how complicated it is to install, configure and maintain. Happily gitlab and the ...