Traefik Guide#
Setting up Traefik#
- https://www.digitalocean.com/community/tutorials/how-to-use-traefik-as-a-reverse-proxy-for-docker-containers-on-ubuntu-18-04
- https://docs.traefik.io/user-guides/docker-compose/basic-example/
- https://medium.com/@containeroo/traefik-2-0-docker-a-simple-step-by-step-guide-e0be0c17cfa5
- https://joshuaavalon.io/setup-traefik-v2-step-by-step
- https://containo.us/blog/traefik-2-0-docker-101-fc2893944b9d/
Traefik's overview#
Traefik works by:
1. listening for incoming requests at certain entry points,
2. applying changes to the requests with middlewares,
3. directing the requests to a router,
4. routing the requests through services to the server.
https://docs.traefik.io/providers/docker/#routing-configuration-with-labels
Configuring Traefik#
Traefik contains static and dynamic configurations.
"Elements in the static configuration set up connections to providers and define the entrypoints Traefik will listen to (these elements don't change often)."
The dynamic configuration contains everything that defines how the requests are handled by your system. This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.
Static#
There are three different, mutually exclusive (i.e. you can use only one at a time) ways to define static configuration options in Traefik:
1. In a configuration file
1. In the command-line arguments
1. As environment variables
For command-line arguments, we can pass them to `docker run`, or add them to a `docker-compose.yml` configuration file and run it with `docker-compose up -d`.
Below is an example of a `docker-compose.yml` configuration.
```yaml
version: '3.7'
services:
  traefik:
    # The official v2 Traefik docker image
    image: traefik:v2.1
    container_name: traefik
    restart: always
    networks:
      - traefik-web
    # Enables the web UI and tells Traefik to listen to docker
    command:
      # For all possible arguments, check
      # https://docs.traefik.io/reference/static-configuration/cli/
      #- "--logLevel=DEBUG"
      #- "--traefikLog.filePath=traefik.log"
      - "--accesslog=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:18000"
      - "--api=true"
      - "--api.dashboard=true"
      #- "--api.insecure=true"
    ports:
      # The HTTP and HTTPS port
      - "18000:18000"
      #- "1443:1443"
      # The Web UI (enabled by --api.insecure=true)
      # Do not expose traefik api port directly
      #- "18080:8080"
    volumes:
      # How to define volumes
      # https://docs.docker.com/compose/compose-file/#/volumes-volumedriver
      # So that Traefik can listen to the Docker events
      # (this also gives the Traefik container access to the Docker API)
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/home/jon/Docker/traefik/config:/config"
    labels:
      # Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.jonai.teojy.com`)"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=auth"
      #- "traefik.http.middlewares.auth.basicauth.users=jonaiTF:$$apr1$$mjS0ALR5$$d4SIrJkE9qnzLlr28HC7h."
      # This file should be mounted into the traefik container as a volume.
      - "traefik.http.middlewares.auth.basicauth.usersfile=/config/.htpasswd"
  whoami:
    # A container that exposes an API to show its IP address
    image: containous/whoami
    container_name: whoami
    networks:
      - traefik-web
    labels:
      - "traefik.enable=true"
      # Tells traefik to direct request from host to the whoami container
      - "traefik.http.routers.whoami.rule=Host(`whoami.jonai.teojy.com`)"
      - "traefik.http.routers.whoami.entrypoints=web"
networks:
  traefik-web: # This is the network name to be referenced in the services defined in this current compose file.
    name: traefik-web # This is the network name to be referenced in other services from other compose files. It can be different from the name above.
```
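A small audit of the dashboard-related settings in the compose file above, added here as an example and not part of the original guide: it flags `--api.insecure`, Docker containers exposed by default, and an `api@internal` router with no authentication middleware attached. The function names, finding codes and sample inputs are constructed for illustration.

```python
import re

AUTH_KINDS = ("basicauth", "digestauth", "forwardauth")

# Constructed sample input: deliberately weak Traefik service settings.
WEAK_COMMAND = ["--providers.docker=true", "--api.dashboard=true", "--api.insecure"]
WEAK_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.traefik.service=api@internal",
]
# Constructed sample input: the relevant settings from the compose file above.
HARDENED_COMMAND = [
    "--providers.docker=true",
    "--providers.docker.exposedbydefault=false",
    "--api.dashboard=true",
]
HARDENED_LABELS = WEAK_LABELS + [
    "traefik.http.routers.traefik.middlewares=auth",
    "traefik.http.middlewares.auth.basicauth.usersfile=/config/.htpasswd",
]

def parse(items, default=""):
    """Turn 'key=value' strings into a dict; keys are matched case-insensitively."""
    out = {}
    for item in items:
        key, _, value = item.partition("=")
        out[key.strip().lstrip("-").lower()] = value.strip() or default
    return out

def audit(command, labels):
    """Return sorted finding codes for one Traefik service definition."""
    # A bare boolean flag such as "--api.insecure" counts as true.
    flags, lab = parse(command, default="true"), parse(labels)
    findings = set()
    if flags.get("api.insecure", "false").lower() == "true":
        findings.add("api-insecure")  # API and dashboard served without auth
    if (flags.get("providers.docker", "false").lower() == "true"
            and flags.get("providers.docker.exposedbydefault", "true").lower() != "false"):
        findings.add("exposed-by-default")  # every container gets a router
    for key, service in lab.items():
        router = re.fullmatch(r"traefik\.http\.routers\.([^.]+)\.service", key)
        if not router or service != "api@internal":
            continue
        chain = lab.get(f"traefik.http.routers.{router.group(1)}.middlewares", "")
        names = [n.strip().lower().split("@")[0] for n in chain.split(",") if n.strip()]
        # The router needs a middleware that is defined here as an auth middleware.
        if not any(k.startswith(f"traefik.http.middlewares.{n}.{kind}.")
                   for n in names for kind in AUTH_KINDS for k in lab):
            findings.add("dashboard-no-auth")
    return sorted(findings)
```

Feed it the `command` and `labels` lists of the Traefik service; an empty result means none of the three conditions was found.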
Dynamics#
Here is a list of all possible traefik labels for containers.
API#
https://docs.traefik.io/operations/api/#configuration
Forward Authentication#
The following guides are for Traefik v1, which uses frontends and backends:
- Guide
- Forward Authenticator Docker

To adapt the configuration to Traefik v2, use Traefik's and tfa's upgrade guides. The following are a few guides using Traefik with Forward Auth:
- Guide 1
- Guide 2
If you encounter the following error:
```
Authorization Error
Error 400: redirect_uri_mismatch
The redirect URI in the request, http://auth.jonai.teojy.com/_oauth, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit: https://console.developers.google.com/apis/credentials/oauthclient/832419647462-m88199vfven2h9umnu3bhg03tt4rbbho.apps.googleusercontent.com?project=832419647462
```
go to the developer console and add the URI `http://auth.jonai.teojy.com/_oauth`.
If you encounter a 404 error, check whether the redirect is http or https. Only https will work on my Traefik setup, so you may have to change it to https manually.
http to https redirection#
To redirect services globally, apply the following middleware to Traefik [1][2][3]:
```yaml
labels:
  # ...
  # middleware redirect
  - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  # global redirect to https
  - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
  - "traefik.http.routers.redirs.entrypoints=web"
  - "traefik.http.routers.redirs.middlewares=redirect-to-https"
```
Troubleshoot#
To check network issues:
- Check Traefik's dashboard to see if there is a router for each container.
- Check the docker network.
  ```
  docker network ls
  docker network inspect <Network ID>
  ```
- Check Traefik's log. Run it undetached (don't use `-d`) and check the standard output.
  ```
  docker-compose up # Run in Traefik's docker-compose.yml folder
  ```
- If you encounter a gateway timeout, chances are that you are running multiple containers that aren't on the same docker network. Check guide_docker on how to configure docker networks.
- Check if a firewall is enabled.
- Check that the DNS configuration on the web host is correct.
- Check if the upstream reverse proxy is configured correctly.