traefik

This directory contains some examples for the Traefik proxy and load-balancer.

For each example, the recommended command to start the docker-compose stack is:

Bash
docker-compose down && docker-compose up

Useful notes

To generate the passwords for the digest authentication, use the htdigest command. If you are on Debian and the htdigest command is not installed, you can run:

Bash
sudo apt-get update && sudo apt-get install -y apache2-utils

Similar packages exist for other operating systems.

example-01

Features:

example-02

Before starting this stack, you have to generate a custom certificate (server.crt and server.key files). To do so, you can use the OpenSSL utility:

Bash
openssl req -newkey rsa:2048 -nodes -keyout server.key \
    -x509 -days 365 -subj "/C=IT/ST=Italy/L=/O=MyOrganization/OU=/CN=*.example.com" -out server.crt

Features:

Note: in this case, set the traefik.http.routers.<name>.entryPoints=websecure label on every container. Otherwise the Traefik routers bind to all the entryPoints, including web, which isn't secure because it uses HTTP.
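A small lint for the note above, added here as an example and not part of this repository: it scans compose text for traefik.http.routers.<name>.* labels and reports routers that have no entryPoints label or that list an entryPoint other than websecure. The compose snippet and its service names are constructed sample data, and matching option names case-insensitively is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: labels as they might appear in a docker-compose.yml.
SAMPLE_COMPOSE = """\
services:
  foo:
    labels:
      - "traefik.http.routers.foo.rule=Host(`foo.example.com`)"
      - "traefik.http.routers.foo.entryPoints=websecure"
      - "traefik.http.routers.foo.tls=true"
  bar:
    labels:
      - "traefik.http.routers.bar.rule=Host(`bar.example.com`)"
      - "traefik.http.routers.bar.tls=true"
  baz:
    labels:
      - "traefik.http.routers.baz.rule=Host(`baz.example.com`)"
      - "traefik.http.routers.baz.entryPoints=web,websecure"
"""

# Matches both label styles: list form (key=value) and map form (key: value).
LABEL_RE = re.compile(
    r"traefik\.http\.routers\.([\w-]+)\.([\w.]+)\s*[=:]\s*[\"']?([^\"'\n]*)",
    re.IGNORECASE,
)


def find_exposed_routers(compose_text, secure=("websecure",)):
    """Return {router_name: reason} for routers reachable over a non-HTTPS entryPoint.

    `secure` lists the entryPoint names considered HTTPS-only (assumption:
    the entryPoint is called "websecure", as in the note above).
    """
    routers = defaultdict(dict)
    for name, option, value in LABEL_RE.findall(compose_text):
        # Option names are compared in lower case (assumed case-insensitive).
        routers[name][option.lower()] = value.strip()

    findings = {}
    for name, opts in sorted(routers.items()):
        if "entrypoints" not in opts:
            findings[name] = "no entryPoints label: router binds to every entryPoint"
            continue
        extra = [e.strip() for e in opts["entrypoints"].split(",") if e.strip() not in secure]
        if extra:
            findings[name] = "also bound to: " + ", ".join(extra)
    return findings


if __name__ == "__main__":
    for router, reason in find_exposed_routers(SAMPLE_COMPOSE).items():
        print(f"{router}: {reason}")
```
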

example-03

Before starting this stack, you have to create an empty file named acme.json with 600 permissions:

Bash
touch acme.json
chmod 600 acme.json

It will be used to store the keys and certificates issued by Let's Encrypt.

Features:

  • uses HTTPS with automatically-generated certificates, using Let's Encrypt
  • DNS domains will be automatically assigned to the containers based on their name
  • the foo container listens on port 8080 instead of 80

example-04

Similar to example-01, but:

  • container labels are used as the dynamic configuration provider for Traefik
  • the Traefik dashboard is served on port 8080, which is bound to localhost only in the docker-compose.yml file
  • the Traefik dashboard is accessible without authentication

Additional tips

💡 You can use a regular expression to match domains with: HostRegexp(`^(.+\.)?example\.com$`). See https://doc.traefik.io/traefik/routing/routers/#host-and-hostregexp for further details.

💡 If you use Let's Encrypt as the certificate resolver and want a router to handle all the possible subdomains (with HostRegexp), but for some reason you cannot use the ACME DNS-01 challenge and you are fine with enabling Let's Encrypt only for some subdomains, you can manually specify the details of the HTTPS certificate for each domain, like this:

YAML
http:
  routers:
    myrouter:
      entryPoints: [websecure]
      rule: HostRegexp(`^(.+\.)?example\.com$`)
      tls:
        # The "certResolver" option is needed here to make Traefik try to
        # generate certificates based on routers Host and HostSNI rules. See
        # https://doc.traefik.io/traefik/routing/routers/#certresolver
        certResolver: letsencrypt
        domains:
          - main: example.com
            sans: [www.example.com]
          - main: www01.example.com
          - main: www02.example.com
          - main: www03.example.com
      service: myservice