I had an overall good experience with Traefik 1.x used on Rancher 1.x (before they switched to Kubernetes, rest in peace Cattle container orchestration) and recently I have been trying to migrate my tiny playground infrastructure to Traefik 2.0. Unfortunately, the API is completely different and you have to wrap your head around the new concept of how to handle load balancing from scratch.

It seems the official documentation is still not there yet so I’m gonna post some general examples specifically for load balancing docker services using docker labels alone (without using file configuration at all) - hopefully somebody will find it helpful.

Spinning up Traefik with web UI with http to https redirect, letsencrypt and basic auth

Here is an ansible config that you can use almost out of the box (docker compose syntax is very similar tho):

- name: Create a named volume
  docker_volume:
    name: traefik

- name: Create traefik network
  docker_network:
    name: traefik

- name: Create traefik container
  docker_container:
    name: traefik
    image: traefik:v2.0.2
    restart_policy: always
    command:
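      # insecure mode serves the API/dashboard without auth on port 8080; that port is
      # not published below, but containers on the traefik network can reach it directly
      - --api.insecure=true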
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencrypt.acme.email=you@example.com  # placeholder address
      - --certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json
      - --accesslog=true
    labels:
      traefik.enable: 'true'
      traefik.docker.network: 'traefik'
      traefik.http.middlewares.redirect-https.redirectscheme.scheme: 'https'
      traefik.http.middlewares.redirect-https.redirectscheme.permanent: 'true'
      traefik.http.routers.router-http-traefik.rule: 'Host(`traefik.mydomain.com`)'
      traefik.http.routers.router-http-traefik.entrypoints: 'web'
      traefik.http.routers.router-http-traefik.middlewares: 'redirect-https@docker'
      # sample credential (user "test"); generate your own entry with htpasswd
      traefik.http.middlewares.auth-traefik.basicauth.users: 'test:$apr1$EBRw4S.r$avwoNeITj198OBI8BOsI61'
      traefik.http.routers.router-https-traefik.rule: 'Host(`traefik.mydomain.com`)'
      traefik.http.routers.router-https-traefik.middlewares: 'auth-traefik@docker'
      traefik.http.routers.router-https-traefik.entrypoints: 'websecure'
      traefik.http.routers.router-https-traefik.tls.certResolver: 'letsencrypt'
      traefik.http.services.balancer-traefik.loadbalancer.server.port: '8080'
    volumes:
      # access to the docker socket means control over the Docker daemon on this host
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik:/traefik
    ports:
      - 80:80
      - 443:443
    networks:
      - name: traefik
    purge_networks: yes

So we’re attaching the traefik container to the traefik docker network - we will use that network for all of our containers that need to speak with Traefik. We also mount the traefik volume where Traefik will store certificates (so we assume we’re running this on a single server, an HA setup is a little bit more complex).

Then we spin up Traefik itself.

The interesting parts are the labels - you’ll notice a lot of routers, middlewares and services - and if you look closely it all comes into play together.

We define redirect-https middleware and then use it in our router-http-traefik router - we redirect all traffic to https.

The auth-traefik middleware (test user & password) is used by our router-https-traefik router. The load balancer, balancer-traefik (again, this is a custom name and it needs to be unique across your stack - you can re-use middleware names tho), points traffic to Traefik’s port 8080 (the web dashboard).

For the sake of completeness of this example let’s add another service:

- name: Create Docker Container
  docker_container:
    name: other-app
    image: image-of-my-app
    state: started
    restart_policy: always
    pull: true
    labels:
      traefik.enable: 'true'
      traefik.docker.network: 'traefik'
      traefik.http.routers.myother-router.rule: 'Host(`mydomain.com`, `subdomain.mydomain.com`, `otherdomain.com`)'
      traefik.http.routers.myother-router.entrypoints: 'web'
      traefik.http.routers.myother-router.middlewares: 'redirect-https@docker'
      traefik.http.routers.myother-https-router.rule: 'Host(`mydomain.com`, `subdomain.mydomain.com`, `otherdomain.com`)'
      traefik.http.routers.myother-https-router.entrypoints: 'websecure'
      traefik.http.routers.myother-https-router.tls.certResolver: 'letsencrypt'
      traefik.http.services.myother-balancer.loadbalancer.server.port: '8080'
    networks:
      - name: traefik
    purge_networks: yes

Here we configure another simple service that should be accessible on 3 different addresses - and all traffic should be redirected to https. As you see we re-used the redirect-https@docker middleware declaration that was defined on the traefik container itself and it should just work. The rest is very similar - we specify we want to use the cert resolver and balance traffic to port 8080.
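As an added example (not part of the original post and not Traefik's own code), here is a small Python check of how the router, middleware and entrypoint labels above reference each other. It flags a router that points at an undefined middleware, a plain-HTTP router without the https redirect, and a router on the TLS entrypoint that has no tls option. The label set is a constructed merge of the two containers on this page; the function names and the assumption that `web` is the only non-TLS entrypoint belong to this example.

```python
import re
# Constructed sample: routing labels from this page's two containers (dummy hash).
LABELS = {
    "traefik.http.middlewares.redirect-https.redirectscheme.scheme": "https",
    "traefik.http.middlewares.auth-traefik.basicauth.users": "test:dummy-hash",
    "traefik.http.routers.router-http-traefik.entrypoints": "web",
    "traefik.http.routers.router-http-traefik.middlewares": "redirect-https@docker",
    "traefik.http.routers.router-https-traefik.entrypoints": "websecure",
    "traefik.http.routers.router-https-traefik.middlewares": "auth-traefik@docker",
    "traefik.http.routers.router-https-traefik.tls.certResolver": "letsencrypt",
    "traefik.http.routers.myother-router.entrypoints": "web",
    "traefik.http.routers.myother-router.middlewares": "redirect-https@docker",
    "traefik.http.routers.myother-https-router.entrypoints": "websecure",
    "traefik.http.routers.myother-https-router.tls.certResolver": "letsencrypt",
}
KEY = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+)$")

def parse(labels):
    """Group labels into (routers, middlewares): {name: {option: value}}."""
    cfg = {"routers": {}, "middlewares": {}}
    for key, value in labels.items():
        m = KEY.match(key)
        if m:
            kind, name, option = m.groups()
            cfg[kind].setdefault(name, {})[option.lower()] = value
    return cfg["routers"], cfg["middlewares"]

def split(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(labels, plain=("web",)):
    """Return sorted (router, problem) pairs; `plain` lists non-TLS entrypoints."""
    (routers, mws), findings = parse(labels), []
    for name, router in routers.items():
        refs = [ref.partition("@") for ref in split(router.get("middlewares", ""))]
        for mw, _, provider in refs:
            if provider in ("", "docker") and mw not in mws:
                findings.append((name, f"undefined middleware {mw}"))
        eps = split(router.get("entrypoints", ""))
        has_tls = any(opt.startswith("tls") for opt in router)
        # No entrypoints label means the router listens on every entrypoint.
        on_plain = (not eps or any(e in plain for e in eps)) and not has_tls
        redirects = any(mws.get(mw, {}).get("redirectscheme.scheme") == "https"
                        for mw, _, _ in refs)
        if on_plain and not redirects:
            findings.append((name, "plain HTTP without https redirect"))
        if not on_plain and not has_tls:
            findings.append((name, "no tls option on a TLS entrypoint"))
    return sorted(findings)
```

`audit(LABELS)` returns an empty list for the configuration on this page; a misspelled middleware reference or a dropped `tls.certResolver` label shows up as a finding for the affected router.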

Assuming everything is configured as it should be, you should be able to access Traefik’s panel via traefik.mydomain.com and see your services.

Traefik 2.x Dashboard

Overall I suggest taking a deep dive into the official documentation and happy traefiking! If you notice any issues with the instructions above please lemme know as I’m still in the process of migrating my stuff as well ;).