I had overall good experience with Traefik 1.x used on Rancher 1.x (before they switched to Kubernetes, rest in peace Cattle container orchestration) and recently I have been trying to migrate my tiny playground infrastructure to Traefik 2.0. Unfortunately, the API is completely different and you have to wrap your head around the new concept how to handle load balancing from scratch.

It seems official documentation is still not there yet so I’m gonna post some general examples specifically for load balancing docker services using docker labels alone (without using file configuration at all) - hopefully somebody will find it helpful.

Spinning up Traefik with web UI with http to https redirect, letsencrypt and basic auth

Here is ansible config that you can use almost out of the box (docker compose syntax is very similar tho):

- name: Create a named volume
    name: traefik

- name: Create traefik network
    name: traefik

- name: Create traefik container
    name: traefik
    image: traefik:v2.0.2
    restart_policy: always
      - --api.insecure=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      - [email protected]
      - --certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json
      - --accesslog=true
      traefik.enable: 'true'
      traefik.docker.network: 'traefik'
      traefik.http.middlewares.redirect-https.redirectscheme.scheme: 'https'
      traefik.http.middlewares.redirect-https.redirectscheme.permanent: 'true'
      traefik.http.routers.router-http-traefik.rule: 'Host(`traefik.mydomain.com`)'
      traefik.http.routers.router-http-traefik.entrypoints: 'web'
      traefik.http.routers.router-http-traefik.middlewares: '[email protected]'
      traefik.http.middlewares.auth-traefik.basicauth.users: 'test:$apr1$EBRw4S.r$avwoNeITj198OBI8BOsI61'
      traefik.http.routers.router-https-traefik.rule: 'Host(`traefik.mydomain.com`)'
      traefik.http.routers.router-https-traefik.middlewares: '[email protected]'
      traefik.http.routers.router-https-traefik.entrypoints: 'websecure'
      traefik.http.routers.router-https-traefik.tls.certResolver: 'letsencrypt'
      traefik.http.services.balancer-traefik.loadbalancer.server.port: '8080'
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik:/traefik
      - 80:80
      - 443:443
      - name: traefik
    purge_networks: yes

So we’re putting traefik container using traefik docker network - we will use that network for all of our containers that need to speak with traefik. We also mount traefik volume where traefik will store certificates (so we assume we’re running this on a single server, HA setup is a little bit more complex).

Then we spin up the traefik itself:

The interesting parts are the labels - you notice a lot of routers, middlewares and services - and if you look closely it all comes in play together.

We define redirect-https middleware and then use it in our router-http-traefik router - we redirect all traffic to https.

auth-traefik middleware (test user & password) is being used our router-https-traefik router. Loadbalancer - balancer-traefik (again this is a custom name and it needs to be unique across your stack - you can re-use middleware names tho) points traffic to traefik’s 8080 port (web dashboard).

For sake of completion of this example let’s add another service:

- name: Create Docker Container
    name: other-app
    image: image-of-my-app
    state: started
    restart_policy: always
    pull: true
      traefik.enable: 'true'
      traefik.docker.network: 'traefik'
      traefik.http.routers.myother-router.rule: 'Host(`mydomain.com`, `subdomain.mydomain.com`, `otherdomain.com`)'
      traefik.http.routers.myother-router.entrypoints: 'web'
      traefik.http.routers.myother-router.middlewares: '[email protected]'
      traefik.http.routers.myother-https-router.rule: 'Host(`mydomain.com`, `subdomain.mydomain.com`, `otherdomain.com`)'
      traefik.http.routers.myother-https-router.entrypoints: 'websecure'
      traefik.http.routers.myother-https-router.tls.certResolver: 'letsencrypt'
      traefik.http.services.myother-balancer.loadbalancer.server.port: '8080'
      - name: traefik
    purge_networks: yes

Here we configure another simple service that should be accessible on 3 different addresses - and whole traffic should be redirected to https. As you see we re-used [email protected] middleware declaration that was defined on traefik container itself and it should just work. The rest is very similar - we specify we want to use cert resolver and balance traffic to port 8080.

Assuming everything is configured as it should you should be able to access traefik’s panel via traefik.mydomain.com and see your services.

Traefik 2.x Dashboard

Overall I suggest taking a deep dive into official documentation and happy traefiking! If you notice any issues with instructions above please lemme know as I’m still in process of migrating my stuff as well ;).