I had an overall good experience with Traefik 1.x used on Rancher 1.x (before they switched to Kubernetes, rest in peace Cattle container orchestration) and recently I have been trying to migrate my tiny playground infrastructure to Traefik 2.0. Unfortunately, the API is completely different and you have to wrap your head around the new concepts for handling load balancing from scratch.
It seems official documentation is still not there yet so I’m gonna post some general examples specifically for load balancing docker services using docker labels alone (without using file configuration at all) - hopefully somebody will find it helpful.
Spinning up Traefik with web UI with http to https redirect, letsencrypt and basic auth
Here is an Ansible config that you can use almost out of the box (docker compose syntax is very similar tho):

```yaml
- name: Create a named volume
  docker_volume:
    name: traefik

- name: Create traefik network
  docker_network:
    name: traefik

- name: Create traefik container
  docker_container:
    name: traefik
    image: traefik:v2.0.2
    restart_policy: always
    command:
      # api.insecure serves the API and dashboard on port 8080 without auth
      - --api.insecure=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      # the address was obscured on the source page; <your-email> is a placeholder
      - --certificatesresolvers.letsencrypt.acme.email=<your-email>
      - --certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json
      - --accesslog=true
    labels:
      traefik.enable: 'true'
      traefik.docker.network: 'traefik'
      # middleware: redirect http to https
      traefik.http.middlewares.redirect-https.redirectscheme.scheme: 'https'
      traefik.http.middlewares.redirect-https.redirectscheme.permanent: 'true'
      # http router: only redirects
      traefik.http.routers.router-http-traefik.rule: 'Host(`traefik.mydomain.com`)'
      traefik.http.routers.router-http-traefik.entrypoints: 'web'
      traefik.http.routers.router-http-traefik.middlewares: 'redirect-https@docker'
      # middleware: basic auth (htpasswd format)
      traefik.http.middlewares.auth-traefik.basicauth.users: 'test:$apr1$EBRw4S.r$avwoNeITj198OBI8BOsI61'
      # https router: TLS via letsencrypt, protected by basic auth
      traefik.http.routers.router-https-traefik.rule: 'Host(`traefik.mydomain.com`)'
      traefik.http.routers.router-https-traefik.middlewares: 'auth-traefik@docker'
      traefik.http.routers.router-https-traefik.entrypoints: 'websecure'
      traefik.http.routers.router-https-traefik.tls.certResolver: 'letsencrypt'
      # service: the dashboard port inside the container
      traefik.http.services.balancer-traefik.loadbalancer.server.port: '8080'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik:/traefik
    ports:
      - 80:80
      - 443:443
    networks:
      - name: traefik
    purge_networks: yes
```
So we’re putting the traefik container on the traefik docker network - we will use that network for all of our containers that need to speak with traefik. We also mount the traefik volume where traefik will store certificates (so we assume we’re running this on a single server, an HA setup is a little bit more complex).

Then we spin up traefik itself:

- with the api enabled and with an ACME provider declared (that is: letsencrypt) - the certificatesresolvers labels are responsible for that and letsencrypt is our custom name (it can be anything)
- with two default entrypoints (we name them web and websecure and assign corresponding ports)
- we also enable accesslog (in case you don’t need it feel free to disable it, but it might be handy when trying to debug some potential issues)
The interesting parts are the labels - you notice a lot of middlewares, routers and services - and if you look closely it all comes into play together. We define the redirect-https middleware and then use it in our router-http-traefik router - we redirect all traffic to https. The auth-traefik middleware (test user & password) is being used in our router-https-traefik router. The loadbalancer - balancer-traefik (again this is a custom name and it needs to be unique across your stack - you can re-use middleware names tho) - points traffic to traefik’s 8080 port (web dashboard).
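A small lint for the label wiring described above, as an added example that is not part of the original post: it checks that every router's middleware reference resolves, that the router on websecure carries a tls option, and that the router on web redirects. It also flags `--api.insecure=true`, because with that flag Traefik serves the API and dashboard on the traefik entrypoint (port 8080 by default) with no middleware, so auth-traefik only covers requests that arrive through router-https-traefik. The `audit` helper and its messages are hypothetical names, and the htpasswd hash is replaced by a placeholder.

```python
import re

# Constructed input: the Traefik container's labels and flags from the playbook above.
PAGE_LABELS = {
    "traefik.http.middlewares.redirect-https.redirectscheme.scheme": "https",
    "traefik.http.middlewares.auth-traefik.basicauth.users": "test:<htpasswd-hash>",
    "traefik.http.routers.router-http-traefik.entrypoints": "web",
    "traefik.http.routers.router-http-traefik.middlewares": "redirect-https@docker",
    "traefik.http.routers.router-https-traefik.entrypoints": "websecure",
    "traefik.http.routers.router-https-traefik.middlewares": "auth-traefik@docker",
    "traefik.http.routers.router-https-traefik.tls.certResolver": "letsencrypt",
}
PAGE_COMMAND = ["--api.insecure=true", "--providers.docker"]

LABEL_RE = re.compile(r"traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+)$")

def audit(labels, command=()):
    """Hypothetical helper: lint Traefik v2 labels merged from all containers."""
    routers, middlewares, findings = {}, {}, []
    for key, value in labels.items():
        m = LABEL_RE.match(key)
        if not m:
            continue
        kind, name, option = m.group(1), m.group(2), m.group(3).lower()
        if kind == "middlewares":  # remember the middleware type, e.g. redirectscheme
            middlewares.setdefault(name, set()).add(option.split(".")[0])
        else:
            routers.setdefault(name, {})[option] = value
    for name, opts in sorted(routers.items()):
        kinds = set()
        for ref in filter(None, (r.strip() for r in opts.get("middlewares", "").split(","))):
            base, _, provider = ref.partition("@")
            if base in middlewares and provider in ("", "docker"):
                kinds |= middlewares[base]
            else:
                findings.append(f"{name}: middleware '{ref}' is not defined in any label")
        entrypoints = {e.strip() for e in opts.get("entrypoints", "").split(",")}
        # Entrypoint names web/websecure are the ones this page chose for :80/:443.
        if "websecure" in entrypoints and not any(o.startswith("tls") for o in opts):
            findings.append(f"{name}: on websecure but has no tls option")
        if "web" in entrypoints and "redirectscheme" not in kinds:
            findings.append(f"{name}: on web without an https redirect middleware")
    if "--api.insecure=true" in command:
        findings.append("api.insecure: API and dashboard listen on :8080 with no middleware")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PAGE_LABELS, PAGE_COMMAND)))
```

To lint a whole stack, merge the labels of every container into one dict first, since a router may reference a middleware declared on another container.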
For the sake of completeness of this example let’s add another service:

```yaml
- name: Create Docker Container
  docker_container:
    name: other-app
    image: image-of-my-app
    state: started
    restart_policy: always
    pull: true
    labels:
      traefik.enable: 'true'
      traefik.docker.network: 'traefik'
      # http router: re-uses the redirect middleware declared on the traefik container
      traefik.http.routers.myother-router.rule: 'Host(`mydomain.com`, `subdomain.mydomain.com`, `otherdomain.com`)'
      traefik.http.routers.myother-router.entrypoints: 'web'
      traefik.http.routers.myother-router.middlewares: 'redirect-https@docker'
      # https router: TLS via letsencrypt
      traefik.http.routers.myother-https-router.rule: 'Host(`mydomain.com`, `subdomain.mydomain.com`, `otherdomain.com`)'
      traefik.http.routers.myother-https-router.entrypoints: 'websecure'
      traefik.http.routers.myother-https-router.tls.certResolver: 'letsencrypt'
      # service: the port the app listens on inside the container
      traefik.http.services.myother-balancer.loadbalancer.server.port: '8080'
    networks:
      - name: traefik
    purge_networks: yes
```
Here we configure another simple service that should be accessible on 3 different addresses - and the whole traffic should be redirected to https. As you see we re-used the redirect-https@docker middleware declaration that was defined on the traefik container itself and it should just work. The rest is very similar - we specify we want to use the cert resolver and balance traffic to port 8080.

Assuming everything is configured as it should be, you should be able to access traefik’s panel via traefik.mydomain.com and see your services.
Overall I suggest taking a deep dive into the official documentation and happy traefiking! If you notice any issues with the instructions above please lemme know as I’m still in the process of migrating my stuff as well ;).