Difference between revisions of "Traefik"
Plittlefield (talk | contribs) |
Plittlefield (talk | contribs) (→Docker) |
Line 19: | Line 19: | ||
== Docker == | == Docker == | ||
− | The docker compose file below will create a traefik container with the Admin dashboard enabled, the Docker provider, automatic HTTP to HTTPS redirection, and Let's Encrypt SSL Certificates using AWS Route53 as the DNS challenge | + | === Docker Compose === |
+ | |||
+ | The docker compose file below will create a traefik container with the Admin dashboard enabled, the Docker provider, automatic HTTP to HTTPS redirection, and Let's Encrypt SSL Certificates using AWS Route53 or GANDI as the DNS challenge providers. | ||
sudo -i | sudo -i | ||
− | docker create | + | docker network create --driver=bridge --subnet=172.20.0.0/16 traefik |
mkdir -p /root/docker/stacks/traefik | mkdir -p /root/docker/stacks/traefik | ||
nano /root/docker/stacks/traefik/docker-compose.yml | nano /root/docker/stacks/traefik/docker-compose.yml | ||
Line 34: | Line 36: | ||
container_name: "traefik" | container_name: "traefik" | ||
command: | command: | ||
− | - "--api. | + | - "--api.dashboard=true" |
- "--providers.docker=true" | - "--providers.docker=true" | ||
- "--providers.docker.exposedbydefault=false" | - "--providers.docker.exposedbydefault=false" | ||
Line 41: | Line 43: | ||
- "--entrypoints.web.http.redirections.entrypoint.scheme=https" | - "--entrypoints.web.http.redirections.entrypoint.scheme=https" | ||
- "--entrypoints.websecure.address=:443" | - "--entrypoints.websecure.address=:443" | ||
− | - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" | + | - "--entrypoints.websecure.http.tls.domains[0].main=mydomain.org.uk" |
− | - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=route53" | + | - "--entrypoints.websecure.http.tls.domains[0].sans=*.mydomain.org.uk" |
− | - "--certificatesresolvers.letsencrypt.acme. | + | - "--entrypoints.websecure.http.tls.certresolver=letsencrypt-aws" |
− | + | - "--certificatesresolvers.letsencrypt-aws.acme.dnschallenge=true" | |
− | - "--certificatesresolvers.letsencrypt.acme. | + | - "--certificatesresolvers.letsencrypt-aws.acme.dnschallenge.provider=route53" |
− | - "--certificatesresolvers.letsencrypt.acme.email=me@mydomain.co.uk" | + | - "--certificatesresolvers.letsencrypt-aws.acme.email=me@mydomain.co.uk" |
+ | - "--certificatesresolvers.letsencrypt-aws.acme.storage=/acme/letsencrypt-aws.json" | ||
+ | - "--certificatesresolvers.letsencrypt-gandi.acme.dnschallenge=true" | ||
+ | - "--certificatesresolvers.letsencrypt-gandi.acme.dnschallenge.provider=gandiv5" | ||
+ | - "--certificatesresolvers.letsencrypt-gandi.acme.email=me@mydomain.co.uk" | ||
+ | - "--certificatesresolvers.letsencrypt-gandi.acme.storage=/acme/letsencrypt-gandi.json" | ||
+ | networks: | ||
+ | traefik: | ||
+ | ipv4_address: 172.20.0.2 | ||
ports: | ports: | ||
- "80:80" | - "80:80" | ||
- "443:443" | - "443:443" | ||
− | |||
networks: | networks: | ||
- "traefik" | - "traefik" | ||
volumes: | volumes: | ||
− | - "./acme | + | - "./acme/:/acme/" |
- "/var/run/docker.sock:/var/run/docker.sock:ro" | - "/var/run/docker.sock:/var/run/docker.sock:ro" | ||
environment: | environment: | ||
- "AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxx" | - "AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxx" | ||
− | - "AWS_SECRET_ACCESS_KEY= | + | - "AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" |
+ | - "GANDIV5_API_KEY=xxxxxxxxxxxxxxxxxxxxx" | ||
+ | labels: | ||
+ | - "traefik.enable=true" | ||
+ | - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik-dashboard.mydomain.org.uk`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" | ||
+ | - "traefik.http.routers.traefik-dashboard.service=api@internal" | ||
+ | - "traefik.http.routers.traefik-dashboard.middlewares=auth" | ||
+ | - "traefik.http.middlewares.auth.basicauth.users=my-username:$$2a$$04xxxxxxxxxxxxxxxxxxxxxxTebHUlFVbwar4jlRBO1a8K" | ||
restart: "always" | restart: "always" | ||
Line 64: | Line 80: | ||
traefik: | traefik: | ||
external: true | external: true | ||
+ | |||
+ | === Middlewares Chain === | ||
+ | |||
+ | labels: | ||
+ | - "traefik.http.routers.router1.service=service1" | ||
+ | - "traefik.http.routers.router1.middlewares=secured" | ||
+ | - "traefik.http.routers.router1.rule=Host(`mydomain`)" | ||
+ | - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users" | ||
+ | - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" | ||
+ | - "traefik.http.middlewares.https-only.redirectscheme.scheme=https" | ||
+ | - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32" | ||
+ | - "traefik.http.services.service1.loadbalancer.server.port=80" |
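Review bot: The traefik service now carries two `networks:` keys — the added mapping with `ipv4_address: 172.20.0.2` (Line 43 hunk) and the pre-existing `- "traefik"` list that still follows `ports:` — and a YAML mapping cannot hold a duplicate key, so Compose either rejects the file or keeps only one of the two and silently drops the static address. Delete the list form and keep the mapping: `networks:` / `  traefik:` / `    ipv4_address: 172.20.0.2`. In the Middlewares Chain snippet the htpasswd hash is written with single dollar signs, whereas the dashboard label in the earlier hunk correctly doubles them; inside a Compose file `$H6uskkkW` is read as variable interpolation, so the line should be `- "traefik.http.middlewares.auth-users.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"`. The AWS and Gandi credentials are plain-text `environment:` entries in a compose file under /root/docker/stacks; an `env_file:` kept outside the stack directory, or Docker secrets, would keep them out of the file and out of any backup or paste of it. The traefik service definition starts above this section's first hunk, so the `image:` and `version:` lines are not reviewed here.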
Latest revision as of 11:43, 29 August 2024
Introduction
Traefik is an open-source Edge Router that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them.
What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request.
Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and the list goes on; and can handle many at the same time. (It even works for legacy software running on bare metal.)
With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions). With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
Documentation
https://doc.traefik.io/traefik/
Redirect HTTP to HTTPS
https://jensknipper.de/blog/traefik-http-to-https-redirect/
Docker
Docker Compose
The docker compose file below will create a traefik container with the Admin dashboard enabled, the Docker provider, automatic HTTP to HTTPS redirection, and Let's Encrypt SSL Certificates using AWS Route53 or GANDI as the DNS challenge providers.
# Work as root: create the bridge network that Traefik and its backends
# will share, then create the stack directory and open the compose file.
sudo -i
docker network create \
  --driver=bridge \
  --subnet=172.20.0.0/16 \
  traefik
stack_dir=/root/docker/stacks/traefik
mkdir -p "$stack_dir"
nano "$stack_dir/docker-compose.yml"
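# Traefik reverse proxy: dashboard behind basic auth, Docker provider,
# HTTP -> HTTPS redirection, and Let's Encrypt DNS-challenge resolvers
# for AWS Route53 and Gandi.
version: "3.3"

services:
  traefik:
    # NOTE(review): "latest" is an unpinned tag; pin a release tag before
    # relying on this deployment.
    image: "traefik:latest"
    container_name: "traefik"
    command:
      # Dashboard on, api.insecure left off: the API is reachable only
      # through the authenticated router declared in the labels below.
      - "--api.dashboard=true"
      - "--providers.docker=true"
      # Containers must opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      # Wildcard certificate for the domain, issued through the AWS resolver.
      - "--entrypoints.websecure.http.tls.domains[0].main=mydomain.org.uk"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.mydomain.org.uk"
      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt-aws"
      - "--certificatesresolvers.letsencrypt-aws.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt-aws.acme.dnschallenge.provider=route53"
      - "--certificatesresolvers.letsencrypt-aws.acme.email=me@mydomain.co.uk"
      - "--certificatesresolvers.letsencrypt-aws.acme.storage=/acme/letsencrypt-aws.json"
      - "--certificatesresolvers.letsencrypt-gandi.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt-gandi.acme.dnschallenge.provider=gandiv5"
      - "--certificatesresolvers.letsencrypt-gandi.acme.email=me@mydomain.co.uk"
      - "--certificatesresolvers.letsencrypt-gandi.acme.storage=/acme/letsencrypt-gandi.json"
    # One networks key only (the earlier listing had it twice, which is a
    # duplicate mapping key); the mapping form carries the static address
    # on the external "traefik" network.
    networks:
      traefik:
        ipv4_address: 172.20.0.2
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # ACME account keys and issued certificates.
      - "./acme/:/acme/"
      # NOTE(review): ":ro" restricts only the filesystem mount; the Docker
      # API behind the socket remains reachable from the container.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    # DNS-challenge provider credentials (placeholder values). Prefer an
    # env_file outside the stack directory, or Docker secrets, so the
    # compose file itself holds no credentials.
    environment:
      - "AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxx"
      - "AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      - "GANDIV5_API_KEY=xxxxxxxxxxxxxxxxxxxxx"
    labels:
      - "traefik.enable=true"
      # Dashboard router: only the /api and /dashboard paths, behind basic auth.
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik-dashboard.mydomain.org.uk`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
      - "traefik.http.routers.traefik-dashboard.middlewares=auth"
      # htpasswd-style hash; every "$" is doubled because Compose
      # interpolates "$name" inside label values.
      - "traefik.http.middlewares.auth.basicauth.users=my-username:$$2a$$04xxxxxxxxxxxxxxxxxxxxxxTebHUlFVbwar4jlRBO1a8K"
    restart: "always"

networks:
  # Created beforehand with `docker network create` (see the commands above).
  traefik:
    external: true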
Middlewares Chain
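# Compose labels for a service behind a chained set of middlewares:
# HTTPS redirect, source-IP allow list, then basic auth.
labels:
  - "traefik.http.routers.router1.service=service1"
  - "traefik.http.routers.router1.middlewares=secured"
  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
  # The chain applies the three middlewares below in the listed order.
  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
  # htpasswd hash with every "$" doubled: Compose interpolates "$name"
  # in label values, which would otherwise strip the hash segments.
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
  - "traefik.http.services.service1.loadbalancer.server.port=80"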