
Traefik Notes

Last Updated: March 7th, 2022

Traefik can automatically pull service information from various sources ("providers"). This page shows how to use the Consul Catalog and Docker providers, how to get certificates from Let's Encrypt or use your own wildcard, and how to redirect HTTP to HTTPS.

Using Traefik with Consul & Nomad

Traefik's Consul Catalog provider reads services and their tags from Consul. Nomad registers each job's services there, so tags in the jobspec become Traefik routing rules without extra configuration. The example below talks to Consul over HTTPS with a client certificate and only routes services that opt in with a traefik.enable=true tag. Note that anyone who can register a service in Consul can attach traefik.* tags and claim any hostname, so on a shared cluster restrict service registration with Consul ACLs and give the provider its own token.

[providers.consulCatalog]
  # Only tags beginning with "traefik." are read
  prefix = "traefik"
  # Route only services that carry the traefik.enable=true tag
  exposedByDefault = false

[providers.consulCatalog.endpoint]
  # Consul's HTTPS API port; add token = "..." here if Consul ACLs are enabled
  address = "consul:8501"
  scheme = "https"

[providers.consulCatalog.endpoint.tls]
  # Mutual TLS to Consul: verify its CA and present a client certificate
  ca = "/etc/ssl/consul-ca.crt"
  cert = "/etc/ssl/consul-client.crt"
  key = "/etc/ssl/consul-client.key"

In your Nomad jobspec, add these tags to the service stanza of the task or group (Nomad registers the service and its tags in Consul, where the provider picks them up). Replace ipam with your app name and the hostname with your own.

tags = [
"traefik.http.routers.ipam.rule=Host(`ipam.techstormpc.net`)",
"traefik.http.routers.ipam.tls=true",
"traefik.http.routers.ipam.tls.certresolver=myresolver",
"traefik.http.routers.ipam.tls.domains[0].main=ipam.techstormpc.net",
"traefik.enable=true",
]

Using Traefik with Docker

Traefik's Docker provider watches the Docker engine for container start and stop events and builds routers and services from the labels on each running container.

Allow ports 80 and 443 through the host firewall. Do not expose port 8080: with api.insecure = true the dashboard and API on it have no authentication at all. Bind it to loopback in the port mapping (127.0.0.1:8080:8080) rather than relying on the host firewall, because Docker publishes ports through its own iptables rules, which bypass ufw-style host rules; or put the dashboard behind authentication and drop the port mapping entirely.

On Windows, replace the /opt/traefik:/etc/traefik volume below with C:\traefik:/etc/traefik.

Create a docker-compose.yml for the Traefik service.

version: '3'

services:
  traefik:
    # The official v2 Traefik docker image
    image: traefik:v2.6
    # No command-line flags: the static configuration is read from
    # /etc/traefik/traefik.toml (created in the next step). Traefik v2 uses only
    # the first static-config source it finds (file, then CLI flags, then
    # environment), so --api.insecure=true / --providers.docker given here
    # would be ignored once that file exists.
    ports:
      - "80:80"
      - "443:443"
      # The web UI/API (api.insecure = true in traefik.toml), bound to loopback
      # so that only the host itself can reach it
      - "127.0.0.1:8080:8080"
    volumes:
      # Traefik configuration directory
      - /opt/traefik:/etc/traefik
      # Docker socket, read-only, to listen for container events. Anything that
      # can talk to this socket is effectively root on the host, so treat the
      # Traefik container accordingly.
      - /var/run/docker.sock:/var/run/docker.sock:ro

Create a traefik.toml file in the config directory (/opt/traefik on the host, seen as /etc/traefik inside the container). This is the static configuration and is read once at startup.

# Static configuration. The v1 keys loglevel and defaultEntryPoints are rejected
# by v2 ("field not found"); in v2 each router lists its own entryPoints and
# listens on all of them if it lists none.
[log]
  level = "INFO"

[accessLog]

[providers.file]
  filename = "/etc/traefik/dynamic.toml"

[api]
  dashboard = true
  # Serves the dashboard and API without authentication on the "traefik"
  # entrypoint (:8080). Keep that port unpublished or loopback-only, or set
  # this to false and route api@internal behind auth in dynamic.toml.
  insecure = true

[entryPoints]
  [entryPoints.traefik]
    address = ":8080"
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"

[providers.docker]
  # Only containers labelled traefik.enable=true are routed
  exposedByDefault = false

[metrics]
  # Prometheus metrics are served on the "traefik" entrypoint, unauthenticated
  [metrics.prometheus]
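To add security to the dashboard instead of leaving api.insecure = true, set insecure = false in the [api] table above and serve the built-in api@internal service through the https entrypoint behind basic auth. The following dynamic.toml fragment is an added example, not part of the original notes; it assumes the hostname traefik.techstormpc.net, a password file at /etc/traefik/.htpasswd, and the myresolver certificate resolver configured in the SSL section below.

```toml
# dynamic.toml: serve the dashboard and API over HTTPS behind basic auth.
# Requires insecure = false under [api] in traefik.toml.

[http.routers.dashboard]
  entryPoints = ["https"]
  # Hostname is an assumption for this example
  rule = "Host(`traefik.techstormpc.net`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
  # Built-in service that exposes the API and dashboard
  service = "api@internal"
  middlewares = ["dashboard-auth"]
  [http.routers.dashboard.tls]
    # Resolver defined under [certificatesResolvers.myresolver] in traefik.toml
    certResolver = "myresolver"

[http.middlewares.dashboard-auth.basicAuth]
  # One "user:hash" per line; create with: htpasswd -Bc /etc/traefik/.htpasswd admin
  usersFile = "/etc/traefik/.htpasswd"
```

Create the password file with htpasswd -Bc /etc/traefik/.htpasswd admin (bcrypt hashes). With insecure = false the [entryPoints.traefik] table and the 8080 port mapping in the compose file can be dropped; [metrics.prometheus] still listens on the traefik entrypoint inside the container, which is then simply not published.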

Start Traefik with docker compose (or the equivalent docker run command).

docker-compose up -d traefik

On each application container, add these labels (in its docker compose file or on the docker run command line). With exposedByDefault = false, containers without traefik.enable=true are ignored. Replace app with the application's name.

traefik.enable=true
traefik.http.routers.app.rule=Host(`app.techstormpc.net`)
traefik.http.routers.app.tls=true

SSL

Let's Encrypt certs

To have Let's Encrypt issue certificates automatically, define an ACME certificate resolver that uses the DNS challenge with your DNS provider. The DNS challenge also works for hosts that are not reachable on port 80 from the internet and is the only challenge that can issue wildcard certificates. Here is an example using Cloudflare as the provider.

Edit your traefik.toml file (static configuration).

[certificatesResolvers.myresolver.acme]
  email = "<user>@techstormpc.com"
  # Issued certificates and their private keys; Traefik creates it with mode 600
  storage = "/etc/traefik/acme.json"
  keyType = "EC384"
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    provider = "cloudflare"
    # Seconds to wait before verifying the TXT record, to allow DNS propagation
    delayBeforeCheck = 90
    # Public resolvers used for the propagation check instead of the host's
    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
    disablePropagationCheck = false

Set the Cloudflare credentials as environment variables on the traefik container (environment: or env_file: in the compose file). Prefer a scoped API token over the global key: CF_DNS_API_TOKEN needs Zone:DNS:Edit on the zone, and CF_ZONE_API_TOKEN (a token with Zone:Read) is only needed when the DNS token does not itself have that permission; CF_API_EMAIL is only used together with the legacy CF_API_KEY global key. Traefik creates acme.json with mode 600 and refuses to start if it is more permissive, so do not loosen it: the file holds your private keys.
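The Nomad tags earlier on this page request one certificate per hostname (domains[0].main). With the DNS challenge you can instead issue a single certificate for the apex plus a wildcard SAN, which keeps every new subdomain from triggering a fresh issuance and from being listed by name in Certificate Transparency logs. The following dynamic.toml router is an added example, not from the original notes; the router name and the backend address 10.0.0.5:8080 are assumptions, and the resolver is the myresolver defined above.

```toml
# dynamic.toml: one certificate for the apex plus a wildcard SAN, issued by the
# myresolver DNS challenge; router and backend are assumptions for this example.

[http.routers.ipam]
  entryPoints = ["https"]
  rule = "Host(`ipam.techstormpc.net`)"
  service = "ipam"
  [http.routers.ipam.tls]
    certResolver = "myresolver"
    [[http.routers.ipam.tls.domains]]
      main = "techstormpc.net"
      # Wildcards are only issuable via the DNS challenge
      sans = ["*.techstormpc.net"]

[http.services.ipam.loadBalancer]
  [[http.services.ipam.loadBalancer.servers]]
    # Backend address is an assumption
    url = "http://10.0.0.5:8080"
```

Other routers under techstormpc.net that set only certResolver = "myresolver" are served from this certificate once it is in acme.json, as long as the wildcard covers their hostname. While testing, point the resolver at Let's Encrypt's staging CA (caServer = "https://acme-staging-v02.api.letsencrypt.org/directory" in the acme table) so failed attempts do not count against the production rate limits.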


Wildcard or custom

To use one wildcard (or any other manually obtained) certificate as the default for all services, add this at the end of dynamic.toml in your Traefik config directory. Traefik serves the default certificate for any TLS connection whose SNI does not match a certificate from a resolver or from the [[tls.certificates]] list, so a router with tls=true and no certresolver gets this one.

Copy the certificate chain and private key into the Traefik config directory as cert.pem and key.pem, and keep key.pem readable only by the user Traefik runs as (chmod 600).

[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "/etc/traefik/cert.pem"
keyFile = "/etc/traefik/key.pem"

In your traefik.toml file, make sure the file provider points at dynamic.toml (it is already present in the example above):

[providers.file]
filename = "/etc/traefik/dynamic.toml"


Redirect HTTP to HTTPS

Edit the dynamic.toml file in your traefik config directory.

[http.routers]
  [http.routers.redirecttohttps]
    entryPoints = ["http"]
    middlewares = ["httpsredirect"]
    # Match every hostname arriving on the http entrypoint
    rule = "HostRegexp(`{host:.+}`)"
    service = "noop"

# Dummy service: every v2 router needs a service, but the redirect middleware
# answers before the request is forwarded, so this backend is never reached.
[http.services]
  [http.services.noop.loadBalancer]
    [[http.services.noop.loadBalancer.servers]]
      url = "http://192.168.0.1"

[http.middlewares]
  [http.middlewares.httpsredirect.redirectScheme]
    scheme = "https"
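Traefik 2.2 and later can do this redirect on the entrypoint itself, which removes the catch-all router, the dummy noop service and the middleware above; the noop upstream at 192.168.0.1 would otherwise receive real requests if the middleware were ever detached from the router. The following traefik.toml fragment is an added example, not part of the original notes, and replaces the dynamic.toml block above (the entrypoint names http and https are the ones defined earlier on this page).

```toml
# traefik.toml (static configuration): redirect all HTTP to HTTPS at the
# entrypoint, replacing the router / noop service / middleware in dynamic.toml.

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.http.redirections.entryPoint]
      # Name of the target entrypoint, not a port
      to = "https"
      scheme = "https"
      # 308 Permanent Redirect instead of 302
      permanent = true
  [entryPoints.https]
    address = ":443"
```

Because this lives in the static configuration it needs a Traefik restart, unlike changes to dynamic.toml, which are picked up live.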