Traefik is a reverse proxy software which sits in front of all running services on a server. It integrates very nicely with docker and other orchestration tools. It looks at Docker container labels to determine routing rules, middleware definitions, and other configuraiton, meaning application-specific configuration can be kept together with the application and easily applied to any server which has a Traefik reverse proxy running, rather than tying it to a particular server's global configuration. It:
- listens on port 80, and redirects any requests to https on port 443
- listens on port 443 and either forwards that request to a configured service, or responds with a 404 if no matching service is configured
- watches a static configuration file for routing rules.
- watches the docker service for routing rules configured through labels on containers.
- Automatically acquires certificates for the configured services, either through HTTP or DNS (TXT record) validation.
To deploy services on a new server, see the instructions in the README for the traefik config repository
To add a service to a server which uses Traefik as a reverse proxy, ensure it is in the web network and add labels to the container like this:
services:
web-service:
# This service has some public-facing HTTP service listening on port 1312
labels:
traefik.http.routers.{SERVICE_NAME}.rule: Host(`example.com`) || Host(`example.net`) && !PathPrefix(`/service/prefix`)
# You don't need to specify the port like this unless the container has multiple exposed ports. This is just an example:
traefik.http.services.{SERVICE_NAME}.loadbalancer.server.port: 1312
traefik.http.routers.{SERVICE_NAME}.tls: true
traefik.http.routers.{SERVICE_NAME}.tls.certresolver: letsencrypt
networks:
- internal
- web
database:
# This is something the web-service depends on, but that shouldn't be publicly exposed
networks: [ internal ]
networks:
web:
external: true
internal:
internal: true
If the service stands on its own and doesn't require a dependent service, you don't need the extra internal network, but it still needs to be on the external network named web:
services:
web-service:
labels:
traefik.http.routers.{SERVICE_NAME}.rule: Host(`example.com`) || Host(`example.net`) && !PathPrefix(`/service/prefix`)
traefik.http.routers.{SERVICE_NAME}.tls: true
traefik.http.routers.{SERVICE_NAME}.tls.certresolver: letsencrypt
networks: [ web ]
networks:
web:
external: true
Of course, don't forget to point the configured host's DNS records at the server you're working with!