Because I want to install a service and spend as little time as possible on maintaining it, I try to avoid complicated hand-made configurations. That is why I find containers pretty cool and use them for different things. I stumbled over Traefik, which makes my life very easy.
Keeping life simple:
I hate touching millions of configuration files and investing night after night in the maintenance of my services. Some of them are my blog, my ownCloud, and my monitoring system.
I rent a little server at scaleway.com for my services, and decided to go with docker-compose for deployments until I hop on the Kubernetes train.
I went through testing several scenarios for setting up my services: deploying on VMs, having different vhosts for web applications, and so on. All of that is, in my opinion, frustrating to install and maintain.
A little while ago I came across a handy little helper called Traefik. It is not just a load balancer but also a reverse proxy, written in Go, and with minimal configuration effort I was able to get my services up and running, even with valid SSL certificates obtained from Let's Encrypt.
Create Traefik service
To achieve this I created this docker-compose.yml.
I used mydomain.com as a placeholder domain; you will want to change every occurrence of it.
```yaml
version: '3'

services:
  traefik:
    # The --docker flag and traefik.frontend.* labels are Traefik 1.x syntax;
    # pin a 1.x tag instead of latest when reusing this file.
    image: traefik:latest
    command: --docker --docker.domain=mydomain.com
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      # Access to the Docker API, used by Traefik to discover containers
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    labels:
      - traefik.enable=true
      - traefik.port=8080
      - traefik.backend=traefik
      - traefik.docker.network=proxy
      - traefik.frontend.rule=Host:traefik.mydomain.com
    container_name: traefik
    restart: always

networks:
  proxy:
    external: true
```
And configured Traefik in traefik.toml:
```toml
# Traefik global configuration
debug = false
checkNewVersion = true
logLevel = "ERROR"

# Define the entry points for HTTP and HTTPS
defaultEntryPoints = ["https","http"]

# Automatically redirect HTTP to HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

# Retry sending a request on network errors
[retry]

# Docker backend configuration
[docker]
endpoint = "unix:///var/run/docker.sock"
#domain = "mydomain.com"
watch = true
exposedbydefault = true

# Let's Encrypt registration
# Define the Let's Encrypt ACME HTTP challenge
[acme]
email = "email@example.com"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"

# Domains list.
[[acme.domains]]
main = "mydomain.com"
[[acme.domains]]
main = "mysidedomain.com"
```
Before starting any containers I need to define a network for them to communicate with.
```sh
docker network create proxy
```
Then I start traefik with:
```sh
docker-compose up -d
```
Create service with https and proxied by traefik
After that I am ready to start a service, in this case, drone-ci with:
```yaml
version: '3.4'

networks:
  proxy:
    external: true
  internal:
    external: false

# Named volume used by drone-server; compose requires it to be declared
volumes:
  drone-server-data:

services:
  drone-server:
    image: drone/drone:1.1.0
    volumes:
      - drone-server-data:/var/lib/drone/
    restart: always
    environment:
      - DRONE_OPEN=true
      - DRONE_HOST=drone.jonaka.de
      - DRONE_GITHUB=true
      - DRONE_ADMIN=mygithubname
      - DRONE_GITHUB_CLIENT_ID=mygithubclientid
      - DRONE_GITHUB_CLIENT_SECRET=mygithubclientsecret
      - DRONE_SECRET=mydronesecret
    labels:
      - traefik.backend=drone
      - traefik.frontend.rule=Host:drone.mydomain.com
      - traefik.docker.network=proxy
      - traefik.enable=true
    networks:
      - internal
      - proxy

  drone-agent:
    image: drone/agent:1.1.0
    restart: always
    depends_on:
      - drone-server
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DRONE_SERVER=drone.mydomain.com:9000
      - DRONE_SECRET=mydronesecret
    labels:
      - traefik.backend=drone-agent
      # The agent is not published through Traefik
      - traefik.enable=false
    networks:
      - internal
```
The particularly interesting part is the labels that interact with Traefik:
```yaml
labels:
  - traefik.backend=drone
  - traefik.frontend.rule=Host:drone.mydomain.com
  - traefik.docker.network=proxy
  - traefik.enable=true
```
This tells Traefik: here is a service that needs a domain, drone.mydomain.com.
Use the network named in traefik.docker.network=proxy for the service, make sure the service can communicate with others on the host, and make it available to the outside.
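As an added example (not from the original post), this small Python audit applies the labels above together with the `exposedbydefault` setting from traefik.toml to show which services end up published and which ones mount the Docker socket. The service data is a constructed reduction of the two compose files, `metrics-db` is a hypothetical unlabeled service, and the enable rule is a simplified model of the Traefik 1.x Docker provider.

```python
DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample: the services from the compose files above, reduced to the
# fields the audit reads. "metrics-db" is hypothetical and carries no labels.
SERVICES = {
    "traefik": {
        "labels": ["traefik.enable=true", "traefik.port=8080",
                   "traefik.frontend.rule=Host:traefik.mydomain.com"],
        "volumes": [DOCKER_SOCK + ":" + DOCKER_SOCK],
    },
    "drone-server": {
        "labels": ["traefik.backend=drone", "traefik.enable=true",
                   "traefik.frontend.rule=Host:drone.mydomain.com"],
        "volumes": ["drone-server-data:/var/lib/drone/"],
    },
    "drone-agent": {
        "labels": ["traefik.backend=drone-agent", "traefik.enable=false"],
        "volumes": [DOCKER_SOCK + ":" + DOCKER_SOCK],
    },
    "metrics-db": {"volumes": ["db-data:/var/lib/db"]},
}


def parse_labels(labels):
    """Accept both compose label forms: a list of 'key=value' strings or a mapping."""
    if isinstance(labels, dict):
        return {str(k): str(v) for k, v in labels.items()}
    return {k: v for k, _, v in (item.partition("=") for item in labels or [])}


def audit(services, exposed_by_default):
    """Simplified model (assumption): an explicit traefik.enable label wins,
    otherwise the exposedbydefault setting from traefik.toml decides."""
    report = {}
    for name, svc in services.items():
        labels = parse_labels(svc.get("labels"))
        enable = labels.get("traefik.enable")
        exposed = exposed_by_default if enable is None else enable.lower() == "true"
        report[name] = {
            "exposed": exposed,
            "rule": labels.get("traefik.frontend.rule") if exposed else None,
            "docker_sock": any(v.split(":")[0] == DOCKER_SOCK
                               for v in svc.get("volumes", [])),
        }
    return report


if __name__ == "__main__":
    for setting in (True, False):
        print("exposedbydefault =", setting)
        for name, row in audit(SERVICES, setting).items():
            print("  %-13s %s" % (name, row))
```

With `exposedbydefault = true`, the unlabeled service is published as well; setting it to `false` limits publication to services that carry `traefik.enable=true`.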
What are your thoughts on reverse proxies? Are you all on Kubernetes already? Is it worth the ramp-up time? What kind of services do you have deployed? Any plans for holiday projects? I am looking forward to improving my Prometheus setup or setting up a Kubernetes cluster using Terraform and Ansible.