Traefik as Reverse Proxy for your docker-compose setup!

Because I want to install a service and spend as little time as possible on maintaining it, I try to avoid complicated hand-made configurations. That is why , I find containers pretty cool and use them for different stuff: I stumbled over traefik which makes my life very easy.

Keeping life simple:

I hate to touch millions of configuration files and investing night after night into the maintenance of my services. Some of them are my blog, my ownCloud, and my monitoring system.

I rent a little server at scaleway.com for my sevice purposes. And decided to go with docker-compose for deployments until i hop on the kubernetes train. 

I went through testing several scenarios for setting up my services. Deploying on vms, having different vhosts for webapplications and so on. All of that is imho frustrating to install and maintain.

A little while ago i then came across a handy little  helper called traefik. It is not just a loadbalancer but also a reverse  proxy written in go-lang and with minimal configuration efforts i was able to get my services up and running even with valid ssl certificates obtained by letsencrypt.

Create Traefik service

To achieve this i created this docker-compose.yml 

I used mydomain.com as placeholder domains, you will want to change any occurence of that when you see it. 

version: '3'

services:

  traefik:
    image: traefik:latest
    command: --docker --docker.domain=mydomain.com 
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    labels:
      - traefik.enable=true
      - traefik.port=8080
      - traefik.backend=traefik
      - traefik.docker.network=proxy
      - traefik.frontend.rule=Host:traefik.mydomain.com
      
    container_name: traefik
    restart: always

networks:
  proxy:
    external: true

And configured My Traefik in the traefik.toml

#Traefik Global Configuration
debug = false
checkNewVersion = true
logLevel = "ERROR"

#Define the EntryPoint for HTTP and HTTPS
defaultEntryPoints = ["https","http"]

#Enable automatically redirect HTTP to HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
#Enable retry sending a request if the network error
[retry]

#Define Docker Backend Configuration
[docker]
endpoint = "unix:///var/run/docker.sock"
#domain = "mydomain.com"
watch = true
exposedbydefault = true

#Letsencrypt Registration
#Define the Letsencrypt ACME HTTP challenge
[acme]
email = "me@mydomain.com"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
# Domains list.

 [[acme.domains]]
 main = "mydomain.com"
 [[acme.domains]]
 main = "mysidedomain.com"

Before starting any containers I need to define a network for them to communicate with.

docker network create proxy

Then I start traefik with:

docker-compose up -d

Create service with https and proxied by traefik

After that I am ready to start a service, in this case, drone-ci with:

version: '3.4'
networks:
  proxy:
    external: true
  internal: 
    external: false

services:
  drone-server:
    image: drone/drone:1.1.0
    volumes:
      - drone-server-data:/var/lib/drone/
    restart: always
    environment:
      - DRONE_OPEN=true
      - DRONE_HOST=drone.jonaka.de
      - DRONE_GITHUB=true
      - DRONE_ADMIN=mygithubname
      - DRONE_GITHUB_CLIENT_ID=mygithubclientid
      - DRONE_GITHUB_CLIENT_SECRET=mygithubclientsecret
      - DRONE_SECRET=mydronesecret
    labels:
      - traefik.backend=drone
      - traefik.frontend.rule=Host:drone.mydomain.com
      - traefik.docker.network=proxy
      - traefik.enable=true
    networks:
      - internal
      - proxy

  drone-agent:
    image: drone/agent:1.1.0
    restart: always
    depends_on:
      - drone-server
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DRONE_SERVER=drone.mydomain.com:9000
      - DRONE_SECRET=mydronesecret 
    labels:
      - traefik.backend=drone-agent
      - traefik.enable=false
    networks:
      - internal

The part that is particularly interesting are the labels that interact with traefik:

labels:
      - traefik.backend=drone
      - traefik.frontend.rule=Host:drone.mydomain.com
      - traefik.docker.network=proxy
      - traefik.enable=true

This tells traefik: Here is a service that needs a domain: drone.mydomain.com

Use this network traefik.docker.network=proxy for the service and make sure this service can communicate with others in on the host and make it available to the outside.

What are your thoughts on reverse proxies? Are you all on kubernetes already? Is it worth the ramp up time ? What kind of services do you have deployed? Any plans for holiday projects? I am looking forward in improving my prometheus setup or setting up a kubernetes cluster utilizing terraform and ansible.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.