:PROPERTIES:
:ID:       90e3b8a2-b523-4044-af6f-fd4a559b2d7f
:END:
#+title: traefik_docker
#+filetags: :docker:

Traefik is a reverse proxy for hosting various applications on [[id:80666401-173e-4828-9c29-552dab716946][dns]] entries.
It is run as a [[id:df046fd7-1f82-4e12-9065-56d222f56408][docker]] container on the communication [[id:80a4104e-af18-4d90-a45e-2c92b51e8c0c][server w10]].

To host a container in reverse proxy mode, the *tags* feature of docker containers is used (the ~labels~ section of a compose file).
These tags have to be added to a container to host it.
Those tags declare which type of hosting is wanted and what service/router is to be used.

The traefik container needs access to [[id:f4bb4857-2112-4e10-a22e-6da1436ce7b7][port]] 80, 443 for hosting and port 8080 for the dashboard.

* how to run traefik
- create a ~traefik~ folder using ~mkdir~
- create a ~traefik.yml~ file using ~touch traefik.yml~
- insert the code as shown under the _traefik.yml_ heading into the ~traefik.yml~ file
- create a compose file or a stack using portainer
- insert the code as shown under the _docker-compose_ heading into the stack or the compose file
- create a ~certs~ ([[id:e28dfeaa-876b-4255-a25e-dcc0c909d08a][certificate]]) folder inside your ~traefik~ folder
- link all the folders into the docker compose or stack file as bind volumes (if you created the ~traefik~ folder in ~/home//~ then you just need to add in your user name)
- add your email to the ~traefik.yml~ file
- run the compose file
- add the flags to your application container as shown under the heading _flags_
- fill in the needed data
- run the application container and check the logs
- make sure the application and the proxy are in the same network
- check the dashboard at port 8080 for more information

* traefik.yml file
This file should be stored in the traefik home folder as specified in the.
#+begin_src yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

# (Optional) Log information
# ---
# log:
#   level: ERROR  # DEBUG, INFO, WARNING, ERROR, CRITICAL
#   format: common  # common, json, logfmt
#   filePath: /var/log/traefik/traefik.log

# (Optional) Accesslog
# ---
# accesslog:
#   format: common  # common, json, logfmt
#   filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: true  # true by default
  insecure: true  # Don't do this in production!

# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

# Configure your CertificateResolver here...
# ---
certificatesResolvers:
  staging:
    acme:
      email:
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web

  production:
    acme:
      email:
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web

# (Optional) Overwrite Default Certificates
# tls:
#   stores:
#     default:
#       defaultCertificate:
#         certFile: /etc/traefik/certs/cert.pem
#         keyFile: /etc/traefik/certs/cert-key.pem
# (Optional) Disable TLS version 1.0 and 1.1
#   options:
#     default:
#       minVersion: VersionTLS12

providers:
  docker:
    exposedByDefault: false  # Default is true
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true
#+end_src

For more information on the secure [[id:bd5b34ba-aa98-4808-b97b-2376aa7b8866][protocol]], see [[id:872ee33b-8361-40c7-9d88-69b3afe5ade2][TLS]] and [[id:95c8982d-e104-43a2-9bb2-fd7e1c3204f2][SSL]].

* Networks
To host a service, this service has to be in the same [[id:9d04fac3-89ae-4a96-b326-9ae7e2c22118][docker-network]] as the traefik proxy.
It doesn't matter if the service container is added to the traefik network or vice versa.
The default approach is to add all services to the ~traefik-relay~ network.
The services themselves can have other networks for their supporting containers.
Those secondary containers should not be added to the traefik network, because this network is exposed to the internet.

* Compose file
This is the compose file that has to be run either manually or via the [[id:4afb1f41-983a-4b54-9828-a1e3788eb28b][portainer-docker]].

#+begin_src yaml
volumes:
  traefik_ssl_certs:
    driver: local

services:
  traefik:
    image: traefik:v2.5
    container_name: madrigal_traefik
    ports:
      - 80:80
      - 443:443
      - 8080:8080  # (optional) expose the dashboard !don't use in production!
    volumes:
      - /home//traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_ssl_certs:/ssl-certs
    restart: unless-stopped
#+end_src

* Typical flags for containers
Typical flags for hosting a container (under the labels section in a [[id:fcbfabfa-4a8c-4826-8b57-5dce05965c76][docker-compose]] file).

#+begin_src yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers..entrypoints="  # as described in the traefik.yml (default web and/or websecure)
  - "traefik.http.routers..rule=Host(``)"
  - "traefik.http.routers..tls=true"  # if tls is wanted
  - "traefik.http.routers..tls.certresolver="  # as described in the traefik.yml file (default staging or production)
  - "traefik.http.routers..service="
  - "traefik.http.services..loadbalancer.server.port="
  - "traefik.docker.network="
#+end_src
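
The network rule and the flags above, filled in for one application stack. This is an added example, not part of the original notes: the image ~example/app:1.0~, the router/service name ~app~, the hostname ~app.example.org~, the port 8080 and the ~backend~ network are placeholders, and it assumes the traefik container is already attached to an existing docker network named ~traefik-relay~.

```yaml
# Added example: constructed stack, every name below is a placeholder.
networks:
  traefik-relay:
    external: true   # shared with the traefik container, created beforehand
  backend:
    internal: true   # app <-> db only, no route to the outside

services:
  app:
    image: example/app:1.0   # placeholder image listening on 8080
    networks:
      - traefik-relay   # the only network the proxy can reach
      - backend
    labels:
      - "traefik.enable=true"   # needed because exposedByDefault is false
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.rule=Host(`app.example.org`)"
      - "traefik.http.routers.app.tls=true"
      # use staging until issuance works, then switch to production
      - "traefik.http.routers.app.tls.certresolver=staging"
      - "traefik.http.routers.app.service=app"
      - "traefik.http.services.app.loadbalancer.server.port=8080"
      # the app sits on two networks, so name the one traefik must use
      - "traefik.docker.network=traefik-relay"
    restart: unless-stopped

  db:
    image: redis:7
    networks:
      - backend   # secondary container: not on traefik-relay
    # no traefik labels and no published ports
    restart: unless-stopped
```

No ~ports~ entry is needed on ~app~: traefik reaches the container over ~traefik-relay~, so the application port is never published on the host.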
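
The ~traefik.yml~ and compose file above serve the dashboard unauthenticated on port 8080 (~insecure: true~), which both files mark as not for production. A variant that keeps the dashboard but routes it through the ~websecure~ entry point behind basic auth, using the same label scheme as the flags above. This is an added example, not part of the original notes: the hostname ~traefik.example.org~, the router name ~dashboard~, the middleware name ~dashboard-auth~ and the user entry are placeholders.

```yaml
# Added example. Hostname, router/middleware names and the hash are placeholders.
# --- traefik.yml: keep the dashboard, drop the unauthenticated listener ---
api:
  dashboard: true
  insecure: false   # was true; the API is no longer served on :8080
---
# --- compose file: traefik service ---
volumes:
  traefik_ssl_certs:
    driver: local

services:
  traefik:
    image: traefik:v2.5
    container_name: madrigal_traefik
    ports:
      - 80:80
      - 443:443   # 8080 is no longer published
    volumes:
      - /home//traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_ssl_certs:/ssl-certs
    labels:
      - "traefik.enable=true"   # needed because exposedByDefault is false
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.org`)"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=production"
      # api@internal is traefik's built-in dashboard/API service
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      # generate the entry with: htpasswd -nB admin
      # and write every $ of the hash as $$ inside a compose file
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:<HTPASSWD-HASH>"
    restart: unless-stopped
```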