198 lines
7.5 KiB
Org Mode
198 lines
7.5 KiB
Org Mode
:PROPERTIES:
|
|
:ID: 90e3b8a2-b523-4044-af6f-fd4a559b2d7f
|
|
:END:
|
|
#+title: traefik_docker
|
|
#+filetags: :docker:
|
|
|
|
Traefik is a reverse proxy for hosting various applications on [[id:80666401-173e-4828-9c29-552dab716946][dns]] entries. It is run as a [[id:df046fd7-1f82-4e12-9065-56d222f56408][docker]] container on the communication [[id:80a4104e-af18-4d90-a45e-2c92b51e8c0c][server w10]]. To host a container in reverse proxy mode, the *tags* feature of docker containers. These tags have to be added to a container to uphost it. Those tags declare which type of hosting is wanted and what service/router is to be used. The traefik container needs access to [[id:f4bb4857-2112-4e10-a22e-6da1436ce7b7][port]] 80, 443 for hosting and port 8080 for the dashboard.
|
|
|
|
* how to run traefik
|
|
- create a ~traefik~ folder using ~mkdir~
|
|
- create a ~treafik.yml~ file using ~touch traefik.yml~
|
|
- insert the code as shown under the _traefik.yml_ heading into the ~traefik.yml~ file
|
|
- crate a compose file or a stack using poertainer
|
|
- insert the code as shown under the _docker-compose_ heading into the stack or the compse file
|
|
- create a ~certs~ ([[id:e28dfeaa-876b-4255-a25e-dcc0c909d08a][certificate]]) folder inside your ~traefik~ folder
|
|
- link all the folders into the docker compose or stack file as bind volumes (if you created the ~traefik~ folder in ~/home/<user>/~ than you just need to add in your user name)
|
|
- add your email to the ~traefik.yml~ file
|
|
- run the compose file
|
|
- add the flags to your application container as shown under the heading _flags_
|
|
- fill in the needed data
|
|
- run the application container and check the logs
|
|
- make sure the application and the proxy are in the same network
|
|
- check the dashboard at port 8080 for more information
|
|
|
|
* traefik.yml file
|
|
This file should be stored in the traefik home folder as specified in the.
|
|
#+begin_src bash
|
|
global:
|
|
checkNewVersion: true
|
|
sendAnonymousUsage: false # true by default
|
|
|
|
# (Optional) Log information
|
|
# ---
|
|
# log:
|
|
# level: ERROR # DEBUG, INFO, WARNING, ERROR, CRITICAL
|
|
# format: common # common, json, logfmt
|
|
# filePath: /var/log/traefik/traefik.log
|
|
|
|
# (Optional) Accesslog
|
|
# ---
|
|
# accesslog:
|
|
# format: common # common, json, logfmt
|
|
# filePath: /var/log/traefik/access.log
|
|
|
|
# (Optional) Enable API and Dashboard
|
|
# ---
|
|
api:
|
|
dashboard: true # true by default
|
|
insecure: true # Don't do this in production!
|
|
|
|
# Entry Points configuration
|
|
# ---
|
|
entryPoints:
|
|
web:
|
|
address: :80
|
|
# (Optional) Redirect to HTTPS
|
|
# ---
|
|
http:
|
|
redirections:
|
|
entryPoint:
|
|
to: websecure
|
|
scheme: https
|
|
|
|
websecure:
|
|
address: :443
|
|
|
|
# Configure your CertificateResolver here...
|
|
# ---
|
|
certificatesResolvers:
|
|
staging:
|
|
acme:
|
|
email: <email>
|
|
storage: /etc/traefik/certs/acme.json
|
|
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
httpChallenge:
|
|
entryPoint: web
|
|
|
|
production:
|
|
acme:
|
|
email: <email>
|
|
storage: /etc/traefik/certs/acme.json
|
|
caServer: "https://acme-v02.api.letsencrypt.org/directory"
|
|
httpChallenge:
|
|
entryPoint: web
|
|
|
|
# (Optional) Overwrite Default Certificates
|
|
# tls:
|
|
# stores:
|
|
# default:
|
|
# defaultCertificate:
|
|
# certFile: /etc/traefik/certs/cert.pem
|
|
# keyFile: /etc/traefik/certs/cert-key.pem
|
|
# (Optional) Disable TLS version 1.0 and 1.1
|
|
# options:
|
|
# default:
|
|
# minVersion: VersionTLS12
|
|
|
|
providers:
|
|
docker:
|
|
exposedByDefault: false # Default is true
|
|
file:
|
|
# watch for dynamic configuration changes
|
|
directory: /etc/traefik
|
|
watch: true
|
|
#+end_src
|
|
For more informationm on the secure [[id:bd5b34ba-aa98-4808-b97b-2376aa7b8866][protocol]]: [[id:872ee33b-8361-40c7-9d88-69b3afe5ade2][TLS]] and [[id:95c8982d-e104-43a2-9bb2-fd7e1c3204f2][SSL]]
|
|
* Networks
|
|
To host a service, this service has to be in the same [[id:9d04fac3-89ae-4a96-b326-9ae7e2c22118][docker-network]] as the the traefik proxy. It doesn't matter if the service container is added to the traefik network or vice versa. The default approach is to add all services to the ~traefik-relay~ network. The Services themselfes can have other network for their supportive containers. Those secondary containers should not be added to the traefik network, because this network is exposed to the internet.
|
|
|
|
* Compose file
|
|
This is the compose file that has to be run either manually or via the [[id:4afb1f41-983a-4b54-9828-a1e3788eb28b][portainer-docker]].
|
|
#+begin_src bash
|
|
volumes:
|
|
traefik_ssl_certs:
|
|
driver: local
|
|
|
|
services:
|
|
traefik:
|
|
image: traefik:v2.5
|
|
container_name: madrigal_traefik
|
|
ports:
|
|
- 80:80
|
|
- 443:443
|
|
- 8080:8080 # (optional) expose the dashboard !don't use in production!
|
|
volumes:
|
|
- /home/<user>/traefik:/etc/traefik
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- traefik_ssl_certs:/ssl-certs
|
|
restart: unless-stopped
|
|
#+end_src
|
|
|
|
* Typical flags for containers
|
|
Typical flags for hosting a container (under the labels section in a [[id:fcbfabfa-4a8c-4826-8b57-5dce05965c76][docker-compose]] file.
|
|
#+begin_src bash
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.<application router>.entrypoints=<entrypoint-s>" # as described in the traefik.yml (default web and/or websecure)
|
|
- "traefik.http.routers.<application router>.rule=Host(`<subdomain.domain-name.ending>`)"
|
|
- "traefik.http.routers.<application router>.tls=true" #if tls is wanted
|
|
- "traefik.http.routers.<application router>.tls.certresolver=<cert stage>" #as described in the traefik.yml file (default staging or production)
|
|
- "traefik.http.routers.<application router>.service=<name of service>"
|
|
- "traefik.http.services.<application router>.loadbalancer.server.port=<application port>"
|
|
- "traefik.docker.network=<traefik_relay network>"
|
|
#+end_src
|
|
* Traefik with dynamic config
|
|
Applications that cannot connect to the Traefik Docker network (i.e. non-Docker native applications) cannot use Docker labels. Therefore, Traefik configuration must be done in an external configuration file. This file is located in the same folder as the ~traefik.yml~ static configuration file. The file is called ~configuration.yml~.
|
|
#+begin_src bash
|
|
http:
|
|
###############################
|
|
routers:
|
|
dashboard:
|
|
rule: "Host(`example.exampledomain.de`)" || "Host(`example2.exampledomain2.com`)"
|
|
entrypoints:
|
|
- "websecure"
|
|
tls: true
|
|
service: api@internal
|
|
#--------------------------------
|
|
app1:
|
|
rule: "Host(`app1.exampledomain.de`)"
|
|
entrypoints:
|
|
- "websecure"
|
|
tls: true
|
|
service: service1
|
|
#--------------------------------
|
|
app2:
|
|
rule: "Host(`app2.exampledomain.de`)"
|
|
entrypoints:
|
|
- "websecure"
|
|
tls:
|
|
certresolver: "production"
|
|
options: "modern@file"
|
|
middlewares: "default-security-headers@file"
|
|
service: service2
|
|
#############################
|
|
services:
|
|
service1:
|
|
loadbalancer:
|
|
servers:
|
|
- url: "http://xxx.xxx.xxx.xxx:yy"
|
|
service2:
|
|
loadbalancer:
|
|
servers:
|
|
- url: "http://ooo.ooo.ooo.ooo:kk"
|
|
##############################
|
|
middlewares:
|
|
default-security-headers:
|
|
headers:
|
|
...
|
|
##############################
|
|
##############################
|
|
tls:
|
|
options:
|
|
modern:
|
|
...
|
|
#+end_src
|
|
|
|
This file is built in the same way as flags in the Docker configuration, only written in a more readable format. The fact that the IP addresses of the hosted services are given here makes it possible to easily serve non-Docker native apps. As this file is dynamic, Traefik is updated automatically when you save it.
|