This is a reusable Traefik config for use on a vServer with docker-compose. It uses:
- Traefik 2.2
- docker-compose
- Let's Encrypt
- DNSMasq
- Clone repository
git clone https://github.com/korridor/reverse-proxy-docker-traefik.git
cd reverse-proxy-docker-traefik
- Copy default config
cp docker-compose.prod.yml docker-compose.yml
cp -r configs-prod configs
echo "{}" > certificates/acme.json
chmod 600 certificates/acme.json
- Replace domain for dashboard (reverse-proxy.somedomain.com in configs/dynamic/dashboard.yml)
http:
  routers:
    traefik:
      rule: Host(`reverse-proxy.somedomain.com`)
      # ...
    traefik-http-redirect:
      rule: Host(`reverse-proxy.somedomain.com`)
      # ...
- Replace password for admin account (in configs/dynamic/dashboard.yml)
http:
  # ...
  middlewares:
    dashboardauth:
      basicAuth:
        users:
          - "user1:$2y$05$/x10KYbrHtswyR8POT.ny.H4fFd1n.0.IEiYiestWzE1QFkYIEI3m"
- You can use a website like this to generate the hash (use Bcrypt).
- Or generate it with:
echo $(htpasswd -nB user1)
- Replace email for Let's Encrypt ([email protected] in configs/traefik.yml)
certificatesResolvers:
  letsencrypt:
    acme:
      # ...
      email: [email protected]
- Start container
docker-compose up -d
- Check that traefik is running smoothly
docker-compose logs
The traefik dashboard is now available under:
https://reverse-proxy.somedomain.com
The dashboard shows you the configured routers, services, middleware, etc.
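A pre-flight check for the production steps above, as an added example that is not part of this repository. The function names `preflight` and `file_mode` are hypothetical; the two constants are the example values shown in this README, and the users-line match is a heuristic.

```shell
# Added example: verify the production setup before "docker-compose up -d".
# The two constants are the example values shipped in this README.
DEFAULT_DOMAIN='reverse-proxy.somedomain.com'
DEFAULT_HASH='$2y$05$/x10KYbrHtswyR8POT.ny.H4fFd1n.0.IEiYiestWzE1QFkYIEI3m'

# Octal permission bits: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# preflight [repo_dir]: prints one FAIL line per problem, returns 1 if any.
preflight() {
  local dir="${1:-.}" rc=0
  local acme="$dir/certificates/acme.json"
  local dash="$dir/configs/dynamic/dashboard.yml"

  # Traefik refuses an ACME store that other users can read.
  if [ ! -f "$acme" ]; then
    echo "FAIL: $acme is missing"; rc=1
  elif [ "$(file_mode "$acme")" != "600" ]; then
    echo "FAIL: $acme has mode $(file_mode "$acme"), expected 600"; rc=1
  fi

  if [ ! -f "$dash" ]; then
    echo "FAIL: $dash is missing"; return 1
  fi
  if grep -qF "$DEFAULT_DOMAIN" "$dash"; then
    echo "FAIL: dashboard still routes the example domain"; rc=1
  fi
  if grep -qF "$DEFAULT_HASH" "$dash"; then
    echo "FAIL: dashboard still uses the example password hash"; rc=1
  fi
  # Heuristic: quoted list entries of the form "name:hash" are basicAuth users;
  # each one should carry a bcrypt hash ($2a$, $2b$ or $2y$ prefix).
  if grep -E '^[[:space:]]*-[[:space:]]*"[^":]+:' "$dash" \
      | grep -qvE ':\$2[aby]\$[0-9]{2}\$'; then
    echo "FAIL: basicAuth entry without a bcrypt hash"; rc=1
  fi
  return "$rc"
}
```

Source the file and call `preflight /path/to/reverse-proxy-docker-traefik`; a return status of 0 means none of the checks failed.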
version: '3.7'
networks:
  frontend:
    external:
      name: reverse-proxy-docker-traefik_routing
services:
  someservice:
    restart: always
    # ...
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=reverse-proxy-docker-traefik_routing"
      # https
      - "traefik.http.routers.someservice.rule=Host(`someservice.com`)"
      - "traefik.http.routers.someservice.tls=true"
      - "traefik.http.routers.someservice.tls.certresolver=letsencrypt"
      - "traefik.http.routers.someservice.entrypoints=websecure"
      # http (redirect to https)
      - "traefik.http.routers.someservice-http.rule=Host(`someservice.com`)"
      - "traefik.http.routers.someservice-http.entrypoints=web"
      - "traefik.http.routers.someservice-http.middlewares=redirect-to-https@file"
    networks:
      - frontend
      - ...
Password protection for service with basic auth
services:
  someservice:
    # ...
    labels:
      # ...
      - "traefik.http.routers.someservice.middlewares=someservice-auth"
      # every "$" of the hash is doubled ("$$") because docker-compose interpolates "$"
      - "traefik.http.middlewares.someservice-auth.basicauth.users=user1:$$2y$$05$$/x10KYbrHtswyR8POT.ny.H4fFd1n.0.IEiYiestWzE1QFkYIEI3m"
You can generate the escaped hash with the following command:
echo $(htpasswd -nB user1) | sed -e s/\\$/\\$\\$/g
If you use a website like this to generate the hash, remember to escape the dollar signs ($ -> $$) and use Bcrypt.
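A lint for the escaping rule above, as an added example that is not part of this repository: it flags `basicauth.users` labels in a docker-compose file that still contain a lone `$`. The function names `escape_for_compose` and `lint_basicauth_labels` are hypothetical.

```shell
# Added example: docker-compose reads "$" as the start of a variable
# substitution, so each "$" of the bcrypt hash must be written as "$$"
# when the hash is placed in a label.

# Double every "$" of an htpasswd line read from stdin (user:hash -> label-safe).
escape_for_compose() {
  sed -e 's/\$/$$/g'
}

# Print "file:line: text" for every basicauth.users label with an unescaped "$".
# Returns 1 if at least one such label was found, 0 otherwise.
lint_basicauth_labels() {
  awk '
    /basicauth\.users=/ {
      rest = $0
      gsub(/\$\$/, "", rest)           # drop correctly escaped pairs
      if (index(rest, "$") > 0) {       # anything left is a lone "$"
        printf "%s:%d: %s\n", FILENAME, NR, $0
        bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$1"
}
```

Run `lint_basicauth_labels docker-compose.yml` in each service directory before `docker-compose up -d`.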
Specifying port if service exposes multiple ports
If your service exposes multiple ports, Traefik does not know which one it should use. With this line you can select one:
services:
  someservice:
    # ...
    labels:
      # ...
      - "traefik.http.services.someservice.loadbalancer.server.port=8080"
- Clone repository
git clone https://github.com/korridor/reverse-proxy-docker-traefik.git
cd reverse-proxy-docker-traefik
- Copy default config
ln -s docker-compose.local.yml docker-compose.yml
ln -s configs-local configs
If you want to change the configuration, copy the configuration instead of creating a symlink.
cp docker-compose.local.yml docker-compose.yml
cp -r configs-local configs
- If you want, you can change the domain of the traefik dashboard (reverse-proxy.test in configs/dynamic/dashboard.yml)
http:
  routers:
    traefik:
      rule: Host(`reverse-proxy.test`)
      # ...
- Start container
docker-compose up -d
- Check that traefik is running smoothly
docker-compose logs
The traefik dashboard is now available under:
http://reverse-proxy.test
The dashboard shows you the configured routers, services, middlewares, etc.
DNSMasq is pre-installed and configured to redirect all *.test domains to traefik. To use DNSMasq for your *.test domains you can configure a resolver like this on macOS:
sudo mkdir -p /etc/resolver
sudo touch /etc/resolver/test
echo "nameserver 0.0.0.0" | sudo tee /etc/resolver/test
On other systems you can configure 127.0.0.1 as a DNS server in your OS settings.
The default fallback DNS server is Cloudflare (1.0.0.1 and 1.1.1.1). Feel free to change it in configs/dnsmasq.conf.
version: '3.7'
networks:
  frontend:
    external:
      name: reverse-proxy-docker-traefik_routing
services:
  someservice:
    restart: always
    # ...
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=reverse-proxy-docker-traefik_routing"
      # http
      - "traefik.http.routers.someservice.rule=Host(`someservice.test`)"
      - "traefik.http.routers.someservice.entrypoints=web"
    networks:
      - frontend
      - ...
Enabling service to send requests to itself (with someservice.test)
services:
  someservice:
    # ...
    extra_hosts:
      - "someservice.test:10.100.100.10"
Specifying port if service exposes multiple ports
If your service exposes multiple ports, traefik does not know which one it should use. With this config line you can select one:
services:
  someservice:
    # ...
    labels:
      # ...
      - "traefik.http.services.someservice.loadbalancer.server.port=8080"
I used the following resources to create this setup:
- Traefik docs
- Traefik v2 and Mastodon, a wonderful couple! by Nicolas Inden
- GitHub repo traefik-example by jamct
This configuration is licensed under the MIT License (MIT). Please see license file for more information.