How to Set Up Traefik as a Reverse Proxy Front-End for Docker Applications

Traefik is a modern, cloud-native reverse proxy and load balancer built for microservices and containerized applications. It natively integrates with orchestrators like Docker, automatically discovering deployed containers and dynamically updating its routing configuration in real time.

By integrating Traefik with Docker, you can automate routing, SSL, and management for your apps with minimal manual configuration.

This guide will walk you through a basic configuration of Traefik set up as a secure, scalable front-end for your Dockerized services.

You’ll need Docker Compose installed (check out our article on How to Install Docker for detailed steps), along with:

  • A Linux-based server with root or sudo permissions
  • A domain name or subdomain pointed to your server’s IP

Set Up Traefik

To manage Compose stacks with systemctl, first create a directory for your services:

sudo mkdir -p /etc/docker/compose

Create a systemd template unit for Compose:

sudo tee /etc/systemd/system/docker-compose@.service > /dev/null << EOF
[Unit]
Description=%i service with Docker Compose
PartOf=docker.service
After=docker.service

[Service]
Type=oneshot
RemainAfterExit=true
WorkingDirectory=/etc/docker/compose/%i
ExecStart=/usr/bin/docker compose up -d --remove-orphans
ExecStop=/usr/bin/docker compose down

[Install]
WantedBy=multi-user.target
EOF

Then run daemon-reload to apply the changes:

sudo systemctl daemon-reload

Create a dedicated directory and a Docker network for Traefik and your apps:

sudo mkdir -p /etc/docker/compose/traefik/config

sudo docker network create traefik-servicenet

Secure the Traefik Dashboard

Generate a username and password hash for HTTP Basic Auth. On Debian/Ubuntu, you can use the htpasswd tool from the apache2-utils package.

Replace traefikadmin with your desired username and YourSecurePassword with a strong password:

sudo apt install apache2-utils

htpasswd -nbB traefikadmin 'YourSecurePassword' | sed 's/\$/\$\$/g'

Save the output (e.g., traefikadmin:$$2y$$…) for use in the next step.

Create the Traefik Docker Compose File

Create /etc/docker/compose/traefik/compose.yml with the following content (replace domains and credentials):

services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: unless-stopped
    hostname: traefik.yourdomain.com
    networks:
      - traefik-servicenet
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
      - ./config/dynamic.yaml:/etc/traefik/dynamic.yaml:ro
      - ./config/acme.json:/etc/traefik/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.routers.traefik.middlewares=dashboard-auth,secHeaders@file"
      - "traefik.http.middlewares.dashboard-auth.basicauth.removeheader=true"
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=traefikadmin:$$2y$$…"
networks:
  traefik-servicenet:
    external: true

Configure Traefik

Create the static configuration file at /etc/docker/compose/traefik/config/traefik.yaml:

log:
  level: WARN
providers:
  docker:
    exposedByDefault: false
    network: traefik-servicenet
  file:
    filename: /etc/traefik/dynamic.yaml
    watch: true
api:
  dashboard: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
  web-secure:
    address: ":443"
certificatesResolvers:
  letsencrypt:
    acme:
      email: you@yourdomain.com  # placeholder: replace with your own contact address
      storage: /etc/traefik/acme.json
      tlsChallenge: {}

Create the dynamic configuration file at /etc/docker/compose/traefik/config/dynamic.yaml:

http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
        customResponseHeaders:
          server: ""
          x-powered-by: ""
tls:
  options:
    default:
      minVersion: VersionTLS12

Prepare the ACME file for Let’s Encrypt:

sudo touch /etc/docker/compose/traefik/config/acme.json

sudo chmod 600 /etc/docker/compose/traefik/config/acme.json

Start Traefik & Enable Traefik

Navigate to the Traefik directory and launch:

sudo systemctl start docker-compose@traefik
sudo systemctl enable docker-compose@traefik

After a minute or less, you should be able to visit Traefik at the hostname you set in your browser and log in with the credentials you set up.

Deploying Docker Apps Behind Traefik

For each app, add labels and network settings to its Compose file. For example:

services:
  myapp:
    image: yourappimage
    networks:
      - traefik-servicenet
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myapp.rule=Host(`app.yourdomain.com`)"
      - "traefik.http.routers.myapp.entrypoints=web-secure"
      - "traefik.http.routers.myapp.tls.certresolver=letsencrypt"

networks:
  traefik-servicenet:
    external: true

Deploy your app:

cd /etc/docker/compose/myapp
sudo systemctl start docker-compose@myapp
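
To check that running containers actually carry the labels this guide relies on, the following added example (not part of the original guide) audits `docker inspect` output: network attachment, the HTTPS entrypoint, TLS, and Basic Auth on the dashboard router. By the time labels reach a running container, Compose has already turned `$$` into `$`, so a hash broken by a missed escape shows up here. It assumes the guide's names traefik-servicenet and web-secure; the function names are illustrative.

```python
import json
import re

NETWORK, ENTRYPOINT = "traefik-servicenet", "web-secure"  # names used in this guide
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")  # shape of htpasswd -B hashes

def dashboard_auth_findings(router, middlewares, labels):
    """The api@internal router needs label-defined basicauth users with intact hashes."""
    names = [m.strip().split("@")[0].lower() for m in middlewares.split(",")]
    users = [labels.get(f"traefik.http.middlewares.{n}.basicauth.users") for n in names]
    entries = [e for u in users if u for e in u.split(",")]
    if not entries:
        return [f"router {router}: dashboard has no label-defined basicauth users"]
    return [f"router {router}: user {e.partition(':')[0]} has no intact bcrypt hash"
            for e in entries if not BCRYPT.match(e.partition(":")[2])]

def audit_container(container):
    """Findings for one object from a `docker inspect` JSON array."""
    labels = {k.lower(): v for k, v in (container["Config"].get("Labels") or {}).items()}
    if labels.get("traefik.enable", "").lower() != "true":
        return []  # exposedByDefault is false, so Traefik ignores this container
    findings = []
    if NETWORK not in (container["NetworkSettings"].get("Networks") or {}):
        findings.append(f"not attached to {NETWORK}")
    routers = {k.split(".")[3] for k in labels if k.startswith("traefik.http.routers.")}
    for r in sorted(routers):
        prop = lambda name: labels.get(f"traefik.http.routers.{r}.{name}", "")
        if ENTRYPOINT not in [e.strip() for e in prop("entrypoints").split(",")]:
            findings.append(f"router {r}: not bound to {ENTRYPOINT}")
        if not (prop("tls.certresolver") or prop("tls").lower() == "true"):
            findings.append(f"router {r}: TLS not enabled")
        if prop("service") == "api@internal":
            findings += dashboard_auth_findings(r, prop("middlewares"), labels)
    return findings

def audit(inspect_json):
    """Map container name -> list of findings."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

# Constructed sample (not real output): an app published on plain HTTP, wrong network.
SAMPLE = json.dumps([{"Name": "/myapp", "Config": {"Labels": {
    "traefik.enable": "true",
    "traefik.http.routers.myapp.rule": "Host(`app.yourdomain.com`)",
    "traefik.http.routers.myapp.entrypoints": "web"}},
    "NetworkSettings": {"Networks": {"bridge": {}}}}])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To audit a live host, pass the output of `sudo docker inspect $(sudo docker ps -q)` to `audit()` instead of the sample.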

With this setup, Traefik manages HTTPS certificates and securely routes requests to your Dockerized apps with minimal manual intervention. This approach ensures scalability and maintainability for your container infrastructure.

Explore Traefik’s documentation for advanced features such as rate limiting, IP whitelisting, middlewares, and more customization.

