Traefik the Reverse Proxy for Plebes

Image Credit: Traefik

All hail the king

Unless, of course, you need certificates, hate writing routes, or require load-balancing. While Nginx supports all this great technology, it is largely reliant on other stacks to complement it. Having spent more time than I will admit searching, yelling, and reviewing Stack Overflow answers, I decided to branch out and found some better alternatives for my workflow.

Image Credit: Tim Gouw

Less is more

Traefik defines itself as:

“Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, …) and configures itself automatically and dynamically. Pointing Traefik at your orchestrator should be the only configuration step you need.”

Sounds too good to be true, right? I decided to test that statement to confirm whether this new kid on the block could replace my own dependency on Nginx.

Prerequisites

  • You own or have access to a domain and have updated your A or CNAME to your test environment.
  • You have Docker and Docker-Compose installed.

Before telling docker-compose to run the container, we need to do some basic configuration to support basic authentication and provision a common network name. To do so, we will run the following commands and note their output:

# docker network create public
# openssl passwd insecure

The first command creates a Docker network called public, which is used by the docker-compose file below. The second generates a password hash, using a non-salted request to OpenSSL, for basic authentication.

Configuration

To help facilitate our understanding of how Docker interacts with this file, I have broken the YAML file into two core parts for review. If you would prefer, the complete docker-compose.yml can be found here.

Labels in Docker play an important role in the configuration, as they supply metadata to Docker objects. Traefik reads these labels to understand how we want it to interact with the service and which of its other management services to include.

Key changes required before startup include replacing <Your Domain> with your own Fully Qualified Domain Name (e.g., dev.some_name.com) and pasting the copied hashed output of the OpenSSL command after admin:. Rather than reiterating my own comments in the file and making this article longer than required, I exported the snippets to gist for review.

We also need to send several commands to Docker. We configure the commands to rely on the Let's Encrypt staging environment rather than production, because of the rate limits on their production environment. If preferred, we can comment out the caserver line to hit the production servers instead.

Deployment

This step is optional because we can get to the dashboard without any services, as the dashboard is a service in itself. If we want Traefik to monitor and manage our service via load-balancing and reverse proxying, we simply need to add labels to enable the functionality.
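A minimal docker-compose.yml covering the Configuration and Deployment steps above, added here as an illustration and not the author's own file. It assumes Traefik v2 flag and label syntax (the article does not name a version); the resolver name le, the whoami sample service, and the <Your Email> placeholder are hypothetical.

```yaml
# Added example, assuming Traefik v2 syntax. Replace <Your Domain>, <Your Email>
# and <hashed output> before starting; the "public" network must already exist.
version: "3.7"
services:
  traefik:
    image: traefik:v2.11
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false  # route only containers labelled traefik.enable=true
      - --providers.docker.network=public
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --api.dashboard=true
      - --certificatesresolvers.le.acme.email=<Your Email>
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      # Let's Encrypt staging (untrusted test certificates); comment out to hit production.
      - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Socket access lets Traefik discover containers; it also exposes the Docker API to this container.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    networks: [public]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.<Your Domain>`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      # Paste the openssl passwd output after "admin:"; write any $ in it as $$ so Compose keeps it literal.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:<hashed output>"

  whoami:  # hypothetical sample service picked up through its labels
    image: traefik/whoami
    networks: [public]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.<Your Domain>`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=le"

networks:
  public:
    external: true
```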

Conclusion

If all went well, when we visit our traefik.domain.com website, we should be asked for our specified administrative credentials and then be allowed to see the fruit of our efforts in the Traefik dashboard. Having spent some time with the service, I believe that it excels in the approach outlined at this article's start. New services and applications are a breeze to incorporate, and I don’t really have to give it much afterthought.

Image Credit: Author

Information Systems Security Officer @ SAAS Company
