Traefik the Reverse Proxy for Plebes
All hail the king
Nginx is the existing gold standard of reverse proxies. Released in 2004, it has dominated the proxy server market for the better part of 20 years. Nginx is also extremely frustrating for your average tinkerer, like me. It’s an old-school, no-frills, jack of all trades application. Which, when utilized correctly, meets and exceeds most business cases.
Unless, of course, you need certificates, hate writing routes, or require load-balancing. While Nginx supports all this great technology, it is largely reliant on other stacks to complement it. Having spent more time than I will admit searching, yelling, and reviewing Stack Overflow answers. I decided to branch and found some better alternatives for my workflow.
Less is more
I’ll be the first to admit I’m lazy; I want my reverse proxy to emulate my workflow. I want it to handle my routes, certificates, and services as seamlessly as possible. Enter Traefik, a relative newcomer having only been brought to market in the last few years.
Traefik defines itself as:
“Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, …) and configures itself automatically and dynamically. Pointing Traefik at your orchestrator should be the only configuration step you need.“
Sounds too good to be true, right? I decided to test that statement to confirm if this new kid to the block could replace my own dependency on Nginx.
Some assumptions for those who choose to follow along:
- You own or have access to a domain and have updated your A or CNAME to your test environment.
- You have Docker and Docker-Compose installed.
Before telling docker-compose to run the container, we need to do some basic configuration to support basic authentication and provisioning a common network name. To do so, we will run and note the output of:
# docker network create public# openssl passwd insecure
The above snippets create a docker network called public, which is utilized by the docker-compose file below. We then create a password using a non-salted request to Open SSL to create basic authentication.
Configuration is handled for this project by Docker-Compose, which acts as an orchestration tool to handle micro-services like the Traefik Proxy and any other services you may want to expose.
To help facilitate our understanding of how docker interacts with this file, I have broken the Yaml file into two core parts for review. If you would prefer, the complete
docker-compose.yml can be found here.
Labels in docker play an important role in the configuration as they supply metadata to docker objects. Traefik utilizes labels to understand better how we want to interact with the service and include other management services by Traefik.
Key changes required before startup include replacing
<Your Domain> with your own Fully Qualified Domain Name (e.g., dev.some_name.com) and pasting the copied hashed output of the OpenSSL command after
admin:. Rather than reiterating my own comments in the file and making this article longer than required. I exported the snippets to gist for review.
We also need to send several commands to docker. We configure the commands to rely on Lets Encrypt stage vs. production due to rate limits to their production environment. If preferred, we can comment out the
caserver line to hit production servers instead.
Deploying Traefik is arguably one of the easiest parts of the process, having done most of the compose file's work. We are now left with one optional requirement. To declare a service such as Node, Postgres, or your own custom application to be handled by Traefik.
This step is optional because we can get to the dashboard without any services as the dashboard is a service in itself. If we want Trafik to monitor and manage our service via load-balancing, reverse proxy then we simply need to add labels to enable the functionality.
If all went well, when we visit our traefik.domain.com website, we should be asked for our specified administrative credentials. Finally, being allowed to see the fruit of our efforts in the Traefik dashboard. Having spent some time with the service, I believe that it excels in the approach outlined at this article's start. New services and applications are a breeze to incorporate, and I don’t really have to give it much afterthought.