Traefik – Expose all your services/ports via single Reverse Proxy endpoint

proxy Apr 15, 2022

If you are familiar with Docker or any other microservices platform, you are probably running multiple services on multiple ports on a single machine. The common approach is to expose every port on the host machine and then access each site as DNS:PORT (e.g. https://sleepysoul.cc:83). But what if you never had to expose all those ports on the host, and could let Traefik handle the ports, the redirection and the SSL/TLS encryption for all the services, even if the underlying container/service doesn't support SSL/TLS?
Traefik is a beautifully designed reverse proxy that exposes all your containers to the public Internet without the need to map their ports to the host. Traefik can also act as a load balancer for the containers, although that is an advanced concept that we will keep for another day.

Pre-requisites

So, let's dive in. To deploy Traefik, you will need to:
1. Install Docker on your machine/server. Instructions for installing it can be found in the official Docker documentation. You can install the latest stable version.
2. Install docker-compose as well for easier deployment. You can install docker-compose via these instructions.
You can verify the docker and docker-compose versions after installation with these commands:

docker -v
OUTPUT : Docker version 20.10.9, build c2ea9bc
docker-compose -v
OUTPUT : docker-compose version 1.25.0

Running Traefik

Running Traefik under Docker is a piece of cake. All you need to understand is the basic syntax of the YAML file used by docker-compose and the labels used by Traefik. Traefik uses labels to discover and monitor new containers. Say you want to expose a simple nginx web server to the outside world, reverse proxied by Traefik: all you need to do is add a few labels to nginx (or any container) and boom! Traefik creates the proper routes so that all the services can be reached from the Internet, even without host port mapping.

PERSONAL SUGGESTION:

You can clone my GitHub repository and start Traefik within 5 minutes:

git clone https://github.com/sleepyXspirit/traefik-docker-compose.git
  1. Change email in traefik.yml
  2. Change AUTH_STRING and DOMAIN_NAME in docker-compose.yml
  3. Go to the path of docker-compose.yml and run docker-compose up -d

Manual method

Before we proceed with the docker-compose.yml file, we need to create a traefik.yml file so that Traefik picks up this config during initialization.

traefik.yml

----
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: YOUR_EMAIL   # CHANGE HERE
      storage: acme.json
      httpChallenge:
        entryPoint: http
----

Copy the contents above into your own traefik.yml file. Then create a docker-compose.yml file as below.

docker-compose.yml

----
version: '3'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /path/to/traefik.yml:/traefik.yml:ro
      - /path/to/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`YOUR_DOMAIN_HERE`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=AUTH_STRING_HERE"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`YOUR_DOMAIN_HERE`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
----

Before you proceed, make sure you change YOUR_DOMAIN_HERE to your domain name and generate AUTH_STRING with the command below.

echo $(htpasswd -nb USERNAME PASSWORD) | sed -e s/\\$/\\$\\$/g

Next, add the paths to your traefik.yml and acme.json files. acme.json only needs to be created as an empty file; it is where your certificate provider stores the SSL certificates. Make sure to use the chmod command to give this file 600 permissions. You can manually add your own SSL certificates to this file if you want to use certificates signed by another provider rather than the free ones from Let's Encrypt.
Note that we are mapping ports 80 and 443 to the host, so that any traffic destined for this host is intercepted by Traefik and routed to its respective destination.
Once this is done, you can start the container with the command:

docker-compose up

This will run the container but won't detach from the terminal, which means you will see the container logs in the terminal and the container will be stopped if you close your session. To detach from it, use the -d parameter.

docker-compose up -d

Now Traefik should be running, and you can access it via the domain/subdomain URL over an SSL/TLS connection. You can check the list of running containers with:

docker ps
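
The label approach described under "Running Traefik", applied to a second container: a separate docker-compose.yml for an nginx service routed through the Traefik instance above. This is an added example, not a file from the author's repository; the nginx image tag, the router/service names (nginx, nginx-secure) and YOUR_SUBDOMAIN_HERE are placeholders, while the entry points (http, https), the certificate resolver (http), the redirect middleware and the proxy network are the ones defined in the files above.

```yaml
# Added example: backend service published only through Traefik.
# Router/service names and the hostname are placeholders.
version: '3'
services:
  nginx:
    image: nginx:stable
    container_name: nginx
    restart: always
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy   # same external network the traefik container is attached to
    # No "ports:" section: the container's port 80 is never mapped to the
    # host and is reachable only by Traefik over the proxy network.
    labels:
      # Required because traefik.yml sets exposedByDefault: false
      - "traefik.enable=true"
      # Tell Traefik which network to use to reach this container
      - "traefik.docker.network=proxy"
      # Plain-HTTP router: exists only to redirect to HTTPS, reusing the
      # middleware declared in the traefik container's labels
      - "traefik.http.routers.nginx.entrypoints=http"
      - "traefik.http.routers.nginx.rule=Host(`YOUR_SUBDOMAIN_HERE`)"
      - "traefik.http.routers.nginx.middlewares=traefik-https-redirect"
      # HTTPS router: TLS is terminated by Traefik with a certificate from
      # the "http" resolver; nginx itself speaks plain HTTP
      - "traefik.http.routers.nginx-secure.entrypoints=https"
      - "traefik.http.routers.nginx-secure.rule=Host(`YOUR_SUBDOMAIN_HERE`)"
      - "traefik.http.routers.nginx-secure.tls=true"
      - "traefik.http.routers.nginx-secure.tls.certresolver=http"
      - "traefik.http.routers.nginx-secure.service=nginx"
      # Container port Traefik forwards requests to
      - "traefik.http.services.nginx.loadbalancer.server.port=80"
networks:
  proxy:
    external: true
```

Because the proxy network is declared external in both compose files, it must already exist (`docker network create proxy`) before either stack is brought up. After `docker-compose up -d`, `docker ps` should show no host port mapping for the nginx container.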
