Has anyone explored using Traefik with Tutor as a frontend proxy? Régis briefly mentioned it a while ago. I spun up Traefik on the same VPS as Tutor and then realized that exclusions would have to go in the docker-compose.yml file to prevent Traefik from picking up the non-web-accessible containers. I’m not keen on migrating all of the settings each update, so I stopped looking at that point.
As someone not so familiar with traefik, could you explain to me what benefits we could get from using it? Would it be a replacement for nginx? Would it allow multi server deployments?
I lack knowledge of Tutor to say if Traefik if a good fit for the project. Additionally, I just started using Traefik. However, I recognized its strengths straight away.
In my option, here is what does well:
- It can seamlessly replace Nginx as a frontend proxy for docker-based applications. You put the essential configuration data in a single
traefik.tomlfile. It then watches all Docker containers and tries to build a frontend proxy to them.
1.1. You have to configure thedocker-compose.ymlfile for each service.
1.2. You can tell Traefik to ignore containers that you don’t want to access through a proxy, such as a database. - It can provide a reverse proxy to a service running on localhost, much the same that Nginx does with
proxy_pass.
2.1. Traefik calls this feature afileprovider. - It automatically generates an SSL certificate through Let’s Encrypt for each defined service.
Yes, if you are using Nginx for a reverse proxy. It also replaces the need to specify additional Let’s Encrypt information because Traefik generates the certs when the service starts. Personally, I have no intention of using Nginx locally unless I need to, such as with Tutor.
Good question. This is something to explore. Traefik should be able to provide most of the common proxy and load balancing services as Nginx.
Here is a basic config that I use in Docker. It might help you to understand what a Traefik configuration looks like or to get going if you want to explore it.
All files go in the same directory.
-
Create
acme.jsonfor let’s encrypt.
touch acme.json && chmod 0600 acme.json -
Create the network for Traefik and Docker.
docker network create web -
Configure Traefik using
traefik.toml. Please note acme fails if you use an @example.com email address.defaultEntryPoints = ["http", "https"] [entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [acme] email = "real@example.com" storage = "acme.json" entryPoint = "https" onHostRule = true [acme.httpChallenge] entryPoint = "http" [docker] domain = "example.com" watch = true network = "web" -
Configure
docker-compose.ymlor you can usedocker run.version: '3' services: traefik: restart: always image: traefik:alpine hostname: traefik container_name: traefik ports: - 80:80 - 443:443 volumes: - /var/run/docker.sock:/var/run/docker.sock - ./traefik.toml:/traefik.toml - ./acme.json:/acme.json labels: - traefik.enable=false networks: - web networks: web: external: name: web
At this point, you can start Traefik, and it should be functioning.
You can then spin up a docker-compose.yml stack specifying the traefik settings in labels. For example, this configuration shows the default Nginx banner with an SSL cert already created. I left some of the HTTP headers to demonstrate the inclusion of features.
version: '3'
networks:
web:
external: true
internal:
external: false
services:
web:
image: nginx:latest
## Needed for a real site
# volumes:
# - ./code:/code
# - ./site.conf:/etc/nginx/conf.d/site.conf
restart: always
depends_on:
- php
labels:
- traefik.backend=Backend site name
- traefik.frontend.rule=Host:www.example.com
- traefik.docker.network=web
- traefik.port=80
#
# Security settings
#
- traefik.frontend.headers.SSLRedirect=true
- traefik.frontend.headers.STSSeconds=315360000
- traefik.frontend.headers.STSIncludeSubdomains=true
- traefik.frontend.headers.STSPreload=true
- traefik.frontend.headers.contentTypeNosniff=true
- traefik.frontend.headers.frameDeny=true
- traefik.frontend.headers.browserXSSFilter=true
networks:
- internal
- web
php:
image: php:7-fpm
## Needed for a real site
# volumes:
# - ./code:/code
networks:
- internal
labels:
- traefik.enable=false
- Traefik will register the
webservice and create a proxy to the value defined intraefik.port=. In this case, it is 80 as defined by imagenginx:latest - It will generate the cert for the site defined in
traefik.frontend.rule=Host:. - Traefik will ignore service
phpbecause of labeltraefik.enable=false.
3.1 Omitting this value will cause Traefik to try to create a proxy to the service and generate an SSL cert for it. Let’s Encrypt will register the failure in the traefik container.
There’s something I don’t quite understand, as nginx does more than just routin: it serves static assets, caches some resources and sets http headers, for instance. Traefik does not perform all these tasks, unless I’m mistaken?
Correct. Traefik is not a webserver, so it cannot define static assets, such as those definied incms.conf.
It can set HTTP headers. https://docs.traefik.io/v2.0/middlewares/headers/
My interest in using it is to use it as a proxy on the VPS to access the Tutor stack.
I understand. In that case, the only container that you need to redirect traffic to is the nginx container. This container is in charge of dispatching the traffic to the other containers. That way, you could get rid of the nginx running on the host.
I think Traefik could be serve as a routing layer in a multi-server platform deployed, for instance, with docker swarm. That might be a low hanging fruit to allow multi-server deployments with Tutor. I’m currently working on something else but I’ll certainly investigate that in the near future.