
Secure routing with Traefik reverse-proxy

By Anvesh
Published in reverse-proxy
October 16, 2022

This post explains how to set up Traefik along with Portainer, using Docker and Docker Compose on Linux.

Traefik

Traefik is an open-source Edge Router that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them.

Use case

This setup is useful for many use cases, like hosting applications, microservices and/or REST APIs. For this document, our use case is: a single server (cloud, virtual or physical) hosting multiple applications like Drupal, WordPress, Magento etc. using Docker, with Traefik to route the traffic to the appropriate Docker containers and finally Portainer to provide a control panel to manage Docker.


Setup instructions

You might find some of the instructions given below quite basic, but we have included them for the sake of completeness. Please skip the steps that you don't need.

Setup secure Ubuntu server

You can follow the instructions in the Secure Ubuntu 18.04 Server Setup guide to set up a base secure Ubuntu server.

Assumptions

It is assumed that you have changed the DNS entries of your example.com domain and pointed the following sub-domain names to the server:

docker.example.com
traefik.example.com

Install Docker and Docker-Compose

Docker Install documentation

Docker-Compose Install documentation

Let’s start by making a new docker-compose.yml file with one service and one network:

version: "3.3"
services:
  traefik:
    restart: always
    image: traefik:v2.10
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    command:
      - "--api"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecured"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecured.address=:443"
      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
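      # Placeholder address: replace with the contact e-mail for your Let's Encrypt account.
      - "--certificatesresolvers.mytlschallenge.acme.email=you@example.com"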
      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.api.entrypoints=websecured"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls.certresolver=mytlschallenge"
    networks:
      - proxy
networks:
  proxy:
    driver: bridge
    name: proxy


Most of this should be pretty familiar if you have already used docker-compose, so I’ll just go over the interesting lines.

I stated before that Traefik is aware of Docker. This means that, while it is actually running in a container, Traefik knows that Docker is running. It will listen to Docker and inspect the labels on every container that is started. If it finds labels it can do something with, it will work its magic. For Traefik to listen to Docker, it needs access to the Docker socket.

 volumes:
   - /var/run/docker.sock:/var/run/docker.sock:ro 
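
The :ro flag on this mount only protects the socket file itself; a process that can connect to the socket can still call the whole Docker API. The following added example (not from the original post) puts a filtering proxy between Traefik and the socket, so that Traefik can only read container data. The tecnativa/docker-socket-proxy image, the socket-proxy service name, the socket network and the e-mail address are assumptions; the dashboard labels are left out to keep the focus on the provider.

```yaml
# Added example, not the post's own configuration.
# Assumptions: the tecnativa/docker-socket-proxy image, the service name
# "socket-proxy", the network name "socket" and the placeholder e-mail.
version: "3.3"
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    restart: always
    environment:
      - CONTAINERS=1   # allow the /containers API section that the Docker provider reads
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket
  traefik:
    image: traefik:v2.10
    restart: always
    depends_on:
      - socket-proxy
    ports:
      - "80:80"
      - "443:443"
    command:
      - "--providers.docker=true"
      - "--providers.docker.endpoint=tcp://socket-proxy:2375"   # replaces the socket mount
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecured"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecured.address=:443"
      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
      - "--certificatesresolvers.mytlschallenge.acme.email=you@example.com"
      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
    volumes:
      - ./letsencrypt:/letsencrypt   # docker.sock is no longer mounted into Traefik
    networks:
      - proxy
      - socket
networks:
  proxy:
    driver: bridge
    name: proxy
  socket:
    internal: true   # the proxy's plain-TCP port is reachable only by containers on this network
```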

Traefik comes by default with an API and a dashboard. It exposes both on port 8080. Since we don’t want to use ports anymore, we will add labels to the container so that it exposes both at the URL https://traefik.example.com. I’ll explain these labels a little later.

labels:
   - traefik.enable=true
   - traefik.http.routers.api.rule=Host(`traefik.example.com`)
   - traefik.http.routers.api.entrypoints=websecured
   - traefik.http.routers.api.service=api@internal
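
These labels publish the dashboard and the API on a public hostname with no authentication in front of them. The following added example (not part of the original post) attaches Traefik's ipwhitelist and basicauth middlewares to the api router. The middleware names, the admin user, the hash placeholder and the 203.0.113.0/24 range are assumptions.

```yaml
# Added example, not the post's own configuration.
# Assumptions: middleware names "dashboard-ips" and "dashboard-auth", user "admin",
# the hash placeholder, and 203.0.113.0/24 as a constructed admin network.
services:
  traefik:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.api.entrypoints=websecured"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls.certresolver=mytlschallenge"
      # Middlewares run in the order listed: source address first, then credentials.
      - "traefik.http.routers.api.middlewares=dashboard-ips,dashboard-auth"
      - "traefik.http.middlewares.dashboard-ips.ipwhitelist.sourcerange=203.0.113.0/24"
      # Create the entry with: htpasswd -nB admin
      # Double every $ in the hash, because docker-compose interpolates a single $.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:<HTPASSWD-HASH>"
```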

We create a network, called proxy. All containers that need to be made accessible through Traefik will have to be in this network.

 networks:
   proxy:
     driver: bridge
     name: proxy

Basic reverse proxy set-up

Traefik will look for certain labels on each container that is started, so we just need to provide the right ones when configuring the Apache container. We also have to add our container to the proxy network. This is what the updated docker-compose.yml file for our Apache service could look like.

 version: "3.8"
 services:
   apache:
     image: httpd:2.4-alpine
     container_name: apache
     ports:
       - 80
     labels:
       - traefik.enable=true
       - traefik.http.routers.apache.rule=Host(`docker.example.com`)
       - traefik.http.routers.apache.entrypoints=web
       - traefik.port=80
     networks:
       - proxy
 networks:
   proxy:
     external: true 

I’ll explain the different labels used here.

First of all, we need to make sure Traefik picks up this container. Because we disabled the exposedByDefault setting in the Traefik config, we need to explicitly say if we want the container exposed.

traefik.enable=true

We define a router named “apache” and make sure it routes requests for docker.example.com to our container.

traefik.http.routers.apache.rule=Host(`docker.example.com`)

We want the router we defined to use the web entrypoint which listens on port 80, the default HTTP port.

traefik.http.routers.apache.entrypoints=web

And last, but not least, we tell Traefik that our container is listening on port 80.

traefik.port=80

Run docker-compose up with your docker-compose file for Apache. Now you should be able to browse to https://docker.example.com/ and you should see the Apache test page.
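
The Traefik service defined earlier redirects everything arriving on the web entrypoint to websecured, so a router that should answer on https://docker.example.com/ has to be attached to websecured and given a certificate resolver. The following added example (not from the original post) shows the Apache service in that form. It also uses expose instead of ports, so that no host port bypasses Traefik, and the Traefik v2 label for the container port in place of traefik.port.

```yaml
# Added example, not the post's own configuration.
version: "3.8"
services:
  apache:
    image: httpd:2.4-alpine
    container_name: apache
    expose:
      - "80"   # visible to containers on the proxy network only; nothing is published on the host
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.apache.rule=Host(`docker.example.com`)"
      # Serve the router on the HTTPS entrypoint that the web entrypoint redirects to.
      - "traefik.http.routers.apache.entrypoints=websecured"
      # Request the certificate from the resolver declared on the Traefik service.
      - "traefik.http.routers.apache.tls.certresolver=mytlschallenge"
      # Traefik v2 form of the backend port label.
      - "traefik.http.services.apache.loadbalancer.server.port=80"
    networks:
      - proxy
networks:
  proxy:
    external: true
```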

