Getting started with Traefik as an alternative and easy to use reverse proxy

After having discovered Traefik accidentally via a simple HN comment from the community, I find it fantastic. It's a great alternative and relatively simple to use reverse proxy and load balancer. Especially for dockerized web applications.

In my previous post I wrote about setting up Nginx as a reverse proxy as well adding SSL with Let's Encrypt. Whilst that works, and Nginx is a great reverse proxy and it also provides load balancing as well as many other things, I personally found it tricky to configure in Docker. This is most likely due to my limited knowledge of Nginx and how to get it setup in a Docker container.

This is why I find Traefik relatively easier to setup and it has some great documentation on their website and also some basic concepts of Traefik which is really helpful.

In this post, I will describe how to setup Traefik as a reverse proxy in just a few minutes.

Pre-requisites

  • A Linux machine
  • Docker and Docker Compose installed

Create a Docker Compose file

In this example, I will be using Docker to launch Traefik. We shall start with a simple Docker Compose file as shown below.

Go ahead and create a Docker Compose file in a file directory of your choice like so:

nano /home/traefik/docker-compose-traefik.yml

Then add the following:

version: '3.4'

services:
  reverse-proxy:
    image: traefik:latest # The official Traefik docker image
    container_name: traefik
    command: --api --docker --docker.domain=docker.localhost --logLevel=DEBUG # Enables the web UI and tells Traefik to listen to docker
    ports:
      - "80:80"        # The HTTP port
      - "8080:8080"    #- "8080:8080" # The Web UI (enabled by --api)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock #So that Traefik can listen to the Docker events

This is the simplest configuration for Traefik. We specify the Traefik docker image with traefik:latest, followed by specifying a container name and a command. This setting tells Traefik to include its standard dashboard, which we shall see in a bit.

Launch Traefik

With the Docker Compose file saved, all you need to do is launch it.

docker-compose -f /home/traefik/docker-compose-traefik.yml up -d

Thats it!

Now go ahead to a browser and visit port 8080 which is Traefik's dashboard and you should see something like this:
traefik-monitor-example-1

We're done. Its that simple!

Add a Web app

To demonstrate how easy it is to add a web application so that Traefik recognises it and starts to route traffic to it, I am going to setup a sample ASP.NET core app.

Go ahead and create another docker compose file:

nano /home/traefik/docker-compose-web.yml

Then copy the sample Docker Compose file as shown below.

version: '3.4'

services:
  aspnetapp:
    image: microsoft/dotnet-samples:aspnetapp
    ports:
      - "81:80"
    labels:
      - traefik.backend=aspnetwebapp

The image I am using here is the classic ASP.NET Core app provided by Microsoft. Notice that the port I am exposing here is 81. This is so that we can visit the app via port 81.

Notice there is an additional labels section as part of the yaml file. This section is for Traefik to understand. Here I am just using a basic label which is optional and not required. But for demonstration purposes, I have added a backend label.
The Traefik website has many labels to configure from.

Launch the web app

Now, we can launch the service.

docker-compose -f docker-compose-web.yml up -d

If we run docker ps we should have two containers running as shown:

CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS              PORTS                                        NAMES
eac6d7f37b03        microsoft/dotnet-samples:aspnetapp   "dotnet aspnetapp.dll"   25 minutes ago      Up 5 minutes       0.0.0.0:81->80/tcp                           traefik_aspnetapp_1
4364f5526b6c        traefik:latest                       "/traefik --api --do…"   36 minutes ago      Up 6 minutes       0.0.0.0:80->80/tcp, 0.0.0.0:8080->8080/tcp   traefik

Now, if we re-visit the dashboard, you will have noticed Traefik has detected an additional docker container.

traefik-monitor-example-service

If we visit port 81, we should see the sample ASP.NET core application.

traefik-monitor-aspnet-service

Adding Basic Auth Security to Traefik's dashboard

Traefik offers Basic Authentication for web applications. This is great. However, passwords must be created using the htpasswd tool. The good news is that it doesn't take long to generate or use.

Create a username and password using htpasswd

  1. You can check if you have htpasswd installed by simply typing htpasswd in the terminal.
htpasswd
  1. If you don't have htpasswd installed, you can install it by running the following command:
sudo apt install apache2-utils
  1. If I wanted a username of admin and my super secure password to be Jqhdsd2YDd74vVnn9sJBPoBV, then, the command to create a username and password would be:
htpasswd -nb admin Jqhdsd2YDd74vVnn9sJBPoBV

It will then output:

admin:$apr1$GbgwmElw$5H80qe5cCLtKdcpK5oi8L1

Make a note of this.

Create a basic TOML config file

Traefik uses a config file called traefik.toml. It uses the TOML format. You can find out more from the TOML Github repository.

Here, I'm going to demonstrate how to setup a basic traefik.toml config file so that we can add some basic authentication for Traefik's dashboard.

  1. Create a basic traefik.toml file. You can also start off with one provided by Traefik
nano /home/traefik/traefik.toml
  1. Enter the following:
################################################################
# Global configuration
################################################################

# Log level
logLevel = "INFO"

defaultEntryPoints = ["http"]

################################################################
# Entrypoints configuration
################################################################

# Entrypoints definition
[entryPoints]

  [entryPoints.dashboard]
    address = ":8080"
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
        # This is where we set the username and password from the htpasswd tool
        users = ["admin:$apr1$GbgwmElw$5H80qe5cCLtKdcpK5oi8L1"]

  [entryPoints.http]
    address = ":80"

################################################################
# API and dashboard configuration
################################################################
# Enable API and dashboard
[api]
entrypoint="dashboard"

If you notice the [api] section are settings for Traefik's dashboard.
Also, I have defined an entrypoint called "dashboard". I could have named this anything. But the important part is that whatever is set here, the entry point can be referenced in the entry points configuration.

So, if you notice in the entrypoints configuration, I have a section called [entryPoints.dashboard]. This is because I have a defined an entry point called "dashboard". If I have defined the entrypoint as monitoring, then to reference it, I would use [entrypoints.monitoring]. You can read more about entrypoints from Traefik's website.

Then you will notice the auth setting [entryPoints.dashboard.auth] and this is where we enter the username and password we generated using the htpasswd tool earlier.

Modify the docker compose file

Now that we have defined the traefik.toml file, we need to modify the original docker compose file so that it references the file and also we no longer need to enable the dashboard via the docker compose file as it is now defined in the traefik.toml config file.

So the final file will be:

version: '3.4'

services:
  reverse-proxy:
    image: traefik:latest # The official Traefik docker image
    restart: always
    container_name: traefik
    ports:
      - "80:80"      # The HTTP port
      - "8080:8080"    #- "8080:8080" # The Web UI (enabled by --api)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock #So that Traefik can listen to the Docker events
      - /home/traefik/traefik.toml:/traefik.toml
    labels:
      - traefik.port=8080
      - traefik.frontend.rule=Host:reverse-proxy.traefik.localhost

Restart both docker containers

Stop the Traefik container earlier and restart it with the new configuration and if all goes well, you will be prompted with authentication as shown below:

traefik-basic-auth-example

Summary

I demonstrated how to setup Traefik as a reverse proxy within a few minutes and also configure its dashboard to have some basic authentication.

If you would like to explore more, Traefik's website has a wealth of information to get started and more.

Newsletter

Receive new content like this and more. No spam. Ever. Unsubscribe whenever you want.

or subscribe via RSS with Feedly!