2026-04-10 12:02:36 +02:00

# Traefik Reverse Proxy Template
## Overview
Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
## Quick Start
```bash
# Create docker-compose.yml with the content below
docker-compose up -d
```
## Docker Compose
```yaml
version: '3.8'
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    command:
      - "--api=true"
      # Serves the API and dashboard without authentication on port 8080.
      # Acceptable for a first local run; switch to the "Secure Dashboard"
      # setup below before this host is reachable from the internet.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Only containers carrying traefik.enable=true get a router
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=your-email@example.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--global.checknewversion=false"
      - "--global.sendanonymoususage=false"
      # Redirect all plain HTTP to HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"   # insecure dashboard/API; remove once api.insecure=false
    volumes:
      # Read-only is enough: the Docker provider only watches container events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json (certificates and private keys) lives here; Traefik creates it with mode 0600
      - ./letsencrypt:/letsencrypt
      # Optional: the command flags above already carry the same static
      # configuration, so keep either the flags or the file, not both
      - ./traefik.yml:/traefik.yml:ro
    networks:
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
volumes:
  # Declared but unused: certificates are kept in the ./letsencrypt bind mount above
  letsencrypt:
networks:
  traefik-network:
    driver: bridge
```
## Configuration File (`traefik.yml`)
```yaml
api:
  dashboard: true
  insecure: true   # unauthenticated dashboard on :8080; see Security Best Practices
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
providers:
  docker:
    exposedByDefault: false
    network: traefik-network
certificatesResolvers:
  letsencrypt:
    acme:
      email: your-email@example.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web
```
## Environment Variables
- `TRAEFIK_API_DASHBOARD`: Enable dashboard (true/false)
- `TRAEFIK_API_INSECURE`: Serve the API and dashboard unauthenticated on port 8080 (true/false)
- `TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL`: Let's Encrypt email
## Setup Guide
1. **Set the Let's Encrypt contact email**:
   ```bash
   # Use your actual email; Let's Encrypt sends expiry and problem notices there
   EMAIL="your-email@example.com"
   ```
2. **Create directories**:
   ```bash
   mkdir -p letsencrypt
   ```
3. **Configure DNS**:
   - Point `yourdomain.com` and `*.yourdomain.com` to your server IP
   - Ensure ports 80 and 443 are reachable from the internet (the HTTP-01 challenge arrives on port 80)
4. **Deploy**:
   ```bash
   docker-compose up -d
   ```
5. **Access**:
   - **Dashboard**: http://traefik.yourdomain.com:8080
   - **API**: http://traefik.yourdomain.com:8080/api/
## Service Integration Examples
### Basic Web Service
```yaml
services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      - traefik-network
# Running this from a separate compose file? Then declare the proxy network
# as external: networks: { traefik-network: { external: true } }
```
### WordPress with HTTPS
```yaml
services:
  wordpress:
    image: wordpress:latest
    container_name: wordpress
    restart: unless-stopped
    environment:
      # "db" is the database container (not shown); it must share the default network
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress   # placeholder, replace before use
      WORDPRESS_DB_NAME: wordpress
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`blog.yourdomain.com`)"
      - "traefik.http.routers.wordpress.entrypoints=websecure"
      - "traefik.http.routers.wordpress.tls.certresolver=letsencrypt"
      - "traefik.http.services.wordpress.loadbalancer.server.port=80"
    networks:
      - traefik-network
      - default
```
### Nextcloud with HTTPS
```yaml
services:
  nextcloud:
    image: nextcloud:latest
    container_name: nextcloud
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.yourdomain.com`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-headers"
    networks:
      - traefik-network
```
## Advanced Configuration
### Middleware Examples
```yaml
# Middlewares are declared with labels and attached to a router by name.
# Chain several with a comma-separated list: the router's middlewares label
# must be set once, a second label with the same key simply overwrites the first.
labels:
  # Rate limiting
  - "traefik.http.middlewares.ratelimit.ratelimit.average=100"
  - "traefik.http.middlewares.ratelimit.ratelimit.burst=50"
  # Basic auth (htpasswd format; Compose treats $ as a variable marker, so write every $ as $$)
  - "traefik.http.middlewares.auth.basicauth.users=user:$$apr1$$hash"
  # Compression
  - "traefik.http.middlewares.compress.compress=true"
  # Security headers
  - "traefik.http.middlewares.secure.headers.stsSeconds=31536000"
  - "traefik.http.middlewares.secure.headers.stsIncludeSubdomains=true"
  - "traefik.http.middlewares.secure.headers.stsPreload=true"
  - "traefik.http.middlewares.secure.headers.forceSTSHeader=true"
  - "traefik.http.middlewares.secure.headers.frameDeny=true"
  - "traefik.http.middlewares.secure.headers.contentTypeNosniff=true"
  - "traefik.http.middlewares.secure.headers.browserXSSFilter=true"
  - "traefik.http.middlewares.secure.headers.referrerPolicy=strict-origin-when-cross-origin"
  # Attach to the router; add "auth" or "secure" to the list as needed
  - "traefik.http.routers.api.middlewares=ratelimit,compress"
```
### Load Balancing
```yaml
# Containers that declare the same Traefik service name ("app") become
# backends of one service; Traefik round-robins between them
services:
  app1:
    image: myapp:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.yourdomain.com`)"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls.certresolver=letsencrypt"
      - "traefik.http.services.app.loadbalancer.server.port=8080"
      - "traefik.http.services.app.loadbalancer.passHostHeader=true"
  app2:
    image: myapp:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.app.loadbalancer.server.port=8080"
```
## Monitoring and Metrics
### Prometheus Metrics
```yaml
# Add to the traefik command list
command:
  - "--metrics.prometheus=true"
  - "--metrics.prometheus.addEntryPointsLabels=true"
  - "--metrics.prometheus.addServicesLabels=true"
  # Serve /metrics on its own entry point; without the second line the
  # metrics stay on the built-in 'traefik' entry point (:8080)
  - "--entrypoints.metrics.address=:8082"
  - "--metrics.prometheus.entryPoint=metrics"
```
### Grafana Dashboard
```yaml
# prometheus.yml scrape job that feeds the Grafana dashboard. Prometheus must
# sit on traefik-network: port 8082 is not published to the host above.
scrape_configs:
  - job_name: 'traefik'
    static_configs:
      - targets: ['traefik:8082']
```
## Security Best Practices
### Secure Dashboard
```yaml
# Turn off the unauthenticated API and publish the dashboard through an
# ordinary HTTPS router guarded by basic auth
command:
  - "--api.dashboard=true"
  - "--api.insecure=false"
  - "--entrypoints.traefik.address=:8443"   # optional; nothing routes to it, the router below uses websecure
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
  - "traefik.http.routers.traefik.entrypoints=websecure"
  - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
  # With api.insecure=false the dashboard is only reachable through the
  # built-in api@internal service. Drop the loadbalancer.server.port=8080
  # label and the "8080:8080" port mapping from the Quick Start file.
  - "traefik.http.routers.traefik.service=api@internal"
  - "traefik.http.routers.traefik.middlewares=auth"
  # Generate the hash with: htpasswd -nB admin | sed -e 's/\$/\$\$/g'
  # (every $ is doubled because Compose expands $VAR in label values)
  - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$hash"
```
### Network Security
```yaml
# Put backends that only Traefik should reach on an internal network;
# "internal: true" also removes their outbound access to the internet
networks:
  traefik-public:
    driver: bridge
  traefik-internal:
    driver: bridge
    internal: true
services:
  traefik:
    networks:
      - traefik-public
      - traefik-internal
  database:
    networks:
      - traefik-internal
```
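As an added check that is not part of the template, a small POSIX shell audit that greps a `docker-compose.yml` written from this page for the settings this section tells you to change before going live; `audit_compose`, `write_sample_compose` and the constructed sample file are my names and data, not the project's:

```shell
# Added example, not part of the template: audit a docker-compose.yml built
# from this page. Prints one FINDING per hit on stderr and echoes the number
# of findings on stdout. Plain grep, so no YAML parser is needed.
audit_compose() {
  file="$1"
  n=0
  flag() { echo "FINDING: $1" >&2; n=$((n + 1)); }

  # Unauthenticated API and dashboard on the built-in 'traefik' entry point
  grep -qF -- '--api.insecure=true' "$file" && flag "api.insecure=true leaves the dashboard and API without auth"
  # Host port 8080 exists only to serve that insecure dashboard
  grep -qE '"([0-9.]+:)?8080:8080"' "$file" && flag "port 8080 is published to the host"
  # The Docker provider only watches events; the socket never needs write access
  grep -F '/var/run/docker.sock' "$file" | grep -qv ':ro' && flag "docker.sock is mounted read-write"
  # Without this flag every container on the network gets a router
  grep -qF -- '--providers.docker.exposedbydefault=false' "$file" || flag "exposedbydefault is not set to false"
  # Placeholders from the template that must be replaced before going live
  grep -q 'basicauth\.users=.*\$\$apr1\$\$hash' "$file" && flag "basicauth still carries the placeholder hash"
  grep -qF 'acme.email=your-email@example.com' "$file" && flag "ACME email is still the placeholder"
  echo "$n"
}

# Constructed sample: a trimmed copy of the Quick Start compose file,
# written to a temp file so the audit can run offline (4 findings expected)
write_sample_compose() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
services:
  traefik:
    command:
      - "--api.insecure=true"
      - "--providers.docker.exposedbydefault=false"
      - "--certificatesresolvers.letsencrypt.acme.email=your-email@example.com"
    ports:
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$hash"
EOF
  echo "$f"
}

# Demo run; for a real file use: audit_compose docker-compose.yml
sample=$(write_sample_compose)
audit_compose "$sample"
rm -f "$sample"
```

A clean file echoes `0`; anything else means the Quick Start defaults are still in place.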
## Backup Strategy
```bash
# Backup Let's Encrypt certificates. acme.json also holds the private keys,
# so keep the archive mode 0600 and off shared storage.
tar czf letsencrypt-backup.tar.gz letsencrypt/
chmod 600 letsencrypt-backup.tar.gz
# Backup Traefik configuration
cp traefik.yml traefik-backup.yml
# Restore certificates
tar xzf letsencrypt-backup.tar.gz
docker-compose restart traefik
```
## Performance Optimization
```yaml
services:
  traefik:
    command:
      # Connection reuse and timeouts toward the backends are configured
      # under serversTransport, not under the entry points
      - "--serversTransport.maxIdleConnsPerHost=100"
      - "--serversTransport.forwardingTimeouts.dialTimeout=30s"
      - "--serversTransport.forwardingTimeouts.responseHeaderTimeout=30s"
      - "--serversTransport.forwardingTimeouts.idleConnTimeout=180s"
    # Resource limits (honoured by Compose v2; docker-compose v1 needs --compatibility)
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
        reservations:
          memory: 256M
          cpus: '0.2'
```
## Troubleshooting
- **Certificate issues**: Check DNS and port 80 accessibility
- **Service not reachable**: Verify labels and network configuration
- **Performance problems**: Check resource usage and connection limits
- **Dashboard access**: Verify authentication configuration
## Maintenance
```bash
# Check logs
docker-compose logs -f traefik
# Check certificates
docker exec traefik ls -la /letsencrypt/
# Renew certificates (automatic)
# Traefik automatically renews certificates 30 days before expiry
# Update Traefik
docker-compose pull && docker-compose up -d
```
## Common Use Cases
### Multi-tenant Setup
```yaml
# Different domains for different services; each needs traefik.enable=true
# because exposedbydefault is false
services:
  service1:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.service1.rule=Host(`service1.yourdomain.com`)"
  service2:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.service2.rule=Host(`service2.yourdomain.com`)"
```
### Path-based Routing
```yaml
# A rule's default priority is its length, so the more specific
# Host && PathPrefix rule wins over the bare Host rule
services:
  api:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`yourdomain.com`) && PathPrefix(`/api`)"
  web:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.web.rule=Host(`yourdomain.com`)"
```
### WebSocket Support
```yaml
# WebSocket upgrades are proxied as-is; no extra middleware is needed
services:
  websocket-app:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ws.rule=Host(`ws.yourdomain.com`)"
      - "traefik.http.routers.ws.entrypoints=websecure"
      - "traefik.http.routers.ws.tls.certresolver=letsencrypt"
      - "traefik.http.services.ws.loadbalancer.server.port=8080"
```