Containr/templates/traefik.md (2026-04-10 12:02:36 +02:00)

Traefik Reverse Proxy Template

Overview

Traefik is an HTTP reverse proxy and load balancer that discovers backends from Docker container labels and obtains TLS certificates automatically through ACME (Let's Encrypt). This template wires it up as the single public entry point for a Docker host: ports 80 and 443 on the host, everything else reachable only through Traefik routers.

Quick Start

# Create docker-compose.yml with the content below
docker-compose up -d

Docker Compose

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    command:
      - "--api.dashboard=true"
      # The unauthenticated API/dashboard on :8080 stays off; the dashboard is
      # served only through the "traefik" router below (TLS + basic auth).
      - "--api.insecure=false"
      - "--providers.docker=true"
      # Only containers that opt in with traefik.enable=true are exposed.
      - "--providers.docker.exposedbydefault=false"
      # Address to use when a container sits on several networks.
      - "--providers.docker.network=traefik-network"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Everything arriving on :80 is redirected to HTTPS (the ACME HTTP-01
      # challenge is still answered on :80 before the redirect).
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=your-email@example.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--global.checknewversion=false"
      - "--global.sendanonymoususage=false"
    ports:
      - "80:80"
      - "443:443"
      # No 8080 mapping: with api.insecure=false nothing listens there.
    volumes:
      # Traefik can drive the Docker daemon through this socket. The :ro flag
      # protects the socket file only, not the API behind it, so on shared
      # hosts put a Docker socket proxy in between that permits read-only
      # endpoints (containers, networks, events) and nothing else.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Must contain acme.json with mode 600 before the first start.
      - ./letsencrypt:/letsencrypt
      # File-based alternative to the command: list (see below); use one or
      # the other, not both.
      # - ./traefik.yml:/traefik.yml:ro
    networks:
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      # The dashboard/API is the built-in api@internal service, not a port.
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      # htpasswd output; every '$' is doubled because Compose interpolates
      # '$' in label values. Replace the placeholder hash before deploying.
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$hash"

networks:
  traefik-network:
    driver: bridge

Configuration File (traefik.yml)

This file is the file-based form of the same static configuration as the command: list above. Keep one source of truth: either mount this file into the container (./traefik.yml:/traefik.yml:ro) and drop the command: list, or keep the command: list and leave the file out.

api:
  dashboard: true
  insecure: false   # dashboard only via an authenticated router on api@internal

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false
    network: traefik-network

certificatesResolvers:
  letsencrypt:
    acme:
      email: your-email@example.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

Environment Variables

Every static option can also be set as an environment variable on the traefik service (TRAEFIK_ followed by the option path in upper case with dots replaced by underscores). This is a third way to express the same configuration, interchangeable with the command: list and traefik.yml:

  • TRAEFIK_API_DASHBOARD: Enable dashboard (true/false)
  • TRAEFIK_API_INSECURE: Serve the dashboard unauthenticated on port 8080 (true/false); leave this false
  • TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: Let's Encrypt contact email

Setup Guide

  1. Set the Let's Encrypt contact email:

    # Let's Encrypt sends expiry and policy notices here; replace the
    # placeholder in the command: list (or traefik.yml) with a mailbox you read
    EMAIL="your-email@example.com"
    sed -i "s/your-email@example.com/$EMAIL/" docker-compose.yml
    
  2. Create the certificate store:

    # acme.json holds the ACME account key and every private key Traefik
    # obtains; Traefik refuses to use it unless its mode is 600
    mkdir -p letsencrypt
    touch letsencrypt/acme.json
    chmod 600 letsencrypt/acme.json
    
  3. Configure DNS:

    • Point traefik.yourdomain.com and each service hostname (or one wildcard *.yourdomain.com record) at your server IP
    • Ensure ports 80 and 443 are reachable from the internet: the HTTP-01 challenge configured here is answered on port 80
    • HTTP-01 issues one certificate per hostname; a wildcard record is convenient for DNS, but a wildcard certificate would need the DNS-01 challenge, which this template does not configure
  4. Deploy:

    docker-compose up -d
    
  5. Access:

    Open https://traefik.yourdomain.com for the dashboard (the labels on the traefik service route it). Do not make the host reachable from the internet until the dashboard router carries authentication; requests to port 80 are redirected to HTTPS.
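The steps above as a pre-flight script. This is an added example, not part of the Containr template: it assumes the template's layout (ACME store at ./letsencrypt/acme.json, a Compose file that interpolates '$' in label values) and a Linux host with openssl, getent and nc available; the hostname and credentials passed on the command line are whatever you choose.

```shell
#!/bin/sh
# Added example (not part of the Containr template): pre-flight helpers for
# the Traefik setup steps. Assumes ./letsencrypt/acme.json as the ACME store
# and a Linux host with openssl, getent and nc.
set -eu

# Step 2: create the ACME store with the permissions Traefik insists on.
# acme.json holds the account key and every issued private key, so the
# directory is made private as well. Prints the path of the store.
prepare_acme_store() {
    dir=${1:-letsencrypt}
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$dir/acme.json" ] || : > "$dir/acme.json"
    chmod 600 "$dir/acme.json"
    printf '%s\n' "$dir/acme.json"
}

# Double every '$' so an htpasswd hash survives Compose variable
# interpolation when pasted into a label (the "$$apr1$$..." form used in
# this template).
compose_escape() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# Produce a ready-to-paste basicAuth middleware label for USER / PASSWORD.
# apr1 is what 'openssl passwd' offers without extra tools; bcrypt from
# 'htpasswd -B' is preferable where Apache's htpasswd is installed.
basic_auth_label() {
    user=$1 pass=$2 name=${3:-auth}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    hash=$(printf '%s' "$pass" | openssl passwd -apr1 -stdin)
    printf 'traefik.http.middlewares.%s.basicauth.users=%s:%s\n' \
        "$name" "$user" "$(compose_escape "$hash")"
}

# Step 3: the HTTP-01 challenge only works if the name resolves and port 80
# answers from the internet. Needs network access, so it only runs when a
# hostname is given on the command line.
check_public_host() {
    host=$1
    getent hosts "$host" >/dev/null || { echo "DNS: $host does not resolve" >&2; return 1; }
    nc -z -w 5 "$host" 80 || { echo "port 80 on $host is not reachable" >&2; return 1; }
    echo "ok: $host resolves and accepts connections on :80"
}

# Usage: sh preflight.sh traefik.yourdomain.com 'dashboard-password'
if [ "$#" -gt 0 ]; then
    prepare_acme_store letsencrypt
    check_public_host "$1"
    basic_auth_label admin "${2:-change-me}" traefik-auth
fi
```

The label printed by basic_auth_label can be pasted into the traefik service's labels as-is; compose_escape is the step people forget, and a hash with single '$' signs silently turns into a login that never succeeds.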

Service Integration Examples

Each snippet below is a separate Compose project. For Traefik to reach it, the project must join the network Traefik is on, so declare traefik-network in that project with external: true rather than creating a second, unrelated network of the same name. Because exposedByDefault is false, every service needs traefik.enable=true or Traefik ignores it.

Basic Web Service

services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      - traefik-network

WordPress with HTTPS

services:
  wordpress:
    image: wordpress:latest   # pin a version tag in production
    container_name: wordpress
    restart: unless-stopped
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress   # placeholder; use a generated secret from an env file
      WORDPRESS_DB_NAME: wordpress
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`blog.yourdomain.com`)"
      - "traefik.http.routers.wordpress.entrypoints=websecure"
      - "traefik.http.routers.wordpress.tls.certresolver=letsencrypt"
      - "traefik.http.services.wordpress.loadbalancer.server.port=80"
    networks:
      - traefik-network   # reached by Traefik
      - default           # reaches the db service (not shown), which stays off traefik-network

Nextcloud with HTTPS

services:
  nextcloud:
    image: nextcloud:latest
    container_name: nextcloud
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.yourdomain.com`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      # Traefik already sets X-Forwarded-Proto on forwarded requests; pinning it
      # to https guarantees Nextcloud builds https URLs. Nextcloud must also list
      # the Traefik container's network in its trusted_proxies setting, or it
      # ignores the forwarded headers.
      - "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-headers"
    networks:
      - traefik-network

Advanced Configuration

Middleware Examples

A middleware is declared with traefik.http.middlewares.<name>.<type>.<option> labels and does nothing until a router names it in its middlewares label, which is a comma-separated list (for example "auth,secure"). The router label can only appear once per router, so combine the attachments rather than repeating the label in several blocks.

# Rate limiting: on average 100 requests per second per client IP, with
# bursts of up to 200. burst is the bucket size, so keep it at or above
# average; a burst smaller than average just lowers the effective limit
labels:
  - "traefik.http.middlewares.ratelimit.ratelimit.average=100"
  - "traefik.http.middlewares.ratelimit.ratelimit.burst=200"
  - "traefik.http.routers.api.middlewares=ratelimit"

# Basic auth: the value is htpasswd output (MD5-apr1, SHA1 or bcrypt);
# every '$' is written as '$$' so Compose does not treat it as a variable
labels:
  - "traefik.http.middlewares.auth.basicauth.users=user:$$apr1$$hash"
  - "traefik.http.routers.api.middlewares=auth"

# Compression
labels:
  - "traefik.http.middlewares.compress.compress=true"
  - "traefik.http.routers.api.middlewares=compress"

# Security headers. browserXSSFilter sets X-XSS-Protection, which current
# browsers ignore; it is harmless but not a control you can rely on
labels:
  - "traefik.http.middlewares.secure.headers.stsSeconds=31536000"
  - "traefik.http.middlewares.secure.headers.stsIncludeSubdomains=true"
  - "traefik.http.middlewares.secure.headers.stsPreload=true"
  - "traefik.http.middlewares.secure.headers.forceSTSHeader=true"
  - "traefik.http.middlewares.secure.headers.frameDeny=true"
  - "traefik.http.middlewares.secure.headers.contentTypeNosniff=true"
  - "traefik.http.middlewares.secure.headers.browserXSSFilter=true"
  - "traefik.http.middlewares.secure.headers.referrerPolicy=strict-origin-when-cross-origin"
  - "traefik.http.routers.api.middlewares=secure"
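A middleware that is declared but never attached produces no error anywhere, so the useful check is from the outside: fetch the response headers and compare them with what the secure middleware is supposed to set. The script below is an added example, not code from the Containr template. It reads a raw header block on stdin (what curl -sI prints); the two sample responses embedded in it are constructed for the demonstration and the header values it expects are those of the labels above.

```shell
#!/bin/sh
# Added example (not part of the Containr template): check from the outside
# that the "secure" headers middleware is applied to a router. Reads a raw
# HTTP response header block on stdin; the samples below are constructed.
set -eu

# Print the expected headers that are missing or carry a weaker value than
# the middleware sets, space separated; print an empty line and return 0
# when everything is present. Header names are case-insensitive, so the
# input is lower-cased before matching.
audit_security_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    missing=""
    # _need NAME VALUE-REGEX: record NAME unless a matching header line exists
    _need() {
        printf '%s\n' "$hdrs" | grep -q "^$1: *$2" || missing="$missing $1"
    }
    # max-age must have at least 8 digits (more than 115 days); the preload
    # list requires a full year, which stsSeconds=31536000 satisfies
    _need strict-transport-security 'max-age=[0-9]\{8,\}; *includesubdomains; *preload'
    _need x-content-type-options 'nosniff'
    _need x-frame-options 'deny'
    _need referrer-policy 'strict-origin-when-cross-origin'
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: a router that has the "secure" middleware attached ...
GOOD_HEADERS='HTTP/2 200
content-type: text/plain; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
'
# ... and one where the middleware was declared but never attached
BAD_HEADERS='HTTP/2 200
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
'

# Usage: curl -sI https://whoami.yourdomain.com | sh header-audit.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    audit_security_headers
fi
```

Run it against every public hostname after a deploy; a non-empty line names the header that is missing, and a non-zero exit makes it usable as a gate in a deployment pipeline.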

Load Balancing

Two containers that declare the same service name (app) are merged by the Docker provider into one service with two servers, and Traefik distributes requests between them round-robin. The router labels only need to appear on one of them; passHostHeader=true is the default and is shown here only to make it explicit.

services:
  app1:
    image: myapp:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.yourdomain.com`)"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls.certresolver=letsencrypt"
      - "traefik.http.services.app.loadbalancer.server.port=8080"
      - "traefik.http.services.app.loadbalancer.passHostHeader=true"

  app2:
    image: myapp:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.app.loadbalancer.server.port=8080"

Monitoring and Metrics

Prometheus Metrics

# Add to traefik command. The metrics get their own entrypoint so they never
# share the public ones; the last flag is what actually moves the exporter
# there (without it metrics are served on the default "traefik" entrypoint)
- "--metrics.prometheus=true"
- "--metrics.prometheus.addEntryPointsLabels=true"
- "--metrics.prometheus.addServicesLabels=true"
- "--entrypoints.metrics.address=:8082"
- "--metrics.prometheus.entryPoint=metrics"

Prometheus Scrape Config

# Prometheus must share a Docker network with the traefik container. Do not
# publish 8082 on the host: the metrics list every hostname and backend you run
- job_name: 'traefik'
  static_configs:
    - targets: ['traefik:8082']

Security Best Practices

Secure Dashboard

The dashboard and API are the built-in api@internal service. With api.insecure=false (the default) nothing listens on port 8080, so the only way to the dashboard is a router you define, and that router must carry authentication. Remove the 8080:8080 port mapping; no extra entrypoint is needed.

# Dashboard only through the authenticated HTTPS router
command:
  - "--api.dashboard=true"
  - "--api.insecure=false"

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
  - "traefik.http.routers.traefik.entrypoints=websecure"
  - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
  - "traefik.http.routers.traefik.service=api@internal"
  - "traefik.http.routers.traefik.middlewares=auth"
  # generate with htpasswd -nB admin (or openssl passwd -apr1), then double every '$'
  - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$hash"

If the dashboard only ever needs to be reached from an admin network, add an ipAllowList middleware to the same router so that credentials are not the only barrier.
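The mistakes this section warns about are all visible in the Compose file, so they can be caught before docker-compose up. The script below is an added example, not code from the Containr template: it scans a Compose file for the insecure dashboard flag, a published port 8080, a read-write Docker socket mount, routers without a tls.certresolver, and middlewares that are declared but never attached to any router. It assumes labels are written one per line, as they are throughout this template; the sample Compose file it carries is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the Containr template): flag the insecure
# patterns this section describes in a compose file. Assumes one label per
# line, as in the template.
set -eu

# audit_compose [FILE...]: print one FINDING line per problem and return 1
# if any were found; reads stdin when no file is given.
audit_compose() {
    awk '
    function flag(msg) { findings++; print "FINDING: " msg }
    /--api\.insecure=true|insecure: *true/ { flag("insecure API/dashboard enabled (line " NR ")") }
    /- *"?8080:8080"?/ { flag("dashboard port 8080 published on the host (line " NR ")") }
    /docker\.sock/ && !/:ro"?$/ { flag("docker socket mounted read-write (line " NR ")") }
    match($0, /traefik\.http\.routers\.[A-Za-z0-9_-]+\./) {
        # "traefik.http.routers." is 21 characters, the trailing dot one more
        r = substr($0, RSTART + 21, RLENGTH - 22)
        routers[r] = 1
        if ($0 ~ /\.tls[.=]/) tls[r] = 1
        if (match($0, /\.middlewares=[^"]*/)) {
            n = split(substr($0, RSTART + 13, RLENGTH - 13), list, ",")
            for (i = 1; i <= n; i++) { sub(/@.*/, "", list[i]); used[list[i]] = 1 }
        }
    }
    match($0, /traefik\.http\.middlewares\.[A-Za-z0-9_-]+\./) {
        m = substr($0, RSTART + 25, RLENGTH - 26)   # "traefik.http.middlewares." is 25
        mws[m] = 1
    }
    END {
        for (r in routers) if (!(r in tls)) flag("router " r " has no tls.certresolver, serves plain HTTP")
        for (m in mws) if (!(m in used)) flag("middleware " m " is defined but never attached to a router")
        exit (findings > 0 ? 1 : 0)
    }' "$@"
}

# Constructed sample: the dashboard wiring this section tells you to remove,
# plus a headers middleware nobody attached
sample_compose() {
    cat <<'EOF'
services:
  traefik:
    image: traefik:v3.0
    command:
      - "--api.insecure=true"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.middlewares.secure.headers.frameDeny=true"
  whoami:
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.middlewares=auth@file"
EOF
}

# Usage: sh compose-audit.sh docker-compose.yml   (exit 1 on findings)
if [ "$#" -gt 0 ]; then
    audit_compose "$@"
fi
```

On the sample it reports five findings. A read-only socket mount passes the socket check, but as noted in the template that only protects the socket file; the audit cannot tell whether a socket proxy sits in front of the daemon.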

Network Security

Traefik only needs to reach the containers it routes to, never their databases. Give each application two networks: the one Traefik is on and an internal one shared with its database. A network marked internal: true has no route to the outside world, and a container that is only on it cannot be reached from the host's interfaces either. With several networks per container, providers.docker.network tells Traefik which address to use.

# Public network for Traefik and the apps it fronts; internal network for
# app-to-database traffic only
networks:
  traefik-public:
    driver: bridge
  traefik-internal:
    driver: bridge
    internal: true

services:
  traefik:
    networks:
      - traefik-public

  app:
    networks:
      - traefik-public
      - traefik-internal

  database:
    networks:
      - traefik-internal

Backup Strategy

acme.json contains the ACME account key and the private key of every issued certificate, so a backup of it is as sensitive as the live file: keep it owner-readable only, encrypt it before it leaves the host, and restore it with the same permissions. Certificates can always be re-issued; the reason to back them up is Let's Encrypt's issuance rate limits, which a rebuilt host can hit quickly.

# Backup Let's Encrypt certificates and keys (owner-only, encrypt before copying off-host)
tar czf letsencrypt-backup.tar.gz letsencrypt/
chmod 600 letsencrypt-backup.tar.gz

# Backup Traefik configuration
cp traefik.yml traefik-backup.yml

# Restore certificates; Traefik refuses acme.json with permissions wider than 600
tar xzf letsencrypt-backup.tar.gz
chmod 600 letsencrypt/acme.json
docker-compose restart traefik

Performance Optimization

# Connection reuse and timeouts toward backends. The forwarding timeouts are
# serversTransport options, not entrypoint options
command:
  - "--serversTransport.maxIdleConnsPerHost=100"
  - "--serversTransport.forwardingTimeouts.dialTimeout=30s"
  - "--serversTransport.forwardingTimeouts.responseHeaderTimeout=30s"
  - "--serversTransport.forwardingTimeouts.idleConnTimeout=180s"
  # Client-side limits live on the entrypoint: a readTimeout bounds how long a
  # slow client may hold a connection while sending a request
  - "--entrypoints.web.transport.respondingTimeouts.readTimeout=60s"
  - "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=60s"

# Resource limits
deploy:
  resources:
    limits:
      memory: 512M
      cpus: '0.5'
    reservations:
      memory: 256M
      cpus: '0.2'

Troubleshooting

  • Certificate issues: confirm the hostname resolves to this server and port 80 is reachable from the internet, then read the ACME errors in the log (docker-compose logs traefik | grep -i acme). A rate-limit error means Let's Encrypt's issuance limits were hit; restoring acme.json from backup avoids re-issuing
  • Service not reachable: the container needs traefik.enable=true, a router rule, and a network Traefik is attached to; the dashboard's routers view shows each router with any configuration error
  • Performance problems: check container resource usage, the serversTransport connection settings and the backend's own limits
  • Dashboard access: a 401 means the basicauth hash is wrong or its '$' signs were swallowed by Compose interpolation; docker inspect traefik shows the label value Traefik actually received

Maintenance

# Check logs
docker-compose logs -f traefik

# Check certificates
docker exec traefik ls -la /letsencrypt/

# Renew certificates (automatic)
# Traefik automatically renews certificates 30 days before expiry

# Update Traefik
docker-compose pull && docker-compose up -d

Common Use Cases

Multi-tenant Setup

The snippets in this section show only the routing rule. Each service still needs traefik.enable=true, entrypoints=websecure and tls.certresolver=letsencrypt as in the Basic Web Service example, because exposedByDefault is false and a router without TLS serves plain HTTP.

# Different domains for different services
services:
  service1:
    labels:
      - "traefik.http.routers.service1.rule=Host(`service1.yourdomain.com`)"

  service2:
    labels:
      - "traefik.http.routers.service2.rule=Host(`service2.yourdomain.com`)"

Path-based Routing

Both routers match yourdomain.com. Traefik's default router priority is the length of the rule, so the longer Host && PathPrefix rule wins for /api requests and everything else falls through to the web router.

services:
  api:
    labels:
      - "traefik.http.routers.api.rule=Host(`yourdomain.com`) && PathPrefix(`/api`)"

  web:
    labels:
      - "traefik.http.routers.web.rule=Host(`yourdomain.com`)"

WebSocket Support

Traefik forwards WebSocket upgrade requests without any extra configuration; the router is an ordinary HTTPS router.

services:
  websocket-app:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ws.rule=Host(`ws.yourdomain.com`)"
      - "traefik.http.routers.ws.entrypoints=websecure"
      - "traefik.http.routers.ws.tls.certresolver=letsencrypt"
      - "traefik.http.services.ws.loadbalancer.server.port=8080"