Tips & Tricks for working with Traefik

Working with a new technology or tool has a learning curve and the initial work of learning something new can be frustrating. I recently started using Traefik, a modern reverse proxy and load balancer designed to make working with microservices easy and am getting to the point where the documentation is starting to make sense. Here are a few tips and tricks for working with Traefik that I hope you find useful.

Example docker-compose.yml

version: '3'

services:
  traefik:
    container_name: traefik
    image: traefik:v2.4
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--api.insecure=true"
      - "--log.level=debug"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesResolvers.le.acme.email=youremail@domain.com"
      - "--certificatesResolvers.le.acme.storage=acme.json"
      - "--certificatesResolvers.le.acme.tlsChallenge=true"
      - "--certificatesResolvers.le.acme.httpChallenge=true"
      - "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
      - "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"

    networks:
      - proxy

    ports:
      - 80:80
      - 443:443
      - "8080:8080"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/acme.json:/acme.json

Dashboard

"--api.insecure=true"

This command enables the Traefik Dashboard, which can be useful to understanding interactions and connections between entrypoints, routers, services and middlewares.

It is possible to password protect and encrypt the Traefik Dashboard and I have not bothered. Once everything is setup and I am no longer debugging Traefik I just comment out the line in my docker-compose.yml.

Logging

"--log.level=debug"

This command enables logging. It is possible to direct the Traefik logs to a log file with "--log.filepath=path/to/your/logfile" and I do not use this. By default Traefik redirects logs to standard out (stdout). When debugging I start Traefik with "docker-compose up" and am able to view the log information in a terminal window.

Let's Encrypt Staging Server

"--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"

This command tells Traefik to use Let's Encrypt's staging server. This is useful in avoiding Let's Encrypts rate limiting when you are setting up a system and testing. When you are done testing and verified that everything is working you can just remove this line from your docker-compose.yml to migrate to Let's Encrypt's production environment

External files & Commands

Create your proxy network

While it is possible to create a proxy network for Traefik automatically. I have found it easier and cleaner to just create this network manually, so remember to run the following before starting up Traefik (and remember you only have to do this once).

docker create network proxy-network-name

Create your acme.json file

Remember to create and set permissions on your acme.json file.

mkdir data
touch acme.json
chmod 600 acme.json

Docker Stacks with Multiple Networks

Simple docker stacks (e.g. applications that only rely on one network like a simple web server) will work without any special configuration.

More complex docker stacks (e.g. applications that use multiple networks like a webserver that connects to Traefik via proxy network and a connects to a back-end database server via another private network) require additional configuration to inform the container which network traffic should be proxied on. Use this label in the containers' docker-compose.yml to do this:

traefik.docker.network=proxy-network-name