1. Prerequisites

  • Docker and Docker Compose installed on your server.
  • Access to a domain and Cloudflare API credentials for SSL certificate management via ACME.

2. Traefik Configuration

Your Traefik setup is split into two main parts: the docker-compose.yml file and the traefik.yml configuration.

Docker Compose for Traefik

docker-compose.yml

---
networks:
  frontend:
    external: true
services:
  traefik_NESS:
    container_name: traefik_NESS
    image: traefik:2.10.5
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./config:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/conf/:/etc/traefik/conf/:ro
      - ./config/certs/:/etc/traefik/certs/
      - ./config/config.yml:/config.yml:ro
    environment:
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
    networks:
      - frontend
    restart: unless-stopped

The docker-compose.yml file defines the Traefik service, the volumes for its configuration and certificates, and the Docker socket mount that Traefik uses for service discovery. Ensure you have created the external frontend network beforehand.

  • Volumes:
    • ./config:/etc/traefik: Location for Traefik configuration files.
    • /var/run/docker.sock:/var/run/docker.sock:ro: Allows Traefik to query the Docker API (mounted read-only; note that even read-only socket access exposes all container metadata to Traefik).
    • ./config/conf/ and ./config/certs/: additional configuration files and the ACME certificate store (acme.json), which holds private keys and must be writable by Traefik.

Traefik Configuration

Your traefik.yml file sets global parameters, logs, API and dashboard for Traefik, entry points, certificate resolvers, and service discovery via Docker.

  • API and Dashboard: Enabled with debug output for development. The dashboard must be put behind authentication (see section 6) before production use.
  • Entry Points: Defines the web (port 80) and websecure (port 443) entry points; a dedicated dashboard entry point is left commented out.
  • Certificate Resolvers: Uses ACME with the Cloudflare DNS challenge for automatic SSL certificate management.

traefik.yml

global:
  checkNewVersion: false
  sendAnonymousUsage: false

# -- (Optional) Change Log Level and Format here...
#     - loglevels [DEBUG, INFO, WARNING, ERROR, CRITICAL]
#     - format [common, json, logfmt]
log:
  level: ERROR
#  format: common
#  filePath: /var/log/traefik/traefik.log

# -- (Optional) Enable Accesslog and change Format here...
#     - format [common, json, logfmt]
# accesslog:
#   format: common
#   filePath: /var/log/traefik/access.log

# -- (Optional) Enable API and Dashboard here, don't do in production
api:
  dashboard: true
  debug: true

# -- Change EntryPoints here...
entryPoints:
  web:
    address: :80
    http:
      #middlewares:
      #  - middlewares-authentik@file
      # -- (Optional) Redirect all HTTP to HTTPS
      redirections:
        entrypoint:
          to: websecure
          scheme: https
  websecure:
    address: :443

  # -- (Optional) Add custom Entrypoint
  #traefik:
  #  address: :8080

# -- Configure your CertificateResolver here...
certificatesResolvers:
  cloudflare:
    acme:
      email: you@example.com  # placeholder: replace with your ACME contact address
      storage: /etc/traefik/certs/acme.json
      caServer: 'https://acme-v02.api.letsencrypt.org/directory'
      keyType: EC256
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

# -- (Optional) Disable TLS Cert verification check for backend connections
#    Only needed when backends present self-signed certificates; otherwise leave it false
serversTransport:
  insecureSkipVerify: true

# -- (Optional) Overwrite Default Certificates
#tls:
#  stores:
#    default:
#      defaultCertificate:
#        certFile: /etc/traefik/certs/cert.pem
#        keyFile: /etc/traefik/certs/cert-key.pem
# -- (Optional) Disable TLS version 1.0 and 1.1
#   options:
#     default:
#       minVersion: VersionTLS12

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # -- (Optional) Enable this, if you want to expose all containers automatically
    exposedByDefault: false
  file:
    directory: /etc/traefik
    #watch: true

3. Deploying an Example Application

docker-compose.yml

version: '3.8'

networks:
  frontend:
    external: true

services:
  webwelp:
    image: welp93/webwelp:latest
    container_name: webwelp
    restart: always
    networks:
      - frontend
    labels:
      - traefik.enable=true
      - traefik.http.routers.webwelp.rule=Host(`webwelp.your-domain.com`)
      - traefik.http.routers.webwelp.entrypoints=web
      - traefik.http.routers.webwelp-secure.entrypoints=websecure
      - traefik.http.routers.webwelp-secure.rule=Host(`webwelp.your-domain.com`)
      - traefik.http.routers.webwelp-secure.tls=true
      - traefik.http.routers.webwelp-secure.tls.certresolver=cloudflare

Your example application webwelp demonstrates how to expose a service through Traefik with specific Docker labels for routing configuration.

  • Network: The application needs to be connected to the frontend network to be accessible by Traefik.
  • Labels: Configure the HTTP and HTTPS routers, their entry points, and the certificate resolver used for HTTPS.

4. Starting Traefik

Run Traefik using Docker Compose:

docker-compose up -d

This will launch Traefik as defined in your docker-compose.yml.

5. Deploying the Application

To deploy your example application, ensure its docker-compose.yml is properly set up, then launch it with Docker Compose:

docker-compose up -d

The webwelp application will now be accessible via Traefik, with routing configured for both HTTP and HTTPS.

6. Add a password to the dashboard

sudo apt install apache2-utils -y
echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g

Copy the output into the TRAEFIK_PASSWORD variable that the label below reads, then add the labels to the Traefik service.

Docker Compose for Traefik (with the dashboard labels added)

---
networks:
  frontend:
    external: true
services:
  traefik_NESS:
    container_name: traefik_NESS
    image: traefik:2.10.5
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./config:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/conf/:/etc/traefik/conf/:ro
      - ./config/certs/:/etc/traefik/certs/
      - ./config/config.yml:/config.yml:ro
    environment:
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
    networks:
      - frontend
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.your-domain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_PASSWORD}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      # sslheader is defined but not attached to any router below; the header value is a scheme (https), not an entrypoint name
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.your-domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.service=api@internal"

7. Verification

  • Traefik Dashboard: Accessible at https://traefik-dashboard.your-domain.com to monitor the status of Traefik and routed services.
  • Web Application: Access https://webwelp.your-domain.com to test the HTTPS configurations.
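To turn the two manual checks above into a repeatable test, here is an added Python script (not part of this guide) that probes the HTTP-to-HTTPS redirect on the web entrypoint, confirms the dashboard answers 401 with a Basic challenge when no credentials are sent, and confirms the application is served over a verifiable TLS certificate. The hostnames are the guide's placeholders; evaluate() is kept separate from the network call so it can be exercised on recorded responses.

```python
"""Post-deployment checks for this guide's Traefik setup (added example, not the
guide's own code). It verifies the HTTP->HTTPS redirect on the web entrypoint,
that the dashboard answers 401 with a Basic challenge when unauthenticated, and
that the app is served over TLS. evaluate() is separated from the network call
so it can be exercised on recorded responses; hostnames are the guide's placeholders."""
import urllib.error
import urllib.request

DASHBOARD = "traefik-dashboard.your-domain.com"
APP = "webwelp.your-domain.com"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return the 3xx itself instead of following it."""
    def redirect_request(self, *args, **kwargs):
        return None

def probe(url):
    """Fetch url and return (status, headers with lower-cased names)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as e:  # 3xx/4xx are the answers we want
        return e.code, {k.lower(): v for k, v in e.headers.items()}
    except urllib.error.URLError as e:  # DNS, connect or TLS verification failure
        return 0, {"error": str(e.reason)}

def evaluate(responses):
    """responses: {url: (status, headers)}; returns a list of findings."""
    findings = []
    status, headers = responses[f"http://{APP}/"]
    if status not in (301, 302, 307, 308) or not headers.get("location", "").startswith("https://"):
        findings.append("web entrypoint does not redirect to HTTPS")
    status, headers = responses[f"https://{DASHBOARD}/dashboard/"]
    if status != 401 or not headers.get("www-authenticate", "").lower().startswith("basic"):
        findings.append("dashboard reachable without basic auth")
    status, headers = responses[f"https://{APP}/"]
    if status != 200:
        findings.append(f"application not served over HTTPS: {headers.get('error', status)}")
    return findings

def run_live():
    """Probe the real hosts; run this from a machine that resolves the domain."""
    urls = [f"http://{APP}/", f"https://{DASHBOARD}/dashboard/", f"https://{APP}/"]
    return evaluate({u: probe(u) for u in urls})
```

Because urllib verifies certificates by default, a self-signed or not-yet-issued certificate shows up as a finding rather than passing silently.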

Conclusion

You have configured Traefik to work with Docker, set up automatic SSL certificates with Cloudflare, and deployed an example application accessible via both HTTP and HTTPS. Be sure to secure access to Traefik's API and dashboard in production environments.