Need to set up Traefik Reverse Proxy for Docker Containers on Ubuntu 20.04?
At Bobcares we often handle similar requests from our customers as a part of our Server Management Services.
Today let’s see how our Support Engineers do this for our customers with ease.
How to set up Traefik Reverse Proxy for Docker Containers on Ubuntu 20.04
Before going into the steps to set up Traefik Reverse Proxy for Docker Containers, we will take a glimpse of Traefik.
What is Traefik Reverse Proxy?
Traefik is one of the methods used to set reverse proxy on Docker when we want to run multiple applications which results in the exposure of 80 and 443 ports.
And traefik has its own monitoring dashboard. It is easy to configure many services at the application container level due to the declarative configuration of Traefik.
Also, we will not have to restart the traefik container when a new application is added to proxy traffic. This is because Traefik monitors the Docket socket files and will notice the changes made to it.
Steps to set up Traefik Reverse Proxy for Docker Containers on Ubuntu 20.04
We will check the steps that our Support Techs follow to set up Traefik Reverse Proxy for Docker.
Here will take a Docker container on Ubuntu 20.04 and use Traefik to route requests to two different web applications.
One of them will be a WordPress container and the other one will be an Adminer container, each communicating to a MySQL database.
We will configure Traefik to serve everything over HTTPS using Let’s Encrypt.
The following are the steps to follow for the set up:
1. Configuring Traefik
First, we need to create a configuration file and set up an encrypted password so we can access the monitoring dashboard.
We will use the htpasswd utility to create this encrypted password.
Install the utility with the following command:
$ sudo apt-get install apache2-utils
Then we can generate the password with htpasswd.
And substitute secure_password with the password we like to use for the Traefik admin user:
$ htpasswd -nb admin secure_password
We will get an output as shown below:
admin:$apr1$ruca84Hq$mbjdMZBAG.KWn7vfN/SNK/
We must copy the output we receive as we will use it in the Traefik configuration file to set up HTTP Basic Authentication for the Traefik health check and the monitoring dashboard.
Next we will create a configuration file called traefik.toml using the TOML format.
We will use three of Traefik’s available providers: api, docker, and acme. The last of these, acme supports TLS certificates using Let’s Encrypt.
Open the new file text editor:
$ nano traefik.toml
First, we need to add two named entry points, http and https, to which all backends have access by default:
defaultEntryPoints = ["http", "https"]
Next, access to a dashboard interface and paste the output from the htpasswd command:
... [entryPoints] [entryPoints.dashboard] address = ":8080" [entryPoints.dashboard.auth] [entryPoints.dashboard.auth.basic] users = ["admin:your_encrypted_password"] [api] entrypoint="dashboard"
We set the dashboard to run on port 8080.
We have defined our first entryPoint.
The entryPoints section configures the addresses that Traefik and the proxied containers get listed on.
We need to add these lines to the file
... [entryPoints.http] address = ":80" [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] ...
The HTTP entry point handles port 80, while the HTTPS entry point uses port 443 for TLS/SSL.
We automatically redirect all of the traffic on port 80 to the HTTPS entry point to force secure connections for all requests.
Next, add the below lines to configure Let’s Encrypt certificate support for Traefik:
... [acme] email = "your_email@your_domain" storage = "acme.json" entryPoint = "https" onHostRule = true [acme.httpChallenge] entryPoint = "http"
Finally, we will configure the docker provider by adding these lines to the file:
... [docker] domain = "your_domain" watch = true network = "web"
The docker provider enables Traefik to act as a proxy in front of Docker containers.
Save the file and exit the editor.
[Facing difficulty to configure Traefik? We are happy to help you!]
2. Running the Traefik Container
Next, we need to create a Docker network for the proxy to share with containers.
The following command can be used:
$ docker network create web
When the Traefik container starts, we will add it to this network.
Then we can add additional containers to this network for Traefik to proxy to.
Create an empty file that will hold our Let’s Encrypt information.
We will share this into the container by using the following command:
$ touch acme.json
The root user inside of the container must have unique read and write access to it so that Traefik can use it. We can change the permission using the following command:
$ chmod 600 acme.json
Once the file moves to Docker, the owner gets changed to root automatically inside the container.
Finally, we will create the Traefik container with this command:
$ docker run -d \
$ -v /var/run/docker.sock:/var/run/docker.sock \
$ -v $PWD/traefik.toml:/traefik.toml \
$ -v $PWD/acme.json:/acme.json \
$ -p 80:80 \
$ -p 443:443 \
$ -l traefik.frontend.rule=Host:monitor.your_domain \
$ -l traefik.port=8080 \
$ --network web \
$ --name traefik \
$ traefik:1.7-alpine
Now that the container is running we will have a dashboard to access and monitor the health of the containers.
We can access the monitoring dashboard by pointing the browser to https://monitor.your_domain.
By using the admin login credentials we will be able to see the dashboard. But we can see contents only after adding containers.
3. Adding Containers to Traefik
Now that we have our Traefik proxy running, configured to work with Docker, and ready to monitor other Docker containers
We will add the below containers for Traefik to proxy.
1. A blog using the official WordPress image.
2. A database management server using the official Adminer image.
We will manage both of these applications with Docker Compose using a docker-compose.yml file.
First, create and open the docker-compose.yml file in your editor:
$ nano docker-compose.yml
Then we need to add the following lines to specify the version and the networks we use:
version: "3" networks: web: external: true internal: external: false
Here we will use the Docker Compose version 3 as it’s the newest major version of the Compose file format.
Next, we will define the services of the blog container, which is based on an official WordPress image.
Add these lines to the bottom of the configuration file:
... services: blog: image: wordpress:4.9.8-apache environment: WORDPRESS_DB_PASSWORD: labels: - traefik.backend=blog - traefik.frontend.rule=Host:blog.your_domain - traefik.docker.network=web - traefik.port=80 networks: - internal - web depends_on: - mysql
Now all traffic to our Docker host’s port 80 will be routed to the blog container.
We will assign this container to two different networks so that Traefik can find it via the web network and can communicate with the database container through the internal network.
Lastly, the depends_on key tells Docker Compose that this container needs to start after its dependencies are running.
Since WordPress needs a database to run, we must run our MySQL container before starting our blog container.
After that we can configure the MySQL service by adding the following lines to the bottom of the configuration file:
... mysql: image: mysql:5.7 environment: MYSQL_ROOT_PASSWORD: networks: - internal labels: - traefik.enable=false
Finally, we can add this configuration to the bottom of the configuration file to define the Adminer container:
... adminer: image: adminer:4.6.3-standalone labels: - traefik.backend=adminer - traefik.frontend.rule=Host:db-admin.your_domain - traefik.docker.network=web - traefik.port=8080 networks: - internal - web depends_on: - mysql
Save the file and exit.
Next, we will set values in the shell for the WORDPRESS_DB_PASSWORD and MYSQL_ROOT_PASSWORD variables before starting the containers:
$ export WORDPRESS_DB_PASSWORD=secure_database_password
$ export MYSQL_ROOT_PASSWORD=secure_database_password
We can substitute secure_database_password with the desired database password.
But we must use the same password for both WORDPRESS_DB_PASSWORD and MYSQL_ROOT_PASSWORD.
Finally, we can run the containers using docker-compose:
$ docker-compose up -d
Both sites will be working, and we can use the Traefik dashboard for monitoring the containers.
[Need assistance to use Traefik? We are here for you!]
Conclusion
To conclude, we saw how to set up traefik reverse proxy for docker on ubuntu 20.04. Also, saw the method followed by our Support Engineers to set this up.
Hello. Thank you for writing your post about Traefik. We’d like to send you some swag as thanks. Please fill this form out and we’ll send soon. Thanks! https://traefikambassador.typeform.com/to/nHCbC0