Traefik Config Notes #
Traefik configuration consists of two parts:
- static config (traefik.yaml)
- dynamic config (from files in a directory, the docker socket, etc.)
Static Config #
In the static config we define the entry points, the certificate resolvers for TLS (including the certificate renewal parameters) and the providers of dynamic configuration.
```yaml
core:
  defaultRuleSyntax: v2
#log:
#  level: DEBUG
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: "CertificateResolver0"
        domains:
          - main: "example.org"
            sans:
              - "*.example.org"
providers:
  docker:
    exposedByDefault: false
  file:
    directory: "/dynamic-conf"
serversTransport:
  # global default for every backend: upstream TLS certificates are NOT verified
  insecureSkipVerify: true
api:
  #insecure: true
  dashboard: true
  #debug: true
  #disabledashboardad: false
certificatesResolvers:
  CertificateResolver0:
    acme:
      email: "[email protected]"
      storage: "/path/to/acme-mydomain.json"
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: "cloudflare"
        delayBeforeCheck: "60s"
        resolvers:
          # specify multiple if desired
          - "1.1.1.1:53"
```
Let’s Encrypt Certificates #
Note: Let’s Encrypt issues wildcard certificates only when ACME verification is done through the DNS-01 challenge. This is especially convenient for internal services, i.e., services exposed only to local networks: validation happens through a DNS record, so the hosts never have to be reachable from the internet.
Traefik renews Let’s Encrypt certificates automatically when they approach expiry. It uses the lego ACME client under the hood, so it supports the DNS providers lego supports (see https://github.com/go-acme/lego). The provider credentials are read from environment variables; for the cloudflare provider used above that is CF_DNS_API_TOKEN. That token can modify DNS records for the zone, so scope it to DNS edits on that zone only and hand it to Traefik through the environment or a secret rather than writing it into the config file.
Dynamic Config (directory) #
If a local directory is used as a dynamic config provider, Traefik watches the contents of the specified directory (/dynamic-conf in the example above) and reconfigures its routers and services whenever a file changes.
We can organize the dynamic config in multiple files, e.g.:
- /dynamic-conf/general.yaml
- /dynamic-conf/cluster55.yaml
- etc.
Here’s an example dynamic config file:
```yaml
http:
  routers:
    site1Router:
      entryPoints:
        - "websecure"
      rule: "Host(`site1.example.org`)"
      service: "site1Service"
    site2Router:
      entryPoints:
        - "websecure"
      rule: "Host(`site2.example.org`)"
      service: "site2Service"
  serversTransports:
    # a named transport only takes effect for services that reference it via
    # loadBalancer.serversTransport; otherwise the global static default applies
    skipVerifyTransport:
      insecureSkipVerify: true
  services:
    site1Service:
      loadBalancer:
        servers:
          - url: "http://192.168.0.10"
    site2Service:
      loadBalancer:
        servers:
          - url: "https://192.168.0.20:443"
```
On the internal network, site1 is served over plain HTTP and site2 over HTTPS.
Traefik exposes both over HTTPS through the websecure entry point, serving both with the wildcard Let’s Encrypt certificate. Note what insecureSkipVerify (set globally in the static config above, and again in skipVerifyTransport) means for the back half of the connection: Traefik does not validate the certificate that 192.168.0.20 presents, so the hop to site2 is encrypted but the backend is not authenticated, and the hop to site1 is plaintext. On a trusted LAN segment that may be an acceptable trade-off, but it is a trade-off.
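The same two services with the weak transport replaced, as an added example that is not part of the original notes: site2 is reached through a transport that trusts the internal CA and checks the backend's certificate name, so the Traefik-to-backend hop is both encrypted and authenticated. The CA path /certs/internal-ca.pem and the backend name site2.internal.example.org are assumptions; the backend's certificate must carry that name.

```yaml
http:
  routers:
    site1Router:
      entryPoints:
        - "websecure"
      rule: "Host(`site1.example.org`)"
      service: "site1Service"
    site2Router:
      entryPoints:
        - "websecure"
      rule: "Host(`site2.example.org`)"
      service: "site2Service"
  serversTransports:
    internalCaTransport:
      # assumed path: PEM bundle of the private CA that signed the backend certificates
      rootCAs:
        - "/certs/internal-ca.pem"
      # assumed name: sent as SNI and checked against the backend's certificate, since the
      # server URL below addresses the backend by IP rather than by name
      serverName: "site2.internal.example.org"
  services:
    site1Service:
      loadBalancer:
        servers:
          - url: "http://192.168.0.10"   # still plaintext on the LAN; only the client-facing hop is TLS
    site2Service:
      loadBalancer:
        # reference the verifying transport instead of relying on the global default
        serversTransport: "internalCaTransport"
        servers:
          - url: "https://192.168.0.20:443"
```

With this in place the global serversTransport.insecureSkipVerify in the static config can be removed entirely; any backend whose certificate cannot be verified then fails closed with a 502 instead of being proxied silently.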
Dynamic Config (docker socket) #
To provide dynamic config to Traefik from Docker, the Docker socket has to be reachable from the Traefik process. In the following example the socket is bind-mounted into the container running Traefik, and the dynamic configuration for the Traefik instance’s own dashboard is given as container labels. Keep in mind that anything that can talk to /var/run/docker.sock controls the Docker daemon (it can start privileged containers, mount host paths, and so on), and the :ro flag on the mount only affects the socket file as a filesystem object; it does not restrict the API calls made through it. A compromise of the Traefik container is therefore a compromise of the host.
```yaml
version: "3.3"
services:
  reverse-proxy:
    image: "traefik:v3.0"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"   # dashboard/API listener; only exists when api.insecure is true in the static config
    environment:
      # placeholder name; lego's cloudflare provider actually reads CF_DNS_API_TOKEN
      - "MY_DNS_PROVIDER_API_TOKEN=${MY_DNS_PROVIDER_API_TOKEN}"
    volumes:
      - "./config/traefik.yaml:/etc/traefik/traefik.yaml:ro"
      - "./dynamic-conf:/dynamic-conf:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"   # :ro does not limit what the Docker API will do
      - "./letsencrypt:/letsencrypt"                     # persisted ACME storage
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myrouter.rule=Host(`traefik.example.org`)"
      - "traefik.http.routers.myrouter.entrypoints=websecure"
      - "traefik.http.routers.myrouter.tls=true"
      # the router uses the container's only service; it proxies to the :8080 listener above
      - "traefik.http.services.myservice.loadbalancer.server.port=8080"
    restart: always
```
This compose file publishes the Traefik web UI directly on host port 8080 and also routes https://traefik.example.org (port 443) to it. Both depend on api.insecure: true in the static config: that option is what makes Traefik create the traefik entry point on port 8080, and the label loadbalancer.server.port=8080 simply proxies the HTTPS router to that listener. With insecure left commented out, as in the static config above, nothing listens on 8080 and the router has to target Traefik’s built-in service api@internal instead. Port 8080 is also unauthenticated and bound to every host interface, which is the reason to prefer the router. Finally, the ACME storage file named by storage in the static config has to live on a persisted volume such as the ./letsencrypt mount here; otherwise Traefik requests fresh certificates on every restart and quickly runs into Let’s Encrypt’s rate limits.
Traefik reads the labels as dynamic config, and the label names are constructed so that they reproduce the YAML structure of the file provider (compare traefik.http.routers.myrouter.rule with http.routers.site1Router.rule in the previous section).
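The same deployment with the dashboard exposed the way a practitioner would want it, added here as an example rather than taken from the original notes: no host port 8080, the router targets api@internal so api.insecure can stay off, and two middlewares restrict the dashboard to the LAN and require a login. The htpasswd file path, the 192.168.0.0/24 range and the CF_DNS_API_TOKEN variable name for the cloudflare provider are assumptions.

```yaml
services:
  reverse-proxy:
    image: "traefik:v3.0"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      # no 8080: the dashboard is only reachable through the HTTPS router below
    environment:
      - "CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}"   # variable lego's cloudflare provider reads
    volumes:
      - "./config/traefik.yaml:/etc/traefik/traefik.yaml:ro"
      - "./dynamic-conf:/dynamic-conf:ro"
      # assumed file, generated with: htpasswd -nB admin > config/dashboard.htpasswd
      - "./config/dashboard.htpasswd:/etc/traefik/dashboard.htpasswd:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.org`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls=true"
      # api@internal is Traefik's built-in dashboard/API service: no container port, no api.insecure
      - "traefik.http.routers.dashboard.service=api@internal"
      # middlewares run in the listed order: IP check first, then authentication
      - "traefik.http.routers.dashboard.middlewares=dashboard-lan,dashboard-auth"
      # assumed LAN range; requests from anywhere else get a 403 before reaching the dashboard
      - "traefik.http.middlewares.dashboard-lan.ipallowlist.sourcerange=192.168.0.0/24"
      # credentials live in a mounted file, not in the labels (compose would also need $$ escaping for hashes)
      - "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/etc/traefik/dashboard.htpasswd"
    restart: always
```

The dashboard is then available at https://traefik.example.org/dashboard/ for LAN clients with valid credentials and nowhere else; the static config above needs no change because api.dashboard: true is all that api@internal requires.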