
Introduction to Traefik, a reverse proxy for Docker containers

Traefik is a popular tool for handling web traffic to your Docker containers.

If you want to run several containers on a single server and have more than one of them respond to web traffic, you have to use a reverse proxy like Traefik.

Traefik is free and open source, easy to configure, and handles Let’s Encrypt SSL certificates for you. It also comes with a lovely dashboard of metrics.

Configure the Traefik container

The best way to use Traefik is with Docker Compose. In this guide, we’ll assume you’re using /root/compose to store your configuration.

Create a file called /root/compose/traefik.toml and paste in the following text:

# Traefik will listen for traffic on both HTTP and HTTPS.
defaultEntryPoints = ["http", "https"]

# Network traffic will be entering our Docker network on the usual web ports
# (ie, 80 and 443), where Traefik will be listening.
[entryPoints]
  [entryPoints.http]
  address = ":80"
  # Uncomment the following two lines to redirect HTTP to HTTPS.
  #  [entryPoints.http.redirect]
  #  entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

# These options are for Traefik's integration with Docker.
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "docker.localhost"
watch = true
exposedByDefault = false

# These options are for Traefik's integration with Let's Encrypt.
# Your certificates are stored inside /acme.json inside the container,
# which is /root/compose/acme.json on your server.
[acme]
storage = "acme.json"
onHostRule = true
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"

# https://docs.traefik.io/configuration/logs/
# Uncomment the next line to enable Traefik's access logs.
# [accessLog]

Traefik needs somewhere to store Let’s Encrypt certificates, so create an empty file called /root/compose/acme.json with restricted access permissions:

touch /root/compose/acme.json
chmod 0600 /root/compose/acme.json

It’s often useful to start by segregating containers into separate networks depending on whether they’re meant to handle public web traffic, and whether they need access to backend containers. Add this to your /root/compose/docker-compose.yml file:

# Create two networks: one for front-end containers that we'll make
# publicly accessible to the internet, and one for private back-end.
networks:
  frontend:
  backend:

After that, configure a container to run Traefik in your /root/compose/docker-compose.yml file:

services:
  # Traefik is a reverse proxy. It handles SSL and passes traffic to
  # Docker containers via rules you define in docker-compose labels.
  # Its dashboard is at http://example.com/traefik/ (behind a login).
  traefik:
    # https://hub.docker.com/_/traefik/
    image: traefik:latest
    command: --api --docker --acme.email="hello@example.com"
    restart: always
    networks:
      - backend
      - frontend
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # Access to Docker
      - ./traefik.toml:/traefik.toml              # Traefik configuration
      - ./acme.json:/acme.json                    # SSL certificates
    ports:
      # Map port 80 and 443 on the host to this container.
      - "80:80"
      - "443:443"
    labels:
      - "traefik.docker.network=frontend"
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:example.com,www.example.com; PathPrefixStrip:/traefik"
      - "traefik.port=8080"
      - "traefik.protocol=http"

Use labels to configure Traefik

To tell Traefik which container to forward web traffic to, you can use labels. In the labels just above, we’ve told Traefik:

  • to use the “frontend” network for connections to this container;
  • that any HTTP web traffic to example.com/traefik or www.example.com/traefik should be reverse proxied to port 8080 on this container (which is the port that the Traefik container makes the dashboard available on).

Here’s an example adapted from our WordPress on Docker guide:

wp:
  image: wordpress:latest
  networks:
    - backend
    - frontend
  labels:
    - "traefik.enable=true"
    - "traefik.docker.network=frontend"
    - "traefik.frontend.rule=Host:example.com,www.example.com"
    - "traefik.port=80"
    - "traefik.protocol=http"

Here we’ve told Traefik:

  • to use the “frontend” network for connections to this container;
  • that any HTTP web traffic to example.com or www.example.com should be reverse proxied to port 80 on this container.
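
To make the label-to-routing mapping concrete, here is an added example (not Traefik's own code) that simulates how Traefik 1.x turns the labels above into a routing decision. It models only the label keys used in this guide, the Host: and PathPrefixStrip: matchers, and two settings from traefik.toml: exposedByDefault = false (a container is only routed to when it opts in with traefik.enable=true) and domain = "docker.localhost" (an enabled container with no rule gets Host:<service>.<domain>). When several rules match, Traefik 1.x's default priority is the longest rule, which is why /traefik/ reaches the dashboard rather than WordPress. The db and api services are constructed for the example.

```python
"""Simulate how Traefik 1.x derives routing from docker-compose labels.

Added example for this guide; it is not Traefik's own code. It models only
the label keys and the Host: / PathPrefixStrip: matchers used above, plus
two settings from traefik.toml: exposedByDefault = false and domain.
"""
from dataclasses import dataclass
from typing import Optional

EXPOSED_BY_DEFAULT = False           # exposedByDefault = false in traefik.toml
DEFAULT_DOMAIN = "docker.localhost"  # domain = "docker.localhost" in traefik.toml


@dataclass
class Route:
    service: str   # compose service name the request is proxied to
    network: str   # Docker network Traefik connects over
    port: int      # container port
    protocol: str  # http or https towards the backend
    path: str      # path as forwarded to the container (prefix stripped)


def parse_rule(rule: str) -> dict:
    """Split 'Host:a,b; PathPrefixStrip:/x' into {'Host': ['a', 'b'], 'PathPrefixStrip': ['/x']}."""
    matchers = {}
    for clause in rule.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        name, _, value = clause.partition(":")
        matchers[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return matchers


def route_request(services: dict, host: str, path: str) -> Optional[Route]:
    """Return the Route Traefik would pick for (host, path), or None if nothing matches."""
    host = host.split(":")[0].lower()
    candidates = []
    for name, labels in services.items():
        # With exposedByDefault = false, containers must opt in with traefik.enable=true.
        default_enabled = "true" if EXPOSED_BY_DEFAULT else "false"
        if labels.get("traefik.enable", default_enabled) != "true":
            continue
        # An enabled container without a rule gets Host:<service>.<domain>.
        rule = labels.get("traefik.frontend.rule", f"Host:{name}.{DEFAULT_DOMAIN}")
        matchers = parse_rule(rule)
        hosts = [h.lower() for h in matchers.get("Host", [])]
        if hosts and host not in hosts:
            continue
        forwarded = path
        if "PathPrefixStrip" in matchers:
            prefix = next((p for p in matchers["PathPrefixStrip"] if path.startswith(p)), None)
            if prefix is None:
                continue
            forwarded = path[len(prefix):] or "/"
        route = Route(service=name,
                      network=labels.get("traefik.docker.network", ""),
                      port=int(labels.get("traefik.port", "80")),
                      protocol=labels.get("traefik.protocol", "http"),
                      path=forwarded)
        # Traefik 1.x default priority: the longest rule string wins.
        candidates.append((len(rule), route))
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]


# Constructed label sets: the traefik and wp services from this guide, plus a
# db container with no labels and an api container that is enabled but has no rule.
SERVICES = {
    "traefik": {
        "traefik.docker.network": "frontend",
        "traefik.enable": "true",
        "traefik.frontend.rule": "Host:example.com,www.example.com; PathPrefixStrip:/traefik",
        "traefik.port": "8080",
        "traefik.protocol": "http",
    },
    "wp": {
        "traefik.enable": "true",
        "traefik.docker.network": "frontend",
        "traefik.frontend.rule": "Host:example.com,www.example.com",
        "traefik.port": "80",
        "traefik.protocol": "http",
    },
    "db": {},
    "api": {"traefik.enable": "true", "traefik.port": "3000"},
}

if __name__ == "__main__":
    for host, path in [("www.example.com", "/traefik/"), ("example.com", "/wp-admin/"),
                       ("api.docker.localhost", "/v1/users"), ("db.docker.localhost", "/")]:
        print(host, path, "->", route_request(SERVICES, host, path))
```

Running it shows the security-relevant consequence of exposedByDefault = false: the db container is never reachable through Traefik no matter what hostname is tried, while api becomes reachable at api.docker.localhost the moment it carries traefik.enable=true, so that label deserves the same review as a published port.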

Enable SSL/TLS

Traefik will generate Let’s Encrypt SSL certificates for you automatically, but only if the domains have valid DNS records that point to your Docker server. If that’s already the case, you should have working SSL!

Redirect all HTTP traffic to HTTPS

If you want to redirect all HTTP traffic to HTTPS (as is recommended these days), open /root/compose/traefik.toml in a text editor and uncomment two lines so that it looks like this:

[entryPoints]
  [entryPoints.http]
  address = ":80"
  # Uncomment the following two lines to redirect HTTP to HTTPS.
    [entryPoints.http.redirect]
    entryPoint = "https"

Open /root/compose/docker-compose.yml in a text editor. Under the wp: section, add this label (or uncomment it if it is already there, commented out) so that the end of the labels list looks like this:

      # Uncomment the next line to enable HSTS header.
      - "traefik.frontend.headers.STSSeconds=15768000"

Restart your Docker containers to apply the change:

cd /root/compose
docker-compose down
docker-compose up -d

Customize SSL/TLS security

Traefik’s default SSL/TLS settings are pretty modern, but Traefik does let you configure these to your own needs.

You can declare which versions of TLS and which ciphers you want by adding some lines to /root/compose/traefik.toml. Find the [entryPoints.https.tls] line, which is where you can specify your desired settings:

[entryPoints]
  [entryPoints.http]
  address = ":80"
  # Uncomment the following two lines to redirect HTTP to HTTPS.
  #  [entryPoints.http.redirect]
  #  entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_256_GCM_SHA384"
    ]
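
A small audit of the settings in this section, as an added example that is not part of the guide or of Traefik: it extracts minVersion and cipherSuites from the [entryPoints.https.tls] block (a minimal regex over the layout shown above, not a full TOML parser), flags suites whose name starts with TLS_RSA_ (static RSA key exchange, so no forward secrecy; this applies to the second suite in the list above), flags RC4, 3DES and CBC suites, warns if minVersion is below VersionTLS12, and checks that acme.json, which holds your private keys, is not readable by group or other. The TLS_BLOCK text is a constructed copy of the snippet above.

```python
"""Audit the TLS settings from this guide: minVersion, the cipher suite list
under [entryPoints.https.tls], and the permissions on acme.json.

Added example for this guide, not Traefik's code. It assumes the TOML layout
shown above (minimal regex extraction, not a full TOML parser).
"""
import os
import re
import stat
from typing import List, Optional, Tuple

# Constructed copy of the TLS block from this guide.
TLS_BLOCK = '''
    [entryPoints.https.tls]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_256_GCM_SHA384"
    ]
'''

# Go/Traefik version names, oldest first.
TLS_VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]


def extract_tls_settings(toml_text: str) -> Tuple[Optional[str], List[str]]:
    """Pull minVersion and cipherSuites out of the [entryPoints.https.tls] block."""
    version = re.search(r'minVersion\s*=\s*"([^"]+)"', toml_text)
    array = re.search(r'cipherSuites\s*=\s*\[(.*?)\]', toml_text, re.S)
    suites = re.findall(r'"([^"]+)"', array.group(1)) if array else []
    return (version.group(1) if version else None), suites


def audit_cipher_suites(suites: List[str]) -> List[str]:
    """Flag suites without forward secrecy and legacy ciphers/modes (Go naming)."""
    findings = []
    for suite in suites:
        if suite.startswith("TLS_RSA_"):
            findings.append(f"{suite}: static RSA key exchange, no forward secrecy")
        if any(tag in suite for tag in ("_RC4_", "_3DES_", "_CBC_")):
            findings.append(f"{suite}: legacy cipher or CBC mode")
    return findings


def audit_min_version(min_version: Optional[str]) -> Optional[str]:
    """Return a finding unless minVersion pins TLS 1.2 or newer."""
    if min_version is None:
        return "minVersion not set; Traefik's default applies"
    if min_version not in TLS_VERSIONS:
        return f"minVersion {min_version!r} is not a known version name"
    if TLS_VERSIONS.index(min_version) < TLS_VERSIONS.index("VersionTLS12"):
        return f"minVersion {min_version} permits TLS versions below 1.2; raise it to VersionTLS12"
    return None


def audit_tls_config(toml_text: str) -> List[str]:
    """Combine the version and cipher suite checks into one list of findings."""
    min_version, suites = extract_tls_settings(toml_text)
    findings = []
    version_finding = audit_min_version(min_version)
    if version_finding:
        findings.append(version_finding)
    findings.extend(audit_cipher_suites(suites))
    return findings


def acme_permission_finding(mode: int) -> Optional[str]:
    """acme.json holds private keys: anything beyond owner read/write is a finding."""
    if mode & 0o077:
        return f"acme.json mode {mode:04o} grants group/other access; expected 0600"
    return None


def audit_acme_file(path: str) -> Optional[str]:
    """Check the on-disk permission bits of acme.json."""
    return acme_permission_finding(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for finding in audit_tls_config(TLS_BLOCK):
        print("TLS:", finding)
    acme_path = "/root/compose/acme.json"
    if os.path.exists(acme_path):
        print("acme.json:", audit_acme_file(acme_path) or "ok")
```

Run against the block above it reports exactly one finding, for TLS_RSA_WITH_AES_256_GCM_SHA384; if you keep that suite, sessions negotiated with it can be decrypted later by anyone who obtains the server's private key, which is the reason the ECDHE suites are preferred.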

Traefik metrics dashboard

Traefik comes with a nice dashboard that lists the containers it knows about, and a collection of health metrics. Browse to www.example.com/traefik to see your dashboard.

You might not want this dashboard to be available to the whole internet. Fortunately, it’s straightforward to put a login prompt in front.

First, install the package that provides htpasswd, which we’ll use to generate a password hash:

apt-get install apache2-utils

Pick a username. Here we’ve chosen the username “admin”. Run this command, which will prompt you for a password:

htpasswd -n admin
New password:
Re-type new password:
admin:$apr1$gvliEVWJ$FTtfyaV5P7vZL5du194c30

Create a file called /root/compose/.env. Using the output from above, insert the following line:

BASIC_AUTH=admin:$apr1$gvliEVWJ$FTtfyaV5P7vZL5du194c30

In your /root/compose/docker-compose.yml file, add this label to the Traefik container:

      - "traefik.frontend.auth.basic=${BASIC_AUTH}"

Restart your Docker containers to apply the change:

cd /root/compose
docker-compose down
docker-compose up -d

Now when you browse to your dashboard, you’ll be prompted for the above username and password.

Updated on November 7, 2018
