7c2ba62b56
- user-guide review. - add DataDog and StatD configuration. - sync sample.toml and doc. - split entry points doc. - Deprecated.
213 lines
9.3 KiB
Markdown
213 lines
9.3 KiB
Markdown
# Docker & Traefik
|
|
|
|
In this use case, we want to use Traefik as a _layer-7_ load balancer with SSL termination for a set of micro-services used to run a web application.
|
|
We also want to automatically _discover any services_ on the Docker host and let Traefik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.
|
|
In addition, we want to use Let's Encrypt to automatically generate and renew SSL certificates per hostname.
|
|
|
|
## Setting Up
|
|
|
|
In order for this to work, you'll need a server with a public IP address, with Docker installed on it.
|
|
In this example, we're using the fictitious domain _my-awesome-app.org_.
|
|
In real-life, you'll want to use your own domain and have the DNS configured accordingly so the hostname records you'll want to use point to the aforementioned public IP address.
|
|
|
|
## Networking
|
|
|
|
Docker containers can only communicate with each other over TCP when they share at least one network.
|
|
This makes sense from a topological point of view in the context of networking, since Docker under the hood creates IPTable rules so containers can't reach other containers _unless you'd want to_.
|
|
In this example, we're going to use a single network called `web` where all containers that are handling HTTP traffic (including Traefik) will reside in.
|
|
|
|
On the Docker host, run the following command:
|
|
|
|
`$ docker network create web`
|
|
|
|
Now, let's create a directory on the server where we will configure the rest of Traefik:
|
|
|
|
`$ mkdir -p /opt/traefik`
|
|
|
|
Within this directory, we're going to create 3 empty files:
|
|
|
|
```sh
|
|
$ touch /opt/traefik/docker-compose.yml
|
|
$ touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json
|
|
$ touch /opt/traefik/traefik.toml
|
|
```
|
|
|
|
The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Traefik.
|
|
The contents of the file is as follows:
|
|
|
|
```yaml
|
|
version: '2'
|
|
|
|
services:
|
|
traefik:
|
|
image: traefik:1.3.5
|
|
restart: always
|
|
ports:
|
|
- 80:80
|
|
- 443:443
|
|
networks:
|
|
- web
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
- /srv/traefik/traefik.toml:/traefik.toml
|
|
- /srv/traefik/acme.json:/acme.json
|
|
container_name: traefik
|
|
|
|
networks:
|
|
web:
|
|
external: true
|
|
```
|
|
|
|
As you can see, we're mounting the `traefik.toml` file as well as the (empty) `acme.json` file in the container.
|
|
Also, we're mounting the `/var/run/docker.sock` Docker socket in the container as well, so Traefik can listen to Docker events and reconfigure it's own internal configuration when containers are created (or shut down).
|
|
Also, we're making sure the container is automatically restarted by the Docker engine in case of problems (or: if the server is rebooted).
|
|
We're publishing the default HTTP ports `80` and `443` on the host, and making sure the container is placed within the `web` network we've created earlier on.
|
|
Finally, we're giving this container a static name called `traefik`.
|
|
|
|
Let's take a look at a simply `traefik.toml` configuration as well before we'll create the Traefik container:
|
|
|
|
```toml
|
|
debug = false
|
|
checkNewVersion = true
|
|
logLevel = "ERROR"
|
|
defaultEntryPoints = ["https","http"]
|
|
|
|
[entryPoints]
|
|
[entryPoints.http]
|
|
address = ":80"
|
|
[entryPoints.http.redirect]
|
|
entryPoint = "https"
|
|
[entryPoints.https]
|
|
address = ":443"
|
|
[entryPoints.https.tls]
|
|
|
|
[retry]
|
|
|
|
[docker]
|
|
endpoint = "unix:///var/run/docker.sock"
|
|
domain = "my-awesome-app.org"
|
|
watch = true
|
|
exposedbydefault = false
|
|
|
|
[acme]
|
|
email = "your-email-here@my-awesome-app.org"
|
|
storage = "acme.json"
|
|
entryPoint = "https"
|
|
OnHostRule = true
|
|
```
|
|
|
|
This is the minimum configuration required to do the following:
|
|
|
|
- Log `ERROR`-level messages (or more severe) to the console, but silence `DEBUG`-level messagse
|
|
- Check for new versions of Traefik periodically
|
|
- Create two entry points, namely an `HTTP` endpoint on port `80`, and an `HTTPS` endpoint on port `443` where all incoming traffic on port `80` will immediately get redirected to `HTTPS`.
|
|
- Enable the Docker configuration backend and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Traefik by default, we'll get into this in a bit!**
|
|
- Enable automatic request and configuration of SSL certificates using Let's Encrypt. These certificates will be stored in the `acme.json` file, which you can back-up yourself and store off-premises.
|
|
|
|
Alright, let's boot the container. From the `/opt/traefik` directory, run `$ docker-compose up -d` which will create and start the Traefik container.
|
|
|
|
## Exposing Web Services to the Outside World
|
|
|
|
Now that we've fully configured and started Traefik, it's time to get our applications running!
|
|
|
|
Let's take a simple example of a micro-service project consisting of various services, where some will be exposed to the outside world and some will not. The `docker-compose.yml` of our project looks like this:
|
|
|
|
```yaml
|
|
version: "2.1"
|
|
|
|
services:
|
|
app:
|
|
image: my-docker-registry.com/my-awesome-app/app:latest
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
redis:
|
|
condition: service_healthy
|
|
restart: always
|
|
networks:
|
|
- web
|
|
- default
|
|
expose:
|
|
- "9000"
|
|
labels:
|
|
- "traefik.backend=my-awesome-app-app"
|
|
- "traefik.docker.network=web"
|
|
- "traefik.frontend.rule=Host:app.my-awesome-app.org"
|
|
- "traefik.enable=true"
|
|
- "traefik.port=9000"
|
|
|
|
db:
|
|
image: my-docker-registry.com/back-end/5.7
|
|
restart: always
|
|
|
|
redis:
|
|
image: my-docker-registry.com/back-end/redis:4-alpine
|
|
restart: always
|
|
|
|
events:
|
|
image: my-docker-registry.com/my-awesome-app/events:latest
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
redis:
|
|
condition: service_healthy
|
|
restart: always
|
|
networks:
|
|
- web
|
|
- default
|
|
expose:
|
|
- "3000"
|
|
labels:
|
|
- "traefik.backend=my-awesome-app-events"
|
|
- "traefik.docker.network=web"
|
|
- "traefik.frontend.rule=Host:events.my-awesome-app.org"
|
|
- "traefik.enable=true"
|
|
- "traefik.port=3000"
|
|
|
|
networks:
|
|
web:
|
|
external: true
|
|
```
|
|
|
|
Here, we can see a set of services with two applications that we're actually exposing to the outside world.
|
|
Notice how there isn't a single container that has any published ports to the host -- everything is routed through Docker networks.
|
|
Also, only the containers that we want traffic to get routed to are attached to the `web` network we created at the start of this document.
|
|
Since the `traefik` container we've created and started earlier is also attached to this network, HTTP requests can now get routed to these containers.
|
|
|
|
### Labels
|
|
|
|
As mentioned earlier, we don't want containers exposed automatically by Traefik.
|
|
The reason behind this is simple: we want to have control over this process ourselves.
|
|
Thanks to Docker labels, we can tell Traefik how to create it's internal routing configuration.
|
|
Let's take a look at the labels themselves for the `app` service, which is a HTTP webservice listing on port 9000:
|
|
|
|
```yaml
|
|
- "traefik.backend=my-awesome-app-app"
|
|
- "traefik.docker.network=web"
|
|
- "traefik.frontend.rule=Host:app.my-awesome-app.org"
|
|
- "traefik.enable=true"
|
|
- "traefik.port=9000"
|
|
```
|
|
|
|
First, we specify the `backend` name which corresponds to the actual service we're routing **to**.
|
|
We also tell Traefik to use the `web` network to route HTTP traffic to this container. With the `frontend.rule` label, we tell Traefik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
|
|
Essentially, this is the actual rule used for Layer-7 load balancing.
|
|
With the `traefik.enable` label, we tell Traefik to include this container in it's internal configuration.
|
|
Finally but not unimportantly, we tell Traefik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
|
|
|
|
#### Gotchas and tips
|
|
|
|
- Always specify the correct port where the container expects HTTP traffic using `traefik.port` label.
|
|
If a container exposes multiple ports, Traefik may forward traffic to the wrong port.
|
|
Even if a container only exposes one port, you should always write configuration defensively and explicitly.
|
|
- Should you choose to enable the `exposedbydefault` flag in the `traefik.toml` configuration, be aware that all containers that are placed in the same network as Traefik will automatically be reachable from the outside world, for everyone and everyone to see.
|
|
Usually, this is a bad idea.
|
|
- With the `traefik.frontend.auth.basic` label, it's possible for Traefik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
|
|
- Traefik has built-in support to automatically export [Prometheus](https://prometheus.io) metrics
|
|
- Traefik supports websockets out of the box. In the example above, the `events`-service could be a NodeJS-based application which allows clients to connect using websocket protocol.
|
|
Thanks to the fact that HTTPS in our example is enforced, these websockets are automatically secure as well (WSS)
|
|
|
|
### Final thoughts
|
|
|
|
Using Traefik as a Layer-7 load balancer in combination with both Docker and Let's Encrypt provides you with an extremely flexible, performant and self-configuring solution for your projects.
|
|
With Let's Encrypt, your endpoints are automatically secured with production-ready SSL certificates that are renewed automatically as well.
|