
Installation

warning

We will use this if we deploy the infrastructure with Docker Compose.

In Kubernetes (k8s), use cert-manager instead.

We are going to use Traefik to generate and manage certificates with Let's Encrypt. For this to work, the first thing we have to do is create the acme.json file. Traefik stores the issued certificates and their private keys in it, so it must be readable only by its owner (mode 600):

touch acme.json
chmod 600 acme.json

We create the Traefik core network:

docker network create web

Traefik is configured either through a TOML file or through labels on the containers that need it. We are going to use labels, because that saves us from keeping more disjoint files on our system.

Next we will look at the settings we apply to our load balancer.

  • --entrypoints.web.address=:80 Defines an entry point called "web" that listens on port 80 of the container.
  • --entrypoints.websecure.address=:443 Defines an entry point called "websecure" that listens on port 443 of the container (used for HTTPS connections).
  • --providers.docker Enables the Docker provider so that Traefik automatically detects containers running on your Docker host.
  • --providers.docker.exposedByDefault=false Tells Traefik not to expose containers discovered through Docker unless they carry the traefik.enable=true label.
  • --api Enables Traefik's web API for administration and monitoring (the dashboard).
  • --certificatesresolvers.le.acme.email=info@example.com Defines the email address used to obtain free TLS certificates from Let's Encrypt.
  • --certificatesresolvers.le.acme.storage=./acme.json Specifies the location of the file that stores the certificates (and their private keys) issued by Let's Encrypt.
  • --certificatesresolvers.le.acme.tlschallenge=true Enables the TLS challenge (TLS-ALPN-01, served on port 443) for Let's Encrypt domain validation.
  • --log.level=DEBUG Sets Traefik's logging level to DEBUG to provide detailed information in the logs while setting things up; the docker-compose.yml below uses INFO, which is quieter for normal operation.
  • traefik.http.routers.traefik.rule=Host(`dashboard.example.com`) This label defines the router for the Traefik administration dashboard. Only requests whose Host header is dashboard.example.com will reach the dashboard.
  • traefik.http.routers.traefik.service=api@internal This label specifies the service to which dashboard traffic is directed: api is Traefik's own API, and @internal means it is provided by Traefik's built-in internal provider rather than by a Docker container.
  • traefik.http.routers.traefik.tls=true This label enables TLS encryption for dashboard access.
  • traefik.http.routers.traefik.tls.certresolver=le This label instructs Traefik to use the le (Let's Encrypt) certificate resolver to obtain the TLS certificate for the dashboard.
  • traefik.http.routers.traefik.entrypoints=websecure This label specifies that dashboard traffic should use the websecure entry point defined by the --entrypoints.websecure.address=:443 flag (port 443).
  • traefik.http.routers.traefik.middlewares=authtraefik This label indicates that dashboard traffic must pass through the authtraefik middleware, which is configured to require basic authentication.
  • traefik.http.middlewares.authtraefik.basicauth.users=admin:$$2y$$10$$86tihy4eRLWLWLTExtMBEzKOHdh0hv8SbtaZVg3RwobqBGnK9WToa9q This label defines the basic authentication credentials for accessing the dashboard. To create the user and password hash we use htpasswd as follows: htpasswd -nBC 10 admin. Every $ in the resulting bcrypt hash is doubled ($$) because Docker Compose would otherwise treat it as variable interpolation.
  • traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`) This label defines a catch-all router that matches any host.
  • traefik.http.routers.http-catchall.entrypoints=web This label indicates that catch-all traffic should use the web entry point defined by the --entrypoints.web.address=:80 flag (port 80).
  • traefik.http.routers.http-catchall.middlewares=redirect-to-https This label indicates that catch-all traffic must pass through the redirect-to-https middleware, which is configured to redirect HTTP traffic to its HTTPS equivalent.
  • traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https This label defines the redirection scheme for the redirect-to-https middleware; in this case it redirects to HTTPS.
docker-compose.yml

services:
  traefik:
    image: traefik@sha256:00cefa1183ba9d8972b24cca4f53f52cad38599ac01f225d11da004ac907c2db
    container_name: traefik
    hostname: traefik
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --providers.docker.exposedByDefault=false
      - --api
      - --certificatesresolvers.le.acme.email=info@example.com
      - --certificatesresolvers.le.acme.storage=./acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --log.level=INFO
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"
    labels:
      - "traefik.enable=true"
      # Dashboard
      - "traefik.http.routers.traefik.rule=Host(`dashboard.example.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.middlewares=authtraefik"
      - "traefik.http.middlewares.authtraefik.basicauth.users=admin:$$2y$$10$$86tihy4eRLWLTExtMBEzKOHdh0hv8SbtaZVg3RwobqBGnK9WToa9q" #admin:demo_
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    restart: unless-stopped
    networks:
      - web

networks:
  web:
    external: true
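Two preflight helpers for the setup above, as an added example that is not part of the original page: one doubles the $ characters in an htpasswd hash so the resulting label can be pasted into docker-compose.yml, the other verifies that acme.json exists with mode 600 before Traefik is started. The script name preflight.sh and the sample hash in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes a POSIX shell with
# sed and find; htpasswd (apache2-utils) is only needed for the last step.

# Docker Compose treats a single "$" as variable interpolation, so every
# "$" in the bcrypt hash printed by htpasswd must be doubled before it is
# placed in the basicauth.users label. Input: "user:hash" as printed by
# htpasswd -nBC 10 <user>. Example: 'admin:$2y$10$abc' -> 'admin:$$2y$$10$$abc'
escape_compose_dollars() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# Builds the complete label line for the authtraefik middleware.
basicauth_label() {
    printf 'traefik.http.middlewares.authtraefik.basicauth.users=%s' \
        "$(escape_compose_dollars "$1")"
}

# acme.json holds the Let's Encrypt private keys; Traefik refuses to use it
# unless it is readable only by its owner (mode 600). Returns 0 when the
# file exists with exactly that mode, 1 otherwise.
check_acme_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -n "$(find "$f" -maxdepth 0 -perm 600)" ] || {
        echo "wrong permissions on $f (expected 600)" >&2
        return 1
    }
    return 0
}

# Usage when executed as a script (the functions can also be sourced):
#   ./preflight.sh ./acme.json          -> check the storage file
#   ./preflight.sh ./acme.json admin    -> also print the escaped label
if [ "$#" -gt 0 ]; then
    check_acme_file "$1" || exit 1
    if [ "$#" -gt 1 ] && command -v htpasswd >/dev/null 2>&1; then
        # htpasswd -nBC 10 prompts for the password and prints user:hash
        basicauth_label "$(htpasswd -nBC 10 "$2")"
        echo
    fi
fi
```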

We start the containers:

docker-compose up -d

For each container that we want to publish through Traefik, we have to add the following labels to that container:

  • traefik.enable=true This label enables Traefik for the container, allowing Traefik to manage it and configure its routing and load balancing (required because exposedByDefault is false).
  • traefik.http.routers.container.rule=Host(`container.example.com`) This label defines a routing rule for traffic directed to the container.example.com domain. It instructs Traefik to route requests to this container when they are addressed to that specific host name.
  • traefik.http.routers.container.entrypoints=websecure This label specifies that the container's traffic should use the websecure entry point, so it is only accepted over HTTPS connections.
  • traefik.http.routers.container.tls=true This label enables TLS encryption for the container's traffic.
  • traefik.http.routers.container.tls.certresolver=le This label instructs Traefik to use Let's Encrypt to obtain the TLS certificate required for the container, automating certificate management.
  • traefik.http.services.container-service.loadbalancer.server.port=XXXXXX This label defines the internal port of the container to which Traefik should forward traffic. Use it when the container listens on a port other than port 80.
note

Remember to add to Traefik's docker-compose.yml the networks created for the containers you want to connect: the traefik service must be attached to each of them, and each network must be declared at the top level of the file.

    networks:
      - web
      - extra

networks:
  web:
    external: true
  extra:
    external: true
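A backend service exposed through the Traefik instance above, combining the labels listed and the note on networks, as an added example that is not taken from the original page; the service name app, the traefik/whoami image, the host name app.example.com and the internal port 8080 are placeholders.

```yaml
# Added example (not from the original page): a backend published only
# through Traefik. Service name, image, host name and port are placeholders.
services:
  app:
    image: traefik/whoami            # placeholder backend that echoes requests
    container_name: app
    command: ["--port", "8080"]      # listen on 8080 instead of the default 80
    networks:
      - web                          # must share a network with the traefik container
      - extra
    labels:
      - "traefik.enable=true"                                          # required: exposedByDefault=false
      - "traefik.http.routers.app.rule=Host(`app.example.com`)"
      - "traefik.http.routers.app.entrypoints=websecure"               # HTTPS only; port 80 is redirected
      - "traefik.http.routers.app.tls=true"
      - "traefik.http.routers.app.tls.certresolver=le"
      - "traefik.http.services.app-service.loadbalancer.server.port=8080"
    restart: unless-stopped
    # No "ports:" section: the container is reachable only via Traefik,
    # never directly from the host.

networks:
  web:
    external: true                   # created with: docker network create web
  extra:
    external: true
```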