Traefik 2.5 quick-start guide

How to use TOML, YAML, or Docker Labels to hit the ground running with Traefik 2.5 under Docker Compose.

Setup

Traefik

Before examining each directory and file individually, let’s look at the structure of my /srv/traefik directory to get a feel for where we’re going with this article:

/srv/traefik
├── disabled
├── logs
├── plugins
│   └── src
│       └── github.com
│           └── traefik
│               ├── plugin-blockpath
│               │   ├── blockpath.go
│               │   ├── blockpath_test.go
│               │   ├── .github
│               │   │   └── workflows
│               │   │       ├── go-cross.yml
│               │   │       └── main.yml
│               │   ├── .gitignore
│               │   ├── .golangci.yml
│               │   ├── go.mod
│               │   ├── LICENSE
│               │   ├── Makefile
│               │   ├── README.md
│               │   └── .traefik.yml
│               └── plugin-rewritebody
│                   ├── .github
│                   │   └── workflows
│                   │       ├── go-cross.yml
│                   │       └── main.yml
│                   ├── .gitignore
│                   ├── .golangci.toml
│                   ├── go.mod
│                   ├── LICENCE
│                   ├── Makefile
│                   ├── README.md
│                   ├── rewritebody.go
│                   ├── rewritebody_test.go
│                   └── .traefik.yml
├── traefik.d
│   ├── block-sensitive.toml
│   ├── core-admins.toml
│   ├── core-bastions.toml
│   ├── core-certificates.toml
│   ├── route-ltg.fyi.toml
│   ├── route-thad.getterman.org.toml
│   ├── route-traefik-dashboard.toml
│   ├── service-example.toml
│   ├── service-nginx.toml
│   └── service-whoami.toml
├── traefik.toml
└── users
    └── admins

Let’s start by creating a path for Traefik’s logs, local plug-ins (without the need for Traefik Pilot!), dynamic configurations, and users for basic access authentication:

mkdir -pv /srv/traefik/{logs,plugins/src,traefik.d,users}

Static configuration

For Traefik’s static configuration, let’s aim for the following:

  • Send anonymous usage statistics to Traefik Labs.
  • Pass server and access logging to Docker Compose in the JSON format (there’s more information and the output is easy to parse with jq if needed).
  • Dynamic configurations based on files in a directory.
  • Docker integration.
  • Traefik Dashboard that’s only accessible by you and available at the /traefik path of your site (this is set by the dynamic configuration that I’ll cover further in this article).
  • SSL with externally generated Let’s Encrypt certificates.
  • HTTP (80/TCP) and HTTPS (443/TCP) while permanently redirecting (A.K.A. “301 redirects”) every unencrypted connection to an encrypted one.
  • Local plug-ins.

Pick either TOML or YAML.

/srv/traefik/traefik.toml

[global]
    sendAnonymousUsage = true

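[accessLog]

    format = "json"

    # filePath is left unset so that access logs go to stdout; any value,
    # including "os.Stdout", is treated as a file name.
    # Alternative:
    # filePath = "/logs/access.log"

[log]

    format = "json"
    level = "INFO"

    # filePath is left unset so that logs go to stdout (same rule as above).
    # Alternative:
    # filePath = "/logs/traefik.log"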

[providers]

    [providers.file]
        directory = "/etc/traefik"
        watch = true

    [providers.docker]
        endpoint = "unix:///var/run/docker.sock"
        watch = true
        exposedByDefault = false

[api]
    dashboard = true
    insecure = false

[serversTransport]
    insecureSkipVerify = false
    rootCAs = ["/cacerts/ca-certificates.crt"]

[entryPoints]
    [entryPoints.web]
        address = ":80"
        [entryPoints.web.http]
            [entryPoints.web.http.redirections]
                [entryPoints.web.http.redirections.entryPoint]
                    to = "websecure"
                    scheme = "https"
                    permanent = true
    [entryPoints.websecure]
        address = ":443"

# Optional
# [pilot]
#     token = "12-34-56-78-90"

[experimental.localPlugins]

    [experimental.localPlugins.blockpath]
        moduleName = "github.com/traefik/plugin-blockpath"

    [experimental.localPlugins.rewritebody]
        moduleName = "github.com/traefik/plugin-rewritebody"

/srv/traefik/traefik.yaml

global:
    sendAnonymousUsage: true

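accessLog:

    format: json

    # filePath is left unset so that access logs go to stdout; any value,
    # including "os.Stdout", is treated as a file name.
    # Alternative:
    # filePath: /logs/access.log

log:

    format: json
    level: INFO

    # filePath is left unset so that logs go to stdout (same rule as above).
    # Alternative:
    # filePath: /logs/traefik.log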

providers:

    file:
        directory: /etc/traefik
        watch: true

    docker:
        endpoint: unix:///var/run/docker.sock
        watch: true
        exposedByDefault: false

api:
    dashboard: true
    insecure: false

serversTransport:
    insecureSkipVerify: false
    rootCAs:
        - /cacerts/ca-certificates.crt

entryPoints:
    web:
        address: ":80"
        http:
            redirections:
                entryPoint:
                    to: websecure
                    scheme: https
                    permanent: true
    websecure:
        address: ":443"

# Optional
# pilot:
#     token: "12-34-56-78-90"

experimental:

    localPlugins:

        blockpath:
            moduleName: "github.com/traefik/plugin-blockpath"

        rewritebody:
            moduleName: "github.com/traefik/plugin-rewritebody"
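
The static configuration above relies on a handful of values staying as written: api.insecure off, exposedByDefault off, insecureSkipVerify off, and the HTTP-to-HTTPS redirect. The script below is an added example, not part of the original guide or of Traefik, that checks those values in either the TOML or the YAML file. The function names, the finding names and the sample file are made up for this example, and the line-by-line parsing only suits flat, hand-written files like the ones shown here.

```shell
#!/bin/sh
# Added example (not from the guide): report risky values in a flat,
# hand-written Traefik static configuration, TOML or YAML.

# setting_value FILE KEY: print the first value assigned to KEY, lowercased
# and unquoted. Comments are ignored; nothing is printed if KEY is absent.
setting_value() {
    sed 's/#.*$//' "$1" | awk -v key="$2" '
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH)
            gsub(/"/, "", v)
            if (tolower(k) == tolower(key)) { print tolower(v); exit }
        }'
}

# check_static FILE: print the names of the findings, space-separated.
check_static() {
    out=""
    # api.insecure = true serves the API and dashboard without authentication.
    if [ "$(setting_value "$1" insecure)" = "true" ]; then out="$out api-insecure"; fi
    # Unless this is false, every container is published automatically.
    if [ "$(setting_value "$1" exposedByDefault)" != "false" ]; then out="$out exposed-by-default"; fi
    # true turns off certificate verification towards back ends.
    if [ "$(setting_value "$1" insecureSkipVerify)" = "true" ]; then out="$out skip-verify"; fi
    # The web entry point is expected to redirect to HTTPS.
    if [ "$(setting_value "$1" scheme)" != "https" ]; then out="$out no-https-redirect"; fi
    echo "${out# }"
}

# Constructed sample: part of the guide's TOML with api.insecure weakened
# and exposedByDefault left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[providers.docker]
    endpoint = "unix:///var/run/docker.sock"
[api]
    insecure = true
[serversTransport]
    insecureSkipVerify = false
[entryPoints.web.http.redirections.entryPoint]
    scheme = "https"
EOF
echo "findings: $(check_static "$sample")"
rm -f "$sample"
```

Run `check_static /srv/traefik/traefik.toml` (or the YAML file) after each edit; empty output means none of the four settings has drifted.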

Administrative users

I have a bcrypt function defined in my dotfiles (source code), which wraps around htpasswd. The format of Traefik’s basic auth users file is simple enough: username:hash.

If I wanted to set up an admin user with the password b747bf685918430f2bfa2592a80c0cb4e021ce8b (with a hash value of $2a$12$HUALA5Lwpi3HNeHYAbPCqOxXaxFDj3IZjGa0uDN/KYD6oCg7172hS), my administrators’ user file would be:

/srv/traefik/users/admins

admin:$2a$12$HUALA5Lwpi3HNeHYAbPCqOxXaxFDj3IZjGa0uDN/KYD6oCg7172hS
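
Traefik’s basic auth also accepts MD5 and SHA1 hashes, so a users file can end up with weaker entries than the bcrypt one above. The script below is an added example, not part of the original guide, that checks every line is a unique username:hash pair with a well-formed bcrypt hash. The function name, the MIN_COST threshold and all sample lines except the first are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the guide): lint a Traefik basic-auth users file.
# MIN_COST is a threshold assumed for this example, not a Traefik setting.
MIN_COST=12

# lint_users FILE: print "LINE:problem" for each entry that is not a unique
# "username:hash" pair with a well-formed bcrypt hash of sufficient cost.
lint_users() {
    awk -v min="$MIN_COST" '
        /^[ \t]*$/ { next }                          # ignore blank lines
        {
            sep = index($0, ":")
            if (sep < 2) { print NR ":no-username"; next }
            user = substr($0, 1, sep - 1)
            hash = substr($0, sep + 1)
            if (seen[user]++) print NR ":duplicate-user"
            # bcrypt: $2a$/$2b$/$2y$, two-digit cost, 53 more characters.
            if (length(hash) != 60 ||
                hash !~ "^\\$2[aby]\\$[0-9][0-9]\\$[./A-Za-z0-9]+$") {
                print NR ":not-bcrypt"; next
            }
            if (substr(hash, 5, 2) + 0 < min) print NR ":low-cost"
        }' "$1"
}

# Constructed sample: line 1 is the entry from the guide; the apr1 (MD5)
# and cost-5 hashes and the repeated user are made up for illustration.
users=$(mktemp)
cat > "$users" <<'EOF'
admin:$2a$12$HUALA5Lwpi3HNeHYAbPCqOxXaxFDj3IZjGa0uDN/KYD6oCg7172hS
alice:$apr1$constructd$0123456789abcdefghijkl
bob:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
admin:$2a$12$HUALA5Lwpi3HNeHYAbPCqOxXaxFDj3IZjGa0uDN/KYD6oCg7172hS
EOF
lint_users "$users"
rm -f "$users"
```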

Local plug-ins

To install the two plug-ins covered in this article:

{

# Create directories
mkdir -pv /srv/traefik/plugins/src/github.com/traefik

# Block Path
git clone \
    https://github.com/traefik/plugin-blockpath \
    /srv/traefik/plugins/src/github.com/traefik/plugin-blockpath

# Rewrite Body
git clone \
    https://github.com/traefik/plugin-rewritebody \
    /srv/traefik/plugins/src/github.com/traefik/plugin-rewritebody

}
