Setup
Traefik
Before examining each directory and file individually, let’s look at the structure of my /srv/traefik directory to get a feel for where we’re going with this article:
/srv/traefik
├── disabled
├── logs
├── plugins
│   └── src
│       └── github.com
│           └── traefik
│               ├── plugin-blockpath
│               │   ├── blockpath.go
│               │   ├── blockpath_test.go
│               │   ├── .github
│               │   │   └── workflows
│               │   │       ├── go-cross.yml
│               │   │       └── main.yml
│               │   ├── .gitignore
│               │   ├── .golangci.yml
│               │   ├── go.mod
│               │   ├── LICENSE
│               │   ├── Makefile
│               │   ├── README.md
│               │   └── .traefik.yml
│               └── plugin-rewritebody
│                   ├── .github
│                   │   └── workflows
│                   │       ├── go-cross.yml
│                   │       └── main.yml
│                   ├── .gitignore
│                   ├── .golangci.toml
│                   ├── go.mod
│                   ├── LICENCE
│                   ├── Makefile
│                   ├── README.md
│                   ├── rewritebody.go
│                   ├── rewritebody_test.go
│                   └── .traefik.yml
├── traefik.d
│   ├── block-sensitive.toml
│   ├── core-admins.toml
│   ├── core-bastions.toml
│   ├── core-certificates.toml
│   ├── route-ltg.fyi.toml
│   ├── route-thad.getterman.org.toml
│   ├── route-traefik-dashboard.toml
│   ├── service-example.toml
│   ├── service-nginx.toml
│   └── service-whoami.toml
├── traefik.toml
└── users
    └── admins
Let’s start by creating a path for Traefik’s logs, local plug-ins (without the need for Traefik Pilot!), dynamic configurations, and users for basic access authentication:
mkdir -pv /srv/traefik/{logs,plugins/src,traefik.d,users}
Static configuration
For Traefik’s static configuration, let’s aim for the following:
- Send anonymous usage statistics to Traefik Labs.
- Pass server and access logging to Docker Compose in the JSON format (there’s more information and the output is easy to parse with jq if needed).
- Dynamic configurations based on files in a directory.
- Docker integration.
- Traefik Dashboard that’s only accessible by you and available at the /traefik path of your site (this is set by the dynamic configuration that I’ll cover further in this article).
- SSL with externally generated Let’s Encrypt certificates.
- HTTP (80/TCP) and HTTPS (443/TCP) while permanently redirecting (A.K.A. “301 redirects”) every unencrypted connection to an encrypted one.
- Local plug-ins.
Pick either TOML or YAML.
/srv/traefik/traefik.toml
[global]
sendAnonymousUsage = true
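[accessLog]
format = "json"
# filePath is left unset so that access logs go to standard output (the default);
# any value set here, including "os.Stdout", is treated as a file name.
# To write to a file instead:
# filePath = "/logs/access.log"
[log]
format = "json"
level = "INFO"
# filePath is left unset for the same reason.
# To write to a file instead:
# filePath = "/logs/traefik.log"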
[providers]
[providers.file]
directory = "/etc/traefik"
watch = true
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
exposedByDefault = false
[api]
dashboard = true
insecure = false
[serversTransport]
insecureSkipVerify = false
rootCAs = ["/cacerts/ca-certificates.crt"]
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
permanent = true
[entryPoints.websecure]
address = ":443"
# Optional
# [pilot]
# token = "12-34-56-78-90"
[experimental.localPlugins]
[experimental.localPlugins.blockpath]
moduleName = "github.com/traefik/plugin-blockpath"
[experimental.localPlugins.rewritebody]
moduleName = "github.com/traefik/plugin-rewritebody"
/srv/traefik/traefik.yaml
global:
  sendAnonymousUsage: true
accessLog:
  format: json
  # filePath is left unset so that access logs go to standard output (the default);
  # any value set here, including "os.Stdout", is treated as a file name.
  # To write to a file instead:
  # filePath: /logs/access.log
log:
  format: json
  level: INFO
  # filePath is left unset for the same reason.
  # To write to a file instead:
  # filePath: /logs/traefik.log
providers:
  file:
    directory: /etc/traefik
    watch: true
  docker:
    endpoint: unix:///var/run/docker.sock
    watch: true
    exposedByDefault: false
api:
  dashboard: true
  insecure: false
serversTransport:
  insecureSkipVerify: false
  rootCAs:
    - /cacerts/ca-certificates.crt
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
# Optional
# pilot:
#   token: "12-34-56-78-90"
experimental:
  localPlugins:
    blockpath:
      moduleName: "github.com/traefik/plugin-blockpath"
    rewritebody:
      moduleName: "github.com/traefik/plugin-rewritebody"
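With access logs in JSON on standard output, repeated failed logins against the basic-auth protected dashboard at /traefik are easy to spot. The following is an added example, not part of the original article: it uses Traefik's access-log field names (ClientHost, DownstreamStatus, RequestPath), while the threshold, the "traefik_1  | " Compose prefix and all sample lines are constructed assumptions.

```python
import json
from collections import Counter

def failed_dashboard_logins(lines, prefix="/traefik", threshold=3):
    """Return {client: count} for clients with at least `threshold`
    401 responses on the dashboard prefix."""
    failures = Counter()
    for line in lines:
        # Skip a "traefik_1  | " style prefix added by docker compose logs.
        start = line.find("{")
        if start < 0:
            continue
        try:
            entry = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        # RequestPath can carry a query string; compare the path part only.
        path = str(entry.get("RequestPath", "")).split("?", 1)[0]
        on_dashboard = path == prefix or path.startswith(prefix + "/")
        if on_dashboard and entry.get("DownstreamStatus") == 401:
            failures[entry.get("ClientHost", "unknown")] += 1
    # One 401 per client is normal: browsers send the first request
    # without credentials. Only repeated failures are reported.
    return {host: n for host, n in failures.items() if n >= threshold}

def _entry(host, status, path, prefix=""):
    """Build one constructed access-log line (values are made up)."""
    return prefix + json.dumps({"ClientHost": host, "DownstreamStatus": status,
                                "RequestMethod": "GET", "RequestPath": path})

# Constructed sample input, not taken from a real deployment.
SAMPLE_LOG = (
    [_entry("203.0.113.7", 401, "/traefik/dashboard/", "traefik_1  | ")] * 4
    + [_entry("198.51.100.20", 401, "/traefik"),
       _entry("198.51.100.20", 200, "/traefik/dashboard/?x=1")]
    + [_entry("192.0.2.9", 401, "/traefik-other")] * 3
    + ['{"level":"info","msg":"Configuration loaded"}', "plain text line"]
)

if __name__ == "__main__":
    for host, count in failed_dashboard_logins(SAMPLE_LOG).items():
        print(f"{host}: {count} failed dashboard logins")
```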
Administrative users
I have a bcrypt function defined in my dotfiles (source code), which wraps around htpasswd. The format of Traefik’s basic auth users file is simple enough: username:hash.
If I wanted to set up an admin user with the password b747bf685918430f2bfa2592a80c0cb4e021ce8b (with a hash value of $2a$12$HUALA5Lwpi3HNeHYAbPCqOxXaxFDj3IZjGa0uDN/KYD6oCg7172hS), my administrators’ user file would be:
/srv/traefik/users/admins
admin:$2a$12$HUALA5Lwpi3HNeHYAbPCqOxXaxFDj3IZjGa0uDN/KYD6oCg7172hS
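Traefik's basic auth also accepts the MD5 and SHA1 formats that htpasswd can emit, so it is worth checking that every line of the users file really is bcrypt at a reasonable cost. This check is an added example, not part of the original article or the author's dotfiles; the minimum cost of 10 and every sample entry except the admin line above are assumptions made for illustration.

```python
import re

# bcrypt: $2a$/$2b$/$2x$/$2y$, two-digit cost, 53 characters of salt+hash.
BCRYPT = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def audit_users(text, min_cost=10):
    """Return (line_no, user, finding) for every entry needing attention.

    min_cost=10 is an assumed policy value; note that `htpasswd -B`
    uses cost 5 unless -C is given.
    """
    findings, seen = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, digest = line.partition(":")
        if not (sep and user and digest):
            findings.append((no, user, "malformed"))
            continue
        if user in seen:
            findings.append((no, user, "duplicate-user"))
        seen.add(user)
        match = BCRYPT.match(digest)
        if match:
            cost = int(match.group(1))
            if cost < min_cost:
                findings.append((no, user, f"bcrypt-cost-{cost}"))
        elif digest.startswith("$apr1$"):
            findings.append((no, user, "md5-apr1"))       # htpasswd -m
        elif digest.startswith("{SHA}"):
            findings.append((no, user, "sha1-unsalted"))  # htpasswd -s
        else:
            findings.append((no, user, "unrecognised"))   # crypt() or plaintext
    return findings

# First line is the entry from the article; the rest are constructed.
SAMPLE_USERS = "\n".join([
    "admin:$2a$12$HUALA5Lwpi3HNeHYAbPCqOxXaxFDj3IZjGa0uDN/KYD6oCg7172hS",
    "alice:$apr1$constrct$0123456789abcdefghijkl",
    "bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "carol:$2y$05$" + "x" * 53,
    "dave",
])

if __name__ == "__main__":
    for line_no, user, finding in audit_users(SAMPLE_USERS):
        print(f"line {line_no}: {user}: {finding}")
```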
Local plug-ins
To install the two plug-ins covered in this article:
{
  # Create directories
  mkdir -pv /srv/traefik/plugins/src/github.com/traefik
  # Block Path
  git clone \
    https://github.com/traefik/plugin-blockpath \
    /srv/traefik/plugins/src/github.com/traefik/plugin-blockpath
  # Rewrite Body
  git clone \
    https://github.com/traefik/plugin-rewritebody \
    /srv/traefik/plugins/src/github.com/traefik/plugin-rewritebody
}
One reply on “Traefik 2.5 quick-start guide”
Great article. Will definitely try out the local plugins