
Traefik 2.5 quick-start guide

How to use TOML, YAML, or Docker Labels to hit the ground running with Traefik 2.5 under Docker Compose.

Docker Compose

I implore you to use a CIDR calculator and IPAM to keep track of which addresses you’re using. Whether you’re managing 1 server or 1,000 servers, it’s good practice to get into the habit of doing so.

With Traefik in front of multiple services, I prefer to run each service on its own segmented network rather than on a flat network. If a service is compromised, this helps limit its use as a springboard for attacks against peer containers. Although this example is over-engineered, it serves as a guide for what you’d encounter in a real-world deployment.

To avoid conflicts with the host or other networks, I use the link-local address segment (169.254.0.0/16 — 169.254.0.0 through 169.254.255.255) with a /29 subnet (8 addresses, 6 being usable) for each service, since a /30 (4 addresses, 2 being usable) is too small for Docker. In this Docker Compose file, I’ll define two networks for three services:

Networks:

  1. Who am I?
  2. Nginx

Services:

  1. Traefik
  2. WhoAmI
  3. Nginx

/etc/docker/compose/web/docker-compose.yaml

---
version: "3.9"

networks:

    whoami:
        driver: bridge
        ipam:
            config:
                - subnet: 169.254.0.0/29

    nginx:
        driver: bridge
        ipam:
            config:
                - subnet: 169.254.0.8/29

services:

#-------------------------------------------------------------------------------

    traefik:

        depends_on:
            - whoami
            - nginx

        container_name: traefik
        image: traefik:v2.5
        restart: always

        # Peer networks
        networks:
            - whoami
            - nginx

        # Public
        ports:
            - "80:80/tcp"
            - "443:443/tcp"

        volumes:
            - /var/run/docker.sock:/var/run/docker.sock:ro  # Listen to the Docker events
            - /srv/traefik/traefik.toml:/traefik.toml:ro    # Static config.
            - /srv/traefik/traefik.d:/etc/traefik:ro        # Dynamic config.
            - /srv/traefik/logs:/logs                       # Diagnosis / Traffic
            - /srv/traefik/users:/users:ro                  # Basic auth. users
            - /srv/traefik/plugins:/plugins-local:ro        # Local plugins without Traefik Pilot
            - /srv/letsencrypt:/letsencrypt:ro              # Offsite certs.
            - /etc/ssl/certs/:/cacerts:ro                   # Certificate Authorities

#-------------------------------------------------------------------------------

    whoami:

        container_name: whoami
        image: traefik/whoami
        restart: always

        # Peer networks
        networks:
            - whoami

        # Peer containers
        expose:
            - 80/tcp

#-------------------------------------------------------------------------------

    nginx:

        container_name: nginx
        image: nginx:1
        restart: always

        # Peer networks
        networks:
            - nginx

        # Peer containers
        expose:
            - 80/tcp

        volumes:
            - /srv/nginx/sites/:/var/www/
            - /srv/nginx/log:/var/log/nginx
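As an added example (not part of the original guide or of the Traefik project), the following Python script does the bookkeeping that the earlier paragraph on CIDR calculators and per-service /29 subnets describes: it carves /29 blocks out of the link-local range, refuses blocks that overlap subnets already in use, reports how many addresses are actually left for containers once Docker reserves the bridge gateway, and emits a `networks:` section in the same layout as the compose file above. The parent range, prefix length and service names are assumptions chosen to reproduce the two subnets used above; only the standard library is needed.

```python
"""Plan per-service Docker subnets the way the guide describes.

Added example, not the author's tool: allocate /29 blocks from a parent
range, skip overlaps with subnets already in use, report usable addresses
and render the matching `networks:` stanza for docker-compose.
"""
import ipaddress

# Assumed parent range and prefix length; the guide uses link-local /29s.
PARENT = ipaddress.ip_network("169.254.0.0/16")
PREFIX = 29


def usable_hosts(net):
    """Classic usable count: all addresses minus network and broadcast."""
    return max(net.num_addresses - 2, 0)


def container_slots(net):
    """Docker's bridge driver also takes the first usable address for the
    gateway, so containers get one slot fewer than the classic count.
    This is why a /30 (2 usable) leaves only a single container address."""
    return max(usable_hosts(net) - 1, 0)


def allocate(services, in_use=(), parent=PARENT, prefix=PREFIX):
    """Assign one /<prefix> subnet to each service, in order, skipping any
    candidate block that overlaps a subnet already in use (the IPAM check).
    Returns {service_name: IPv4Network}; raises if the parent is exhausted."""
    taken = [ipaddress.ip_network(s) for s in in_use]
    plan = {}
    # Generator keeps its position, so each service continues the scan
    # from where the previous allocation stopped.
    candidates = parent.subnets(new_prefix=prefix)
    for name in services:
        for cand in candidates:
            if not any(cand.overlaps(t) for t in taken):
                plan[name] = cand
                taken.append(cand)
                break
        else:
            raise RuntimeError(f"no free /{prefix} left in {parent} for {name}")
    return plan


def compose_networks(plan):
    """Render the `networks:` section in the same 4-space layout as the
    compose file in the guide."""
    lines = ["networks:", ""]
    for name, net in plan.items():
        lines += [
            f"    {name}:",
            "        driver: bridge",
            "        ipam:",
            "            config:",
            f"                - subnet: {net}",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    plan = allocate(["whoami", "nginx"])
    for name, net in plan.items():
        print(f"{name:8} {net}  usable={usable_hosts(net)} "
              f"containers={container_slots(net)}")
    print(compose_networks(plan))
```

Run it as-is and it reproduces `169.254.0.0/29` for `whoami` and `169.254.0.8/29` for `nginx`; pass the subnets you already have in `in_use` (for example a whole `/24` reserved elsewhere) and the allocator steps over them instead of handing out a colliding block, which is the kind of collision a flat, hand-maintained list tends to miss as the server count grows.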

To start this Compose project and, if the start succeeded, enable it at boot:

systemctl start docker-compose@web && systemctl enable docker-compose@web
