Traefik is an edge router (for the full details, you can check their documentation). Basically, this means that it listens to all the incoming traffic on a particular server and then dispatches it to different places. It has many features, some of which I will not talk about yet, but it helps me get stuff done locally or put things in production in different ways that we will talk about.
Why would you need an edge router?
The addresses on a server
As a user you are used to typing in a name to get to the website that you want to see (like https://google.com). However, this is not how the Internet will get you to the specific apartment number you are trying to reach. It will mainly tell you which building contains it. When you look for a name, some Domain Name System servers will translate the text to an actual IP address. So now that you know where the building is, how do you get to the right apartment?
This is where the edge router will, more or less, work as a valet. When you get to the correct building and ask for the apartment number, giving the name of the place you are trying to reach, he will give you the precise destination.
Spend less money!
If you need many different websites (the apartments we just discussed), it is more affordable to rent a building! Since the building only has a general address, you just need someone at the entrance who can tell people which floor and apartment number they need to go to.
How does this work?
When running a server with a single IP to which you want to point multiple addresses, the idea is to have someone read all the post that comes into the building and distribute it to the correct places inside of it.
This is why Traefik will listen directly to everything coming in on ports 80 and 443 of our server. These are the routes by which messages come into our building. He will then read the actual name that was asked for and get the message to the correct post box.
Let's get technical
This is the general way I think about this kind of stuff. Let's have a look at how we put this in place technically.
First off, the main thing for us is that we will run most of our projects in Docker containers (this is a small virtual kind of machine we will talk about soon). These will represent the apartments in our building. The valet, Traefik, will also run inside a Docker container.
This means that all the main traffic will have to go past him first. In order to do so, we will set up a docker-compose configuration that makes sure that all the messages coming in on port 80 or 443 go to him first:
    version: "3"

    services:
      traefik:
        image: traefik:1.7
        restart: always
        ports:
          # server port:container port
          - 80:80
          - 443:443
        volumes:
          # read-only mount of the Docker socket, used to discover containers
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./traefik.toml:/traefik.toml
        networks:
          - web
        labels:
          - traefik.enable=true
          - traefik.backend=traefik
          - traefik.frontend.rule=Host:traefik.mywebsite.org
          - traefik.frontend.protocol=https
          - traefik.frontend.redirect.entryPoint=https
          - traefik.frontend.headers.SSLRedirect=true
          - traefik.frontend.auth.basic=firstname.lastname@example.org:$$apr1$$efgdfegdf$$fbfdggdfgdfgdfz.
          - traefik.port=8080

    networks:
      web:
        external: true
A few things to see here. The ports 80 and 443 of the Docker container are mapped to those of the server. This means that anything coming in on these ports on the server will be sent to the Traefik Docker container.
Next are the networks. These allow us to create virtual networks inside the server so that multiple different Docker containers can talk with each other without being heard by everyone.
Finally, there are a couple of interesting labels. Basically, these tell Traefik how to transfer the messages. Since they sit on Traefik's own container, we can ask ourselves why we make him talk to himself.
Traefik has a Backend!
There is a web page that will show you what Traefik is doing and whether there are any errors or warnings preventing him from doing his job. By default this runs inside the container on port 8080. This means that when you run it locally you will be able to reach it through localhost:8080 in your browser. However, as it is his job to set and point towards addresses, let's make him do that for himself.
So let's take a closer look at the labels we just saw:
    - traefik.enable=true
    - traefik.backend=traefik
    - traefik.frontend.rule=Host:traefik.mywebsite.org
    - traefik.frontend.protocol=https
    - traefik.frontend.redirect.entryPoint=https
    - traefik.frontend.headers.SSLRedirect=true
    - traefik.frontend.auth.basic=email@example.com:$$apr1$$efgdfegdf$$fbfdggdfgdfgdfz.
    - traefik.port=8080
The first one tells Traefik to start taking a look at this Docker container. The next line defines the name of the backend we want to show.
The next three set the URL that will allow us to access this and define the protocol we want to use. Nowadays, of course, we want to use HTTPS to add some security. That is also why we automatically redirect any HTTP traffic to HTTPS.
traefik.frontend.auth.basic is an important label. The dashboard will contain quite a bit of sensitive information, so we do not want it to be visible to everyone. This label will make you enter a username and password before you can access the dashboard. If you have used the Apache .htpasswd files in the past, this is kind of the same. The one thing you have to keep in mind is that the password in the label needs double $ signs (which I think is because of how the Go language interprets these but I haven't really looked into it, sorry). On Linux, to create a user and password you can use the htpasswd CLI tool:
htpasswd -nb user password
If you want to set it to the correct format for Traefik labels you can use:
htpasswd -nb user password | sed -s "s/[$]/&&/g"
And finally there is the important part about the port. If the thing you want to show is not running on port 80 inside your container, you can define the port it is using here so that Traefik will redirect port 80 or 443 traffic towards it.
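The following shell example is an addition to this post, not part of the original setup. It turns one htpasswd line into the traefik.frontend.auth.basic label with every $ doubled (docker-compose reads a single $ as the start of a variable, so $$ is how a literal $ is written in the file), and it checks a list of labels for a missing or unescaped auth entry and for the HTTPS redirect. The function names are made up for this example and the hash is the dummy one from the labels above.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Turn one htpasswd line (user:hash) into the Traefik 1.7 label, doubling
# every "$" so docker-compose does not read it as a variable reference.
compose_auth_label() {
    entry=$1
    case $entry in
        *:\$apr1\$*|*:\$2y\$*) ;;   # apr1 (MD5) or bcrypt output of htpasswd
        *) echo "not an htpasswd hash entry" >&2; return 1 ;;
    esac
    printf 'traefik.frontend.auth.basic=%s\n' \
        "$(printf '%s' "$entry" | sed 's/\$/$$/g')"
}

# Read label lines on stdin, report problems on stdout, and return 1 if
# the dashboard would be unprotected or the hash would be mangled.
check_dashboard_labels() {
    labels=$(cat)
    status=0
    auth=$(printf '%s\n' "$labels" | grep 'traefik\.frontend\.auth\.basic' || true)
    if [ -z "$auth" ]; then
        echo "no traefik.frontend.auth.basic label: dashboard is open"
        status=1
    # Strip every "$$" pair; a "$" that is left over was not escaped.
    elif printf '%s\n' "$auth" | sed 's/\$\$//g' | grep -q '\$'; then
        echo "single \$ in auth label: escape it as \$\$"
        status=1
    fi
    if ! printf '%s\n' "$labels" | grep -q 'headers\.SSLRedirect=true'; then
        echo "traefik.frontend.headers.SSLRedirect=true is missing"
        status=1
    fi
    return $status
}

# Constructed sample: the dummy hash from the labels above, with single "$".
sample='user:$apr1$efgdfegdf$fbfdggdfgdfgdfz.'
label=$(compose_auth_label "$sample")
printf '%s\n' "- $label" '- traefik.frontend.headers.SSLRedirect=true' |
    check_dashboard_labels && echo "labels ok: $label"
```

With a real password, htpasswd -n user prompts for it instead of taking it on the command line, which keeps it out of the shell history.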
The (already among us) future
It took me forever to finish writing this and Traefik has moved forward with its second version. However, migrating from V1 to V2 can be quite annoying and bring your sites down for a bit, since it will change the labels on every single one of the Docker containers that serve them.
Soon I'll write a bit more about the second version and more about why it was really annoying to migrate back in the day and how V2.2 helped that out a lot.
I will also write a bit about how and why I use Traefik locally for all my different projects to avoid having to run everything on localhost with a lot of different ports, which makes me forget how to get to a specific project.
Thanks for reading!
Dennis de Best