Traefik is a reverse proxy and load balancer implemented in Golang. Its biggest difference from Nginx is that it supports automatic updates of reverse proxy and load balancing configurations.

Official site: https://traefik.io/

Official documentation: https://doc.traefik.io/traefik/

Basic Usage#

Reverse Proxy Use Case#

Key Features#

Automatic Docker service discovery
Automatic HTTPS configuration
Prometheus metrics endpoint
Web UI dashboard
Forced HTTP 80 → HTTPS 443 redirection
Simple configuration
- Just add the appropriate label tags to your containers to automatically complete reverse proxy routing and load balancing configuration

Create Directories#

1
mkdir -p data/configurations
2
touch docker-compose.yml
3
touch data/traefik.yml
4
touch data/acme.json
5
touch data/configurations/dynamic.yml
6
chmod 600 data/acme.json

Docker Compose#

File path: ~/docker-compose.yml

1
version: '3.7'
2

3
services:
4
  traefik:
5
    image: traefik:latest
6
    container_name: traefik
7
    restart: always
8
    security_opt:
9
      - no-new-privileges:true
10
    ports:
11
      - 80:80
12
      - 443:443
13
    volumes:
14
      - /etc/localtime:/etc/localtime:ro
15
      - /var/run/docker.sock:/var/run/docker.sock:ro
16
      - ./data/traefik.yml:/traefik.yml:ro
17
      - ./data/acme.json:/acme.json
18
      # Add folder with dynamic configuration yml
19
      - ./data/configurations:/configurations
20
    networks:
21
      - proxy
22
    labels:
23
      - "traefik.enable=true"
24
      - "traefik.docker.network=proxy"
25
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
26
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
27
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
28
      - "traefik.http.routers.traefik-secure.service=api@internal"
29

30
networks:
31
  proxy:
32
    external: true

Static Configuration File#

File path: ~/data/traefik.yml

1
api:
2
  dashboard: true
3

4
entryPoints:
5
  web:
6
    address: :80
7
    http:
8
      redirections:
9
        entryPoint:
10
          to: websecure
11

12
  websecure:
13
    address: :443
14
    http:
15
      middlewares:
16
        - secureHeaders@file
17
        - nofloc@file
18
      tls:
19
        certResolver: letsencrypt
20

21
pilot:
22
  dashboard: false
23

24
providers:
25
  docker:
26
    endpoint: "unix:///var/run/docker.sock"
27
    exposedByDefault: false
28
  file:
29
    filename: /configurations/dynamic.yml
30

31
certificatesResolvers:
32
  letsencrypt:
33
    acme:
34
      email: admin@yourdomain
35
      storage: acme.json
36
      keyType: EC384
37
      httpChallenge:
38
        entryPoint: web
39

40
  buypass:
41
    acme:
42
      email: admin@yourdomain
43
      storage: acme.json
44
      caServer: https://api.buypass.com/acme/directory
45
      keyType: EC256
46
      httpChallenge:
47
        entryPoint: web

Dynamic Configuration File#

File path: ~/data/configurations/dynamic.yml

1
# Dynamic configuration
2
http:
3
  middlewares:
4
    nofloc:
5
      headers:
6
        customResponseHeaders:
7
          Permissions-Policy: "interest-cohort=()"
8
    secureHeaders:
9
      headers:
10
        sslRedirect: true
11
        forceSTSHeader: true
12
        stsIncludeSubdomains: true
13
        stsPreload: true
14
        stsSeconds: 31536000
15

16
    # UserName : admin
17
    # Password : qwer1234
18
    user-auth:
19
      basicAuth:
20
        users:
21
          - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"
22

23
tls:
24
  options:
25
    default:
26
      cipherSuites:
27
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
28
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
29
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
30
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
31
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
32
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
33
      minVersion: VersionTLS12

Create Network#

1
docker network create proxy

Start#

1
docker compose up -d

Traefik Smart Reverse Proxy: Hands-Free Automation