In this Guide we will install Traefik v2 as a reverse proxy with free LetsEncrypt SSL certificates for our Docker container. With Traefik you will be able to run multiple containers with different domains. This guide offers a ready to use
docker-compose.yml for a quick start with Traefik.
Traefik v2 Install
If you don’t have docker installed yet, you can find instructions for Ubuntu or Debian. This Guide uses docker-compose to run Traefik, therefore its necessary to also install docker-compose. The two linked guides will help you to setup docker-compose on your own host.
Frist we create a few files and folders to work with. I like my docker setup to be clean and easy, therefore I create a folder for each docker-compose Stack I’m running on my host.
mkdir -p /opt/containers/traefik mkdir /opt/containers/traefik/data touch /opt/containers/traefik/data/traefik.yml touch /opt/containers/traefik/data/acme.json chmod 600 /opt/containers/traefik/data/acme.json
To create password protected sites, like our Traefik Dasboard, you will need to install apache2-utils which provides the handy
htpasswd tool we are using in this Guide.
apt-get install apache2-utils
Next we open our newly created traefik config file with an editor of your choice.
api: dashboard: true entryPoints: http: address: ":80" https: address: ":443" providers: docker: endpoint: "unix:///var/run/docker.sock" exposedByDefault: false certificatesResolvers: http: acme: email: [email protected] # CHANGE HERE storage: acme.json httpChallenge: entryPoint: http
You need to replace the example email with your own email address. This email address is used to request our free LetsEncrypt SSL certificates.
In this Guide we are enabling the Traefik Dashboard. This Dashboard is helpful to check if a service is running correct or not. If you are not interested to run Trafik with the Dashboard enabled, you can set
dashboard: false. I would suggest to leave the Dashboard running, if you are new to Traefik.
version: '3' services: traefik: image: traefik:latest container_name: traefik restart: unless-stopped security_opt: - no-new-privileges:true networks: - proxy ports: - 80:80 - 443:443 volumes: - /etc/localtime:/etc/localtime:ro - /var/run/docker.sock:/var/run/docker.sock:ro - ./data/traefik.yml:/traefik.yml:ro - ./data/acme.json:/acme.json labels: - "traefik.enable=true" - "traefik.http.routers.traefik.entrypoints=http" - "traefik.http.routers.traefik.rule=Host(`traefik.domain.tld`)" - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD" - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https" - "traefik.http.routers.traefik.middlewares=traefik-https-redirect" - "traefik.http.routers.traefik-secure.entrypoints=https" - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.tld`)" - "traefik.http.routers.traefik-secure.middlewares=traefik-auth" - "traefik.http.routers.traefik-secure.tls=true" - "traefik.http.routers.traefik-secure.tls.certresolver=http" - "traefik.http.routers.traefik-secure.service=api@internal" networks: proxy: external: true
With our docker-compose.yml we are defining the Traefik docker container with all the settings and config files. To get Traefik up and running you only need to adjust some settings:
- replace both
traefik.domain.tldwith your own domain name. This domain should be a subdomain like traefik.ae3.ch for example. Later you will be able access Traefik Dasboard with this (sub)domain.
USER:PASSWORDwith your own credentials.
You will not be able to write your password as it is, you first need to generate a hash of your password, like so:
echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
password with your own credentials you would like to use for Traefik Dashboard.
Output should look like this:
Now you can copy the whole line of your own output and replace the
USER:PASSWORD with your own credentials:
# before - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD" # after - "traefik.http.middlewares.traefik-auth.basicauth.users=user:$$apr1$$zUb/YuK2$$57psQ0U71DlfdHPr0yoHe/"
Create Docker Network for Traefik
It’s a good idea to setup a separate docker network that is used by Traefik and all other docker containers you would like to make available by Traefik.
To create this docker network, all you need to do is paste the following command into your CLI:
docker network create proxy
Now we are ready to run our traefik container. Make sure you are located inside the
/opt/containers/traefik directory and then simply run:
docker-compose up -d
After a few seconds you can check and access your Traefik Dashboard at your custom Domain you entered in your docker-compose.yml (example: traefik.ae3.ch). When you try to visit the Dasboard, you should be prompted by a login form, there you enter your username and password you defined earlier.
Traefik will automatically generate SSL certificates for all domains you are connecting to Traefik. All certificates are also renewed automatically, this means you don’t need to do any manual steps to secure your website with SSL, isn’t it fancy huh? :)
Use your container with Traefik
To access your own containers with your domain, you need to add some config labels to your existing docker-compose.yml file of your other containers. This is an example config, you could use with any docker container you are running.
service-name: labels: - "traefik.enable=true" ## replace `service-name` with the name of your docker container, you will need to replace this entry in all lines - "traefik.http.routers.service-name.entrypoints=http" ## replace `example.domain.tld` with your own domain name, for example `wordpress.domain.ch` - "traefik.http.routers.service-name.rule=Host(`example.domain.tld`)" - "traefik.http.middlewares.service-name-https-redirect.redirectscheme.scheme=https" - "traefik.http.routers.service-name.middlewares=service-name-https-redirect" - "traefik.http.routers.service-name-secure.entrypoints=https" ## replace `example.domain.tld` with your own domain name, for example `wordpress.domain.ch` - "traefik.http.routers.service-name-secure.rule=Host(`example.domain.tld`)" - "traefik.http.routers.service-name-secure.tls=true" - "traefik.http.routers.service-name-secure.tls.certresolver=http" ## replace `service-name` with the name of your docker container - "traefik.http.routers.service-name-secure.service=service-name" ## if your container is using a different port then `80`, just replace this port with your custom one, for example: `8888` - "traefik.http.services.service-name.loadbalancer.server.port=80" - "traefik.docker.network=proxy"
Make sure your container has the same docker network assignes as traefik has. You can do this by adding the following to your docker-compose.yml
service-name: networks: - proxy networks: proxy: external: true
WordPress docker-compose.yml for Traefik
docker-compose.yml for WordPress could look like this:
version: '3.1' services: wordpress: image: wordpress restart: always environment: WORDPRESS_DB_HOST: db WORDPRESS_DB_USER: exampleuser WORDPRESS_DB_PASSWORD: examplepass WORDPRESS_DB_NAME: exampledb volumes: - wordpress:/var/www/html labels: - "traefik.enable=true" - "traefik.http.routers.wordpress.entrypoints=http" - "traefik.http.routers.wordpress.rule=Host(`wordpress.domain.ch`)" - "traefik.http.middlewares.wordpress-https-redirect.redirectscheme.scheme=https" - "traefik.http.routers.wordpress.middlewares=wordpress-https-redirect" - "traefik.http.routers.wordpress-secure.entrypoints=https" - "traefik.http.routers.wordpress-secure.rule=Host(`wordpress.domain.ch`)" - "traefik.http.routers.wordpress-secure.tls=true" - "traefik.http.routers.wordpress-secure.tls.certresolver=http" - "traefik.http.routers.wordpress-secure.service=wordpress" - "traefik.http.services.wordpress.loadbalancer.server.port=80" - "traefik.docker.network=proxy" networks: - proxy db: image: mysql:5.7 restart: always environment: MYSQL_DATABASE: exampledb MYSQL_USER: exampleuser MYSQL_PASSWORD: examplepass MYSQL_RANDOM_ROOT_PASSWORD: '1' volumes: - db:/var/lib/mysql volumes: wordpress: db: networks: proxy: external: true