This site is licensed under the "CC BY 4.0 International" license. You are welcome to reprint or modify its content, but you must credit the source. Attribution 4.0 International (CC BY 4.0)

Author: Su Yang

Created: September 7, 2018. Word count: 7212 words. Reading time: 15 minutes. Link to this article: soulteary.com/2018/09/07/…


Some additional details about using Traefik

In the past, I have written a number of examples of service registration and automatic load balancing with Traefik and posted its configuration, but it seems that I have not explained the configuration and use of Traefik in detail. On reflection, I should write an article about it.

What is Traefik and what does it do

If you have read my previous articles, you should already have a basic understanding of Traefik: it provides nginx-like load-balancing capability, except that "upstream" is configured automatically, or, put another way, it is like a ready-to-use Consul that needs no configuration. The official definition is as follows:

A reverse proxy / load balancer that’s easy, dynamic, automatic, fast, full-featured, open source, production proven, provides metrics, and integrates with every major cluster technologies… No wonder it’s so popular!

To put it simply, whether you use it for load balancing or reverse proxy, it is consistent with its design concept, and provides a large number of functions to support you, so that you can achieve a certain scale of high performance applications in different business scenarios with simple configuration.

In practice, it works with K8S, Compose, Etcd, Rancher and traditional Docker.

I personally use it in the Compose scenario, so the following configuration takes that as the example. The configuration for other environments is generally the same, with slightly different details. I will buy a few micro-tower servers later and then set up my personal K8S (after all, a single node is not interesting).

Suitable scenarios

  • You have limited machine or IP resources but need to deploy multiple sites, and you want to keep your site applications highly isolated.
  • You're tired of going back and forth modifying traditional solutions such as haproxy or nginx for multiple applications.
  • You don't want to mount SSL certificates, configure encryption algorithms or add gzip on the application server side. These should be provided by something like a Gateway, so that the functionality of each layer stays simple and pure.
  • You want a lightweight and efficient local development environment within 1 minute.

How to configure

First, the docker-compose.yml:

version: '3'

services:

  reverse-proxy:
    image: traefik:1.6.6-alpine
    restart: always
    container_name: Traefik
    ports:
      - 80:80
      - 443:443
      # Admin and ping ports, bound to loopback only; they match the
      # traefik-api (:4399) and traefik-ping (:4398) entry points in traefik.toml
      - 127.0.0.1:4399:4399
      - 127.0.0.1:4398:4398
    networks:
      - traefik
    command: traefik -c /etc/traefik.toml
    volumes:
      # Standard Linux environment only
      # - /etc/localtime:/etc/localtime
      # - /etc/timezone:/etc/timezone
      # Docker API socket, used by Traefik to discover containers
      # (it grants full control of the Docker daemon)
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/etc/traefik.toml
      - ./ssl/lab.com.key:/data/ssl/lab.com.key
      - ./ssl/lab.com.crt:/data/ssl/lab.com.crt
      - ./logs:/data/logs

networks:
  traefik:
    external: true

Looking at the configuration, you can see that I mapped some external files and configuration into the container and exposed ports 80 and 443. The two default ports (the admin and health-check ports) are mapped to 127.0.0.1, and the application logs are saved.

If you are using a standard Linux distribution, you can consider mapping the time zone and host time to the container to ensure consistent time, but you can ignore this on OSX systems.

You may ask how you can do routine administration and health checking if the admin port and the health-check port are not publicly exposed. The answer is simply to define reverse-proxy rules with the [file] section of the traefik.toml configuration file, as described later.
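
The loopback binding described above can be checked mechanically. This is an added example, not code from the original article: it parses Compose short-syntax port strings and flags the article's admin ports (4399, 4398) when they are published on anything but a loopback address. The function names are hypothetical, the sample lists are constructed, and port ranges are assumed not to be used.

```python
import ipaddress

ADMIN_PORTS = {4399, 4398}  # traefik-api and traefik-ping entry points in the article

def parse_port(entry):
    """Split a Compose short-syntax port string into (host_ip, host_port, container_port)."""
    spec = entry.split("/", 1)[0]      # drop an optional /tcp or /udp suffix
    parts = spec.rsplit(":", 2)        # split from the right so IPv6 hosts survive
    container = int(parts[-1])
    host_port = int(parts[-2]) if len(parts) >= 2 else None      # None: Docker picks one
    host_ip = parts[0].strip("[]") if len(parts) == 3 else None  # None: all interfaces
    return host_ip, host_port, container

def audit_ports(entries, admin_ports=ADMIN_PORTS):
    """Flag admin ports published on anything other than a loopback address."""
    findings = []
    for entry in entries:
        host_ip, _host_port, container = parse_port(entry)
        if container not in admin_ports:
            continue
        if host_ip is None or not ipaddress.ip_address(host_ip).is_loopback:
            where = host_ip or "all interfaces"
            findings.append(f"{entry}: admin port {container} published on {where}")
    return findings

if __name__ == "__main__":
    # Constructed sample: one safe list and one with two unsafe bindings.
    safe = ["80:80", "443:443", "127.0.0.1:4399:4399", "127.0.0.1:4398:4398"]
    unsafe = ["4399:4399", "0.0.0.0:4398:4398/tcp", "[::1]:4399:4399"]
    print(audit_ports(safe))
    for finding in audit_ports(unsafe):
        print("FINDING:", finding)
```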

Traefik supports many configuration options. Note that if you configure HTTP to redirect automatically to HTTPS at the entry points, all entry points will redirect to HTTPS and you will not be able to provide HTTP services.

    [entryPoints.http]
        address = ":80"
        compress = true
        # Choose whether to redirect automatically, depending on your situation
        # [entryPoints.http.redirect]
        #     entryPoint = "https"

If you use it as a front end to load multiple certificates for different domain names and implement SNI functionality, then you only need to add one more field to support both lab.com and lab2.com encrypted access:

    [entryPoints.https.tls]
        [[entryPoints.https.tls.certificates]]
            certFile = "/data/ssl/lab.com.crt"
            keyFile = "/data/ssl/lab.com.key"
        [[entryPoints.https.tls.certificates]]
            certFile = "/data/ssl/lab2.com.crt"
            keyFile = "/data/ssl/lab2.com.key"

By default, the health check and the admin interface have ugly URLs and must be accessed on their specific ports. With the [file] section, you can first define those default ports as your "backend" service addresses and then add two different frontend routes, so that both can be reached on the browser's default port.

[file]
    [backends]
        [backends.dashboard]
            [backends.dashboard.servers.server1]
                url = "http://127.0.0.1:4399"
        [backends.ping]
            [backends.ping.servers.server1]
                url = "http://127.0.0.1:4398"

    [frontends]
        [frontends.dashboard]
            entrypoints = ["https"]
            backend = "dashboard"
            [frontends.dashboard.routes.route01]
                rule = "Host:dashboard.lab.com"
        [frontends.ping]
            entrypoints = ["https"]
            backend = "ping"
            [frontends.ping.routes.route01]
                rule = "Host:ping.lab.com"
            [frontends.ping.routes.route02]
                rule = "ReplacePathRegex: ^/ /ping"

With the example above, when you go directly to dashboard.lab.com, you are first redirected to HTTPS and then shown the admin interface.

And where health monitoring used to require accessing xxx.xxx.xxx.xxx:4398/ping, you now only need to visit ping.lab.com (this involves a route rewrite).

Here is the complete traefik.toml configuration.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# global Settings
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# Enable debug mode (default off)
debug = false

# Log level (default ERROR)
logLevel = "INFO"

# Global entry point type (default HTTP)
defaultEntryPoints = ["http", "https"]

# Do not report statistics
sendAnonymousUsage = false

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Entry point setup
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

[entryPoints]

    # default front-end
    [entryPoints.http]
        address = ":80"
        compress = true
        # Choose whether to redirect automatically, depending on your situation
        # [entryPoints.http.redirect]
        #     entryPoint = "https"
    [entryPoints.https]
        address = ":443"
        compress = true
    [entryPoints.https.tls]
        [[entryPoints.https.tls.certificates]]
            certFile = "/data/ssl/lab.com.crt"
            keyFile = "/data/ssl/lab.com.key"

    # Console port
    [entryPoints.traefik-api]
        address = ":4399"
        # If you do not want the console to be open to everyone, use the configuration
        # below with a basic-auth (BA) account and password that you generate yourself
        # [entryPoints.traefik-api.auth]
        #     [entryPoints.traefik-api.auth.basic]
        #         # htpasswd -nb soulteary soulteary
        #         users = ["soulteary:$apr1$hVv8KPU8$IiTLEE5QYKgd4mZuCXpOD."]
        [entryPoints.traefik-api.redirect]
            entryPoint = "https"

    # Ping port
    [entryPoints.traefik-ping]
        address = ":4398"
        [entryPoints.traefik-ping.redirect]
            entryPoint = "https"

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Traefik File configuration
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

[file]
    [backends]
        [backends.dashboard]
            [backends.dashboard.servers.server1]
                url = "http://127.0.0.1:4399"
        [backends.ping]
            [backends.ping.servers.server1]
                url = "http://127.0.0.1:4398"

    [frontends]
        [frontends.dashboard]
            entrypoints = ["https"]
            backend = "dashboard"
            [frontends.dashboard.routes.route01]
                rule = "Host:dashboard.lab.com"
        [frontends.ping]
            entrypoints = ["https"]
            backend = "ping"
            [frontends.ping.routes.route01]
                rule = "Host:ping.lab.com"
            [frontends.ping.routes.route02]
                rule = "ReplacePathRegex: ^/ /ping"

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Traefik logs configuration
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
# Default: os.Stdout
[traefikLog]
  filePath = "/data/logs/traefik.log"

[accessLog]
  filePath = "/data/logs/access.log"

# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Access log configuration
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
# [accessLog]

# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath = "/path/to/log/log.txt"

# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# API and console configuration
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# Enable API and console
[api]
    # entry point name
    entryPoint = "traefik-api"

    # Enable console (default)
    dashboard = true

    # Default protocol
    defaultEntryPoints = ["http"]

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Ping configuration
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# enable ping
[ping]
    # entry point name
    entryPoint = "traefik-ping"

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Docker backend configuration
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# Enable the Docker backend
[docker]

# Docker service backend
endpoint = "unix:///var/run/docker.sock"
# default domain name
domain = "traefix.lab.com"
# Monitor docker changes
watch = true

# Use custom templates (optional)
# filename = "docker.tmpl"

# Expose containers by default (on by default)
# If this option is disabled, containers without the 'traefik.enable=true' label will not be exposed
exposedbydefault = false

# use the IP address of the bound port instead of the internal private network (default off)
usebindportip = false

# Swarm Mode (disabled by default)
swarmmode = false

# Enable docker TLS connection.
#
# Optional
#
# [docker.tls]
# ca = "/etc/ssl/ca.crt"
# cert = "/etc/ssl/docker.crt"
# key = "/etc/ssl/docker.key"
# insecureskipverify = true

Related resources

If you have more Header customization requirements, or forwarding requirements, check out the documentation below.

  • Usage documents in Docker scenarios

Of course, if you want to use UFW (iptables), you can refer to this article and run Traefik bare.

Other

That’s the end of Traefik for now, maybe I’ll update additional content when 1.7 is released.

–EOF

