Traefik and Docker Services

Ivan Bütler
Jun 12, 2018 · 3 min read

I run all my docker services ‘behind’ traefik (https://traefik.io/). I do not want my (hundreds of) docker services to be directly accessible from the Internet (security), and I do not want to create and handle SSL/TLS certificates for each of them. Therefore I use an SSL wildcard certificate and point the matching wildcard DNS name to my traefik IP address. Traefik terminates TLS/SSL and happily routes all my HTTP or HTTPS requests, based on HOST or URL pattern rules, to the designated back-end service. Furthermore, traefik is docker-aware and allows registering or unregistering docker services without restarting traefik.

Traefik Configuration

Traefik is configured with a file called “traefik.toml”. The example below is being used in my test environment.

Traefik Status Page

In the default configuration, traefik provides a nice status page on port 8080. In the picture below, the link “docker” shows the on-demand mappings, while the link “file” shows the static mappings. You will find [docker] and [file] sections in my sample traefik.toml above. Access to the status page can be disabled or IP-whitelisted (but not in my test env).

docker tab (on-demand rules)

How to start a Traefik aware Docker?

If you want to start a docker ‘behind’ traefik, the docker command must register the newly created docker using so-called “traefik labels”.

Example 1: Launch Docker with “docker run” and traefik labels

docker run example

This will launch the docker hackinglab/alpine-gotty-root ‘behind’ traefik with the FQDN = gotty-root.idocker.hacking-lab.com. The DNS will respond to anything ending with .idocker.hacking-lab.com with the IP address of the traefik service. Once the docker is launched, one can access it from the internet: https://gotty-root.idocker.hacking-lab.com/

the resulting docker launched with docker run

Example 2: Launch Docker with “docker-compose” and traefik labels

docker-compose example

First I want to stop my previous docker instance using “docker stop”. Second, I will launch the same docker using docker-compose.

stop first docker and start docker with docker-compose

As I am spinning up the same docker as with docker run, the service looks identical.

the resulting docker launched with docker-compose
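The traefik labels described above, written out as a docker-compose file. This is an added example, not the author's original file. It assumes the Traefik 1.x label syntax that was current at the time of writing, a pre-created docker network named `traefik` that the traefik container is also attached to (hypothetical name), and that the service inside the image listens on port 8080 (assumption).

```yaml
# docker-compose.yml (added example, not from the original article)
version: "3"

services:
  gotty-root:
    image: hackinglab/alpine-gotty-root
    # Deliberately no "ports:" section. The container is not published on
    # the docker host, so the only way in from outside is through traefik.
    networks:
      - traefik
    labels:
      # Only needed when traefik runs with exposedbydefault = false;
      # harmless otherwise.
      - "traefik.enable=true"
      # HOST rule: route requests for this FQDN to this container.
      - "traefik.frontend.rule=Host:gotty-root.idocker.hacking-lab.com"
      # Port inside the container that traefik forwards to (assumption).
      - "traefik.port=8080"
      # traefik terminates TLS; the back-end hop is plain HTTP.
      - "traefik.protocol=http"
      # Tell traefik which network to use to reach the container.
      - "traefik.docker.network=traefik"

networks:
  traefik:
    # Hypothetical network name; it must already exist and be shared
    # with the traefik container.
    external: true
```

Because no host port is published, stopping traefik or removing the labels takes the service off the Internet without touching the container itself.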

Conclusion

I like traefik because it will let you add or remove services without restarting the traefik daemon. Furthermore, I like the docker integration and how I can start dockers using docker run or docker-compose. Traefik can handle much more than just docker run and docker compose (see Appendix below). This is awesome!

I have written this tutorial as I am planning to release more docker articles in the future. I do not want to explain traefik and docker in every upcoming article and therefore, this article shall be considered as the foundation.

Thank you for Reading

Cheers, Ivan
ivan.buetler@compass-security.com

Appendix

List of traefik providers at the time of writing (June 12th, 2018)

Docker Hacks

Use Docker for Fun & Profit
