Traefik and Docker Services

Ivan Bütler
Published in Docker Hacks

June 12th, 2018

I run all my docker services ‘behind’ traefik (https://traefik.io/). I do not want to have my (hundreds of) docker services directly accessible from the Internet (security). I do not want to create and handle SSL/TLS certificates for all the docker services. Therefore I am using an SSL wildcard certificate and point it to my traefik IP address. Traefik terminates TLS/SSL and happily routes all my HTTP or HTTPS requests, based on HOST or URL pattern rules, to the designated back-end service. Furthermore, traefik is docker-aware and allows registering or unregistering docker services without restarting traefik.

Traefik Configuration

Traefik is configured with a file called “traefik.toml”. The example below is being used in my test environment.

Traefik Status Page

In the default configuration, traefik provides a nice status page on port 8080. In the picture below, the link “docker” discloses the on-demand mappings, whereas the link “file” defines the static mappings. You will find [docker] and [file] sections in my sample traefik.toml above. Access to the status page can be disabled or IP-whitelisted (but not in my test env).

docker tab (on-demand rules)

How to start a Traefik-aware Docker?

If you want to start a docker ‘behind’ traefik, the docker command must register the newly created docker using so-called “traefik labels”.

Example 1: Launch Docker with “docker run” and traefik labels

docker run example

This will launch the docker hackinglab/alpine-gotty-root ‘behind’ traefik with the FQDN = gotty-root.idocker.hacking-lab.com. The DNS will respond to anything ending with .idocker.hacking-lab.com with the IP address of the traefik service. Once the docker is launched, one can access it from the internet: https://gotty-root.idocker.hacking-lab.com/

the resulting docker launched with docker run

Example 2: Launch Docker with “docker-compose” and traefik labels

docker-compose example

First I want to stop my previous docker instance using “docker stop”. Second, I will launch the same docker using docker-compose.

stop first docker and start docker with docker-compose

As I am spinning up the same docker as with docker run, the service looks identical.

the resulting docker launched with docker-compose

Conclusion

I like traefik because it will let you add or remove services without restarting the traefik daemon. Furthermore, I like the docker integration and how I can start dockers using docker run or docker-compose. Traefik can handle much more than just docker run and docker compose (see Appendix below). This is awesome!

I have written this tutorial as I am planning to release more docker articles in the future. I do not want to explain traefik and docker in every upcoming article and therefore, this article shall be considered as the foundation.

Thank you for Reading

Cheers, Ivan
ivan.buetler@compass-security.com

Appendix

List of traefik providers at the time of writing (June 12th, 2018)
