June 12th, 2018
I run all my docker services ‘behind’ traefik (https://traefik.io/). I do not want to have my (hundreds of) docker services directly accessible from the Internet (security). I do not want to create and handle SSL/TLS certificates for all the docker services. Therefore I am using an SSL wildcard certificate and point it to my traefik IP address. Traefik terminates TLS/SSL and happily routes all my HTTP or HTTPS requests, based on HOST or URL pattern rules, to the designated back-end service. Furthermore, traefik is docker-aware and allows registering or unregistering docker services without restarting traefik.
Traefik is configured with a file called “traefik.toml”. The example below is being used in my test environment.
Traefik Status Page
In the default configuration, traefik provides a nice status page on port 8080. In the picture below, the link “docker” discloses the on-demand mappings, while the link “file” defines the static mappings. You will find [docker] and [file] sections in my sample traefik.toml above. Access to the status page can be disabled or IP-whitelisted (but not in my test env).
How to start a Traefik-aware Docker?
If you want to start a docker ‘behind’ traefik, the docker command must register the newly created docker using so-called “traefik labels”.
Example 1: Launch Docker with “docker run” and traefik labels
This will launch the docker hackinglab/alpine-gotty-root ‘behind’ traefik with the FQDN = gotty-root.idocker.hacking-lab.com. The DNS will respond to anything ending with .idocker.hacking-lab.com with the IP address of the traefik service. Once the docker is launched, one can access it from the internet: https://gotty-root.idocker.hacking-lab.com/
Example 2: Launch Docker with “docker-compose” and traefik labels
First I want to stop my previous docker instance using “docker stop”. Second, I will launch the same docker using docker-compose.
As I am spinning up the same docker as with docker run, the service looks identical.
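A docker-compose.yml of the kind described in Example 2, as an added example (not the author's original file). It uses the Traefik 1.x label syntax that was current when this article was written. Assumptions: the external network name `traefik_net` is hypothetical, and the container port 8080 is assumed because it is gotty's default listen port.

```yaml
# Added example, not the original file from this article.
version: "3"

services:
  gotty-root:
    image: hackinglab/alpine-gotty-root
    # Deliberately no "ports:" section. The container publishes nothing on
    # the docker host, so the only path from the Internet is through
    # traefik, which terminates TLS with the wildcard certificate.
    networks:
      - traefik_net
    labels:
      # Register this container with traefik's docker provider.
      - "traefik.enable=true"
      # Route requests by Host header (Traefik 1.x frontend rule syntax).
      - "traefik.frontend.rule=Host:gotty-root.idocker.hacking-lab.com"
      # Port traefik connects to inside the container (assumed: gotty default).
      - "traefik.port=8080"
      # Tell traefik which network to use to reach the container.
      - "traefik.docker.network=traefik_net"

networks:
  # Assumed name of a pre-existing network shared with the traefik container.
  traefik_net:
    external: true
```

Setting `exposedbydefault = false` in the `[docker]` section of traefik.toml makes `traefik.enable=true` mandatory, so containers without that label are never routed by accident.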
I like traefik because it will let you add or remove services without restarting the traefik daemon. Furthermore, I like the docker integration and how I can start dockers using docker run or docker-compose. Traefik can handle much more than just docker run and docker compose (see Appendix below). This is awesome!
I have written this tutorial as I am planning to release more docker articles in the future. I do not want to explain traefik and docker in every upcoming article and therefore, this article shall be considered as the foundation.
Thank you for Reading
List of traefik providers at the time of writing (June 12th, 2018)