Deploy Traefik Reverse Proxy
Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. It integrates deeply with Docker Swarm to automatically discover services and configure routing dynamically.
Prerequisites
- A Project configured in Octos Cloud.
- A Virtual Network and Subnet.
- A Virtual Router with a Floating IP attached.
- An Instance running Docker Swarm.
Traefik Configuration
Create a docker-compose.yml file to deploy Traefik and deploy it from a manager node with docker stack deploy. This configuration uses Traefik's Swarm provider (available in Traefik v3) and automates TLS certificate issuance via Let's Encrypt. Services are not routed unless they explicitly opt in with a traefik.enable=true label, and the dashboard is only reachable over HTTPS behind basic authentication.
```yaml
version: '3.8'
services:
  traefik:
    # Pin to a v3 tag: the Swarm provider used below exists only in Traefik v3.
    # Prefer a specific v3.x release in production over a moving tag.
    image: traefik:v3
    environment:
      - DOCKER_API_VERSION=1.44
    command:
      - "--accesslog=true"
      - "--metrics.prometheus=true"
      # Enable Swarm provider; services are routed only when they carry traefik.enable=true
      - "--providers.swarm=true"
      - "--providers.swarm.exposedbydefault=false"
      - "--providers.swarm.network=traefik-public"
      # Entry points
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Automatic HTTP to HTTPS redirect (entrypoint level, so no per-router middleware is needed)
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      # Let's Encrypt configuration: one ACME challenge type per resolver.
      # TLS-ALPN-01 is answered on port 443, so no HTTP challenge entrypoint is configured.
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.email=user@yourdomain.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      # Enable dashboard. api.insecure must stay false: when true, Traefik also serves
      # the API and dashboard unauthenticated on port 8080, reachable from any
      # container on the attachable overlay network.
      - "--api.dashboard=true"
      - "--api.insecure=false"
      - "--log.level=INFO"
    ports:
      # Publish ports in 'host' mode: bypasses the routing mesh so the real client IP is preserved
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    volumes:
      # ':ro' prevents writes to the socket file, not API calls through it:
      # whatever can talk to this socket controls the Docker host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certificates:/letsencrypt
    networks:
      - traefik-public
    deploy:
      placement:
        constraints:
          - node.role == manager
      replicas: 1
      labels:
        - "traefik.enable=true"
        # Dashboard routing
        - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.yourdomain.com`)"
        - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
        - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
        - "traefik.http.routers.traefik-dashboard.service=api@internal"
        # Dummy port: the Swarm provider requires a server port label even though api@internal ignores it
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
        # Dashboard authentication: htpasswd-style hash with every '$' doubled,
        # because Compose treats a single '$' as variable interpolation
        - "traefik.http.routers.traefik-dashboard.middlewares=auth"
        - "traefik.http.middlewares.auth.basicauth.users=user:$$apr1$$..."
networks:
  traefik-public:
    driver: overlay
    name: traefik-public
    attachable: true
volumes:
  traefik-certificates:
    name: traefik-certificates
```
Best Practices
- Host Mode Ports: Ports `80` and `443` are published in `host` mode to bypass the Swarm routing mesh, which would otherwise source-NAT connections through the ingress network and hide the real client IP from Traefik. The trade-off is that the ports are bound only on the node where the single Traefik replica runs, so the Floating IP must route to that manager node.
- Dashboard Security: The dashboard API (`api@internal`) is exposed via a router rule and protected by a `basicauth` middleware. Keep `--api.insecure=false`; otherwise the same API is also served unauthenticated on port 8080. Generate a strong hash with `htpasswd -nbB user` (apache2-utils) and double every `$` before placing it in the `labels`, because Compose interpolates `$VAR` in label values.
- Docker Socket: Traefik needs the socket to discover services, and anything that can call the socket controls the host; the `:ro` mount flag only prevents writes to the socket file, not API calls. Treat the Traefik container as being as trusted as the manager node it runs on.
- Persistent Certificates: The `traefik-certificates` volume persists the Let's Encrypt `acme.json` file across container restarts, so certificates are not re-issued on every restart and you stay under Let's Encrypt's issuance rate limits. Traefik refuses to use an `acme.json` that is readable by others; it must have mode `0600` (Traefik creates it that way when the file does not yet exist).
- Overlay Network: A dedicated overlay network (`traefik-public`) lets backend services running on different worker Instances be reached by Traefik without publishing their own ports; `attachable: true` also allows standalone containers to join. Overlay traffic between nodes is not encrypted by default; add `driver_opts: encrypted: "true"` to the network definition if that traffic crosses links you do not trust.
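To show how these pieces fit together, here is an added shell helper (example code written for this page, not part of the Octos Cloud docs or the Traefik project). It escapes an htpasswd hash for use in the `basicauth` label, renders a stack file for a backend service that opts in to routing over `traefik-public`, and, when invoked with `deploy`, deploys the Traefik stack above followed by the backend stack. The stack names `traefik` and `whoami`, the hostname `whoami.yourdomain.com` and the `traefik/whoami` test image are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the Octos Cloud page or the Traefik project).
# Assumed names: stacks "traefik" and "whoami", host whoami.yourdomain.com,
# and the "traefik-public" network declared by the Traefik stack file.
set -eu

# Compose/stack files expand "$VAR"; every literal "$" in a label value,
# such as the "$apr1$" or "$2y$" markers of an htpasswd hash, must be "$$".
escape_compose_dollars() {
  printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# Build the basicauth middleware label from a user name and an htpasswd-style
# hash (for example the output of: htpasswd -nbB user 'password').
basicauth_label() {
  printf 'traefik.http.middlewares.auth.basicauth.users=%s:%s' \
    "$1" "$(escape_compose_dollars "$2")"
}

# Emit a stack file for a backend service that opts in to Traefik routing.
# exposedbydefault=false means services stay invisible until they carry
# traefik.enable=true; the loadbalancer.server.port label is required with
# the Swarm provider because published ports are not inspected. Labels go
# under deploy.labels (service labels), which is what the Swarm provider reads.
render_backend_stack() {
  host="$1"
  cat <<EOF
version: '3.8'
services:
  whoami:
    image: traefik/whoami
    networks:
      - traefik-public
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.rule=Host(\`${host}\`)"
        - "traefik.http.routers.whoami.entrypoints=websecure"
        - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
networks:
  traefik-public:
    external: true
EOF
}

# Run on a manager node: the Traefik stack creates traefik-public, then the
# backend stack joins it as an external network.
deploy() {
  docker stack deploy -c docker-compose.yml traefik
  render_backend_stack whoami.yourdomain.com > whoami-stack.yml
  docker stack deploy -c whoami-stack.yml whoami
}

# Only touch Docker when explicitly asked; otherwise print the rendered stack file.
case "${1:-}" in
  deploy) deploy ;;
  *) render_backend_stack "${1:-whoami.yourdomain.com}" ;;
esac
```

Run it with no arguments to inspect the generated backend stack file, and with `deploy` on the manager once the Traefik stack file from this page is in the working directory. Because the backend service publishes no ports of its own, it is reachable only through Traefik on the overlay network.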