Deploy Traefik Reverse Proxy

Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. It integrates deeply with Docker Swarm to automatically discover services and configure routing dynamically.

Prerequisites

  1. A Project configured in Octos Cloud.
  2. A Virtual Network and Subnet.
  3. A Virtual Router with a Floating IP attached.
  4. An Instance running Docker Swarm.

Traefik Configuration

Create a docker-compose.yml file to deploy Traefik. This configuration uses Traefik's Docker Swarm provider and automates TLS certificate issuance via Let's Encrypt (ACME). Note that `$` characters inside label values (such as the basicauth hash) must be written as `$$` so that docker stack deploy does not treat them as variable references.

version: '3.8'

services:
  traefik:
    image: traefik:latest
    environment:
      - DOCKER_API_VERSION=1.44
    command:
      - "--accesslog=true"
      - "--metrics.prometheus=true"
      # Enable Swarm provider
      - "--providers.swarm=true"
      - "--providers.swarm.exposedbydefault=false"
      - "--providers.swarm.network=traefik-public"

      # Entry points
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"

      # Automatic HTTP to HTTPS redirect
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

      # Let's Encrypt configuration
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.email=user@yourdomain.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      # HTTP-01 challenge on the web entry point; the TLS-ALPN-01 challenge
      # above is sufficient on its own because port 443 is published
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"

      # Enable dashboard
      - "--api.dashboard=true"
      # Keep the unauthenticated API/dashboard listener on :8080 disabled;
      # the dashboard is reachable only through the basicauth-protected router below
      - "--api.insecure=false"
      - "--log.level=INFO"

    ports:
      # Publish ports using 'host' mode so Traefik sees the real client IP
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host

    volumes:
      # Read-only access to the Docker socket for service discovery
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Persist acme.json so certificates survive restarts
      - traefik-certificates:/letsencrypt

    networks:
      - traefik-public

    deploy:
      placement:
        constraints:
          # The Docker socket is only usable on a manager node
          - node.role == manager
      replicas: 1
      labels:
        - "traefik.enable=true"
        # Dashboard routing
        - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.yourdomain.com`)"
        - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
        - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
        - "traefik.http.routers.traefik-dashboard.service=api@internal"
        # The Swarm provider requires a service port label even though the router targets api@internal
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
        # Force HTTPS (optional here: the entry point redirect above already covers it)
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
        # Dashboard authentication setup; '$' in the hash is escaped as '$$'
        - "traefik.http.routers.traefik-dashboard.middlewares=auth"
        - "traefik.http.middlewares.auth.basicauth.users=user:$$apr1$$..."

networks:
  traefik-public:
    driver: overlay
    name: traefik-public
    attachable: true

volumes:
  traefik-certificates:
    name: traefik-certificates

Best Practices

  1. Host Mode Ports: We publish ports 80 and 443 in host mode to bypass the Docker Swarm routing mesh, ensuring Traefik sees the real client IP addresses rather than the address of the ingress load balancer.
  2. Dashboard Security: The dashboard API (api@internal) is exposed via a router rule but secured using a basicauth middleware. Always generate a strong basic auth hash, escape each `$` in it as `$$`, and place it in the labels; keep the insecure API listener disabled so the dashboard is never reachable without authentication.
  3. Persistent Certificates: The traefik-certificates volume ensures your Let's Encrypt acme.json file is persisted across container restarts, so Traefik does not re-request certificates on every start and hit Let's Encrypt rate limits.
  4. Overlay Network: Using an overlay network (traefik-public) allows backend services running on different worker Instances to connect securely to Traefik.
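As an added example for item 2 (this script is not part of the Octos Cloud page or of the Traefik project), the POSIX shell functions below generate the `user:hash` value for the basicauth label, apply the `$$` escaping that compose and docker stack deploy require, and verify a candidate password against the escaped value. They assume `openssl` is installed; the username and password used at the bottom are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl is available.

# Hash a password with the Apache MD5 (apr1) scheme accepted by Traefik's basicauth middleware.
hash_password() {
  # $1 = plaintext password; openssl picks a random salt
  openssl passwd -apr1 "$1"
}

# Escape every '$' as '$$' so the compose file does not interpolate it as a variable.
escape_for_compose() {
  printf '%s' "$1" | sed 's/\$/$$/g'
}

# Build the complete label value: "user:<hash>" with compose escaping applied.
basicauth_label_value() {
  # $1 = username, $2 = plaintext password
  ba_user=$1
  ba_hash=$(hash_password "$2")
  escape_for_compose "$ba_user:$ba_hash"
}

# Check a candidate password against an escaped label value by re-hashing with the stored salt.
verify_password() {
  # $1 = "user:$$apr1$$<salt>$$<hash>" exactly as written in the label, $2 = candidate password
  vp_unescaped=$(printf '%s' "$1" | sed 's/\$\$/$/g')
  vp_stored=${vp_unescaped#*:}                       # drop "user:"
  vp_salt=$(printf '%s' "$vp_stored" | cut -d'$' -f3) # fields: "", apr1, salt, hash
  [ "$(openssl passwd -apr1 -salt "$vp_salt" "$2")" = "$vp_stored" ]
}

# Sample usage with constructed credentials; paste the printed line into the labels section.
label_value=$(basicauth_label_value admin 'change-me-S3cure')
printf -- '- "traefik.http.middlewares.auth.basicauth.users=%s"\n' "$label_value"
```

The salted apr1 hash is different on every run, so compare credentials with `verify_password` rather than by re-generating and diffing strings; the same function also catches the common mistake of pasting a hash without doubling the `$` signs, since the unescape step then yields a malformed value that no longer verifies.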