Update traefik posts

Aloïs Micard 2020-12-07 13:50:02 +01:00
parent 55d6d269b3
commit 1829f23a06
2 changed files with 95 additions and 57 deletions

View file

@ -2,23 +2,27 @@
title = "How to expose Traefik 2.x dashboard securely on Docker Swarm"
date = "2020-01-12"
author = "Aloïs Micard"
authorTwitter = "" #do not include @
authorTwitter = "" #do not include @
cover = ""
tags = ["Docker Swarm", "Dev Ops"]
keywords = ["", ""]
description = ""
showFullContent = false
showFullContent = false
+++
This article is part of a series about Docker Swarm. For the first article please check [here](https://blog.creekorful.com/how-to-install-traefik-2-docker-swarm/).
This article is part of a series about Docker Swarm. For the first article please
check [here](https://blog.creekorful.com/how-to-install-traefik-2-docker-swarm/).
On this short tutorial you'll learn how to deploy securely the Traefik built-in dashboard with HTTPS support and basic authentication system.
On this short tutorial you'll learn how to deploy securely the Traefik built-in dashboard with HTTPS support and basic
authentication system.
This article assume that you have a working Docker Swarm cluster with Traefik running with HTTPS support. If not you can following [this article](https://blog.creekorful.com/how-to-install-traefik-2-docker-swarm/) to get started.
This article assume that you have a working Docker Swarm cluster with Traefik running with HTTPS support. If not you can
following [this article](https://blog.creekorful.com/how-to-install-traefik-2-docker-swarm/) to get started.
------
Traefik 2.0 has introduced a brand new dashboard app that allows a quick view on the configuration. This is useful to view configured entrypoints, existing routers, services, ...
Traefik 2.0 has introduced a brand new dashboard app that allows a quick view on the configuration. This is useful to
view configured entrypoints, existing routers, services, ...
![Traefik dashboard](/img/traefik-dashboard.png)
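Review bot: the reflow keeps the grammar slips in the intro: "On this short tutorial" should be "In this short tutorial", "This article assume" should be "This article assumes", and "you can following" should be "you can follow". Since the lines are being rewrapped anyway, this is the place to fix them.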
@ -26,7 +30,8 @@ Traefik 2.0 has introduced a brand new dashboard app that allows a quick view on
## Enable the Dashboard and the API
Let's take the final docker compose file from the [first tutorial](https://blog.creekorful.com/how-to-install-traefik-2-docker-swarm/) and add some instructions:
Let's take the final docker compose file from
the [first tutorial](https://blog.creekorful.com/how-to-install-traefik-2-docker-swarm/) and add some instructions:
```yaml
version: '3'
@ -35,8 +40,6 @@ services:
reverse-proxy:
image: traefik:v2.0.2
command:
- "--api=true"
- "--api.dashboard=true"
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.swarmMode=true"
- "--providers.docker.exposedbydefault=false"
@ -47,6 +50,7 @@ services:
- "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.letsencryptresolver.acme.email=user@domaine.com"
- "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
- "--api.dashboard=true"
ports:
- 80:80
- 443:443
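Review bot: together with the previous hunk this drops `--api=true` and keeps only `--api.dashboard=true`, so the API is now enabled implicitly (Traefik 2 treats any `api.*` option as enabling the `api` section). That works, but because the post then routes `api@internal` through a basicauth middleware, the updated explanation should say that the dashboard is not reachable on any entrypoint by itself (no `--api.insecure`) and only becomes exposed by the router defined later; otherwise a reader copying `--api.insecure=true` from other examples ends up with the dashboard served unauthenticated on its own port.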
@ -60,6 +64,8 @@ services:
constraints:
- node.role == manager
labels:
- "traefik.enable=true"
- "traefik.http.services.traefik.loadbalancer.server.port=888" # required by swarm but not used.
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
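Review bot: the two added labels are what make the catch-all redirect actually work and the prose should say so: with `--providers.docker.exposedbydefault=false` set above, Traefik ignores its own service until `traefik.enable=true` is present, and in Swarm mode a router must resolve to a service with an explicit port, which the dummy `traefik` service on port 888 provides (the redirect middleware answers before anything is proxied to it). The text below this block only documents the `http-catchall` labels, so a one-line explanation of these two is worth adding.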
@ -73,23 +79,19 @@ networks:
------
```yaml
- "--api=true"
```
Enable the Traefik API. The API will be used by the Dashboard to get the configuration of all routers, services, etc...
```yaml
- "--api.dashboard=true"
```
Enable the Dashboard web interface, that's the page we will connect to.
Enable the Dashboard web interface & the Traefik API.
## Expose the dashboard securely
Now that you have enabled the API and the Dashboard you'll need to expose it. It can be done in multiple way, here we'll choose to expose it via HTTPS using Traefik: a ***traefik-ception***.
Now that you have enabled the API and the Dashboard you'll need to expose it. It can be done in multiple way, here we'll
choose to expose it via HTTPS using Traefik: a ***traefik-ception***.
The Traefik dashboard is available using a service called api@internal so all you have to do is to expose this service. The following compose file will do it:
The Traefik dashboard is available using a service called api@internal so all you have to do is to expose this service.
The following compose file will do it:
```yaml
version: '3'
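Review bot: replacing the two per-flag explanations with the single line "Enable the Dashboard web interface & the Traefik API." is consistent with the compose change, but the dropped sentence explaining that the dashboard reads routers, services and entrypoints through the API was the useful part. Suggest keeping it, e.g. "Enable the dashboard web interface and the Traefik API the dashboard reads the configuration from."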
@ -108,6 +110,7 @@ services:
- "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.letsencryptresolver.acme.email=user@domaine.com"
- "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
- "--api.dashboard=true"
ports:
- 80:80
- 443:443
@ -124,6 +127,7 @@ services:
- node.role == manager
labels:
- "traefik.enable=true"
- "traefik.http.services.traefik.loadbalancer.server.port=888" # required by swarm but not used.
- "traefik.http.routers.traefik.rule=Host(`traefik-ui.local`)"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.tls.certresolver=letsencryptresolver"
@ -143,7 +147,9 @@ networks:
- "traefik.http.routers.traefik.tls.certresolver=letsencryptresolver"
```
Configure the exposure of the Traefik dashboard on the **traefik-ui.local** domain name, using the websecure entrypoint with the letsencryptresolver. If you want more information about how to configure these, just check my [first blog post about Traefik](https://blog.creekorful.com/how-to-install-traefik-2-docker-swarm/).
Configure the exposure of the Traefik dashboard on the **traefik-ui.local** domain name, using the websecure entrypoint
with the letsencryptresolver. If you want more information about how to configure these, just check
my [first blog post about Traefik](https://blog.creekorful.com/how-to-install-traefik-2-docker-swarm/).
```yaml
- "traefik.http.routers.traefik.service=api@internal"
@ -155,7 +161,8 @@ And that's it ! Now Traefik should be available on traefik-ui.local.
## Adding a basic authentication system
If you intend to expose Traefik to the outside world, it is essential to add an authentication system otherwise everyone can access your dashboard. Hopefully this can be done easily using Traefik built-in middleware system.
If you intend to expose Traefik to the outside world, it is essential to add an authentication system otherwise everyone
can access your dashboard. Hopefully this can be done easily using Traefik built-in middleware system.
```yaml
version: '3'
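Review bot: "Hopefully this can be done easily" reads as uncertainty; "Fortunately this can be done easily using Traefik's built-in middleware system" is what is meant, and "Traefik built-in" wants the possessive.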
@ -174,6 +181,7 @@ services:
- "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.letsencryptresolver.acme.email=user@domaine.com"
- "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
- "--api.dashboard=true"
ports:
- 80:80
- 443:443
@ -190,6 +198,7 @@ services:
- node.role == manager
labels:
- "traefik.enable=true"
- "traefik.http.services.traefik.loadbalancer.server.port=888" # required by swarm but not used.
- "traefik.http.routers.traefik.rule=Host(`traefik-ui.local`)"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.tls.certresolver=letsencryptresolver"
@ -209,9 +218,11 @@ networks:
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$8EVjn/nj$$GiLUZqcbueTFeD23SuB6x0"
```
Create a middleware named *traefik-auth*, and define the basic auth users. The users are a comma separated list of the follow format: username:password.
Create a middleware named *traefik-auth*, and define the basic auth users. The users are a comma separated list of the
follow format: username:password.
To generate a password you can use [htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) (here with sed to escape the $ present in the hash):
To generate a password you can use [htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) (here with sed
to escape the $ present in the hash):
```sh
creekorful@localhost ~$: echo $(htpasswd -nb admin admin) | sed -e s/\\$/\\$\\$/g
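Review bot: the hash shown (`$apr1$...`) is MD5-crypt because `htpasswd` defaults to it; Traefik's basicauth middleware also accepts bcrypt, so `htpasswd -nB admin` is the better suggestion, and omitting `-b` makes htpasswd prompt for the password instead of putting `admin admin` on the command line where it lands in shell history. The `$$` doubling via sed is correct since compose files interpolate `$`. Also "the follow format" in the reflowed sentence should read "the following format".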
@ -226,6 +237,7 @@ admin:$$apr1$$8EVjn/nj$$GiLUZqcbueTFeD23SuB6x0
Finally tell Traefik to use the middleware named traefik-auth.
And that's it ! Re deploy your compose file and you should now have a running Traefik instance with the dashboard exposed securely.
And that's it ! Re deploy your compose file and you should now have a running Traefik instance with the dashboard
exposed securely.
Happy hacking !
Happy hacking !

View file

@ -2,25 +2,32 @@
title = "How to install Traefik 2.x on a Docker Swarm"
date = "2019-10-21"
author = "Aloïs Micard"
authorTwitter = "" #do not include @
authorTwitter = "" #do not include @
cover = ""
tags = ["Docker Swarm", "Dev Ops"]
keywords = ["", ""]
description = ""
showFullContent = false
showFullContent = false
+++
have recently migrated my production docker swarm from Traefik 1.7 to Traefik 2.0 and since I cannot found a good tutorial I have decided to write one. So in this tutorial you'll learn how to deploy Traefik with HTTPS support on a docker swarm.
I have recently migrated my production docker swarm from Traefik 1.7 to Traefik 2.0 and since I cannot found a good
tutorial I have decided to write one. So in this tutorial you'll learn how to deploy Traefik with HTTPS support on a
docker swarm.
Please note that I won't explain what Traefik is since it may needs his own article and I will focus on the deployment and configuration. This tutorial will also assume that you have a working docker swarm.
Please note that I won't explain what Traefik is since it may needs his own article and I will focus on the deployment
and configuration. This tutorial will also assume that you have a working docker swarm.
This tutorial will be part of a series regarding Docker Swarm, I'll write other articles to explain how to expose Traefik dashboard securely, deploy Portainer, etc...
This tutorial will be part of a series regarding Docker Swarm, I'll write other articles to explain how to expose
Traefik dashboard securely, deploy Portainer, etc...
# Install Traefik
Please note that Traefik will need to be deployed on a manager node on your swarm. You'll also need to make sure that your firewall on this node is correctly setup to allow both port 80 and 443 (http / https) from outside. This is important because Traefik will listen on these ports for incoming traffic.
Please note that Traefik will need to be deployed on a manager node on your swarm. You'll also need to make sure that
your firewall on this node is correctly setup to allow both port 80 and 443 (http / https) from outside. This is
important because Traefik will listen on these ports for incoming traffic.
The first thing before creating the config file is to create a docker swarm network that will be used by Traefik to watch for services to expose. This can be done in one command:
The first thing before creating the config file is to create a docker swarm network that will be used by Traefik to
watch for services to expose. This can be done in one command:
```
docker network create --driver=overlay traefik-public
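Review bot: the added "I" fixes the dropped subject, but the rest of the reflowed paragraph still reads "since I cannot found a good tutorial" (should be "could not find") and "it may needs his own article" (should be "it may need its own article").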
@ -59,7 +66,7 @@ networks:
external: true
```
This is the minimal amount of config needed to deploy a working Traefik instance.
This is the minimal amount of config needed to deploy a working Traefik instance.
----
@ -81,7 +88,8 @@ Enable swarm mode support by setting swarmMode to true.
- "--providers.docker.exposedbydefault=false"
```
Little security: tell Traefik to not expose container by default: only expose container that are explicitly enabled (using label traefik.enabled).
Little security: tell Traefik to not expose container by default: only expose container that are explicitly enabled (
using label traefik.enabled).
```yaml
- "--providers.docker.network=traefik-public"
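Review bot: the reflow leaves a dangling "(" at the end of the line, and the label named in the sentence is wrong: the label is `traefik.enable` (as used in every example below), not `traefik.enabled`. Suggest: "only expose containers that are explicitly enabled (using the label `traefik.enable=true`)."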
@ -93,11 +101,11 @@ Tell Traefik to dial with exposed containers using traefik-public network. (the
- "--entrypoints.web.address=:80"
```
Create an entrypoint named **web** exposed on port 80. This entrypoint will be used to indicate on which port your application should be exposed.
Create an entrypoint named **web** exposed on port 80. This entrypoint will be used to indicate on which port your
application should be exposed.
This configuration is enough to get started. You can deploy Traefik using the following command:
```sh
docker stack deploy traefik -c traefik.yaml
```
@ -106,7 +114,8 @@ Great. Now we will deploy something.
# Deploy and expose a hello-world container
Now it's time to deploy something on your swarm to test the configuration. For this example we are going to deploy tutum/hello-world a little container with an apache service that display an "Hello World" page.
Now it's time to deploy something on your swarm to test the configuration. For this example we are going to deploy
tutum/hello-world a little container with an apache service that display an "Hello World" page.
```yaml
version: '3'
@ -114,7 +123,7 @@ services:
helloworld:
image: tutum/hello-world:latest
networks:
- traefik-public
- traefik-public
deploy:
labels:
- "traefik.enable=true"
@ -126,7 +135,8 @@ networks:
external: true
```
The labels sections is read by Traefik to get the configuration of the container and to create the needed components to expose it.
The labels sections is read by Traefik to get the configuration of the container and to create the needed components to
expose it.
---
@ -134,7 +144,8 @@ The labels sections is read by Traefik to get the configuration of the container
- "traefik.enable=true"
```
This flag tells Traefik to expose the container, needed because we explicitly disable container auto exposition with providers.docker.exposedbydefault.
This flag tells Traefik to expose the container, needed because we explicitly disable container auto exposition with
providers.docker.exposedbydefault.
```yaml
- "traefik.http.routers.helloworld.rule=Host(`localhost`)"
@ -146,7 +157,8 @@ Create a Host Matching rule. Here we tell Traefik to redirect all traffic coming
- "traefik.http.routers.helloworld.entrypoints=web"
```
Tells Traefik that this container will be exposed using the web entrypoint. (the name correspond with the entrypoint previously created in Traefik).
Tells Traefik that this container will be exposed using the web entrypoint. (the name correspond with the entrypoint
previously created in Traefik).
```yaml
- "traefik.http.services.helloworld.loadbalancer.server.port=80"
@ -156,15 +168,20 @@ Indicate to Traefik that the container expose the port 80 internally. This is ne
---
Now if you access the page at http://localhost you'll be redirect to Traefik that will proxify the content of the helloworld container.
Now if you access the page at http://localhost you'll be redirect to Traefik that will proxify the content of the
helloworld container.
# Add HTTPS support
If you have followed this tutorial carefully you should now have a working Traefik instance and a helloworld service running and accessible on http://localhost. This is working but not secure: you should always use HTTPS when possible. Thankfully this can be done easily in Traefik.
If you have followed this tutorial carefully you should now have a working Traefik instance and a helloworld service
running and accessible on http://localhost. This is working but not secure: you should always use HTTPS when possible.
Thankfully this can be done easily in Traefik.
In this tutorial we are going to use the [HTTP challenge](https://letsencrypt.org/docs/challenge-types/) to automatically generate a Letsencrypt certificate.
In this tutorial we are going to use the [HTTP challenge](https://letsencrypt.org/docs/challenge-types/) to
automatically generate a Letsencrypt certificate.
I won't go in the details to explain how the HTTP-01 challenge work, but basically all you have to do is to add/update the A record of your DNS zone to point to your docker swarm manager IP address. (where Traefik is exposed).
I won't go in the details to explain how the HTTP-01 challenge work, but basically all you have to do is to add/update
the A record of your DNS zone to point to your docker swarm manager IP address. (where Traefik is exposed).
```yaml
version: '3'
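Review bot: wording in the reflowed lines: "you'll be redirect to Traefik that will proxify" should read "you'll be redirected to Traefik, which will proxy", and "how the HTTP-01 challenge work" should be "works". It is also worth restating here that the HTTP-01 challenge needs port 80 on the manager node reachable from the internet, which the firewall note at the top of the article already covers.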
@ -212,7 +229,8 @@ I will explain the new parts:
- "--entrypoints.websecure.address=:443"
```
Create an entrypoint named **websecure** exposed on port **443** (https). This entrypoint will be used to indicate on which port your application should be exposed.
Create an entrypoint named **websecure** exposed on port **443** (https). This entrypoint will be used to indicate on
which port your application should be exposed.
```yaml
- "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
@ -236,7 +254,9 @@ The email used to create a letsencrypt account
- "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
```
Where do Traefik will persist the certificate. This location should be bound to a [volume](https://docs.docker.com/storage/volumes/) to be persisted between container restart. Here we are saving to /letsencrypt/ directory, who is mounted as volume traefik-certificates (see traefik.yaml for details)
Where do Traefik will persist the certificate. This location should be bound to
a [volume](https://docs.docker.com/storage/volumes/) to be persisted between container restart. Here we are saving to
/letsencrypt/ directory, who is mounted as volume traefik-certificates (see traefik.yaml for details)
## Update hello-world to use HTTPS config
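Review bot: "Where do Traefik will persist the certificate" should read "Where Traefik will persist the certificates", and "who is mounted" should be "which is mounted". Worth adding that acme.json also holds the ACME account key and the certificates' private keys, which is why Traefik requires the file to be mode 600 and why it belongs on a volume rather than somewhere other users can read.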
@ -248,7 +268,7 @@ services:
helloworld:
image: tutum/hello-world:latest
networks:
- traefik-public
- traefik-public
deploy:
labels:
- "traefik.enable=true"
@ -279,24 +299,29 @@ To specify which certificate resolver we wanna use. Here we are using the letsen
---
Easy right? Once the stack is redeployed Traefik will then ask Letsencrypt to generate a SSL certificate for the domain helloworld.local and Traefik will use it when exposing your application.
Easy right? Once the stack is redeployed Traefik will then ask Letsencrypt to generate a SSL certificate for the domain
helloworld.local and Traefik will use it when exposing your application.
N.B: Of course this example won't work since you cannot proove that you own the helloworld.local domain. (.local is a reserved TLD used for local area network)
N.B: Of course this example won't work since you cannot proove that you own the helloworld.local domain. (.local is a
reserved TLD used for local area network)
## Bonus: Create an automatic HTTPS redirect
If you want to redirect all HTTP traffic to HTTPS it can be done by easily by using a Middleware. Just add the following labels to to the Traefik configuration file.
If you want to redirect all HTTP traffic to HTTPS it can be done by easily by using a Middleware. Just add the following
labels to to the Traefik configuration file.
```yaml
labels:
- "traefik.enable=true"
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.enable=true"
- "traefik.http.services.traefik.loadbalancer.server.port=888" # required by swarm but not used.
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
```
It will create a router named *http-catchall* that will intercept all HTTP request (using the hostregexp) and will forward it to the router named redirect-to-https. This router will perform a redirection to the HTTPS scheme.
It will create a router named *http-catchall* that will intercept all HTTP request (using the hostregexp) and will
forward it to the router named redirect-to-https. This router will perform a redirection to the HTTPS scheme.
---
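Review bot: the explanation under the block is wrong about the component type: `redirect-to-https` is a middleware (`traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https`), not a router; the `http-catchall` router applies the middleware, which answers with a redirect to the https scheme. Suggest "and will apply the middleware named redirect-to-https, which redirects the client to the HTTPS scheme." The added `traefik.enable=true` and port-888 labels are needed here for the same reason as in the first file: with `exposedbydefault=false` the Traefik service is otherwise not picked up by the Docker provider, and Swarm mode needs a service port for the router. Also "proove" should be "prove" and "done by easily" should be "done easily" in the reflowed lines above.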
@ -333,6 +358,7 @@ services:
- node.role == manager
labels:
- "traefik.enable=true"
- "traefik.http.services.traefik.loadbalancer.server.port=888" # required by swarm but not used.
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
@ -344,4 +370,4 @@ networks:
external: true
```
Long live Docker Swarm and Happy hacking !
Long live Docker Swarm and Happy hacking !