Update traefik posts
This commit is contained in:
parent
55d6d269b3
commit
1829f23a06
2 changed files with 95 additions and 57 deletions
|
@ -2,25 +2,32 @@
|
|||
title = "How to install Traefik 2.x on a Docker Swarm"
|
||||
date = "2019-10-21"
|
||||
author = "Aloïs Micard"
|
||||
authorTwitter = "" #do not include @
|
||||
authorTwitter = "" #do not include @
|
||||
cover = ""
|
||||
tags = ["Docker Swarm", "Dev Ops"]
|
||||
keywords = ["", ""]
|
||||
description = ""
|
||||
showFullContent = false
|
||||
showFullContent = false
|
||||
+++
|
||||
|
||||
have recently migrated my production docker swarm from Traefik 1.7 to Traefik 2.0 and since I cannot found a good tutorial I have decided to write one. So in this tutorial you'll learn how to deploy Traefik with HTTPS support on a docker swarm.
|
||||
I have recently migrated my production docker swarm from Traefik 1.7 to Traefik 2.0 and since I cannot found a good
|
||||
tutorial I have decided to write one. So in this tutorial you'll learn how to deploy Traefik with HTTPS support on a
|
||||
docker swarm.
|
||||
|
||||
Please note that I won't explain what Traefik is since it may needs his own article and I will focus on the deployment and configuration. This tutorial will also assume that you have a working docker swarm.
|
||||
Please note that I won't explain what Traefik is since it may needs his own article and I will focus on the deployment
|
||||
and configuration. This tutorial will also assume that you have a working docker swarm.
|
||||
|
||||
This tutorial will be part of a series regarding Docker Swarm, I'll write other articles to explain how to expose Traefik dashboard securely, deploy Portainer, etc...
|
||||
This tutorial will be part of a series regarding Docker Swarm, I'll write other articles to explain how to expose
|
||||
Traefik dashboard securely, deploy Portainer, etc...
|
||||
|
||||
# Install Traefik
|
||||
|
||||
Please note that Traefik will need to be deployed on a manager node on your swarm. You'll also need to make sure that your firewall on this node is correctly setup to allow both port 80 and 443 (http / https) from outside. This is important because Traefik will listen on these ports for incoming traffic.
|
||||
Please note that Traefik will need to be deployed on a manager node on your swarm. You'll also need to make sure that
|
||||
your firewall on this node is correctly setup to allow both port 80 and 443 (http / https) from outside. This is
|
||||
important because Traefik will listen on these ports for incoming traffic.
|
||||
|
||||
The first thing before creating the config file is to create a docker swarm network that will be used by Traefik to watch for services to expose. This can be done in one command:
|
||||
The first thing before creating the config file is to create a docker swarm network that will be used by Traefik to
|
||||
watch for services to expose. This can be done in one command:
|
||||
|
||||
```
|
||||
docker network create --driver=overlay traefik-public
|
||||
|
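Review bot: the reflowed intro keeps the typos of the old line: "cannot found" should be "cannot find" and "may needs his own article" should be "may need its own article"; fix them while re-wrapping. The front matter also leaves `keywords = ["", ""]` and `description = ""` empty; fill them or drop the keys rather than shipping empty values. Lastly, the "must be deployed on a manager node" paragraph never says why: the docker provider has to reach a manager's Docker API (the docker socket in the usual setup), which hands the Traefik container control over the whole swarm, so a one-line warning that this container is as sensitive as the manager itself belongs next to the firewall remark.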
@ -59,7 +66,7 @@ networks:
|
|||
external: true
|
||||
```
|
||||
|
||||
This is the minimal amount of config needed to deploy a working Traefik instance.
|
||||
This is the minimal amount of config needed to deploy a working Traefik instance.
|
||||
|
||||
----
|
||||
|
||||
|
@ -81,7 +88,8 @@ Enable swarm mode support by setting swarmMode to true.
|
|||
- "--providers.docker.exposedbydefault=false"
|
||||
```
|
||||
|
||||
Little security: tell Traefik to not expose container by default: only expose container that are explicitly enabled (using label traefik.enabled).
|
||||
Little security: tell Traefik to not expose container by default: only expose container that are explicitly enabled (
|
||||
using label traefik.enabled).
|
||||
|
||||
```yaml
|
||||
- "--providers.docker.network=traefik-public"
|
||||
|
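Review bot: the label name in the re-wrapped sentence is wrong: the opt-in label is `traefik.enable=true` (exactly what the hello-world stack below uses), not `traefik.enabled`. The wrap also strands a "(" at the end of the first line with "using label" on the next; move the whole parenthesis onto one line.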
@ -93,11 +101,11 @@ Tell Traefik to dial with exposed containers using traefik-public network. (the
|
|||
- "--entrypoints.web.address=:80"
|
||||
```
|
||||
|
||||
Create an entrypoint named **web** exposed on port 80. This entrypoint will be used to indicate on which port your application should be exposed.
|
||||
Create an entrypoint named **web** exposed on port 80. This entrypoint will be used to indicate on which port your
|
||||
application should be exposed.
|
||||
|
||||
This configuration is enough to get started. You can deploy Traefik using the following command:
|
||||
|
||||
|
||||
```sh
|
||||
docker stack deploy traefik -c traefik.yaml
|
||||
```
|
||||
|
@ -106,7 +114,8 @@ Great. Now we will deploy something.
|
|||
|
||||
# Deploy and expose a hello-world container
|
||||
|
||||
Now it's time to deploy something on your swarm to test the configuration. For this example we are going to deploy tutum/hello-world a little container with an apache service that display an "Hello World" page.
|
||||
Now it's time to deploy something on your swarm to test the configuration. For this example we are going to deploy
|
||||
tutum/hello-world a little container with an apache service that display an "Hello World" page.
|
||||
|
||||
```yaml
|
||||
version: '3'
|
||||
|
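Review bot: grammar in the re-wrapped sentence: "a little container with an apache service that display an "Hello World" page" should read "a small container running an Apache service that displays a "Hello World" page". Also write it as `tutum/hello-world` in backticks so the image name is not mistaken for prose.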
@ -114,7 +123,7 @@ services:
|
|||
helloworld:
|
||||
image: tutum/hello-world:latest
|
||||
networks:
|
||||
- traefik-public
|
||||
- traefik-public
|
||||
deploy:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
|
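Review bot: the only visible change in this hunk is whitespace on `- traefik-public`, but the context line `image: tutum/hello-world:latest` is worth fixing in the same pass: an unpinned `:latest` tag makes the tutorial non-reproducible and is the habit readers will copy into production. Pin a tag or, better, an `image@sha256:...` digest, and say so in the text.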
@ -126,7 +135,8 @@ networks:
|
|||
external: true
|
||||
```
|
||||
|
||||
The labels sections is read by Traefik to get the configuration of the container and to create the needed components to expose it.
|
||||
The labels sections is read by Traefik to get the configuration of the container and to create the needed components to
|
||||
expose it.
|
||||
|
||||
---
|
||||
|
||||
|
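Review bot: "The labels sections is read by Traefik" should be "The labels section is read by Traefik"; the re-wrap carried the agreement error over from the old line.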
@ -134,7 +144,8 @@ The labels sections is read by Traefik to get the configuration of the container
|
|||
- "traefik.enable=true"
|
||||
```
|
||||
|
||||
This flag tells Traefik to expose the container, needed because we explicitly disable container auto exposition with providers.docker.exposedbydefault.
|
||||
This flag tells Traefik to expose the container, needed because we explicitly disable container auto exposition with
|
||||
providers.docker.exposedbydefault.
|
||||
|
||||
```yaml
|
||||
- "traefik.http.routers.helloworld.rule=Host(`localhost`)"
|
||||
|
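Review bot: "container auto exposition" in the re-wrapped sentence should be "automatic container exposure", and "This flag" is a label, not a flag; call it "This label". Also put `providers.docker.exposedbydefault` in backticks to match how the option is shown in the code fence above it.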
@ -146,7 +157,8 @@ Create a Host Matching rule. Here we tell Traefik to redirect all traffic coming
|
|||
- "traefik.http.routers.helloworld.entrypoints=web"
|
||||
```
|
||||
|
||||
Tells Traefik that this container will be exposed using the web entrypoint. (the name correspond with the entrypoint previously created in Traefik).
|
||||
Tells Traefik that this container will be exposed using the web entrypoint. (the name correspond with the entrypoint
|
||||
previously created in Traefik).
|
||||
|
||||
```yaml
|
||||
- "traefik.http.services.helloworld.loadbalancer.server.port=80"
|
||||
|
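Review bot: "the name correspond with the entrypoint" should be "the name corresponds to the entrypoint", and the sentence reads better as "Tells Traefik to expose this container on the `web` entrypoint (the name must match the entrypoint created earlier in the Traefik config)".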
@ -156,15 +168,20 @@ Indicate to Traefik that the container expose the port 80 internally. This is ne
|
|||
|
||||
---
|
||||
|
||||
Now if you access the page at http://localhost you'll be redirect to Traefik that will proxify the content of the helloworld container.
|
||||
Now if you access the page at http://localhost you'll be redirect to Traefik that will proxify the content of the
|
||||
helloworld container.
|
||||
|
||||
# Add HTTPS support
|
||||
|
||||
If you have followed this tutorial carefully you should now have a working Traefik instance and a helloworld service running and accessible on http://localhost. This is working but not secure: you should always use HTTPS when possible. Thankfully this can be done easily in Traefik.
|
||||
If you have followed this tutorial carefully you should now have a working Traefik instance and a helloworld service
|
||||
running and accessible on http://localhost. This is working but not secure: you should always use HTTPS when possible.
|
||||
Thankfully this can be done easily in Traefik.
|
||||
|
||||
In this tutorial we are going to use the [HTTP challenge](https://letsencrypt.org/docs/challenge-types/) to automatically generate a Letsencrypt certificate.
|
||||
In this tutorial we are going to use the [HTTP challenge](https://letsencrypt.org/docs/challenge-types/) to
|
||||
automatically generate a Letsencrypt certificate.
|
||||
|
||||
I won't go in the details to explain how the HTTP-01 challenge work, but basically all you have to do is to add/update the A record of your DNS zone to point to your docker swarm manager IP address. (where Traefik is exposed).
|
||||
I won't go in the details to explain how the HTTP-01 challenge work, but basically all you have to do is to add/update
|
||||
the A record of your DNS zone to point to your docker swarm manager IP address. (where Traefik is exposed).
|
||||
|
||||
```yaml
|
||||
version: '3'
|
||||
|
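Review bot: "you'll be redirect to Traefik that will proxify the content" is wrong twice over: nothing is redirected here, and "proxify" is not a word; write "your request reaches Traefik, which proxies it to the helloworld container". In the HTTP-01 paragraph, add that the challenge only works if port 80 is reachable from the internet on the node the A record points to, which ties back to the firewall note at the top and matters once the HTTPS redirect bonus is enabled: the `web` entrypoint must stay open.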
@ -212,7 +229,8 @@ I will explain the new parts:
|
|||
- "--entrypoints.websecure.address=:443"
|
||||
```
|
||||
|
||||
Create an entrypoint named **websecure** exposed on port **443** (https). This entrypoint will be used to indicate on which port your application should be exposed.
|
||||
Create an entrypoint named **websecure** exposed on port **443** (https). This entrypoint will be used to indicate on
|
||||
which port your application should be exposed.
|
||||
|
||||
```yaml
|
||||
- "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
|
||||
|
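Review bot: the second sentence of the `websecure` explanation is copied verbatim from the `web` entrypoint paragraph; say what is different instead, namely that this entrypoint is where TLS is terminated and where routers should attach once a certificate resolver is configured.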
@ -236,7 +254,9 @@ The email used to create a letsencrypt account
|
|||
- "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
|
||||
```
|
||||
|
||||
Where do Traefik will persist the certificate. This location should be bound to a [volume](https://docs.docker.com/storage/volumes/) to be persisted between container restart. Here we are saving to /letsencrypt/ directory, who is mounted as volume traefik-certificates (see traefik.yaml for details)
|
||||
Where do Traefik will persist the certificate. This location should be bound to
|
||||
a [volume](https://docs.docker.com/storage/volumes/) to be persisted between container restart. Here we are saving to
|
||||
/letsencrypt/ directory, who is mounted as volume traefik-certificates (see traefik.yaml for details)
|
||||
|
||||
## Update hello-world to use HTTPS config
|
||||
|
||||
|
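Review bot: grammar in the re-wrapped paragraph: "Where do Traefik will persist the certificate" should be "Where Traefik persists the certificates", and "who is mounted as volume" should be "which is mounted as the volume". More importantly, `acme.json` holds the ACME account key and the private keys of every issued certificate, and Traefik refuses to start if the file is world-readable; a sentence telling the reader to keep the `traefik-certificates` volume off other services and the file at mode 600 belongs here.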
@ -248,7 +268,7 @@ services:
|
|||
helloworld:
|
||||
image: tutum/hello-world:latest
|
||||
networks:
|
||||
- traefik-public
|
||||
- traefik-public
|
||||
deploy:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
|
@ -279,24 +299,29 @@ To specify which certificate resolver we wanna use. Here we are using the letsen
|
|||
|
||||
---
|
||||
|
||||
Easy right? Once the stack is redeployed Traefik will then ask Letsencrypt to generate a SSL certificate for the domain helloworld.local and Traefik will use it when exposing your application.
|
||||
Easy right? Once the stack is redeployed Traefik will then ask Letsencrypt to generate a SSL certificate for the domain
|
||||
helloworld.local and Traefik will use it when exposing your application.
|
||||
|
||||
N.B: Of course this example won't work since you cannot proove that you own the helloworld.local domain. (.local is a reserved TLD used for local area network)
|
||||
N.B: Of course this example won't work since you cannot proove that you own the helloworld.local domain. (.local is a
|
||||
reserved TLD used for local area network)
|
||||
|
||||
## Bonus: Create an automatic HTTPS redirect
|
||||
|
||||
If you want to redirect all HTTP traffic to HTTPS it can be done by easily by using a Middleware. Just add the following labels to to the Traefik configuration file.
|
||||
If you want to redirect all HTTP traffic to HTTPS it can be done by easily by using a Middleware. Just add the following
|
||||
labels to to the Traefik configuration file.
|
||||
|
||||
```yaml
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
|
||||
- "traefik.http.routers.http-catchall.entrypoints=web"
|
||||
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
|
||||
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.traefik.loadbalancer.server.port=888" # required by swarm but not used.
|
||||
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
|
||||
- "traefik.http.routers.http-catchall.entrypoints=web"
|
||||
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
|
||||
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
|
||||
```
|
||||
|
||||
It will create a router named *http-catchall* that will intercept all HTTP request (using the hostregexp) and will forward it to the router named redirect-to-https. This router will perform a redirection to the HTTPS scheme.
|
||||
It will create a router named *http-catchall* that will intercept all HTTP request (using the hostregexp) and will
|
||||
forward it to the router named redirect-to-https. This router will perform a redirection to the HTTPS scheme.
|
||||
|
||||
---
|
||||
|
||||
|
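Review bot: the explanation below the labels is wrong about what `redirect-to-https` is: the label `traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https` defines a middleware, not a router, so "forward it to the router named redirect-to-https. This router will perform a redirection" should say the `http-catchall` router applies the `redirect-to-https` middleware, which issues the redirect. The new `server.port=888` label deserves more than "required by swarm but not used": in swarm mode Traefik cannot read the service's container ports, so a `server.port` label is mandatory for anything with `traefik.enable=true`, and nothing listens on 888, which is only harmless because every request on this router is redirected before being proxied. Consider also adding `redirectscheme.permanent=true` so the redirect is a 301 rather than a 302. Typos in the same region: "proove" should be "prove", and "SSL certificate" should be "TLS certificate".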
@ -333,6 +358,7 @@ services:
|
|||
- node.role == manager
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.traefik.loadbalancer.server.port=888" # required by swarm but not used.
|
||||
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
|
||||
- "traefik.http.routers.http-catchall.entrypoints=web"
|
||||
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
|
||||
|
@ -344,4 +370,4 @@ networks:
|
|||
external: true
|
||||
```
|
||||
|
||||
Long live Docker Swarm and Happy hacking !
|
||||
Long live Docker Swarm and Happy hacking !
|
||||
|
|