
Traefik

components

  • Providers discover the services that live on your infrastructure (their IP, health, ...)
  • Entrypoints listen for incoming traffic (ports, ...)
  • Routers analyse the requests (host, path, headers, SSL, ...)
  • Services forward the request to your services (load balancing, ...)
  • Middlewares may update the request or make decisions based on the request (authentication, rate limiting, headers, ...)

static vs. dynamic config

Configuration in Traefik can refer to two different things:

activate dashboard

TLS

  • HTTPS is configured at the router level (so in dynamic config) (routers..tls=true)
  • TLS certs can be provided in a separate dynamic config file
  • Traefik searches through the certificates (tls.certificates) for the right cert
  • When no cert is found it serves a default certificate
  • You can override the default certificate by creating a certificate store named default

Traefik Proxy 2.x and TLS 101

Example for dynamic tls config file:

# Dynamic Configuration
## https://doc.traefik.io/traefik/https/tls/#default-certificate
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/mycerts/fullchain.pem
        keyFile: /etc/mycerts/privkey.pem
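As an added example (not from the page's source), a dynamic config that puts the TLS bullets together: a router that switches on TLS, an explicit certificate list that Traefik searches for the requested hostname, and the default store as the fallback when nothing matches. The hostname, the file paths and the entrypoint name `websecure` (assumed to listen on :443 in the static config) are assumptions.

```yaml
# Dynamic configuration (added example; hostname, paths and names are assumptions)
http:
  routers:
    secure-router:
      rule: Host(`app.example.com`)
      entryPoints:
        - websecure          # assumed entrypoint on :443 in the static config
      service: app-service
      tls: {}                # enables TLS on this router; Traefik picks the cert
  services:
    app-service:
      loadBalancer:
        servers:
          - url: 'http://localhost:8080'

tls:
  certificates:
    # searched for a certificate matching the requested hostname
    - certFile: /etc/mycerts/app.example.com/fullchain.pem
      keyFile: /etc/mycerts/app.example.com/privkey.pem
  stores:
    default:
      # served when no entry in tls.certificates matches the requested name
      defaultCertificate:
        certFile: /etc/mycerts/fullchain.pem
        keyFile: /etc/mycerts/privkey.pem
```

Without the `stores.default` block Traefik falls back to its own self-signed certificate, which browsers reject; a check that the right certificate is served for a given name is `openssl s_client -connect host:443 -servername app.example.com`.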

trust certificates of backend services (import CA certificates)

configure on global level:

https://doc.traefik.io/traefik/routing/overview/#rootcas
## Static configuration
serversTransport:
  rootCAs:
    - foo.crt
    - bar.crt

configure for service only: Source
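The per-service variant, as an added example rather than the page's linked source: a named serversTransport in the dynamic config carries its own CA bundle, and only the services that reference it use it. The transport name, CA path, backend address and server name are assumptions.

```yaml
# Dynamic configuration (added example; names, paths and addresses are assumptions)
http:
  serversTransports:
    internal-ca:
      # CA bundle used to verify the backend certificate for this transport only
      rootCAs:
        - /etc/mycerts/internal-ca.crt
      # name Traefik expects in the backend certificate when it differs from the URL host
      serverName: backend.internal
      # insecureSkipVerify: true would disable verification entirely; prefer rootCAs
  services:
    my-service:
      loadBalancer:
        serversTransport: internal-ca
        servers:
          - url: 'https://10.0.0.5:8443'
```

Services that do not set `serversTransport` keep using the default transport, i.e. the global `serversTransport.rootCAs` from the static config.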

simple reverse proxy example

static conf

entryPoints:
  web:
    address: ':80'
providers:
  file:
    filename: /path/to/dynamic/conf.yaml

dynamic conf (reverse-proxy)

# /path/to/dynamic/conf.yaml
http:
  routers:
    my-router:
      rule: PathPrefix(`/`)
      service: my-service
      middlewares:
        - stripPath
      ## If not specified, HTTP routers will accept requests from all defined entry points
      # entrypoints:
      #  - web
  # examples of the resulting paths are in the blue "Behavior examples" box: https://doc.traefik.io/traefik/middlewares/http/stripprefix/#forceslash
  middlewares:
    stripPath:
      stripPrefix:
        prefixes:
          # the prefix is matched literally against the request path, so it needs the leading slash
          - "/test"
        forceSlash: false
  services:
    my-service:
      loadBalancer:
        servers:
          - url: 'http://localhost:8080'

Source

systemd service file

Can be found here.

rewrite location header (after redirect)

If a server behind Traefik sends a redirect (302) you may need to intercept it, otherwise the domain or the protocol of the redirect target can be switched (the same problem proxy_redirect solves in nginx and ProxyPassReverse in Apache).

Possible solutions:

  1. Use the RedirectRegex middleware (caveat: the browser sees a second redirect, which might create a loop)
  2. Use the traefik-plugin-rewrite-headers Traefik plugin (supposedly breaks websockets)
  3. There is an open issue in Traefik to support it out of the box

Source

chain of proxies

You might want to forward existing X-Forwarded-* headers, or create your own when they are not there.

  1. Traefik creates the X-Forwarded-* headers by default. The list of created X-Forwarded headers can be found here.
  2. To keep existing X-Forwarded headers you need to configure trusted IPs on the entrypoint (forwardedHeaders.trustedIPs)
  3. You need to be aware of Host rules. The first Traefik might see a different domain than the second one; in that case your Host rule will not match properly.
  4. To debug requests and the mapping logic of rules, activate access logs in JSON format:
# static configuration (traefik.yml); accessLog is not part of the dynamic config
accessLog:
# without filePath Traefik logs to stdout
#  filePath: "/path/to/access.log"
  format: json
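Steps 2 and 4 in one static config, as an added example that is not from the page's source: the entrypoint only accepts X-Forwarded-* headers from the upstream proxy's address and the JSON access log keeps those headers so that each entry shows what arrived. The trusted address and the log path are assumptions.

```yaml
# Static configuration (traefik.yml); added example, the IP and log path are assumptions
entryPoints:
  web:
    address: ':80'
    forwardedHeaders:
      # only the upstream proxy (assumed 10.0.0.10) may pass X-Forwarded-* through;
      # from any other client address the headers are dropped and rebuilt by Traefik,
      # so a client cannot spoof its source IP or protocol
      trustedIPs:
        - "10.0.0.10/32"
        - "127.0.0.1/32"
      # insecure: true would trust the headers from every client; avoid it

accessLog:
  filePath: "/var/log/traefik/access.log"
  format: json
  fields:
    headers:
      # drop request headers by default, keep only the ones needed for debugging
      defaultMode: drop
      names:
        X-Forwarded-For: keep
        X-Forwarded-Host: keep
        X-Forwarded-Proto: keep
        Host: keep
```

Each JSON entry also carries RouterName, ServiceName, RequestHost and RequestPath, which is what you compare against the Host rule when a request ends up on the wrong router behind a chain of proxies.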