At last I managed to learn Traefik


For years I have been running Swag, a most awesome reverse proxy based on Nginx. It has been behaving just great!

For some reason I have always had a keen eye towards Traefik, but the documentation and I never saw eye to eye. I have watched countless videos of how to set it up, but I never got the hang of it.

So while I was hanging out in Linuxserver's Discord group, a link was posted: Practical Configuration of Traefik As A Reverse Proxy For Docker. A bit hesitant, I clicked it.

This caught my eye: “Traefik is great, but its documentation is not.”
Say what? It wasn’t me being stupid, the documentation is not that great!
I read the post, all of it, twice.

Suddenly I felt I had understood how to set Traefik up, and I did.
Added a couple of containers and it just worked!

I jumped to the Discord and sent my heartfelt thanks to the author, who was there. Of course I had some issues, but not like before.

  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./appdata/traefik/traefik.yml:/traefik.yml:ro
      - ./appdata/traefik/configs:/configs:ro
      - ./appdata/traefik/acme.json:/acme.json:rw
      - ./appdata/traefik/logs:/logs:rw
    environment:
      - CF_DNS_API_TOKEN=${CF_APITOKEN}
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-https.entrypoints=https
      - traefik.http.routers.traefik-https.rule=Host(`dashboard.${MAINDOMAIN}`)
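      # user:password is a placeholder; the value is an htpasswd-style user:hash entry,
      # with every "$" in the hash written as "$$" in this file
      - traefik.http.middlewares.traefik-auth.basicauth.users=user:password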
      - traefik.http.routers.traefik-https.middlewares=traefik-auth
      - traefik.http.routers.traefik-https.service=api@internal
      - traefik.http.routers.traefik-https.tls=true
      - traefik.http.routers.traefik-https.tls.certresolver=dns
      - traefik.http.routers.traefik-https.tls.domains[0].main=${MAINDOMAIN}
      - traefik.http.routers.traefik-https.tls.domains[0].sans=*.${MAINDOMAIN}
    read_only: true


api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - 127.0.0.1/32
        - 192.168.0.0/16
        - 172.16.0.0/12
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        - 127.0.0.1/32
        - 192.168.0.0/16
        - 172.16.0.0/12

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.${MAINDOMAIN}`)"
    network: proxy
  file:
    directory: "/configs"
    watch: true

certificatesResolvers:
  http:
    acme:
      email: my@mail.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
  dns:
    acme:
      email: my@mail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

serversTransport:
    # skips TLS certificate verification on connections from Traefik to backend services
    insecureSkipVerify: true

accessLog:
  filePath: "/logs/access.log"
  fields:
    headers:
      names:
        User-Agent: keep

#log:
#  level: DEBUG

So what were the issues? The absolute strangest one was how to set up the password for the dashboard user. I tried to make a user and add it to my .env file. Could not log in. Tried to escape the special chars. Didn’t help.

Not until I added the password to the docker-file itself and only escaped the $ did it start to function.
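The `$` escaping described above, as an added example that is not part of the original post: Compose treats `$` in the compose file as the start of a variable and turns `$$` into a literal `$`, so the `$` separators inside an htpasswd-style hash have to be doubled in the label. The sample entry and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: an htpasswd-style bcrypt entry (not a real credential).
# In practice this line would come from a tool such as `htpasswd -nB admin`.
SAMPLE='admin:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234'

# Double every "$" so Compose passes a literal "$" through to the label.
compose_escape() {
    printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# What the container receives after Compose interpolation: "$$" becomes "$".
compose_unescape() {
    printf '%s\n' "$1" | sed 's/\$\$/$/g'
}

# Exit 0 if the value still holds a lone "$" that Compose would try to
# interpolate as a variable (the hash would then reach Traefik damaged).
has_unescaped_dollar() {
    printf '%s\n' "$1" | sed 's/\$\$//g' | grep -q '\$'
}

# Render the label line for the compose file, refusing to escape twice.
basicauth_label() {
    entry=$1
    if ! has_unescaped_dollar "$entry"; then
        echo "entry has no lone \$; already escaped or not a hash?" >&2
        return 1
    fi
    printf '      - traefik.http.middlewares.traefik-auth.basicauth.users=%s\n' \
        "$(compose_escape "$entry")"
}

basicauth_label "$SAMPLE"
```

Only the `$` characters need this treatment in the compose file; the other characters of the hash pass through unchanged.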

The second part was to add services that were not in the same docker-compose file or were on other hosts, like my Unifi controller residing in an LXC container.
Now I had to add separate config files. Added them to the config directory and that was it.

http:
  routers:
    unifi:
      service: unifi
      rule: "Host(`unifi.${MAINDOMAIN}`)"
      entryPoints:
        - https
      tls:
        certResolver: dns

  services:
    unifi:
      loadBalancer:
        servers:
          - url: "https://10.1.1.20:8443/"

After this I was done! All worked as before. ;)
All I did was to replace a functioning reverse-proxy with another.

And I will not miss a chance to thank the author! Spad!