
Traefik Install and configuration - Part 1

Introduction

In this tutorial we are going to install and configure Traefik Proxy. As quoted on their website "Traefik is a leading modern reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components and configures itself automatically and dynamically." All our applications will be front-ended by traefik.

Objective

The core objective for this tutorial is to:
  1. Configure an A record in our DNS server (pfsense firewall) to point to our traefik proxy
  2. Configure and install Traefik in docker
  3. Configure and install two http based applications (homer and heimdall) in docker that will be accessed via traefik

Topology



The above image represents our topology. Our pfsense firewall is connected directly to the Internet and is NAT'ing all traffic from the internal network to the outside world. We have a single LAN segment (192.168.11.0/24) defined on pfsense and we have the following two PCs connected directly to the firewall:
  • Windows PC - This PC is used to install and configure traefik and for testing
  • Ubuntu server - This PC runs docker and will host traefik and our applications
Following is what we are trying to achieve:
  • From the windows PC we will open a browser and navigate to http://homer.home.local and http://heimdall.home.local
  • Since pfsense is our DNS server, the URLs will resolve to the ubuntu server's IP address and traefik will pick up the request as we will expose port 80 on the container
  • Traefik will then route the request to the appropriate container 
  • If all goes well we should see the homer and heimdall pages load on our Windows PC browser

Assumptions

  1. A DNS server that can be configured with an A record to point to a traefik proxy. We will be using the pfsense firewall
  2. An installation of docker and docker-compose. We will be running docker on Ubuntu 20.04.3

DNS Configuration

The goal is to access our applications using friendly URL names as opposed to IPs and port numbers. In order to do so we need to identify a domain name. We are going to choose home.local as our domain name. This domain is used internally within our network and will not exist on the Internet. We need our DNS server to resolve *.home.local to our Ubuntu server. So homer.home.local and heimdall.home.local will both resolve to our Ubuntu server IP address 192.168.11.2.

In pfsense navigate to:
  1. Services --> DNS Resolver --> General Settings
  2. Enable DNS Resolver
  3. Scroll down, click Display Custom Options and paste the following config
 server:
 local-zone: "home.local" redirect
 local-data: "home.local 3600 IN A 192.168.11.2"
The windows PC and ubuntu server are configured to use pfsense (192.168.11.1) as the DNS server. If we ping home.local it should resolve to our Ubuntu server and ping successfully.
 ping home.local
 PING home.local (192.168.11.2) 56(84) bytes of data.
 64 bytes from pserver (192.168.11.2): icmp_seq=1 ttl=64 time=0.032 ms
 64 bytes from pserver (192.168.11.2): icmp_seq=2 ttl=64 time=0.089 ms
 64 bytes from pserver (192.168.11.2): icmp_seq=3 ttl=64 time=0.109 ms

Configure and Install Traefik

Create a directory to store the docker files and traefik config files 

 mkdir traefik
 cd traefik

Create a docker-compose.yml file using an editor of your choice

 vim docker-compose.yml
Paste the following config in docker-compose.yml
version: "3.3"
services:
  traefik:
    container_name: traefik
    image: traefik:2.3 # Download traefik v2.3
    restart: always # Restart the container if it stops
    ports:
      - 80:80 # Expose port 80 on the host machine
    volumes:
      - ./static_config.yml:/etc/traefik/traefik.yml # Traefik's static config file 
      - /var/run/docker.sock:/var/run/docker.sock # Allow Traefik access to the Docker API to dynamically learn applications
    labels:
      # Traefik uses labels to learn about containers and dynamically configures itself. Expose the traefik dashboard on port 80
      - traefik.http.routers.traefik-http.rule=Host(`dashboard.home.local`)
      - traefik.http.routers.traefik-http.entrypoints=web
      - traefik.http.routers.traefik-http.service=api@internal
    # Use the custom network web that is defined below
    networks:
      - web      
networks:
  web:

Create a traefik static file using an editor of your choice

 vim static_config.yml
Paste the following config in static_config.yml
log:
  level: DEBUG # Enable debug-level logging
api:
  dashboard: true # Enable the traefik dashboard 
entryPoints:
  web:
    address: ":80" # Define an entry point named web that listens on port 80
providers:
  docker: {} # Tells traefik to monitor docker for changes and autoconfigure

Start Traefik

docker-compose up -d
The aforementioned command will pull the traefik image and start the container. The traefik dashboard should be reachable via http://dashboard.home.local as seen below

Configure and Install Homer

Create a folder called homer in your home path
 mkdir homer
 cd homer

Create a docker-compose.yml file using an editor of your choice

 vim docker-compose.yml
Paste the following config in docker-compose.yml
version: "3.5"

services:
  homer:
    image: b4bz/homer
    container_name: homer
    volumes:
      - ./assets/:/www/assets
    ports:
      - 8080:8080
    restart: unless-stopped
    labels: # Traefik auto-detects the container's exposed port for the router on the next line
      traefik.http.routers.homer.rule: Host(`homer.home.local`)
    networks:
      - traefik_web
networks:
  traefik_web:
    external: true

Start Homer

docker-compose up -d
The aforementioned command will pull the homer image and start the container. Since traefik is monitoring docker labels, it will process the label defined in line 13 and automatically configure itself and route to homer. The traefik container does not need to be restarted and that is the power of Traefik. The homer dashboard should be reachable via http://homer.home.local as seen below

Configure and Install Heimdall

Create a folder called heimdall in your home path
 mkdir heimdall
 cd heimdall

Create a docker-compose.yml file using an editor of your choice

 vim docker-compose.yml
Paste the following config in docker-compose.yml
version: "2.1"
services:
  heimdall:
    image: lscr.io/linuxserver/heimdall
    container_name: heimdall
    volumes:
      - ./config:/config
    ports:
      - 8081:80
    restart: unless-stopped
    labels: # Traefik auto-detects the container's port 80 for the router on the next line
      traefik.http.routers.heimdall.rule: Host(`heimdall.home.local`)
    networks:
      - traefik_web
networks:
  traefik_web:
    external: true

Start Heimdall

docker-compose up -d
The aforementioned command will pull the heimdall image and start the container. The heimdall dashboard should be reachable via http://heimdall.home.local as seen below
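
A tightened variant of the files above, as an added example that is not the author's configuration: containers are routed only when they opt in, the dashboard sits behind a login, and the applications stop publishing their own host ports. The middleware name dashboard-auth, the user admin and the hash placeholder are assumptions.

```yaml
# Added example, not the tutorial author's files. "dashboard-auth", the user
# "admin" and the hash placeholder are assumptions.
# ----- traefik/static_config.yml -----
log:
  level: INFO                 # keep DEBUG for troubleshooting sessions only
api:
  dashboard: true
entryPoints:
  web:
    address: ":80"
providers:
  docker:
    exposedByDefault: false   # route only containers labelled traefik.enable=true
---
# ----- traefik/docker-compose.yml -----
version: "3.3"
services:
  traefik:
    container_name: traefik
    image: traefik:2.3
    restart: always
    ports:
      - 80:80
    volumes:
      - ./static_config.yml:/etc/traefik/traefik.yml:ro
      # ":ro" protects the socket file only; whoever can reach the socket can
      # still call the Docker API, so treat this container as host-privileged.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-http.rule=Host(`dashboard.home.local`)
      - traefik.http.routers.traefik-http.entrypoints=web
      - traefik.http.routers.traefik-http.service=api@internal
      # Put a login in front of the dashboard. Create the value with htpasswd
      # and double every "$" in the hash, because compose interpolates "$".
      - traefik.http.routers.traefik-http.middlewares=dashboard-auth
      - traefik.http.middlewares.dashboard-auth.basicauth.users=admin:REPLACE_WITH_HTPASSWD_HASH
    networks:
      - web
networks:
  web:
---
# ----- homer/docker-compose.yml, labels section (heimdall is analogous) -----
# Also delete the "ports:" section there so the app is reachable only through
# Traefik, which talks to the container over the traefik_web network.
labels:
  traefik.enable: "true"
  traefik.http.routers.homer.rule: Host(`homer.home.local`)
```

Basic auth on the port 80 entry point still travels in clear text on the LAN until HTTPS is enabled in the next part.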

Conclusion

We installed the traefik reverse proxy and set up a DNS server to direct all requests for a domain (home.local) to the reverse proxy. We also installed two applications (homer and heimdall) that are accessible via the reverse proxy. Everything was installed in docker, and traefik automatically learns about each application and configures itself to route traffic to it. In the next part we will configure traefik to route traffic to an external application (non-docker application), enable HTTPS and secure HTTP applications with HTTPS.
