Traefik

Used more in the Docker concept, where configuration can be passed through labels. For containers without the overhead of Docker, one can run the binary directly. Idea is that Traefik is likely much more straightforward to configure with very sane defaults (nginx is my preferred reverse proxy, but is a tad overkill to configure and run).

Official binary releases here.

Absolute barebones setup

# Download file
root:~# FILE="traefik_v3.2.3_linux_amd64.tar.gz"
root:~# URL="https://github.com/traefik/traefik/releases/download/v3.2.3/${FILE}"
root:~# curl -OL ${URL}
 
# Move binary to sbin
root:~# tar xvf ${FILE}
root:~# mv traefik /usr/sbin/
 
# Create configuration
root:~# mkdir -p /etc/traefik/providers.d
root:~# ln -s /etc/traefik/traefik.service /etc/systemd/system/traefik.service
root:~# systemctl start traefik

Configuration changes

# Create traefik service account and lock down files
root:~# useradd -rMs /bin/false traefik
root:~# chown -R traefik /etc/traefik
root:~# find /etc/traefik \( -type f -exec chmod 600 {} \; \) , \( -type d -exec chmod 755 {} \; \)

Simple package for deploying TLS certificates, for use in LXC containers running as root: deploy_traefik_tls.tgz. Unpack, modify setup script to create proxy pass and point to certs and key, then run the script. Destroys any previous Traefik configuration, so watch out!

Configuration changes

[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"

Sometimes one just wants to add a TLS layer to mitigate promiscuous sniffing of HTTP packets, for services that are being spun on the go. Strategy is the same as that of file based provider (TLS is loaded via dynamic config), with the proxy information shifted to Docker labels instead.

See extremely minimal example below, with the following notes:

• Since the service name (under Traefik) can be assigned anything as usual, the example below goes with just service.
• The URI matching rule can be set to the catch-all PathPrefix(`/`), if a specific virtual host setup is not needed.
  • This uses Traefik's self-signed certificate if no other certificate was provided (including when the provided certs do not have the IP SAN).
• Traefik relies on the Docker API to retrieve configuration, and this connects to the Docker socket by default (at /var/run/docker.sock).
  • This is a security risk, using the default configuration, e.g. [1]. Mounting it as read-only does not increase security.
  • For production and Internet-exposed systems, please secure this vector. Some suggestions from Docker and Traefik, which include exposing Docker API as HTTP(S) TCP sockets and/or limiting API access with docker-socket-proxy.

docker-compose.yml

services:
  MY_SERVICE:
    ...
    labels:
      - "traefik.http.routers.service.rule=PathPrefix(`/`)"
      - "traefik.http.routers.service.tls=true"
      - "traefik.port=80"
 
  traefik:
    image: traefik:v3.3
    container_name: traefik
    ports:
      - "8443:443"
    volumes:
      - "./traefik.toml:/etc/traefik/traefik.toml"
      - "/var/run/docker.sock:/var/run/docker.sock"

traefik.toml

[entryPoints.websecure]
address = ":443"
 
[entryPoints.websecure.http2]
maxConcurrentStreams = 250
 
[providers.docker]

Additional changes if bootstrapping TLS cert

./
+-- docker-compose.yml
+-- traefik.conf.d/
    +-- traefik.toml
    +-- traefik_dynamic.toml
    +-- fullchain.pem
    +-- privkey.pem