
Traefik (Load Balancer and Reverse Proxy) Deployment

Overview

This guide provides detailed instructions on deploying Traefik as a reverse proxy and load balancer. The provided docker-compose.yml file includes services for Traefik, network tools, and monitoring.

Docker Compose File Breakdown

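# Compose file format 3.x; the deploy: sections below are only honoured by
# `docker stack deploy` (Swarm mode).
version: "3.9"

services:
  # Edge router: listens on :80 and :443, redirects HTTP to HTTPS, obtains
  # certificates from Let's Encrypt and discovers backends from Swarm labels.
  traefik:
    image: traefik:v2.11
    command:
      # INFO for normal operation. DEBUG output is far more verbose, so raise
      # the level only temporarily while troubleshooting.
      - --log.level=INFO
      - --entrypoints.httpa.address=:80
      - --providers.docker=true
      # Opt-in exposure: only services labelled traefik.enable=true get a
      # router. Every routed service in this file already sets that label.
      - --providers.docker.exposedByDefault=false
      - --providers.docker.swarmMode=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --api=true
      - --api.dashboard=true
      # Insecure mode serves the API and dashboard unauthenticated on :8080 to
      # anything that can reach the container on the overlay network. Keep it
      # off; the dashboard is published through the traefikae router below
      # (api@internal behind basic auth).
      - --api.insecure=false
      - --accesslog=true
      - --providers.docker.watch=true
      # Plugin code is downloaded at startup from the module path below; the
      # version is pinned, so review the plugin source before bumping it.
      - --experimental.plugins.cloudflarewarp.modulename=github.com/jramsgz/traefik-real-ip
      - --experimental.plugins.cloudflarewarp.version=v1.0.6

      # Letsencrypt setup
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=httpa
      - --certificatesresolvers.letsencrypt.acme.email=admin@domain.com
      # The ACME storage file holds the account key and certificate private
      # keys; it lives in the certs volume and should not be shared or copied.
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme2.json

      # Set up an insecure listener that redirects all traffic to TLS
      - --entrypoints.websecure.address=:443
      - --entrypoints.httpa.http.redirections.entrypoint.to=websecure
      - --entrypoints.httpa.http.redirections.entrypoint.scheme=https

      # Set up the TLS configuration for our websecure listener
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt

      # Monitoring
      # Metrics get their own entrypoint on :8082, which is not published on
      # the host. Binding them to websecure would serve /metrics on the public
      # HTTPS listener without authentication, and the traefikmetrics service
      # label below already expects port 8082.
      - --entrypoints.metrics.address=:8082
      - --metrics.prometheus=true
      - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
      - --metrics.prometheus.addEntryPointsLabels=true
      - --metrics.prometheus.addrouterslabels=true
      - --metrics.prometheus.addServicesLabels=true
      - --metrics.prometheus.entryPoint=metrics

    networks:
      - ovencrypt

    volumes:
      # The :ro flag only makes the socket file read-only; it does not limit
      # which Docker API calls can be sent through it. Anything that
      # compromises this container effectively controls the manager node.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - certs:/letsencrypt

    ports:
      # mode: host publishes directly on the node and bypasses the routing mesh.
      - mode: host
        protocol: tcp
        published: 80
        target: 80
      - mode: host
        protocol: tcp
        published: 443
        target: 443
    deploy:
      # One task per manager node; the Swarm provider needs a manager's socket.
      mode: global
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefikae.rule=Host(`traefik.domain.com`)"
        # Swarm mode requires a port label on every labelled service. With the
        # router bound to api@internal this entry is only a placeholder;
        # nothing listens on 8080 once insecure mode is off.
        - "traefik.http.services.traefikae.loadbalancer.server.port=8080"
        - "traefik.docker.network=ovencrypt"
        # NOTE(review): this middleware is defined but not attached to any
        # router in this file, and 1.1.1.1/24 has host bits set (the network
        # is 1.1.1.0/24). Confirm the intended range and where it should apply.
        - "traefik.http.middlewares.my-traefik-real-ip.plugin.cloudflarewarp.excludednets=1.1.1.1/24"
        # Example credential only: generate your own htpasswd entry before
        # deploying and never reuse this published hash. Each $ is doubled so
        # that Compose does not treat it as variable interpolation.
        - "traefik.http.middlewares.traefikae-auth.basicauth.users=user:$$2y$$05$$NrR4hl3V7uCFT8nOdc5ZC.1AHuTjx4ysafhpBe2s0xX12eCG81VUO"
        - "traefik.http.routers.traefikae.middlewares=traefikae-auth"
        - "traefik.http.routers.traefikae.tls=true"
        - "traefik.http.routers.traefikae.tls.certresolver=letsencrypt"
        # Serve the dashboard from Traefik's internal API service rather than
        # from the unauthenticated :8080 listener.
        - "traefik.http.routers.traefikae.service=api@internal"

        # Metrics
        - "traefik.http.routers.traefikmetrics.rule=Host(`traefikmetrics.domain.com`)"
        - "traefik.http.services.traefikmetrics.loadbalancer.server.port=8082"
        - "traefik.http.routers.traefikmetrics.service=traefikmetrics"
        # Metrics reveal router names, service names and traffic volumes, so
        # the public route gets the same basic auth as the dashboard. A
        # Prometheus scraper must send these credentials, or scrape port 8082
        # directly over the overlay network.
        - "traefik.http.routers.traefikmetrics.middlewares=traefikae-auth"

        - "traefik.http.routers.traefikmetrics.tls=true"
        - "traefik.http.routers.traefikmetrics.tls.certresolver=letsencrypt"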

  # Network troubleshooting container, one task on every node, attached to the
  # same overlay as the proxy. It carries no Traefik labels, so no router is
  # defined for it here. The image has no tag and therefore resolves to
  # latest; pin a tag or digest, and remove the service when not debugging.
  net:
    image: praqma/network-multitool
    deploy:
      mode: global
    networks:
      - ovencrypt

  # Swarm visualizer UI, published at swarm.domain.com over TLS.
  # The image has no tag and therefore resolves to latest; pin a tag or digest.
  visualizer:
    image: dockersamples/visualizer

    deploy:
      # Manager-only: the container reads cluster state from the local socket.
      mode: global
      placement:
        constraints:
          - node.role == manager

      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.visualizer.rule=Host(`swarm.domain.com`)"
        - "traefik.http.services.visualizer.loadbalancer.server.port=8080"
        - "traefik.docker.network=ovencrypt"
        # Reuses the basic-auth middleware declared in the traefik service's
        # labels; without it the cluster topology would be publicly readable.
        - "traefik.http.routers.visualizer.middlewares=traefikae-auth"
        - "traefik.http.routers.visualizer.tls=true"
        - "traefik.http.routers.visualizer.tls.certresolver=letsencrypt"

    volumes:
      # The :ro flag makes the socket file read-only but does not restrict
      # the Docker API calls that can be sent through it.
      - /var/run/docker.sock:/var/run/docker.sock:ro

    networks:
      - ovencrypt

# Named volumes created with the stack. Only certs is mounted by a service in
# this file (Traefik's ACME storage, which contains private keys).
# agent-volume and portainer-data are not referenced by any service shown here.
volumes:
  agent-volume:
  certs:
  portainer-data:

networks:
  # Pre-existing overlay network shared by every service in this file; it must
  # be created before the stack is deployed.
  ovencrypt:
    external: true
    # NOTE(review): the stack does not create an external network, so
    # attachable is presumably decided when the network is created rather
    # than here (confirm). An attachable overlay lets standalone containers
    # join it and reach the services on it directly.
    attachable: true

  # Not referenced by any service in this file.
  agent-network:

Deployment Instructions

  1. Prerequisites

    • Ensure Docker and Docker Compose are installed.
    • Configure Domains
    • Initialize Docker Swarm: `docker swarm init`
    • Ensure the ovencrypt network is created and attachable: `docker network create --driver=overlay --attachable ovencrypt`
  2. Setup Environment Variables

    • Replace sensitive information, such as the ACME email address and the example basic-auth user and password hash in the Traefik labels, with your own.
    • Ensure the domain names in the Traefik labels match your actual domain names.
  3. DNS Configuration

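    • Ensure the domains (domain.com, whoami.domain.com, whoaminot.domain.com, swarm.domain.com) have A records pointing to the IP address of the server where the services will be deployed. This can be configured in the DNS settings of your domain registrar. Every hostname used in a Host(...) rule of the compose file needs such a record; the file above uses traefik.domain.com, traefikmetrics.domain.com and swarm.domain.com.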
  4. Deploy the Stack

    • Navigate to the directory containing the docker-compose.yml file.
    • Run the following command to deploy the stack: `docker stack deploy -c docker-compose.yml traefik_stack`
  5. Verify Deployment

    • Check the status of the services using: `docker stack services traefik_stack`
    • Verify that all services are running and properly configured.
  6. Access the Services

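    • The Traefik dashboard should be accessible at http://traefik.domain.com; the request is redirected to HTTPS and prompts for the basic-auth credentials configured in the Traefik labels.
    • The Docker Visualizer should be accessible at http://swarm.domain.com; it is redirected to HTTPS and protected by the same basic-auth middleware.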
  7. Logs and Debugging

    • To view logs for the Traefik service, use: `docker service logs traefik_stack_traefik`
    • Replace traefik_stack_traefik with the actual service name if different.