@magnushammar

Hello World - Traefik & Nginx

Time to set up Traefik in front of the private Docker Registry so that I get a nice route to it, with an SSL cert as a bonus. A default Nginx container is used to verify the config.

I have configured the DNS to send all *.hammar.org requests to this machine/node/swarm.

Move to the tiny-swarm/traefik folder. It should contain the following files:

  • acme.json: empty file (chmod 600) for future storage of Let’s Encrypt certificates.
  • traefik.toml: Traefik configuration.
  • traefik-deploy.yml: Docker stack/service definition.
  • deploy.sh: yeah, exactly.
  • nginx-deploy.yml: spins up an Nginx for verification.

Deploy

./deploy.sh will create an ingress network and a Traefik service.

Test the configuration if you want. The included configuration is set up to get “invalid” staging certificates, so check who issued the certificate your browser receives:

  • Issued by: Traefik = wrong (Traefik is serving its own default certificate, so the ACME request did not succeed)
  • Issued by: Fake LE Intermediate = correct staging cert

Test

# deploy a default Nginx site that registers a frontend rule with Traefik
docker stack deploy -c nginx-deploy.yml nginx
# remove it with
docker stack rm nginx

Quirks

Hot reloading configuration in Docker

Hot reloading of traefik.toml ([docker] watch = true) has issues related to the use of fsnotify (Go) in Docker volumes. In my case, with “naive” volumes on the host, it does not work.

Changing SSL-certs from Staging to Production

Remember to empty out acme.json first. If it doesn’t work, check your browser before debugging; browsers sometimes hang on to the staging cert for quite some time. Or check the served certificate directly with

# replace the -servername and -connect values with your own host :-)
echo | openssl s_client -showcerts -servername hub.hammar.org -connect hub.hammar.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
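A pre-deploy check for the two pitfalls above (acme.json not chmod 600, and leftover staging data when switching caServer to production). This is example code added here, not from the author's tiny-swarm repo; it assumes traefik.toml and acme.json sit in the same folder as in the post, and that a stored ACME account URI contains "acme-staging" when it came from the staging CA.

```python
import os
import re
import stat
import tempfile

STAGING_MARKER = "acme-staging"  # appears in every Let's Encrypt staging URL

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_STRING = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')


def acme_settings(toml_text):
    """Collect the string keys of the [acme] table. Only the TOML subset that
    traefik.toml uses is handled: comments, [section] headers, key = "value"."""
    section, acme = None, {}
    for raw in toml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = _STRING.match(line)
        if m and section == "acme":
            acme[m.group(1)] = m.group(2)
    return acme


def check_deploy(traefik_dir):
    """Return (ca_mode, findings); an empty findings list means safe to deploy."""
    with open(os.path.join(traefik_dir, "traefik.toml")) as f:
        acme = acme_settings(f.read())
    ca_mode = "staging" if STAGING_MARKER in acme.get("caServer", "") else "production"
    store = os.path.join(traefik_dir, acme.get("storage", "acme.json"))
    st, findings = os.stat(store), []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append(f"{store}: mode {mode:o}, expected 600 (it will hold private keys)")
    if ca_mode == "production" and st.st_size > 0:
        # Assumption: the stored account URI names the CA that issued it, so a
        # leftover staging account is recognisable by its URL.
        with open(store) as f:
            if STAGING_MARKER in f.read():
                findings.append(f"{store}: holds staging data; empty it before going to production")
    return ca_mode, findings


def demo():
    """Constructed input: the post's staging [acme] block plus a too-open acme.json."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "traefik.toml"), "w") as f:
        f.write('[acme]\nstorage = "acme.json"\n'
                'caServer = "https://acme-staging.api.letsencrypt.org/directory"\n')
    open(os.path.join(d, "acme.json"), "w").close()
    os.chmod(os.path.join(d, "acme.json"), 0o644)
    return check_deploy(d)
```

Run demo() before ./deploy.sh; it reports "staging" and one finding for the 644 permissions, and on a production toml it flags an acme.json still holding the staging account.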

File reference

Deployment

docker network create -d overlay traefik-ingress
docker stack deploy -c compose-traefik.yml traefik

Compose file

# traefik-compose.yml
# docker network create -d overlay traefik-ingress
# docker stack deploy -c compose-traefik.yml traefik
version: '3.5'

services:
  proxy:
    image: traefik:1.6 #Alpine is larger
    ports:
      - "80:80"
      - "443:443"
      - "8888:8888"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ~/volume/traefik_data/traefik.toml:/traefik.toml
      - ~/volume/traefik_data/acme.json:/acme.json
    labels:
      - "traefik.enable=false"
    networks:
      - traefik-ingress
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role==manager
      restart_policy:
        condition: any
        delay: 10s
        max_attempts: 5
networks:
  traefik-ingress:
    external: true

Traefik configuration

# traefik.toml

debug = true

logLevel = "ERROR"
defaultEntryPoints = ["https", "http"]

[web]
address = ":8888"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]

[docker]
domain = "hammar.org"
watch = true
swarmmode = true
exposedbydefault = false

[acme]
email = "[email protected]"
storage = "acme.json"
acmeLogging = true
entryPoint = "https"
OnHostRule = true
# Staging CA server, active here for tests: comment out the next line for production.
# Let's Encrypt only gives 5 proper certs per week.
caServer = "https://acme-staging.api.letsencrypt.org/directory"
  [acme.httpChallenge]
  entryPoint = "http"