A list,

Traefik is an excellent open source edge router, or reverse proxy tool.

Compared to Nginx, it has the following advantages:

  1. Automatic service discovery: Traditional edge routers (or reverse proxies) require a configuration file that contains all possible routes to your service, whereas Traefik gets them from the service itself.

  2. Native is compatible with all major clustering technologies such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and can handle more than one at a time.

  3. No need to maintain and synchronize separate configuration files, automatic real-time updates, no need to restart, no interruption of connection

  4. Integrated dashboard interface

Simple use cases using Docker

Create a reverse-proxy service using the official Traefik image: docker-comemage. yml

version: '3'

    # The official v2 Traefik docker image
    image: Traefik: v2.4
    # Enable Dashboard and use Docker as provider
    command: --api.insecure=true --providers.docker
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
Copy the code


docker-compose up -d reverse-proxy
Copy the code

Open a browser and go to the localhost: 8080 / API/rawdata to see Traefik API raw data.

To create a new service, edit your docker-comemess.yml file and add the following at the end of the file

#... Whoami: # image shows the IP address of the container: traefik/whoami labels: - "traefik. HTTP. Routers. Whoami. Rule = Host (` whoami. The docker. Localhost `)"Copy the code

Start the service:

docker-compose up -d whoami
Copy the code

Return your browser (localhost: 8080 / API/rawdata), you can see Traefik has automatically detect the new container and renewed its own configuration.

When Traefik detects new services, it creates routes so that you can invoke them:

The curl -h Host: whoami. Docker. Localhost the code

The following output is displayed:

Hostname: a656c8ddca6c
Copy the code

Capacity expansion test Load balancing:

docker-compose up -d --scale whoami=2
Copy the code

Run the following command to see Traefik load balancing between two instances of the service:

The curl -h Host: whoami. Docker. Localhost the code

The output will display one of the following options:

Hostname: a656c8DDCA6c IP: #... S458f154e1f1 IP: #...Copy the code

Three, configuration,

The configuration in Traefik is divided into two parts:

  • Full dynamic routing configuration (dynamic configuration), which gets _ from the Provider, defines how requests are handled by the system. This configuration can be changed and hot-reloaded seamlessly without any broken requests or lost connections.
  • Start the configuration (static configuration), set up the connection to the Provider, and define the entry point that Traefik will listen to.

There are three different, mutually exclusive (that is, you can only use one at a time) ways to define static configuration options in Traefik:

  1. In the configuration file

  2. In command line arguments

  3. As an environment variable

The configuration file

On startup, Traefik searches for a file named Traefik.yml (or traefik.yaml or traefik.toml) in the following location:

  1. /etc/traefik/
  3. $HOME/.config/
  4. .(Working directory).

You can override it with the configFile parameter.

traefik --configFile=foo/bar/myconfigfile.yml
Copy the code


You can use the following command to get a list of all available parameters:

Traefik --help # or docker run traefik[:version] --help # ex: docker run traefik:2.1 --helpCopy the code

Some common parameters are:

--accesslog: accesslog Settings. (Default: false) -- API: enable API/dashboard. -- CertificatesResolvers.<name> : Certificate resolver configuration. (Default: false) --entrypoints.<name> : entrypoint definition. --log: Traefik log setting. (Default: false) -- Pilot.dashboard: Enable Traefik Pilot in the dashboard. (Default: true) --ping: enable ping. (Default: false) -- provider. docker: use the default Settings to enable the docker backend. (Default: false)Copy the code

The environment variable

Common environment variables are (like parameters, but in uppercase, prefixed with TRAEFIK_) :

TRAEFIK_ACCESSLOG: Access log setting. (Default: false) TRAEFIK_API: Enable API/dashboard. TRAEFIK_CERTIFICATESRESOLVERS_<NAME> : indicates the certificate resolver configuration. TRAEFIK_ENTRYPOINTS_<NAME> : entry point definition. (Default: false) TRAEFIK_LOG: Traefik log setting. (Default: false) TRAEFIK_PILOT_DASHBOARD: Enable Traefik Pilot in the dashboard. TRAEFIK_PING: enables the ping function. TRAEFIK_PROVIDERS_DOCKER: Enables the Docker backend using the default Settings. (Default: false)Copy the code

Traefik and Docker

The routing configuration

When using Docker as a provider, Traefik uses container labels to retrieve its routing configuration.

If the container expose a single port, Traefik uses that port for private communication, if a container expose multiple ports, or if no ports are exposed, So you must use a label manually specify Traefik which port should be used to communicate Traefik. HTTP. Services. < service_name >. The loadbalancer. Server port.

If a host network is configured for the container, the host IP address is resolved as follows:

  • Try to findhost.docker.internal
  • If the search is unsuccessful, rollback to127.0.0.1

Traefik requires access to a Docker socket to obtain API access, which can be set to the endpoint:

    endpoint: "unix:///var/run/docker.sock"
Copy the code

Docker Swarm model

To enable Docker Swarm (rather than standalone Docker) as a configuration provider, set the swarmMode directive to true.

In Swarm mode, Traefik uses tags on the service rather than tags on individual containers.

Therefore, if you use compose files in Swarm mode, you should define labels in the deploy service section.

Docker Swarm does not provide any port detection information to Traefik.

Therefore, you must use a label specified to be used for communication port traefik. HTTP. Services. < service_name >. Loadbalancer. Server port

Since Swarm APIS are only exposed on manager nodes, these nodes of Traefik should be arranged by restricting deployment of Traefik on node “roles” :

version: '3'

    # ...
          - node.role == manager
Copy the code

The Provider configuration

  • endpointNecessary _, _ the default = “Unix: / / / var/run/docker. The sock”
  • useBindPortIPOptional, default =false, Traefik matches the request route to the container’s IP/ port. Set up theuseBindPortIP=trueTraefik uses the IP/ port attached to the container binding rather than its internal network IP/ port. When andtraefik.http.services.<name>.loadbalancer.server.portWhen the tag is used in combination (telling Traefik to match the request route to a particular port), Traefik tries to find the binding on the porttraefik.http.services.<name>.loadbalancer.server.port. If no such binding is found, Traefik falls back to the container’s internal network IP, but still uses ittraefik.http.services.<name>.loadbalancer.server.portIP/ port set in the tag.
  • exposedByDefaultOptional _,The default = true. Traefik exposes containers by default. If set tofalse.traefik.enable=trueThe unlabeled container is ignored from the generated route configuration.
  • networkOptional, default = “defines the default Docker network used to connect to all containers. You can usetraefik.docker.networkTag overrides this option on a per-container basis.
  • defaultRule_ Optional. The default value isHost(`{{ normalize .Name }}`). _ If the tag does not define any rules, this option defines the routing rules to be applied to the container.
  • swarmMode_ Optional. The default value is false. _ Swarm mode enabled (instead of standalone Docker).
  • swarmModeRefreshSeconds_ Optional. The default value is 15. Defines the polling interval (in seconds) for the group pattern.
  • httpClientTimeout_ Optional. The default value is 0. _ Define client timeout (in seconds) for HTTP connections. If its value is zero0, the timeout is not set.
  • watch_ Optional. The default value is true. _ Listen for Docker Swarm events.
  • constraints_ Optional. The default value is “. _ theconstraintsThe option can be set to an expression that Traefik matches the container label to determine whether any routes are created for the container. If no container label matches the expression, no route is created for the container. If the expression is empty, all detected containers are included. Expression syntax is based onTag(`tag`), andTagRegex(`tag`)Function and the usual Boolean logic, as shown below.
# constraints = "Label(' a.label.name ', 'foo')" # exclude constraints from the key 'a.label.name' value 'foo'! Label(' a.label.name ', 'value')" # and constraints = "Label(' a.label.name ', 'valueA') &&label (' another. ` valueB `) "# or constraints =" Label (` a. Abel. Name `, ` valueA `) | | Label (`. Another Label. The name `, ` valueB `)"Copy the code
  • tls
  1. Tls.ca the certificate authority used to securely connect to Docker.

  2. Tls.caoptional defines which policy should be used with TLS clients to authenticate secure connections to Docker.

  3. Cert The public certificate used to securely connect to Docker

  4. Tls.key is the private certificate used to securely connect to Docker

  5. If insecureSkipVerify is true, a TLS connection to Docker accepts any certificate provided by the server, regardless of the host name it covers

5. Routing and load balancing

The complete Traefik architecture is divided into these parts:

  • EntryPoints listen for incoming traffic (ports,…) EntryPoints are Traefik’s network EntryPoints. They define the ports on which packets will be received and whether to listen for TCP or UDP.
  • Routers analyze requests (hosts, paths, headers, SSL, etc.). Routers connect incoming requests to services that can handle them
  • Services forwards requests to your service (load balancing,…)
  • Middlewares may update the request or make decisions based on the request (authentication, rate limits, labeling)
  • Providers discover services (their IP, health…) that exist on your infrastructure.

EntryPoints configuration example:

# # static configuration entryPoints: name: address: ":" 8888 # same as ": 8888 / TCP transport:" lifeCycle: requestAcceptGraceTimeout: 42 graceTimeOut: 42 respondingTimeouts: readTimeout: 42 writeTimeout: 42 idleTimeout: 42 proxyProtocol: insecure: TrustedIPs: - "" - "" - "" - ""Copy the code
  • Address defines the port and, optionally, the host name to listen for incoming connections and packets. It also defines the protocol to use (TCP or UDP). If no protocol is specified, TCP is used by default. Format for:
Copy the code
  • ForwardedHeaders You can configure Traefik to trust forward headers (X-Forwarded-*).
  • transport
  1. respondingTimeoutsTimeout of incoming requests to Traefik instances. Setting them has no effect on UDP entry points.
  2. lifeCycleControls Traefik’s behavior during the shutdown phase
  • ProxyProtocol this entry point can accept connections with or without a proxyProtocol header if proxyProtocol header resolution is enabled for the entry point.

  • HTTP Configure HTTP routes

Routers configuration examples:

Routers can be configured with HTTP routers, TCP routers, and UDP routers. This section describes HTTP routers only

Routers, routers, routers, routers, routers, routers, routers, routers "Host(`example.com`)" service: "service-1"Copy the code
  • Rule A rule is a set of matchers configured with values to determine whether a particular request matches a particular criterion. If the rule is validated, the router becomes active, invokes the middleware, and then forwards the request to the service. The following table lists all available matchers:
Headers(`key`, `value`) Check if a key is defined in the key header with a value value
HeadersRegexp(`key`, `regexp`) Check to see if there is a key defined in the key header whose value matches the regular expression regEXP
Host(`example.com\`,…). Check whether the request domain (host header value) is for the given domains.
HostHeader(`example.com\`,…). Check whether the request domain (host header value) is for the given domains.
HostRegexp(`example.com\`, `{subdomain:[a-z]+}.example.com\`,…). Checks whether the request field matches the given regEXP.
Method(`GET`, …) Check if the request method is one of the given methods(GET, POST, PUT, DELETE, PATCH, HEAD)
Path(`/path`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`, …) Matches the exact request path. It accepts a series of literal and regular expression paths.
PathPrefix(`/products/`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`) Matches the request prefix path. It accepts a series of literal and regular expression prefix paths.
Query(`foo=bar`, `bar=baz`) Matches the query string parameter. It accepts a series of key = value pairs.
  • Priority, to avoid path overlap, by default, routes are sorted in descending order using rule length. The priority is directly equal to the length of the rule, so the longest length has the highest priority.0Ignore the priority value:priority = 0The default rule length sort is used.
  • Middlewares, you can attach middleware to each HTTP router. The middleware takes effect only if the rule matches and before the request is forwarded to the service.
The following information is available on the scene: (1) the list of available parts (/foo) is anachroid. The list of available parts (/foo) is anachroid. service-fooCopy the code
  • Each request must ultimately be handled by a service, which is why each router definition should contain a service target
  • TLS When the TLS part is specified, it instructs Traefik that the current router is only dedicated to HTTPS requests (and that the router should ignore HTTP (non-TLS) requests). Traefik terminates the SSL connection (which means it will send decrypted data to the service).

Services configuration example:

Services You can configure HTTP, TCP, and UDP services. This document describes only HTTP

HTTP: services: my-service: loadBalancer: Servers: -url: "http://<private-ip-server-1>:<private-port-server-1>/" - url: "http://<private-ip-server-2>:<private-port-server-2>/"Copy the code
  • The loadBalancer can load balance requests across multiple instances of your program
  • Servers declares a single instance of the program. theurlOptions point to specific instances
  • Sticky After sticky sessions are enabled, cookies are set on the initial request and response to let the client know which server is handling the first response. On subsequent requests, the client should re-send the same cookie in order to keep the session active with the same server.
HTTP: services: my-service: loadBalancer: sticky: cookie: {}Copy the code
  • HealthCheck configures health checks to remove unhealthy servers from load balancing rotations. Traefik will consider your servers healthy as long as they are between 2XX and 3XX in health check requests. The following are the options available for the health check mechanism:

    • pathAttach to the server URL to set the health check endpoint.
    • scheme, if defined, will be replacedschemeServer URL for the health check endpoint
    • hostname, if already definedHostThe headerhostnameApply to health check requests.
    • port, if defined, will be replacedportServer URL for the health check endpoint.
    • intervalDefine the frequency of health check calls.
    • timeoutDefines the maximum amount of time Traefik waits for a health check request before considering a server failure (unhealthy).
    • headersDefines a custom header to send to the health check endpoint.
    • followRedirectsDefines whether redirects should be followed during health check calls (default: true).
  • PassHostHeader allows client host headers to be forwarded to the server

  • ServersTransport configures the transport between Traefik and your server

    • ServerNameThe name of the server used for SNI
    • CertificatesList of client certificates that are set to mTLS
    • insecureSkipVerifyThe SSL certificate verification function is disabled
    • rootCAsA list of certificates that are set to the root certificate authority (as file paths or data bytes) when using a self-signed TLS certificate.
    • maxIdleConnsPerHostIf non-zero, thenmaxIdleConnsPerHostControls maximum idle (hold active) connections to hold each host.
    • forwardingTimeoutsSome timeouts associated with forwarding requests to back-end servers
  • Weighted, WRR can load balance requests between multiple services based on weights. This policy only applies to load balancing between services, not between servers

Weighted: services: - name: appv1 weight: 3 - name: appv2 weight: 1 appv1: loadBalancer: servers: - url: "http://private-ip-server-1/" appv2: loadBalancer: servers: - url: "http://private-ip-server-2/"Copy the code
  • Mirroring enables requests sent to a service to be mirrored to other services. Note that by default, the entire request is cached in memory when mirrored.
HTTP: services: mirrored- API: mirroring: service: mirrored appv1 # maxBodySize is the maximum size allowed for the body of the request. # If the body is larger, the request is not mirrored. # Default value is -1, which means unlimited size. maxBodySize: 1024 mirrors: - name: appv2 percent: 10 appv1: loadBalancer: servers: - url: "http://private-ip-server-1/" appv2: loadBalancer: servers: - url: "http://private-ip-server-2/"Copy the code

Docker configuration example:

Forward the request from http://example.com to http:// :12345:

version: "3"
    # ...
      - traefik.http.routers.my-container.rule=Host(`example.com`)
      # Tell Traefik to use the port 12345 to connect to `my-container`
      - traefik.http.services.my-service.loadbalancer.server.port=12345
Copy the code

Forward http://example-a.com to http:// :8000, http://example-b.com Forward to http:// :9000:

version: "3" services: my-container: # ... labels: - traefik.http.routers.www-router.rule=Host(`example-a.com`) - traefik.http.routers.www-router.service=www-service - traefik.http.services.www-service.loadbalancer.server.port=8000 - traefik.http.routers.admin-router.rule=Host(`example-b.com`) - traefik.http.routers.admin-router.service=admin-service -  traefik.http.services.admin-service.loadbalancer.server.port=9000Copy the code
  • Traefik.http.services.

    Configure the service
  • Traefik. HTTP. Middlewares. < name – of – your choice – > configure middleware
  • traefik.enableYou can do this by settingtraefik.enableThe value true or false tells Traefik to consider (or not consider) the container. The value that this option overridesexposedByDefault.
  • traefik.docker.networkOverrides the default Docker network used to connect to the container. If a container is linked to multiple networks, be sure to set the correct network name (which you can usedocker inspect <container_id>Check), or it will randomly select one (depending on how the Docker returns them).
  • traefik.docker.lbswarmSwarm’s built-in load balancer (relevant only in Swarm mode) is enabled. If enabled, Traefik will use the virtual IP provided by Docker Swarm instead of the container IP. This means Traefik does not perform any type of load balancing and delegates this task to Swarm.

Vi. Middleware

The middleware attached to the router is a way to adjust requests before they are sent to your services (or before the service’s response is sent to the client).

List of available middleware:

  • AddPrefix Adds a prefix
# Prefixing with /foo
  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
Copy the code
  • BasicAuth adds basic authentication
# Declaring the user list # # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping. # To create user:password pair, it's possible to use this command: # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g # # Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module). labels: - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB $$4HxwgUir3HP4EsggP/QNo0"Copy the code
  • Buffering limits the size of requests that can be forwarded to the service. By buffering, Traefik reads the entire request into memory (possibly buffering large requests to disk) and rejects requests that exceed a specified size limit. This helps services avoid large amounts of data (multipart/form-dataFor example), and can minimize the time it takes to send data to the service.
# Sets the maximum request body to 2MB
  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
Copy the code
  • Chain middleware enables you to define reusable combinations of other middleware. It makes it easier to reuse the same groups. Here is an example that contains chainsWhiteList.BasicAuthandRedirectScheme.
labels: - "traefik.http.routers.router1.service=service1" - "traefik.http.routers.router1.middlewares=secured" - "traefik.http.routers.router1.rule=Host(`mydomain`)" - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users" - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" - "traefik.http.middlewares.https-only.redirectscheme.scheme=https" - "Traefik. HTTP. Middlewares. Known - ips. Ipwhitelist. SourceRange =," - "traefik.http.services.service1.loadbalancer.server.port=80"Copy the code
  • CircuitBreaker Protects your system from stacking requests to unhealthy services that can lead to cascading failures.
# Latency Check labels: - "traefik. HTTP. Middlewares. Latency - check. Circuitbreaker, expression = LatencyAtQuantileMS (50.0) > 100"Copy the code
  • The Compress middleware uses gzip compression

  • ContentType specifies whether the Content-Type header (if the back end is not defined) is automatically set to a value derived from the response Content.

  • DigestAuth middleware limits access to your service to known users

  • The ErrorPage middleware returns a custom page based on the configuration range of the HTTP status code instead of the default page.

  • The ForwardAuth middleware delegates authentication to an external service. If the service responds with 2XX code, access is granted and the original request is executed. Otherwise, the response from the authentication server is returned.

  • Headers middleware manages Headers for requests and responses.

  • IPWhitelist accepts/rejects requests based on the client IP address.

  • Inflightreq Limits the number of simultaneous requests

  • PassTLSClientCert adds the selected data from the passed client TLS certificate to the header.

  • RateLimit controls the number of requests that enter the service

  • RedirectRegex uses regular expression matching and substitution to redirect requests.

  • RedirectScheme redirects requests from one scheme/port to another.

  • Replacepath Replaces the path of the requested URL.

  • ReplaceRegex uses regular expression matching and substitution to replace the path of a URL.

  • Retry If the back-end server does not respond, the middleware reissues requests to the back-end server a given number of times. As soon as the server responds, the middleware stops retrying, regardless of the status of the response. The Retry middleware has an optional configuration to enable exponential fallback.

  • Stripprefix removes the prefix from the path before forwarding the request

  • Stripprefixregex removes the prefix from the path before forwarding the request (using regular expressions)

Seven, Dashboard

The dashboard visually shows all of Traefik’s services in action.

There are two ways to configure and access dashboards:

1. Safe mode

Start by enabling the dashboard on a static configuration with the following options:

  dashboard: true
Copy the code

The routing configuration is then defined on Traefik itself, and api@internal connects the router to the service in dynamic configuration to allow the definition of one or more security features implemented by middleware such as general authentication (basicAuth, digestAuth, forwardAuth) or whitelist.

      - "traefik.http.routers.api.service=api@internal"
Copy the code

Then set the rules:

      - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
Copy the code

At this point can be access by traefik.example.com/dashboard/ dashboard

2. Unsafe mode

This pattern is not recommended because it does not allow the use of security features.

  dashboard: true
  insecure: true
Copy the code

You can now access the dashboard on the Traefik instance port at the 8080 URL below: (http://
:8080/dashboard/ Slashes are required).

Eight, logs,

By default, logs are written to standard output in text format.

  • filePathYou can usefilePathOption configuration file path
FilePath: "/path/to/traefik.log"Copy the code
  • formatBy default, logs are in text format (common), but you can also write in JSON format
Log: filePath: "/path/to/log-file.log" format: jsonCopy the code
  • levelBy default,levelSet toERROR. The alternative logging level isDEBUG.PANIC.FATAL.ERROR.WARN, andINFO.
  level: DEBUG
Copy the code

9. HTTPS configuration

You can configure Traefik to an ACME program (such as Let’s Encrypt) to automatically generate certificates.

Traefik requires that you define “certificate parsers” in your static configuration, which are responsible for retrieving certificates from the ACME server. The certificate needed to retrieve the domain name from the router’s dynamic configuration.

First configure the traefik configuration file:

    address: ":80"

    address: ":443"

      email: [email protected]
      storage: acme.json
        # used during the challenge
        entryPoint: web
Copy the code

It has the following configuration options:

  • TlsChallenge TLS-ALPN-01 Generates and updates the ACME certificate by providing TLS certificates.

  • HttpChallenge generates and updates ACME certificates by supplying HTTP resources under well-known URIs of HTTP-01.

  • DnsChallenge DNS-01 Generates and updates ACME certificates by providing DNS records.

  • Resolvers use a custom DNS server to resolve FQDN permissions

  • The CA server used by caServer. _ necessary. Default = acme-v02.api.letsencrypt.org/directory

  • Storage Sets the location to save your ACME certificate, required, default = “acme.json”

  • PreferredChain indicates the preferredChain to use, _ optional, default = “”. _ If a CA provides multiple certificate chains, the chain with an issuer matching the common name of this topic is preferred. If there is no match, the chain provided by default is used.

  • KeyType is used to generate the certificate private key. The allowed values are EC256, EC384, RSA2048, RSA4096, and RSA8192. Optional. Default = “RSA4096”

Then set it in docker:

## Configure labels dynamically - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`) - traefik.http.routers.blog.tls=true - traefik.http.routers.blog.tls.certresolver=myresolverCopy the code

Traefik automatically tracks the expiration date of the ACME certificates it generates. If it is less than 30 days before the certificate expires, Traefik will attempt to renew it automatically.