Skip to content

Instantly share code, notes, and snippets.

@dduportal
Last active February 27, 2019 16:12
Show Gist options
  • Save dduportal/bbf087a0a6fde31cfe4f4da21f5bd4f5 to your computer and use it in GitHub Desktop.
Save dduportal/bbf087a0a6fde31cfe4f4da21f5bd4f5 to your computer and use it in GitHub Desktop.
Q&A of Traefik Online Meetup #1: Keep the Routing Simple

Q&A of Traefik Online Meetup #1: Keep the Routing Simple

Question: Doesn’t the web container need to use dynamic ports, and not port 80?

Answer: A container doesn’t need to publish/forward to any port on the outside. It listens on a port, for example, port 80, from its own private IP address, inside the Docker private network. The value of Traefik is to route requests from the outside on a chosen port, for example, port 80 or 443, of the public address, to the private IP address of the web server. Traefik watches for Docker’s API to get this private IP, and for any change of this private IP (e.g. on a container reboot). Also, you can have as many containers as you want, listening on their own port 80 without any conflict: useful for blue/green deployments, for example. You can find more information here: https://docs.Traefik.io/v1.7/basics/#concepts.


Question: Could you create the Jenkins link also with a Host:jenkins.demo.containous.cloud, and no other option (i.e. no tweak on Jenkins, no PathPrefix etc.) — only add another entry in your DNS?

Answer: Yes, totally. This demo chose to use a single domain name, and to segregate the application using Path based routing (e.g. /Jenkins, /Git Server, etc.). Traefik also supports out of the box, sub-domain based routing. It would even be simpler for the label’s configuration: no need to provide any frontend rule: Traefik uses the compose service name to guess the subdomain. If you have a service jenkins and Traefik set with --docker.domain=company.co, then Traefik expects a request on jenkins.containous.cloudto be routed to the service jenkins. Of course, any combination of both can be done. You can see the subdomain based routing in action with the official Traefik quickstart: https://docs.Traefik.io/v1.7/#the-Traefik-quickstart-using-docker .


Question: Does Traefik have any integration with a geolocation provider like MaxMind, to add geolocation headers, like Google or NGINX can?

Answer: No, it does not support it.


Question: Would it be the same process to connect Traefik and Kubernetes, with Kubernetes instead of Docker?

Answer: Yes and No:


Question: Can Traefik perform checks on a certificate SubjectName? For example: I would like to reject any client certificate DOES NOT have an OU value of CareQuality in the SubjectName. Aka — if a cert comes in with this SN CN=.zengemini.net,OU=CareQuality — accept the SSL and pass it on. If a certificate comes in with this SN CN=.zengemini.net,OU=SomethingElse — kill the handshake.

Answer: No, it does not support it. Traefik only uses SNI information to find the certificate that applies to a requested domain, but it doesn’t perform some other filtering operations.


Question: What is the best mechanism for using Traefik as a reverse proxy for services running on separate servers that are unconnected from Docker, e.g., a Neo4j server running within a firewall, leveraging the Traefik routed subdomain pattern?

Answer: If you only have a static list of services without any dynamic orchestrator as Docker, Swarm, Kubernetes, Mesos, etc., then Traefik can still be configured statically with the file provider (https://docs.Traefik.io/v1.7/configuration/backends/file/ ). In this case, you lose the benefit of automatic discovery for backends and frontends, but you can still use other Traefik features, as automatic HTTPS with Let’s Encrypt.


Question: Can DNS challenge be automated in the same way you did the TLS challenge?

Answer: Yes, of course! The only difference is that you need to configure Traefik one time, to give it the credentials to your DNS provider, so it can create the records for the challenge, and clean it after. It works with a lot of different providers including AWS Route53, Azure, CloudFlare, DNSSimple, Google Cloud DNS, etc. You can learn more on the documentation about this: https://docs.Traefik.io/v1.7/configuration/acme/#dnschallenge.


Question: Do the options like the path strip work when using Marathon/Mesos providers?

Answer: Yes of course. The providers in Traefik only provide backend. The PathPrefix (etc.) is a frontend rule, which is guessed from the labels. As Mesos (https://docs.Traefik.io/v1.7/configuration/backends/mesos/) and Marathon (https://docs.Traefik.io/v1.7/configuration/backends/marathon/) both support the labels, you can provide the PathPrefix* with traefik.frontend.ruleas we did for Docker.


Question: I am coming from a HAProxy setup. How can i get the time taken for each request spent in frontend and backend?

Answer: Traefik Metrics can be exported to a Metric collector, as Prometheus or Datadog, so you can get these metrics: https://docs.Traefik.io/v1.7/configuration/metrics/ . You can also use tracing (https://docs.Traefik.io/v1.7/configuration/tracing/) with Jaeger, Zipkin or Datadog.


Question: Are you required to use the config file with DNS challenge for certificates?

Answer: The ACME main configuration for all challenge types must be defined by using a TOML file or by using CLI flags. Don’t forget to also provide the environment variables with your DNS provider’s credentials. (see https://docs.Traefik.io/v1.7/configuration/acme/#dnschallenge)

If you don’t need wildcard certificates, the DNS challenge can use the onHostRule system based on labels (see https://docs.Traefik.io/v1.7/configuration/acme/#onhostrule).

The DNS challenge has the particularity to be able to create wildcard certificates, in this case Traefik can’t use the onHostRule system based on labels. So to get wildcard certificates, you have to define your domains in the static configuration (TOML or CLI flags).


Question: Do you have an example configuration to compare/contrast how much more complicated this setup is without Traefik?

Answer: An example of docker-compose.yml:

version: '3'
services:
  # The reverse proxy service (Traefik)
  reverse-proxy:
    # The official Traefik Docker image
    image: traefik:v1.7
    # Enables the web UI, Let's Encrypt and tells Traefik to listen to Docker
    command:
      - "--docker"
      - "--api"
      - "--defaultentrypoints=http,https"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--acme.onhostrule=true"
      - "--acme.storage=acme.json"
      - "--acme.entrypoint=https"
      - "--acme.tlschallenge"
    ports:
      # The HTTP port
      - "8081:80"
      # The HTTPS port
      - "8043:443"
      # The Web UI (enabled by--api)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      # A container that exposes a simple API
  whoami:
    # A container that exposes an API to show its IP address
    image: containous/whoami
    labels:
    - "traefik.frontend.rule=Host:my.domain.com"

And some links:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment