Docker has proven to be an efficient way to run web applications in production. If we want to run multiple applications on the same Docker host, we need a reverse proxy, because we only want to expose ports 80 and 443. Traefik is a popular solution for that: it's easy to use and provides a nice dashboard. In the following we will go through the setup process step by step and end up with a ready-to-use reverse proxy that encrypts our applications automatically and even includes a dashboard!
Some prerequisites are necessary to set up Traefik, the most obvious one being Docker. In addition, we will install Docker-Compose to be able to create Docker containers from .yml files.
Docker Installation for Ubuntu Linux
If we run into errors during the installation process or are on a different OS environment, it's also possible to follow along the official Docker installation
Let’s start by updating all existing packages:
sudo apt update
Now we install a few prerequisite packages which let apt use packages over HTTPS:
sudo apt install apt-transport-https ca-certificates curl software-properties-common
Then we add the GPG key of the official Docker repository to your system:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
And add the Docker repository to APT sources:
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
To make sure Docker will be installed from the Docker repository instead of the default Ubuntu apt repo:
apt-cache policy docker-ce
And finally the actual installation of Docker:
sudo apt install docker-ce
Docker should now be installed and running as a daemon process. We can check its status with:
sudo systemctl status docker
Output should be similar to this with a status of active (running):
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; e>
     Active: active (running) since Sat 2021-10-23 20:34:1>
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 592 (dockerd)
      Tasks: 47
     Memory: 387.8M
     CGroup: /system.slice/docker.service
             ├─ 632 /usr/bin/dockerd -H fd:// --
Docker-Compose Installation for Ubuntu Linux
The official installation documentation of Docker-Compose can also be used here. We start by downloading the current stable release of Docker Compose, which in this case is version 1.29.2:
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
Next, the correct permissions will be set so that the docker-compose command is executable:
sudo chmod +x /usr/local/bin/docker-compose
To verify that the installation was successful we can check the version:
Output should be similar to:
docker-compose version 1.29.2, build unknown
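The curl command above writes the downloaded binary straight into /usr/local/bin as root without an integrity check. The following is an added example, not part of the original article: it installs the binary only if its SHA-256 digest matches a checksum file. It assumes a checksum file in sha256sum format for the same release asset has been downloaded next to the binary; the function name verify_and_install and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: install a downloaded binary only if its SHA-256 matches.
# verify_and_install BINARY CHECKSUM_FILE DEST
#   CHECKSUM_FILE is in sha256sum format: "<64 hex digits>  <file name>"
#   (assumption: such a file was obtained for the same release asset).
# Returns 0 on success, 1 on mismatch, 2 on a malformed checksum file.
verify_and_install() {
    bin=$1; sumfile=$2; dest=$3

    # Take the first field of the first line and reject anything that is
    # not a 64-character lowercase hex digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    case $expected in
        *[!0-9a-f]*|'') echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }

    actual=$(sha256sum "$bin" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 1
    fi

    # install(1) copies the file and sets the mode in one step, which
    # replaces the separate chmod +x from the article.
    install -m 0755 "$bin" "$dest"
}

# Run when called with three arguments, e.g. (prefix with sudo for /usr/local/bin):
#   sh verify.sh ./docker-compose ./docker-compose.sha256 /usr/local/bin/docker-compose
if [ "$#" -eq 3 ]; then verify_and_install "$1" "$2" "$3"; fi
```

Downloading to a temporary path first and installing only after the check means a corrupted or tampered file never lands on the PATH.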
Reverse Proxy Server Traefik Setup
Traefik is a reverse proxy server that handles all the routing logic of our applications and also makes sure they are SSL encrypted. That is handy if, for example, we are running multiple applications on the same port number. Traefik also comes with a nice interface. We will deploy it as our first Docker container, and later on we will also reference our applications on it.
To log in to the monitoring dashboard provided by Traefik, we need credentials. As an additional security layer we store the password as a hash instead of in plain text. The package apache2-utils provides a utility called htpasswd for that, so let's install it:
sudo apt-get install apache2-utils
To generate the hashed password we run the following command with a self-defined password:
htpasswd -nb admin self-defined-password
The output provides our hashed password; let's write it down somewhere for later use:
To configure Traefik we will create two configuration files called traefik.toml and traefik_dynamic.toml. These files let us configure the Traefik server and various integrations, or providers. Here we will use three Traefik providers: api, docker and acme. Acme is for supporting TLS certificates using Let's Encrypt. We begin by creating traefik.toml:
We insert all our configuration variables into the file; the only part we need to modify here is our email.
[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true

[certificatesResolvers.lets-encrypt.acme]
  email = "your_email@your_domain"
  storage = "acme.json"
  [certificatesResolvers.lets-encrypt.acme.tlsChallenge]

[providers.docker]
  watch = true
  network = "web"

[providers.file]
  filename = "traefik_dynamic.toml"
Now let’s configure our second file traefik_dynamic.toml. That one keeps all our dynamic configuration values.
Let's copy the content below and insert it into traefik_dynamic.toml. We have to replace the value after admin: with the hashed password we created a few steps above, and replace the part after monitor. in the rule variable with our target domain.
[http.middlewares.simpleAuth.basicAuth]
  users = [
    "admin:$apr1$BJaedHbq$Ur.tndPT2nM/dCC0.ZB6v."
  ]

[http.routers.api]
  rule = "Host(`monitor.your_domain`)"
  entrypoints = ["websecure"]
  middlewares = ["simpleAuth"]
  service = "api@internal"
  [http.routers.api.tls]
    certResolver = "lets-encrypt"
Next we need a Docker network for our proxy that will be shared with our containers. The Docker network is necessary to be able to use applications that are run using Docker-Compose.
docker network create web
As a last file we need a place where our Let's Encrypt information can be stored. We use a JSON file called acme.json for that, and for security reasons we change its permissions:
touch acme.json
chmod 600 acme.json
Finally, we can create our Traefik container with this command:
sudo docker run -d -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/traefik.toml:/traefik.toml -v $PWD/traefik_dynamic.toml:/traefik_dynamic.toml -v $PWD/acme.json:/acme.json -p 80:80 -p 443:443 --network web --name traefik traefik:v2.2
If everything went successfully, we can open a browser, navigate to https://monitor.your_domain/dashboard/ and enter our username and password to log in to our Traefik overview.
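Before running the docker run command above, the three bind-mounted files can be checked for the mistakes that most often break or weaken this setup. The following preflight script is an added example, not part of the original article: the function name preflight_traefik is hypothetical, and it assumes the file names, the simpleAuth middleware name and the 600 mode used in this article, plus GNU stat as on Ubuntu.

```shell
#!/bin/sh
# Added example: preflight check for the three files the docker run command bind-mounts.
# preflight_traefik DIR  -> prints one line per problem, returns the number of problems.
preflight_traefik() {
    dir=$1
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # docker run -v creates a *directory* on the host when the source path is
    # missing, so each mounted file must already exist as a regular file.
    for f in traefik.toml traefik_dynamic.toml acme.json; do
        [ -f "$dir/$f" ] || fail "$f is missing or not a regular file"
    done

    # acme.json will hold the ACME account key and certificate private keys.
    if [ -f "$dir/acme.json" ]; then
        mode=$(stat -c '%a' "$dir/acme.json")   # GNU stat, as shipped on Ubuntu
        [ "$mode" = "600" ] || fail "acme.json mode is $mode, expected 600"
    fi

    dyn="$dir/traefik_dynamic.toml"
    if [ -f "$dyn" ]; then
        # Typographic quotes (U+201C/U+201D) pasted from a web page are not
        # valid TOML string delimiters.
        lq=$(printf '\342\200\234'); rq=$(printf '\342\200\235')
        if grep -q -e "$lq" -e "$rq" "$dir/traefik.toml" "$dyn" 2>/dev/null; then
            fail "typographic quotes found in TOML"
        fi
        # The users entry must be an htpasswd hash (apr1 or bcrypt), not a plain password.
        grep -Eq '"[^":]+:\$(apr1|2[aby])\$' "$dyn" \
            || fail "no hashed basicAuth user in traefik_dynamic.toml"
        # The dashboard router must reference the basic-auth middleware.
        grep -Eq '^[[:space:]]*middlewares[[:space:]]*=.*"simpleAuth"' "$dyn" \
            || fail "api router does not reference the simpleAuth middleware"
    fi
    return "$problems"
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then preflight_traefik "$1"; fi
```

A non-zero exit status means at least one check failed; each FAIL line names the file to fix before starting the container.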