Intro
When I created my first droplet at DigitalOcean, I needed service discovery. At that time I had no idea how to deal with it. Eventually I went for nginx. But not knowing the concepts, syntax and workarounds, I was having a difficult time. Then I discovered nginx-proxy, which made the process a bit easier, as there were a few apps/services running in Docker on my droplet. nginx-proxy adjusts the configuration automatically based on environment variables.
But when I discovered traefik, everything changed. With its YAML-based configuration, easy start and full Docker support, it became my favorite service discovery tool.
Dashboard
Traefik provides a nice-looking dashboard to manage and observe the configuration of routers and services. It's relatively easy to set up TLS with Let's Encrypt for a router by configuring traefik. However, it was a bit tricky for me to set up TLS for the dashboard itself.
Add TLS
Here is the configuration for the docker-compose labels:

    labels:
      traefik.enable: true
      traefik.http.routers.traefik_https.rule: Host(`traefik.example.com`)
      traefik.http.routers.traefik_https.entrypoints: websecure
      traefik.http.routers.traefik_https.tls: true
      traefik.http.routers.traefik_https.tls.certResolver: myresolver
      traefik.http.routers.traefik_https.service: api@internal

After adding the labels above to the traefik container in your docker-compose file, just execute docker-compose up. As there are changes in the compose file, it will restart the container. As soon as you do this, you will see a new route protected with TLS in your dashboard.
For me the tricky part was naming the service: api@internal
Add basic auth
Of course you don't want to keep this dashboard open. In my case I just added basic auth to keep it protected. So add these additional labels to the traefik container in your docker-compose file:

      traefik.http.routers.traefik_https.middlewares: basic-auth-global
      traefik.http.middlewares.basic-auth-global.basicauth.users: <username>:<encoded-password>

I thought it would read the middleware from the traefik configuration, which is traefik.yml. But that was not the case. I had to create the middleware in the docker-compose file with a label.
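The `<encoded-password>` value is an htpasswd-style hash, and in a docker-compose file every `$` in it has to be written as `$$`, otherwise compose treats it as a variable reference. The check below is an added example, not part of the original post or of Traefik: the function names are hypothetical, the sample hash is constructed, and it assumes the entry was produced with something like `htpasswd -nB <username>`.

```python
import re

# Hash formats produced by htpasswd that Traefik's basicauth middleware accepts.
BCRYPT = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")
APR1 = re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}")
SHA1 = re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}=")

# Constructed sample in `htpasswd -nB` output shape; not a hash of any real password.
SAMPLE_HTPASSWD_LINE = "admin:$2y$05$" + "a" * 53


def to_compose_label(htpasswd_line):
    """Double every $ so docker-compose does not treat it as a variable reference."""
    return htpasswd_line.strip().replace("$", "$$")


def audit_users_label(value):
    """Return findings for a basicauth.users value as written in docker-compose.yml."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        user, sep, hashed = entry.partition(":")
        if not (user and sep and hashed):
            findings.append(f"{entry!r}: expected user:hash")
            continue
        # After removing escaped pairs, any $ left would be interpolated by compose.
        if "$" in hashed.replace("$$", ""):
            findings.append(f"{user}: unescaped $ in hash, write it as $$")
            continue
        actual = hashed.replace("$$", "$")  # the value Traefik receives
        if BCRYPT.fullmatch(actual) or APR1.fullmatch(actual):
            continue
        if SHA1.fullmatch(actual):
            findings.append(f"{user}: unsalted SHA1 hash, prefer bcrypt (htpasswd -B)")
        else:
            findings.append(f"{user}: not an htpasswd hash, possibly a plaintext password")
    return findings


if __name__ == "__main__":
    label = to_compose_label(SAMPLE_HTPASSWD_LINE)
    print("basicauth.users:", label)
    for problem in audit_users_label(SAMPLE_HTPASSWD_LINE + ",ops:hunter2"):
        print("finding:", problem)
```
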
Disable insecure mode
Finally, you want to disable insecure mode to prevent access with http. To do so, make your traefik api configuration in traefik.yml like below:

    api:
      insecure: false
      dashboard: true

Conclusion
After doing this, you will see that your traefik dashboard can't be accessed through http anymore, only through https. And you need to enter a username and password the first time you open it in a browser.
Top comments (2)
Thanks for the article. Something that wasn't mentioned is how to generate the encoded password, so here you go:
Can you please post your full docker-compose file? It will be a lot better to see how things connect together in your guide.