When I created my first droplet at DigitalOcean, I needed service discovery. At that time I had no idea how to deal with it. Eventually I went for nginx. But not knowing the concepts, syntax, or workarounds, I had a difficult time. Then I discovered nginx-proxy, which made the process a bit easier, as there were a few apps/services on my droplet running in Docker. nginx-proxy adjusts the configuration automatically based on environment variables.
But when I discovered Traefik, everything changed. With its YAML-based configuration, easy-to-start-with behavior and full Docker support, it became my favorite service discovery tool.
Traefik provides a nice-looking dashboard to manage and observe the configuration of routers and services. It's relatively easy to set up TLS with Let's Encrypt for a router by configuring Traefik. However, it was a bit tricky for me to set up TLS for the dashboard itself.
Here is the configuration for docker-compose labels:
    labels:
      traefik.enable: true
      traefik.http.routers.traefik_https.rule: Host(`traefik.example.com`)
      traefik.http.routers.traefik_https.entrypoints: websecure
      traefik.http.routers.traefik_https.tls: true
      traefik.http.routers.traefik_https.tls.certResolver: myresolver
      traefik.http.routers.traefik_https.service: api@internal
After putting the above labels in your docker-compose file for the Traefik container, just execute docker-compose up. As there are changes in the compose file, it will restart the container. As soon as you do this, you will see a new route protected with TLS in your dashboard like below:
For me the tricky part was naming the service:
Of course you don't want to keep this dashboard open. In my case I just added basic auth to keep it protected. So add these labels to your docker-compose file for the Traefik container as well.
      traefik.http.routers.traefik_https.middlewares: basic-auth-global
      traefik.http.middlewares.basic-auth-global.basicauth.users: <username>:<encoded-password>
I thought it would read the middleware from the Traefik configuration file, traefik.yml. But that was not the case. I had to create the middleware in the docker-compose file with a label.
Finally, you want to disable insecure mode to prevent access over HTTP. To do so, make the Traefik api configuration in traefik.yml look like below:
    api:
      insecure: false
      dashboard: true
After doing this, you will see that your Traefik dashboard can no longer be accessed through http, only through https. And you need to enter a username and password the first time you open it in a browser.
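The steps above can be checked mechanically before deploying. This is an added example, not code from the original post or from the Traefik project: a small Python audit of the dashboard labels. The function name `audit_dashboard_labels`, the `web` entry point in the weak sample and the placeholder hash are assumptions made for illustration. It also checks one detail the labels above leave implicit: in a compose file every `$` in the htpasswd hash has to be written as `$$`, otherwise compose treats it as variable interpolation.

```python
import re

# Hypothetical helper, not part of Traefik: audits docker-compose labels (as
# written in the compose file, before interpolation) for the post's steps.
SERVICE_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.service$")

def audit_dashboard_labels(labels, secure_entrypoint="websecure"):
    """Return a list of findings; an empty list means every check passed."""
    routers = [m.group(1) for k, v in labels.items()
               if (m := SERVICE_KEY.match(k)) and str(v) == "api@internal"]
    if not routers:
        return ["no router points at api@internal"]
    findings = []
    for name in routers:
        def get(key):
            return str(labels.get(f"traefik.http.routers.{name}.{key}", "")).strip()
        if get("tls").lower() != "true":
            findings.append(f"{name}: tls is not enabled")
        if get("entrypoints").split(",") != [secure_entrypoint]:
            findings.append(f"{name}: not restricted to {secure_entrypoint}")
        users = []
        for mw in filter(None, get("middlewares").split(",")):
            key = f"traefik.http.middlewares.{mw.strip().split('@')[0]}.basicauth.users"
            users += [u for u in str(labels.get(key, "")).split(",") if u]
        if not users:
            findings.append(f"{name}: no basicauth middleware defined in labels")
        for entry in users:
            user, _, hashed = entry.partition(":")
            # A lone '$' is compose interpolation; the hash needs '$$' instead.
            if "$" in hashed.replace("$$", ""):
                findings.append(f"{name}: hash for {user} has an unescaped '$'")
    return findings

# Constructed sample labels; the hash is a made-up placeholder, not a real one.
WEAK = {
    "traefik.enable": True,
    "traefik.http.routers.traefik_https.rule": "Host(`traefik.example.com`)",
    "traefik.http.routers.traefik_https.service": "api@internal",
    "traefik.http.routers.traefik_https.entrypoints": "web",
    "traefik.http.routers.traefik_https.middlewares": "basic-auth-global",
    "traefik.http.middlewares.basic-auth-global.basicauth.users": "admin:$2y$05$PLACEHOLDERHASH"}
HARDENED = {**WEAK,
    "traefik.http.routers.traefik_https.entrypoints": "websecure",
    "traefik.http.routers.traefik_https.tls": True,
    "traefik.http.middlewares.basic-auth-global.basicauth.users": "admin:$$2y$$05$$PLACEHOLDERHASH"}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_dashboard_labels(sample) or "OK")
```

Feed it the labels mapping of the Traefik service as loaded from your compose file; the check only sees middlewares defined as labels, which matches the setup described above.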