Traefik provides a proxy that is container aware. This is a level 7 proxy, that is it operates in the application layer in the OSI model, that can only do connection termination. One needs a level 4 proxy, that is it operate in the transport layer in the OSI model, to do connection routing as required by SSL-SNI for example.
Traefik will configure a virtual host for each container in ones container cluster (Mesos/docker/kubernetes and other supported), allowing it to serve from each container. It will even go one further and issue SSL certificates for each service.
It may be run from within a container or upon the host. This article is concerned with the latter.
Ebuilds for traefik are presently supplied from overlay.
eselect repository enable r7l
emerge --sync r7l
layman -a r7l
Traefik is a go based project and does not seem to need any specific use flags.
Traefik is readily emerged via the usual means once the overlay has been configured.
emerge --ask net-proxy/traefik
Traefik is run as a compliment to ones container manager (Docker/Mesos). One may configure it to be run as the web facing proxy if there are no host services or behind another proxy (Haproxy/NginX/Apache) should one be serving content from another web server(Nginx/Apache). Additionally Traefik supports analytics/monitoring which can be connected to packages like Prometheus.
As traefik is quite modular it is easiest to copy the relevant pre-configured sections out of their documentation, stitching the parts together as necessary for ones own system.
Traefik does not have any environment variables that it looks out for, there is supposedly certain configurations that may make it use environment variables (Although the author can not recall the packages name at this time).
Traefik has one main configuration file which controls its operation. It can either be written in TOML or YAML language.
- /etc/traefik/traefik.toml - Global configuration file for traefik using TOML.
- /etc/traefik/traefik.yml - Global configuration file for traefik using YAML.
One may configure Traefik to use a further folder/file for different frontend/backend configurations.
- /etc/traefik/conf.d/ - Path for additional routing configurations.
The following paths should be used for logging purposes.
- /var/log/traefik/traefik.log - Traefik log for recording program, container and certification events .
- /var/log/traefik/access.log - Access log for recording web traffic through Traefik.
htpasswd may be used to generate the password(s),
htpasswd -nB -C 17 USERNAME
Typically the service needs access to the docker socket, /var/run/docker.sock, to generate configurations for the containers it proxies. Traefik should be really be started as root so that it can connect to the socket and then restrict it's own permissions to that of the Traefik user. The present init script starts the service as the traefik user which prevents it from seeing the socket. One may add Traefik to the docker group to enable this permission again.
gpasswd -a traefik docker
One one has configured Traefik to their satisfaction they may enable and start the service.
rc-update add traefik default
Subsequently start the service or restart the machine:
rc-service traefik start
Use the following command to disable it:
rc-update del traefik
systemctl enable --now traefik
Use the following command to disable it:
systemctl disable traefik
While one is configuring Traefik it is convenient to run it directly.
Traefik may be run in debug mode, allowing one verify their configuration and to watch it's responses to various requests.
traefik -d --configFile=/etc/traefik/traefik.toml
One may use ctrl+c to terminate this process.
Ignoring Frontend/backend configuration
Traefik is not told to explicitly watch it's own configuration file for frontend/backend configuration(s). This is resolved by simply adding the file heading into the configuration.
If traefik is hosted behind a proxy and the proxy is not forwarding the Host header then traefik cannot know which container to serve and returns a 404. To fix this ensure that one has correctly configured the proxy protocol in both the frontend proxy and the Traefik service itself.
Removal of Traefik is as simple as unmerging the package, one may also wish to remove the overlay thereafter.
emerge --ask --depclean --verbose net-proxy/traefik