CubeCoders / AMP

Issue tracking and documentation for AMP
https://cubecoders.com/AMP

Traefik Support #161

Closed calmcacil closed 1 year ago

calmcacil commented 5 years ago

Feature Request

Feature Information:

Please add support for traefik + docker setups. It would be very easy to support both in terms of existing setups where people are already using traefik as it'd only require adding labels to the docker containers and it'd auto configure.

Can be performed on "new" installs by creating a traefik container and maintaining it with AMP, or by adding support for integrating with an existing container by simply adding the required labels to docker instances when creating/starting the containers.

I confirm:

Yep, confirm I searched for info on this.

PhonicUK commented 5 years ago

Can you please be more specific in terms of what's actually involved in doing this, and what the use case is?

calmcacil commented 5 years ago

Traefik does reverse proxying, and it's becoming more and more common when dealing with docker containers that need to be accessible through the internet. It has built-in SSL certificate renewal and works well at doing that job. I already use it on my server for the other docker services I'm using, and it'd overall be a lot easier to implement than it would be to implement an nginx proxy, especially in cases where traefik is already being used.

    networks:
      - internal
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:containername.domain.tld"
      - "traefik.backend=containername"
      - "traefik.port=8080"
      - "traefik.docker.network=internal"

PhonicUK commented 5 years ago

I'm assuming that just handles the web interface side - what about the application specific ports, do they need anything doing? I'm assuming for the host it should do something like {instancename}.mydomain.com where mydomain.com is something the user provides and assuming the existence of a wildcard cert?

calmcacil commented 5 years ago

Correct on the host. It handles the web interface only; you wouldn't need to expose the web UI ports, since the internal network handles the traefik <-> instance communication. App-specific ports would still need to be exposed as normal with docker.

PhonicUK commented 5 years ago

Cool, this is a simple thing to add then. I'll add 3 settings to ADS. One to enable support, another to specify the network (defaults to internal) and another to specify the domain in wildcard format, and it'll apply the appropriate labels when starting/configuring the instance.

calmcacil commented 5 years ago

Nice, looking forward to it.

TheFehr commented 5 years ago

@PhonicUK That would be amazing. I was just checking if I could get a custom solution up and running that checks for any cubecoders container and then sets the appropriate settings in a dynamic config file of traefik. But this would be way easier and cleaner. @miguemely I believe the game ports could theoretically be routed through traefik as well, since v2.0 added support for TCP proxying (not 100% sure if with docker or still only with the file provider). No UDP yet, but there are rumors that it might be added in a future release as well.
And @PhonicUK the label example from @miguemely is from traefik v1.7. V2.0 had some big changes in its docker labels.

PhonicUK commented 4 years ago

Support for this has been added (but not yet tested!) in the latest CI build.

TheFehr commented 4 years ago

I just pulled the nightly and saw the 3 new config options; sadly the added labels are for traefik version < 2.0, because 2.0 introduced a new, clearer label schema.

TheFehr commented 4 years ago

@PhonicUK Those would be the needed ones for version >= 2.0

This would be for a simple http setup. For https you'd need another config option where the user specifies their cert resolver and their http-to-https redirect middleware, and then the following labels:

PhonicUK commented 4 years ago

I'm going to need more examples because that is less clear than before xD

TheFehr commented 4 years ago

  1. "traefik.enable=true" Just to make sure that traefik actually applies the label on this docker. This might not be necessary depending upon the user's setup, but it won't hurt.
  2. "traefik.docker.network=traefik" The docker network that traefik uses to do the internal communication
  3. "traefik.http.routers.game.rule=Host(`game.thedomain.com`)" The host rule for the https endpoint
  4. "traefik.http.routers.game.tls.certResolver=acmify" The user-defined certResolver
  5. "traefik.http.routers.game.entrypoints=web-secure" The user-defined traefik endpoint representing 443 in this example
  6. "traefik.http.routers.game-http.rule=Host(`game.thedomain.com`)" The host rule for the http endpoint
  7. "traefik.http.routers.game-http.middlewares=httpsify@file" The user-defined middleware that redirects http -> https
  8. "traefik.http.routers.game-http.entrypoints=web" The user-defined traefik endpoint representing 80 in this example
  9. "traefik.http.services.game.loadbalancer.server.port=3000" The port on the docker on which the webserver responds

@PhonicUK I hope this makes it clearer.

The endpoints (5 and 8) are not 100% needed; then it just listens on all the endpoints defined by the user. And for http only you can remove 3, 4, 5 and 7.

jLemmings commented 4 years ago

Would love to have traefik v2 support. Users should have the option for v1 or v2 support as the two versions are not compatible.

deadlysnek commented 4 years ago

I'll reopen this issue for v2 support

TheFehr commented 4 years ago

@jLemmings do you think my example was clear enough? Or would you add anything?

jLemmings commented 4 years ago

This is how I would set the traefik flags for an instance:

      - traefik.enable=true
      - traefik.http.services.AMP_INSTANCE.loadbalancer.server.port=3000
      - traefik.docker.network=traefik
      - traefik.http.routers.AMP_INSTANCE.rule=Host(`AMP_INSTANCE.DOMAIN.COM`)
      - traefik.http.routers.AMP_INSTANCE.entrypoints=https
      - traefik.http.routers.AMP_INSTANCE.tls.certresolver=letsencrypt
      - traefik.http.routers.AMP_INSTANCE.tls.domains[0].main=*.DOMAIN.COM
      - traefik.http.routers.AMP_INSTANCE.tls.domains[0].sans=DOMAIN.COM
      - traefik.http.middlewares.AMP_INSTANCE.headers.SSLRedirect=true
      - traefik.http.middlewares.AMP_INSTANCE.headers.STSSeconds=315360000
      - traefik.http.middlewares.AMP_INSTANCE.headers.browserXSSFilter=true
      - traefik.http.middlewares.AMP_INSTANCE.headers.contentTypeNosniff=true
      - traefik.http.middlewares.AMP_INSTANCE.headers.forceSTSHeader=true
      - traefik.http.middlewares.AMP_INSTANCE.headers.SSLHost=
      - traefik.http.middlewares.AMP_INSTANCE.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.AMP_INSTANCE.headers.STSPreload=true
      - traefik.http.middlewares.AMP_INSTANCE.headers.frameDeny=true

PhonicUK commented 4 years ago

traefik.http.services.AMP_INSTANCE.loadbalancer.server.port=3000

Where is that port number coming from @jLemmings ?

deadlysnek commented 4 years ago

One thing I noticed. I would be hesitant about automatically adding STS and preload headers without making them optional and including a large warning that users should understand the implications of what they are about to turn on.

TheFehr commented 4 years ago

traefik.http.services.AMP_INSTANCE.loadbalancer.server.port=3000

Where is that port number coming from @jLemmings ?

The port number is the published web port on the docker.

TheFehr commented 4 years ago

One thing I noticed. I would be hesitant about automatically adding STS and preload headers without making them optional and including a large warning that users should understand the implications of what they are about to turn on.

I definitely agree here. This is why my example did not include those labels.

PhonicUK commented 2 years ago

Closed due to inactivity. V1 support was implemented, no apparent demand for V2.

ralphschuler commented 2 years ago

Hey,

Any chance this could be picked up again? I'm running traefik:2.6 and the required labels changed in this version.

PhonicUK commented 2 years ago

If it's as simple as dropping some labels on then yes, just need someone to spell out what the labels are.

TheFehr commented 2 years ago

I can provide some examples that I use. Will try to do so tonight or tomorrow

ralphschuler commented 2 years ago

If it's as simple as dropping some labels on then yes, just need someone to spell out what the labels are.

This is a docker-compose I use to set up a service with the required labels for traefik.

It is important to have the proxy network attached too.

version: '3'

services:
  app:
    image: app:latest
    volumes:
      - data:/data
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.entrypoints=https"
      - "traefik.http.routers.app.tls.certresolver=http"
      - "traefik.http.routers.app.rule=Host(`portainer.example.org`)"
      - "traefik.http.services.app.loadbalancer.server.port=9000"
      - "traefik.docker.network=proxy"

networks:
  proxy:
    external: true

volumes:
  data:

TheFehr commented 2 years ago
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.app.entrypoints=https"
  - "traefik.http.routers.app.tls.certresolver=http"
  - "traefik.http.routers.app.rule=Host(`portainer.example.org`)"
  - "traefik.http.services.app.loadbalancer.server.port=9000"
  - "traefik.docker.network=proxy"

Important to add, maybe: app in all rows is dynamic and needs to be unique over all services for the same traefik instance. So a Minecraft server might use minecraft instead of app, or a Valheim server might use valheim. If a second Minecraft server is added it is not allowed to use minecraft; this would interfere with the other router and lead to unpredictable and unwanted behaviour (it would assume that it is supposed to load balance those two containers, which is not what we want).

proxy in traefik.docker.network=proxy should be dynamic as well, as this name is defined by the user when setting up traefik. https in traefik.http.routers.app.entrypoints=https should be dynamic too. This is also user defined and not fixed by traefik. http in traefik.http.routers.app.tls.certresolver=http should be dynamic too. This is also user defined and not fixed by traefik.

traefik.http.services.app.loadbalancer.server.port=9000 is only necessary if the docker container forwards more than one port. Or the image does not define any port at all. As then traefik can't figure the correct port out by itself.

Also this setup does not auto redirect http to https. That would need more lines. traefik.http.routers.app.middlewares=httpsRedirectMiddleware with httpsRedirectMiddleware being dynamic would enable the user to define a redirect middleware in traefik config and add it to this router.
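
As an added example (not AMP's or Traefik's own code), covering both TheFehr's numbered v2 label list earlier in the thread and the uniqueness and port notes in this comment: a small Python generator that emits the v2 labels for each instance, keeps STS headers opt-in, always sets the service port, and refuses two instances that would sanitise to the same router name. TraefikSettings, build_labels, labels_for_instances, compose_lines and the sample instance names are assumptions made for illustration.

```python
"""
Traefik v2 label generator for AMP-style instances.

Added example, not AMP or Traefik project code. It applies the v2 label schema
from the thread (router rule/entrypoints/certresolver, service port, optional
HTTP router with a redirect middleware) and enforces the rule that each instance
gets a unique router/service name. All names here are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Router/service names are derived from the instance name. Restricting them to a
# DNS-label charset keeps an instance name from injecting extra label keys or rule
# syntax, and keeps "<name>.<domain>" a valid hostname.
_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# User-defined Traefik identifiers (network, entrypoint, resolver, middleware@provider).
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_@.-]+$")


@dataclass
class TraefikSettings:
    """Values the user supplies; none of them are fixed by Traefik itself."""
    domain: str                      # "example.org" or the wildcard form "*.example.org"
    network: str = "proxy"           # docker network shared with the traefik container
    https_entrypoint: str = "https"  # user-defined entrypoint for :443
    cert_resolver: str = "http"      # user-defined certResolver
    http_entrypoint: Optional[str] = None       # set to also create a plain-HTTP router
    redirect_middleware: Optional[str] = None   # e.g. "httpsify@file" on the HTTP router
    hsts: bool = False               # STS headers stay opt-in, as the thread suggests


def _token(value: str, what: str) -> str:
    """Reject separators (commas, spaces, ...) that Traefik would parse as extra entries."""
    if not _TOKEN_RE.match(value):
        raise ValueError(f"{what} {value!r} contains characters a Traefik label cannot take safely")
    return value


def sanitize_name(instance_name: str) -> str:
    """Lower-case the instance name and reject anything outside [a-z0-9-]."""
    name = instance_name.strip().lower()
    if not _NAME_RE.match(name):
        raise ValueError(f"instance name {instance_name!r} is not a safe router name")
    return name


def build_labels(instance_name: str, web_port: int, settings: TraefikSettings) -> Dict[str, str]:
    """Return the Traefik v2 labels for one instance as a {key: value} dict."""
    name = sanitize_name(instance_name)
    domain = settings.domain.lower()
    if domain.startswith("*."):          # accept the wildcard form of the ADS domain setting
        domain = domain[2:]
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"domain {settings.domain!r} is not a valid DNS name")
    if not 1 <= web_port <= 65535:
        raise ValueError(f"web port {web_port} is out of range")
    host = f"{name}.{domain}"
    router = f"traefik.http.routers.{name}"
    labels = {
        "traefik.enable": "true",
        "traefik.docker.network": _token(settings.network, "network"),
        f"{router}.rule": f"Host(`{host}`)",          # v2 Host() rules need backticks
        f"{router}.entrypoints": _token(settings.https_entrypoint, "entrypoint"),
        f"{router}.tls.certresolver": _token(settings.cert_resolver, "certresolver"),
        # Always set the port: game-server containers publish several ports, so
        # Traefik cannot pick the web port on its own.
        f"traefik.http.services.{name}.loadbalancer.server.port": str(web_port),
    }
    if settings.http_entrypoint:
        http_router = f"traefik.http.routers.{name}-http"
        labels[f"{http_router}.rule"] = f"Host(`{host}`)"
        labels[f"{http_router}.entrypoints"] = _token(settings.http_entrypoint, "entrypoint")
        if settings.redirect_middleware:
            labels[f"{http_router}.middlewares"] = _token(settings.redirect_middleware, "middleware")
    if settings.hsts:
        headers = f"traefik.http.middlewares.{name}-headers.headers"
        labels[f"{headers}.stsSeconds"] = "31536000"
        labels[f"{headers}.stsIncludeSubdomains"] = "true"
        labels[f"{router}.middlewares"] = f"{name}-headers"   # a middleware only applies once attached
    return labels


def labels_for_instances(instances: List[Tuple[str, int]],
                         settings: TraefikSettings) -> Dict[str, Dict[str, str]]:
    """Build labels for every instance, refusing two instances that would share a
    router/service name (Traefik would treat them as one load-balanced service)."""
    owner: Dict[str, str] = {}
    result: Dict[str, Dict[str, str]] = {}
    for instance, port in instances:
        name = sanitize_name(instance)
        if name in owner:
            raise ValueError(f"router name {name!r} is used by both {owner[name]!r} and {instance!r}")
        owner[name] = instance
        result[instance] = build_labels(instance, port, settings)
    return result


def compose_lines(labels: Dict[str, str]) -> List[str]:
    """Render labels as the quoted list items a docker-compose 'labels:' block expects."""
    return [f'- "{key}={value}"' for key, value in labels.items()]


if __name__ == "__main__":
    # Constructed sample instances: instance name and the web port the container publishes.
    settings = TraefikSettings(domain="*.example.org", http_entrypoint="web",
                               redirect_middleware="httpsify@file")
    for inst, lbls in labels_for_instances([("Minecraft01", 8080), ("Valheim", 8081)], settings).items():
        print(f"{inst}:")
        for line in compose_lines(lbls):
            print("  " + line)
    try:   # "minecraft01" collides with "Minecraft01" after sanitising
        labels_for_instances([("Minecraft01", 8080), ("minecraft01", 8082)], settings)
    except ValueError as err:
        print("rejected:", err)
```

The generator deliberately never emits STS or preload headers unless `hsts=True` is set, and when it does, it attaches the middleware to the router; a headers middleware that is defined but never referenced from a router does nothing.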

ralphschuler commented 2 years ago

Thanks for clarifying this.

In regards to redirecting http to https, I would not include this as labels, as this can and should be set in the traefik.yml.

TheFehr commented 2 years ago

I guess, but adding an optional "Middleware Name" option would make it a bit more flexible for people with weird / unconventional setups.

TheFehr commented 2 years ago

And those labels assume the use of subdomains for the different servers. If one would rather use subdirectories the "traefik.http.routers.app.rule=Host(`portainer.example.org`)" label would need to be quite different.

Kvrnn commented 1 year ago

I see this issue is still open and I'd love support for traefik v2. Any updates or roadmap to look at?

Posha4 commented 6 months ago

Hey there! I was wondering if anyone got a fix? I see that the experimental traefik configuration fields are still there, but I can't seem to find any update on this! Thanks

calmcacil commented 6 months ago

I think there would need to be significant changes made for traefik v2 support, though v3 being in pre-release supporting that would probably be the better option.

IceOfWraith commented 6 months ago

I'm not saying this is a for-sure thing, but if support were updated, would v3 be the way to go now and drop support for v1? Would that leave anyone in the dust, or should everyone realistically be upgrading by now?

DunklerPhoenix commented 6 months ago

I don't think that this will be a big problem. The developers of Traefik said that v3 is completely backwards compatible with v2.