Some days ago traefik released it's brand new Version 2 (RC1) including http and TCP routing (including SSH) - YAY! So i've rebuilt our docker development stack to consolidate all needed services from different machines on a new all-in-one docker server.
First of all: The documentation of traefik V2 is huge and detailed, but it's impossible to find any good tutorials or copy-and-paste examples to get things fast up and running. However, after many hours of reading the forums, searching github issues and drinking wine, i had all containers in production.
If you have any questions - just open an issue :-)
My configuration includes the following files:
- docker-compose.yml for the docker container
- traefik.toml for general traefik configuration
- provider_file.toml to define a global accessible http to https redirect middleware
- acme.json for letsencrypt
It's important to
sudo touch /var/acme.json
sudo chmod 600 /var/acme.json
for security purposes. The file can be left empty and will be automatically filled with the letsencrypt responses.
I use two entry points for each webservice. One for (unencrypted) http traffic and one for https. So we need to define a middleware in the docker labels for unencrypted port 80 access.
# Entry point for http
- traefik.http.routers.traefik.entrypoints=web
# Listen domain
- traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)
# Use a middleware named "redirect" to forward the request to https (defined in provider_file.toml)
- traefik.http.routers.traefik.middlewares=redirect@file
Due to the fact that i want to reuse the middleware i've created a separate provider file which contains the configuration for the new scheme.
The docker-compose.yml includes necessary rules to access the traefik dashboard via traefic via https,
# secure entry point (port 443)
- traefik.http.routers.traefik_secure.entrypoints=web-secure
# Listen domain
- traefik.http.routers.traefik_secure.rule=Host(`traefik.domain.com`)
# Letsentrypt
- traefik.http.routers.traefik_secure.tls.certresolver=letsencrypt
# Port for traefik dashboard
- traefik.http.services.traefik.loadbalancer.server.port=8080
Naming convention: I usually use the name of the app for the routers definition eg. traefik and add _secure for the secure entry point. Router names can only used once for all running docker services.
The main reason for switching to traefik v2 was that it supports hostname based tcp routing. All versions below only worked for web (http + https). Out old (dedicated and undockerized) gitlab server used port 22 for ssh access. With the new possibilities of traefic v2 we are able to run gitlab in a docker environment which is easier to maintain.
First of all, define the ssh port in the gitlab environment variables so that all links in the "clone repository" section work:
# This refers to the ssh port Traaefik has for the ssh entry point
gitlab_rails['gitlab_shell_ssh_port'] = 2222
And the traefik labels:
# define hostname for the gitlab-ssh router
- traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`gitlab.domain.com`)
# define the ssh entry point
- traefik.tcp.routers.gitlab-ssh.entrypoints=ssh
# define service to use
- traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh-svc
# define backend port to use, this is the port Gitlab ssh listens on
- traefik.tcp.services.gitlab-ssh-svc.loadbalancer.server.port=22
If you want to access ssh on port 2222 you also need to add this as a new entry point in the traefik.toml:
[entryPoints.ssh]
address = ":2222"
If your servers ssh daemon listens on another port than 22 it's possible to use 22 for gitlab. Just change the port number to a port of your choice.
Configs are self-explaining if you take a look at the traefik and gitlab config.
Configs are self-explaining if you take a look at the traefik and gitlab config.
Configs are self-explaining if you take a look at the traefik and gitlab config.
Configs are self-explaining if you take a look at the traefik and gitlab config.
- Intel Haswell i5-4590 (quad-core, up to 4x 3,7 GHz)
- 32 GB DDR3 RAM
- 2x 500GB SSD
- 1 Gbit/s Uplink
- Ubuntu 18.04 LTS
- Docker 18.09.7
- docker-compose version 1.25.0-rc2