
Welcome to Traefik Training. Let's start your Traefik Training journey. By completing this course you will learn the ins and outs of Traefik deployment, configuration, and day 2 operations using Traefik with Docker.
Join me as we go from zero to Production with Traefik during the course. Are you ready?
Let's start the Traefik Training.
About myself, Brian Christner, Founder theByte, Co-Founder 56K.Cloud, Traefik Ambassador, Docker Captain, and background in engineering, cloud, containers, and Open Source.
Please feel free to connect with my on Social Media
theByte Coaching & Training: https://www.thebyte.io
Twitter: @idomyowntricks
LinkedIn: https://www.linkedin.com/in/brianchristner/
GitHub: https://github.com/vegasbrianc
By completing the Traefik Training you will have a solid understanding of Traefik, deployment, configuration, and operating Traefik after deployment.
Course Objectives
Background: Have a solid understanding of the Traefik, Architecture, and components
Deploy: You will be able to deploy and configure Traefik for Production
Maintain: You will understand how to maintain and operate Traefik
Course Outline
Traefik Introduction: Background, Docker Swarm & Traefik, General Concepts
Traefik Configuration Concepts: Traefik Dynamic & Static Configuration
Routing & Load balancing: How to configure Routing & Load balancing
HTTPS / TLS / Let’s Encrypt: Enable and configure HTTPS / TLS / Let’s Encrypt
Middlewares: Inbound request configuration
Observability: Monitoring and logging of Traefik
Operations: How to operate Traefik after deployment
Advanced Tips: Dive into tips for best practice
Let's take a look at some of the various Traefik use cases, reference customers, and the www.Containo.us product offerings.
Traefik use cases
Routing & Load balancing
API Gateway
Certificate Management
Kubernetes Ingress
Traefik Stats
2 Billion Docker Hub downloads
30k+ Stars on GitHub
500+ Contributors
Top 10 most popular image from Docker
Let's get started with Traefik and understand a bit more about the history of the Traefik product, the team and why Traefik was built.
What is Traefik
What is an Edge Router?
How does Traefik Autodiscovery Work?
The Conainous / Traefik Founder Emile Vague GopherCon appearance in 2017
Traefik Providers
In this section, we will cover Traefik Providers.
What is a Provider? A Provider is an infrastructure component such as an Orchestrator (Docker, Kubernetes, Nomad, etc), Container Engine (like Docker Standalone), Key-Value store (Consul, etcd, Redis, or Zookeeper), or a configuration file.
We then configure Traefik to connect to a specific provider. Once connected to the Provider Traefik queries the API of the provider for events such as new container starting, configuration changes, or routing updates.
Docker Provider - https://docs.traefik.io/providers/docker/
Supported Providers
Below is the list of the currently supported providers in Traefik.
AWS
Docker
Kubernetes
Consul
Marathon
Rancher
File
etcd
Redis
ZooKeeper
LAB Prerequisites
1. Install Docker for Desktop Windows or Mac.
Linux - Install your flavor of Docker for Linux https://docs.docker.com/engine/install/
Mac - https://docs.docker.com/docker-for-mac/install/
Windows - https://docs.docker.com/docker-for-windows/install/
** For Windows users, ensure you switch to Linux containers** - https://docs.docker.com/docker-for-windows/#switch-between-windows-and-linux-containers
2. Once Docker is installed, let's verify the docker installation. Open a terminal window (Windows users open Powershell with Admin rights). Next, run the following command
docker run hello-world
3. If the command completes successfully you should see a hello message from Docker. If the command failed, be sure to revisit the step 1 instructions on installing Docker for Desktop for your Operating System.
4. Install Git, so we can check out the Labs - https://git-scm.com/downloads or GitHub Desktop https://desktop.github.com/
What if Docker Desktop doesn't work?
In some cases, Docker Desktop will not work due to the version of your operating system of IT policies in your company. Don't worry, we have a solution for this as well.
You can use the online Docker console provided by Docker. This works entirely in your browser - https://labs.play-with-docker.com/
Check out the Labs
Now, let's check out the Labs which contain all the resources for each lab. From your terminal window, Git client, GitHub Desktop, or Visual Studio code clone the Traefik Training Repo.
git clone https://github.com/56kcloud/traefik-training.git
You can find the Traefik Training GitHub Repo here - https://github.com/56kcloud/traefik-training
Questions
If you have a question or need help, be sure to ask a question in the comments or reach out to our support team.
1. Install Docker for Desktop Windows or Mac.
Linux - Install your flavor of Docker for Linux https://docs.docker.com/engine/install/
Mac - https://docs.docker.com/docker-for-mac/install/
Windows - https://docs.docker.com/docker-for-windows/install/
** For Windows users, ensure you switch to Linux containers** - https://docs.docker.com/docker-for-windows/#switch-between-windows-and-linux-containers
2. Once Docker is installed, let's verify the docker installation. Open a terminal window (Windows users open Powershell with Admin rights). Next, run the following command
docker run hello-world
3. If the command completes successfully you should see a hello message from Docker. If the command failed, be sure to revisit the step 1 instructions on installing Docker for Desktop for your Operating System.
4. Install Git, so we can check out the Labs - https://git-scm.com/downloads or GitHub Desktop https://desktop.github.com/
What if Docker Desktop doesn't work?
In some cases, Docker Desktop will not work due to the version of your operating system of IT policies in your company. Don't worry, we have a solution for this as well.
You can use the online Docker console provided by Docker. This works entirely in your browser - https://labs.play-with-docker.com/
Check out the Labs
Now, let's check out the Labs which contain all the resources for each lab. From your terminal window, Git client, GitHub Desktop, or Visual Studio code clone the Traefik Training Repo.
git clone https://github.com/56kcloud/traefik-training.git
You can find the Traefik Training GitHub Repo here - https://github.com/56kcloud/traefik-training
Questions
If you have a question or need help, be sure to ask a question in the comments or reach out to our support team.
In this section, we will launch Traefik for the first time. Great stuff! We will walk through the Traefik configuration, do a tour of the Dashboard and Logs, and finally start a new service that will be automatically discovered and routed by Traefik.
The lab resources for this section are located on Section 01-Traefik-Overview folder - https://github.com/56kcloud/traefik-training/blob/master/01-Traefik-Overview/traefik_overview.md
Please complete the lab starting your own Traefik instance and whoami service.
Refer to the Setup your Lab section if you haven't done so already.
Now that we understand how a proxy and router work we will now look at Loadbalancers. Load balancers are an important service within modern architecture. Load balancers allow us to control the number of requests are routed to each backend service. Load Balancers have multiple balancing methods such as Round Robin, Weighted Round Robin (WRR), or based on the session.
If the backend service becomes unresponsive, the Load Balancer will stop serving traffic to this particular backend until it is again healthy
Lab documentation: https://github.com/56kcloud/traefik-training/blob/master/01-Traefik-Overview/traefik_overview.md#3-scale-the-whoami-service-to-3x
The Traefik dashboard is a valuable tool to visualize deployed services, configurations, and the general health of Traefik. In this section, we will learn how to open the Dashboard and navigate the user interface (UI)
Lab Documentation: https://github.com/56kcloud/traefik-training/blob/master/01-Traefik-Overview/traefik_overview.md#4-get-to-know-the-traefik-dashboard
Traefik Getting Started Recap
Traefik Use Cases
Traefik Background
Traefik Providers
Launched Traefik for the first time
Deployed whoami service to Traefik
Load balanced the whoami service
Introduction to the Traefik Dashboard
Now we start getting into the technical side of how Traefik is configured. The configuration is broken into two main categories Static and Dynamic configurations.
Static configuration is referred to the startup configuration. These configurations are responsible for setting the base configuration for Traefik
Dynamic configuration is just as the name suggests" Dynamic". The Dynamic defines how all the requests are handled and hot-reloaded anytime there are changes.
Configuring Traefik Static Configurations
There are three different, mutually exclusive (e.g. you can use only one at the same time), ways to define static configuration options in Traefik:
In a configuration file - https://docs.traefik.io/v2.3/reference/static-configuration/file/
In the command-line arguments - https://docs.traefik.io/v2.3/reference/static-configuration/cli/
As environment variables - https://docs.traefik.io/v2.3/reference/static-configuration/env/
These ways are evaluated in the order listed above.
Section documentation - https://github.com/56kcloud/traefik-training/blob/master/02-Configure-Traefik/traefik-configuration.md
The Static Configuration lab will walk you through deploying Traefik with the 3 different static configuration options.
Deploy Traefik using a configuration file
Deploy Traefik using Command Line (CLI) arguments
Deploy Traefik using Environment variables
Lab Documentation and code samples - https://github.com/56kcloud/traefik-training/blob/master/02-Configure-Traefik/traefik-configuration.md#static-configuration-using-file-configuration
In this section, we will focus on configuring the Provider and how to adjust the configurations for our use case. Additionally, we discuss Traefik and Provider security best practices.
Networking Container Port Detection
If a container exposes a port, then Traefik uses it for internal communication
If a container exposes multiple ports or no ports then a label should define which port to use
Provider example - https://github.com/56kcloud/traefik-training/blob/master/02-Configure-Traefik/traefik.yml
Docker Security Best practice
Use TLS between Traefik and Docker
Limit Docker API access
Review the Docker API section - https://docs.traefik.io/providers/docker/#docker-api-access_1
Run Docker Bench Security to check your security - https://github.com/docker/docker-bench-security
The Entrypoint is the first network entry point for an incoming request into Traefik. The Entrypoints can be configured to listen on specific ports and specific protocols like TCP or UDP.
In this section, we will learn about how Entrypoints are configured. We will enable Port 80 & 443, and finally, learn how to redirect HTTP traffic to HTTPS using the Entrypoint.
Think of Entrypoints as port numbers that Traefik exposes. Port 80, 443, etc
In the Static Configuration - Provider & Entrypoint Lab, we will launch Traefik with the Docker provider, configure Entrypoints for HTTP and HTTPS, and connect a test service to the Entrypoint.
Test our new Cat Application service which use the new Entrypoint http://catapp.localhost
Finally, we will review the deployment using the Traefik Dashboard: http://0.0.0.0:8080
Lab Documentation - https://github.com/56kcloud/traefik-training/blob/master/02-Configure-Traefik/traefik-configuration.md#4-static-configuration-entrypoint-lab
Now that we have completed Static Configurations, lets take a look at Dynamic Configurations. Dynamic Configurations are typically set by adding labels to our service/container. By attaching labels to our service we can:
Define Router
Define Middlewares
Update configurations of a Service
Congratulations on completing the Configure Traefik section. The Traefik Static and Dynamic configuration concept is the basis for using and maintaining Traefik. We went into depth on configuring Static Configurations for Providers and Entrypoints.
This section briefly discusses Dynamic Configurations but will be expanded in future sections as each section now builds on top of the Dynamic Configuration.
Configure Traefik Recap
Configure Static Configurations
Static Configuration – Providers
Static Configuration - Entrypoints
Dynamic Configuration – Routers, Middlewares & Services
Now that we understand Static and Dynamic configuration we can start diving into how Dynamic configuration is used with Providers, Routers, Middlewares, and Services. Using labels, we can enable Traefik functionality for all of these features directly on the container level.
How the incoming requests flow through Traefik is determined by the below components.
Providers discover the services that live on your infrastructure (their IP, health, ...)
Entrypoints listen for incoming traffic (ports, ...)
Routers analyze the requests (host, path, headers, SSL, ...)
Services forward the request to your services (load balancing, ...)
Middlewares may update the request or make decisions based on the request (authentication, rate limiting, headers, ...)
Tip: Entrypoints are like ports attached to Traefik.
In the Router & Services lab, we will deploy Traefik standalone. Next, we will slowly apply labels to our catapp reviewing each change.
Router & Services Lab material is found here: https://github.com/56kcloud/traefik-training/blob/master/03-Routers-and-Services/traefik-routers-and-services.md
Routing & Services Recap
The Routing & Services section was packed full of configuration tips, architecture designs, and Labs. We were able to deploy Traefik, experiment with adding Labels and had our first troubleshooting session.
Router & Service Overview
Routers
Services
Router & Services Lab
Router & Service Troubleshooting Lab
In this section, we will cover the different ways we can enable HTTPS & TLS.
• Default Certificate – If not the certificate is provideTraefik generates and uses a self-signed certificate
• User Defined– Provide Certificates directly to Traefik which will then be applied to the matching Entrypoints
• Automated – Traefik uses Let’s Encrypt to generate certificates automatically on a per request basis
The TLS Lab will guide you through how the TLS Challenge is configured with Traefik.
Lab Prerequisites
It is required you have a domain which you can use for the Lab and a DNS provider from this list -> https://docs.traefik.io/https/acme/#providers
Lab Overview
• TLS Challenge - Performs a handshake between Rafik and Let’s Encrypt on port 443.
DNS Provider List - https://docs.traefik.io/https/acme/#providers
TLS Lab Resources: https://github.com/56kcloud/traefik-training/blob/master/04-HTTPS-TLS/traefik-https-tls.md#2-deploy-traefik-with-lets-encrypt-tls-challenge
The Let's Encrypt Lab will guide us through using the DNS Challenge for Let's Encrypt certificates. The DNS Challenge is the most automated of the 3 Let's Encrypt Challenges. Included in the DNS Challenge lab is the use of Wild Card certificates with Let's Encrypt.
Lab Prerequisites
It is required you have a domain which you can use for the Lab and a DNS provider from this list -> https://docs.traefik.io/https/acme/#providers
Lab Overview
• DNS Challenge – Traefik uses your DNS providers API to place DNS TXT records in your Domain records to verify ownership
DNS Provider List - https://docs.traefik.io/https/acme/#providers
HTTPS & TLS Lab: https://github.com/56kcloud/traefik-training/blob/master/04-HTTPS-TLS/traefik-https-tls.md
Docker Secrets: https://docs.docker.com/engine/swarm/secrets/
Let's Encrypt Rate Limits: https://letsencrypt.org/docs/rate-limits/
We successfully completed the HTTPS, TLS, Let's Encrypt section, and Lab. In this section, we covered how to enable HTTPS on our service using either user-defined certificates or automated certificates using Let' Encrypt.
In the lab, we configured the three challenge types; DNS, HTTP, and TLS. At the end of the lab, we enabled the DNS challenge and experimented with how sub-domains are using wild-card certificates and how Traefik us updating the DNS Server for us through the API.
Recap of what we covered:
User-Defined Certificates
Automated Certificates
Let’s Encrypt Challenges
DNS
HTTP
TLS
Lab
Welcome the Traefik Middlewares section. The Middleware allows us to start transforming requests which Traefik receives. This section will cover how the Middleware transforms the requests, what type of Middlewares are available, and how to deploy Middlewares
The function of the Middleware
Middlewares connect to Routers – One or more Middlewares can connect to one or more Routers.
Intercepts Requests – The Middleware transforms requests before they are sent to a service
Middleware Types
Authentication – Handles user/service authentication
Content Modifier – Manages the served content
Middleware Tool – Middleware Management
Path Modifier – Configures the handling of the URL structure
Request Lifecycle – Applies rules to service requests
Security – Secures access to the service
Available Middlewares - https://docs.traefik.io/v2.3/middlewares/overview/#available-middlewares
How to deploy a Middleware
Create Middleware – Define your middleware
Router <-> Middleware – Connect the Router to the Middleware
Gotchya – Most examples show only creating the middleware and not connecting to a router.
In this section, we cover the BasicAuth Middleware. The middleware is responsible for adding a user authentication to web applications deployed with Traefik. This is a perfect solution for adding a user authentication to services that don't have authentication built-in as default.
ErrorPage Middleware Traefik documentation link -https://docs.traefik.io/middlewares/errorpages/
In the lab, we will enable BasicAuth or Basic Authentication on our catapp. We will assign users and passwords to Traefik. We will generate the passwords with a bcrypt hash using htpasswd or the online tool below if using Windows.
If you are using Windows then try using this online tool to create your bcrypt password - https://www.browserling.com/tools/bcrypt
Note about "$" in the hash: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
To create user:password pair, it's possible to use this command:
echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
Basic Authentication lab - https://github.com/56kcloud/traefik-training/blob/master/05-Middlewares/traefik-middlewares.md#1-add-basic-authentication-to-our-catapp
In this section, we cover the Compression Middleware. The middleware is responsible for gziping (compressing) data like images and code before it is served to the end-user. By adding compression, we can serve our content faster which also ranks better with Google search results.
Compress Middleware Traefik documentation link -https://docs.traefik.io/middlewares/compress/
In the lab, we will enable the Compress Middleware or better known as gzip compression on our catapp. In combination with the BasicAuth middleware we will now have 2 Middlewares connected to our router.
Middleware Compress Lab - https://github.com/56kcloud/traefik-training/blob/master/05-Middlewares/traefik-middlewares.md#1-add-basic-authentication-to-our-catapp
In this section, we cover the ErrorPages Middleware. The middleware is responsible for serving Error pages when application returns a 4xx or 5xx error. The ErrorPage middleware can be configured as a catch-all for all services connected to Traefik.
The Error Page middleware can actually query for which error that your application is producing and match it to the correct error page automatically.
BasicAuth Middleware Traefik documentation link - https://docs.traefik.io/middlewares/basicauth/
In this section, we cover the RateLimit Middleware. The middleware is responsible for controlling how many requests/second is allowed. The Rate Limit is configurable and allows for granular tuning including per Header, IP, or Host.
The RateLimit middleware is ideal for controlling access to API's or services that need to be throttled in order to maintain performance.
RateLimit Middleware Traefik documentation link - https://docs.traefik.io/middlewares/ratelimit/
In the lab, we will enable the RateLimit Middleware. The RateLimit Middleware is a great tool to protect our services and infrastructure. By enabling the RateLimit we can define exactly how many requests per user, IP, or Host is allowed per second.
Rate Limit is calculated by average / period = rate limit
RateLimit Middleware Traefik documentation link - https://docs.traefik.io/middlewares/ratelimit/
RateLimit Middleware Lab - https://github.com/56kcloud/traefik-training/blob/master/05-Middlewares/traefik-middlewares.md#4-add-rate-limit-middleware
In this section, we cover the RedirectScheme Middleware. The middleware is responsible for rewriting HTTP to HTTPS. When we enable HTTPS on a service we want to ensure we default all requests to HTTPS. This ensures that no-one can circumvent our HTTPS and standardizes on a single entry point.
RedirectScheme Middleware Traefik documentation link - https://docs.traefik.io/middlewares/redirectscheme/
In this section, we cover the RedirectScheme Middleware. The middleware redirects HTTP requests to HTTPS. In order to configure the redirect, we will need to rewrite our existing labels to separate HTTP requests from HTTPS.
HTTP Labels
The HTTP labels will be as follows. The HTTP labels are responsible only for answering HTTP requests and redirecting the request to the HTTPS labels and middleware. The HTTP section of the service only handles HTTP requests and will not serve content. The HTTP router only contains one middleware which is the RedirectScheme middleware.
- "traefik.http.routers.catapp.rule=Host(`<your-domain-here>`)"
- "traefik.http.routers.catapp.entrypoints=web"
- "traefik.http.routers.catapp.middlewares=redirect"
HTTPS Labels
In the HTTPS section, we need to rename out catapp service to catapp-secure. By renaming the router allows us to control the two entrypoints web (HTTP) and websecure (HTTPS) separately. We can now add our Let's Encrypt configurations here which is not needed for HTTP. Additionally, we attach all the middlewares BasicAuth, Compress, Errors, and RateLimit only to the HTTPS router since this is the only router which serves content.
- "traefik.http.routers.catapp-secure.rule=Host(`<your-domain-here>`)"
- "traefik.http.routers.catapp-secure.entrypoints=websecure"
- "traefik.http.routers.catapp-secure.tls.certresolver=myresolver"
- "traefik.http.routers.catapp-secure.middlewares=test-auth,test-compress,test-errorpages,test-ratelimit"
Global Redirect HTTP -> HTTPS If you want to redirect all requests from HTTP to HTTPS it is bet to set this at the Traefik static configuration entrypoint level -https://docs.traefik.io/routing/entrypoints/#redirection
RedirectScheme Middleware Traefik documentation link -https://docs.traefik.io/middlewares/redirectscheme/
RedirectScheme Middleware Lab - https://github.com/56kcloud/traefik-training/blob/master/05-Middlewares/traefik-middlewares.md#5-add-redirect-middleware
We accomplished a lot in the Middleware section. The dashboard is also starting to fill up with more information as we deploy more Middlewares and services. In the labs, we walked through how to deploy BasicAuth, Compress, RateLimit, Error Pages, and RedirectScheme all attached to our catapp.
Middleware Recap
Middlewares connect to Routers – One or more Middlewares can connect to one or more Routers.
Intercepts Requests – The Middleware transforms requests before they are sent to a service
Middleware Deployment
Create Middleware – Define your middleware
Router <-> Middleware – Connect the Router to the Middleware
Gotchya – Most examples show only creating the middleware and not connecting to a router.
Middleware Labs
BasicAuth – Add Basic authentication to services
Compress– Enables gzip compression on severed content
ErrorPage– Display custom error pages for 400/500 Errors
RateLimit– Configure the number of allowed requests to the service
RedirectScheme– Rewrite HTTP requests to HTTPS
Observability Overview
The Observability section is one of the most important areas of DevOps. Observability provides insights into our infrastructure using monitoring, alerting, tracing, and logging.
This section we will cover the follow Observability topics with Treaefik:
Traefik Logs – Configure log level and storage path
Access Logs– Who is accessing the services connected to Traefik and which service
Metrics/Monitoring – Enable metrics for monitoring and demo
Tracing – Enable Tracing to visualize communication flow
Google SRE Book (Free) - https://landing.google.com/sre/book.html
Valid Monitoring Outputs
Alerts – Tell a Human to take action on something happening or about to happen
Tickets– Tell a Human that action is required but not right away
Logging– Stored for Diagnostics or Forensics
What Users Care About
Availability – Is MY system online yes/no
Latency– Does it take a long time to access application x, y, z
Reliability– Can the user rely on the application
Traefik logs
What is logged – Traefik logs everything concerning Traefik itself (start-up, configuration, events, shutdowns, service info, etc)
Where can I store the logs – With the filePath configuration we determine the location of logs
Log Format– Change the format of logs. The Standard configuration is common and optional is json
Log Level – Determine the verbosity of logging using Level
DEBUG, PANIC, FATAL, ERROR, WARN, and INFO (DEFAULT is ERROR)
WARNING!! If you enable DEBUG be sure to switch back to a normal Log level otherwise you risk filling up your disk space quite quickly.
Traefik Logs documentation: https://docs.traefik.io/observability/logs/
The Traefik Logs Lab will guide us through how to configure the Log levels for Traefik itself. In the lab, we will switch from the default Log Level to Debug. Once debugging is enabled view the debugs logs to understand the verbosity at this level.
When we are done viewing the Debug logs, we will switch the Log Level to Info.
Traefik Logs Lab: https://github.com/56kcloud/traefik-training/blob/master/06-Observability/traefik-observability.md#1-enable-debug-logging-for-traefik
One of the first steps to gain further insights into your applications managed by Traefik is to enable Access Logs. Access Logs enable you to see "Who asks Whom" or in other words what end user is requesting what service.
The details provided in the Access Logs contain detailed information about the requester and destination of the request including IP addresses as well as the destination path. The Access Log is the first step to gain analytical information about the deployed services managed by Traefik.
Available Access Log configurations:
Configuration – Configure the handling of the Access Logs
filePath
Format
bufferingSize
Filtering – Log only certain status codes, retry attempts, or minDuration
Limiting the Fields/Include Header – Manage what headers to keep, drop or redact
Log Rotation – Rotate logs based on USR1 signal
Time Zone – By default Traefik uses UTC, but this can be overridden
Traefik Access Log documentation: https://docs.traefik.io/v2.3/observability/access-logs/
The Access Logs lab will focus on enabling Access Logs for the service catapp connected to Traefik. Once the Access Logs are enabled we can review the logs for HTTP responses (good and bad) to our catapp service. Next, we enable filtering to filter out specific HTTP status codes like 404 to view only 404 errors.
Access Log Lab: https://github.com/56kcloud/traefik-training/blob/master/06-Observability/traefik-observability.md#2-enable-access-logs
Traefik supports 4x metrics backends:
Datadog
InfluxDB
Prometheus
StatsD
In this section, we will use Prometheus as our metrics backend as Prometheus is the standard in metrics collection and the concept is similar when using the other backends.
Together with Traefik, we will deploy a monitoring stack. The monitoring stack will use Prometheus to collect the metrics, Grafana to visualize the information with dashboards, and Traefik will handle the routing and serve the services the proper URL's
Traefik Metrics documentation: https://docs.traefik.io/v2.3/observability/metrics/overview/
What is Tracing: Tracing allows developers to visualize how requests flow from Traefik through the target service
Why is Tracing Helpful? Tracing can help developers identity distributed transaction flows, root cause analysis, or help troubleshoot performance issues.
Tracing is integrated into the service To correctly use Tracing the target application needs to be instrumented with Tracing Libraries
Available Traefik Tracing Backends
Jaeger
Zipkin
Datadog
Instana
Haystack
Elastic
Traefik Tracing documentation: https://docs.traefik.io/v2.3/observability/tracing/overview/
What we covered in the Observability Section
Traefik Logs – Configure log level and storage path
Access Logs– Who is accessing the services connected to Traefik and which service
Metrics/Monitoring – Enable metrics for monitoring and demo
Tracing – Enable Tracing to visualize communication flow
Observability Tips
Observability Best Practices – Focus on monitoring/alerting signals important for your organization and infrastructure
Know the difference in roles – Alerts vs Tickets vs Logging
Operational Models – We want to aim to be Proactive in system repairs
How do we make Users Happy? – Availability, Latency, & Reliability
Observability Labs
Log – Enabled Traefik Logging for Traefik itself
Access Log – Access Logs for our services who is requesting whom
Metrics – Deployed a monitoring stack with Grafana, Prometheus, & Traefik
SRE Book recommendations (Free): https://landing.google.com/sre/books/
Overview of Traefik Operations
Traefik API – Enable Traefik API for programmatic access
Traefik CLI– A utility to check that the Traefik Healthcheck is functioning. This can be automated with Docker HEALTHCHECK
Traefik Ping – Enables the Healthcheck point
Traefik Dashboard – Learn how we can secure the Dashboard with Let’s Encrypt & User & passwords
Securing Traefik Dashboard & API – Enable Secure entrypoints for Traefik Operations
The Operations Lab
In the Operations Lab, we combined a lot of the previous sections HTTPS/TLS, Middleware, and Basic Auth. The lab we enable Traefik Healthchecks using the traefik CLI & Ping endpoint. Additionally, we enable Docker HEALTHCHECK to monitor the health of Traefik itself.
The API enables configuration through the API interface such as the configuration of all routers, services, middlewares, and Traefik configurations.
api is enabled in traefik.yml static config
A Dynamic Configuration can be created to define Host rules
If the api is enabled ensure it is secured and has authorization middleware enabled.
Restrict allowed IP access
Traefik API Documentation: https://docs.traefik.io/operations/api/
Treafik comes with the CLI tool called traefik. When running the traefik CLI tool it checks the status of the ping endpoint. The Ping endpoint reports the general health of Traefik with a OK HTTP 200 message. This OK message can then be consumed by monitoring tools.
CLI Healthcheck
The CLI tests that the Healthcheck is working
The traefik command is installed by default inside the container
In order to use the traefik health check command, Ping must be enabled
Ping Endpoint
ping is enabled in traefik.yml static config
ping can be configured to use dedicated entrypoint
A simple endpoint to check for Traefik process liveness. Return a code 200 with the content: OK
Docker Healthcheck
Enable Traefik Healthcheck in docker-compose.cli.yml
Use Docker HEALTHCHECK configurations to tune
The Traefik container now has a Healthy status when running
Docker maintains restarts / testing of Traefik
If a failure occurs Docker will restart Traefik automatically
Automation == Awesome
We've been using the Traefik dashboard since the beginning of the training. Now, we will understand all the available Dashboard configurations and how to secure the Dashboard.
Dashboard Configurations
Enable the Dashboard in traefik.yml static configuration
Create a Dynamic Configuration to match host domains
RECOMMENDED: Enable secure mode (disables direct IP access). The secure mode also is used for the API
In the Operations Lab, we will enable the API, Ping Endpoint, use then use the traefik CLI to provide a status of Traefik.
When opening the Dashboard URL in Secure mode ensure you have a trailing "/" in the URL otherwise you will get a 404 error.
Dashboard credentials
Username: traefik
Password: training
Ping Entrypoint
When accessing the Ping entrypoint be sure to use HTTP and port 8080. This can be changed if desired.
Traefik Operations Lab - https://github.com/56kcloud/traefik-training/blob/master/07-Operations/traefik-operations.md
When we consider security and Traefik/Proxies they should be hardened as much as possible as this is the Entrypoint to our infrastructure. Be sure to enable Encryption/TLS everywhere you can.
These additional Security Considerations will help you secure Traefik.
Restrict access to the Dashboard & API to only your IP addresses
Use Secure mode for the Dashboard & API
Don’t enable the API in production unless you have a use case
Enable Auth middleware for both the Dashboard & API
Use TLS for the Traefik domain so we don’t transfer credentials plain text
Traefik API – Enable Traefik API for programmatic access
Traefik CLI– A utility to check that the Traefik Healthcheck is functioning. This can be automated with Docker HEALTHCHECK
Traefik Ping – Enables the Healthcheck point
Traefik Dashboard – Learn how we can secure the Dashboard with Let’s Encrypt & User & passwords
Securing Traefik Dashboard & API – Enable Secure entrypoints for Traefik Operations
The Operations Lab
In the Operations Lab, we combined a lot of the previous sections HTTPS/TLS, Middleware, and Basic Auth. The lab we enable Traefik Healthchecks using the traefik CLI & Ping endpoint. Additionally, we enable Docker HEALTHCHECK to monitor the health of Traefik itself.
Advanced Tips Overview
Advance Tips is aimed at covering use cases that are outside the normal operations. Here is where we get a bit creative and add tips we have come across during customer projects.
Migrating from 1.7 to 2.x – Still running 1.7? No problem, I’ve created a migration plan for you.
High Availability – If you need true 100% uptime you need a cluster of Traefik’s running.
Authentication – Is Basic Auth not cutting it? How about integrating Auth0 directly with Traefik with the ForwardAuth Plugin
Traefik Pilot (BETA) – SaaS solution connecting your Traefik instance to extend capabilities
Have other questions or want to see other tips? Leave your comments below
If you are running Traefik 2.x then you can skip this section.
For those still running Traefik 1.7, this is the perfect guide for you to help plan your migration. We explore the different migration plans available and the tools to help you migrate.
Migration Plans
Parallel migration: Both 1.7 and 2.x running and slowly move workloads to 2.x (recommended)
Big bang: Upgrade Traefik to 2.x and move everything across
Migration Tool
https://github.com/containous/traefik-migration-tool
Migrate 'Ingress' to Traefik 'IngressRoute' resources (Kubernetes related)
Migrate acme.json file from Traefik v1 to Traefik v2
Migrate the static configuration contained in the file traefik.toml to a Traefik v2 file
Traefik Migration documentation: https://docs.traefik.io/migration/v1-to-v2/
High Availability
Traefik alone is amazing. However, you should always plan for something bad to happen in your infrastructure or human errors. By running a High Available configuration we reduce the blast area for any downtime that could occur. By running a cluster of Traefik containers also providers us fault tolerance and room to perform online upgrades.
If you need true 100% uptime you need a cluster of Traefik’s running
Each Traefik instance deployed on separate hosts
Assign a Virtual IP/Elastic IP in front of Traefik Cluster
Common storage is needed to share configurations/certificates
Traefik EE offers HA out of the box
If you are looking for a managed solution to maintain HA and Fault tolerance then you should take a look at Traefik Enterprise Edition known as Traefik EE -https://containo.us/traefikee/
Traefik comes with the BasicAuth plugin. This is a great plugin to add a user/password to for internal applications. It is not really secure but better than nothing.
If you want to take your Authentication to the next level then definitely look into ForwardAuth. This allows you to instrument your applications with Auth0 which enables Single Sign-on direct with Traefik.
ForwardAuth Plugin – Authorization proxy built specifically for Traefik and Auth0
Enables SSO for all your applications behind Traefik
ForwardAuth application will act as the gatekeeper and authorize requests to your applications.
Management of users, roles, and permissions are handled in Auth0
ForwardAuth Docs: https://traefik-forward-auth0.readthedocs.io/en/latest/start/configuration.html
Traefik Pilot
Traefik Pilot is now available from version 2.3 onwards (currently in Beta). By connecting Traeifk Pilot you are provided a new dashboard providing a general overview of your Traefik deployments, their health, and security status. Additionally, Traefik Pilot allows for installing 3rd party plug-ins via Traefik Pilot.
You can access and enable Traefik pilot by opening the Traefik dashboard and click `Register Traefik instance`
SaaS solution
Connects to your Traefik instances
Offers Custom Middlewares
Centralized view of your Traefik Instances
Availability & Security notifications
Traefik Pilot Lab: https://github.com/56kcloud/traefik-training/blob/master/08-Advanced-Tips/traefik-advanced-tips.md
Traefik Pilot: https://pilot.traefik.io/
Now is time for you to reflect on the lessons in this course and share your experiences in the comment section below and join our Slack Community.
theByte Slack Community - https://join.slack.com/t/thebyteio/shared_invite/zt-i87fvohg-tyR~MJxW7jNfht1Iw7dCtg
Traefik Deployment Plan
We put a Traefik deployment Project plan in place to help you get started. The plan is intended to be a template that should challenge you to ask questions about the Traefik deployment & the workloads which it will serve.
Included is both an Excel file as a download or Google Sheet -
https://docs.google.com/spreadsheets/d/1oOxY5KmtHdztLgV6cIWx-x-WhzYts_T9xcbEb0Jci9I/edit?usp=sharing
Really important resources to continue going beyond the course. I mention Awesome Projects, have a look at the full list of Awesome projects - https://github.com/sindresorhus/awesome
Additionally, if you find resources that are missing or you built something yourself. Please be sure to add to the Forums and Awesome projects to help the community.
Resources to help you go even further
Awesome Traefik - https://github.com/containous/traefik/wiki/Awesome-Traefik
Awesome Docker - https://awesome-docker.netlify.app/
Monitor Traefik with Prometheus - https://github.com/vegasbrianc/docker-traefik-prometheus
Containous Community - https://community.containo.us/
Containous YouTube - www.youtube.com/c/TraefikLabs/videos
Full course materials
Also included is the complete slide deck from the course. Check the downloads for the PDF.
theByte Coaching
Need help to get your project off the ground? Want to get outside feedback, architecture reviews, or learn how to bootstrap a new project? Then sign-up to theByte coaching - https://www.thebyte.io/coaching
Cloud-Native Coaching
Architecture Reviews
C-Level feedback for your projects
How to bootstrap your projects
How to structure new tech project workshops
Group Calls
Course Announcements
Lifetime Course access
Any course updates we will send out announcements
Traefik updates / new features / new uses cases
New Sections will continue being added/updates
Completion Certificate
Please fill out the survey to receive your Completion Certificate
Be sure to share your certificate on Twitter, Facebook, LinkedIn and tag me as I will reshare your awesome achievement
Fill out this quick survey (less than 2 minutes) to request your certificate: https://form.typeform.com/to/pzruGTXC
Connect with me
Brian Christner
brian@thebyte.io
Founder theByte.io
Twitter: https://twitter.com/idomyowntricks/
LinkedIn: https://www.linkedin.com/in/brianchristner/
Want to learn how Cloud Native Edge routers work? Need to deploy a Reverse Proxy? The Complete Traefik Training course helps you get from 0 to production with Traefik the Cloud Native Edge Router with hands-on labs and valuable lessons built on real-world deployments. The course is built based on real-world customer deployments and using this experience to build a quality course with actual scenarios.