Secure your traefik dashboard with HTTPS and Basic Auth

Tahsin
Mar 7, 2022
Setting up TLS for traefik

Intro

When I created my first droplet at DigitalOcean, I needed service discovery. At that time I had no idea how to deal with it. Eventually, I went for Nginx. But not knowing the concepts, the syntax, or the workarounds, I was having a difficult time. Then I discovered nginx-proxy, which made the process a bit easier as there were few apps/services on my droplet running in Docker. nginx-proxy adjusts the configuration automatically based on the environment variables.

But when I discovered traefik, everything changed. With its YAML-supported configuration, easy-to-start-with behavior, and full Docker support, it became my favorite service discovery tool.

Dashboard

Traefik provides a nice-looking dashboard to manage and observe the configuration of routers and services. It’s relatively easy to set up TLS with Let’s Encrypt for a router by configuring traefik. However, it was a bit tricky for me to set up TLS for the dashboard itself.

Add TLS

Here is the configuration for docker-compose labels:

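labels:
  traefik.enable: true
  # Router for the dashboard, matched by host name
  traefik.http.routers.traefik_https.rule: Host(`traefik.example.com`)
  # Serve it only on the HTTPS entrypoint, with a certificate from the resolver
  traefik.http.routers.traefik_https.entrypoints: websecure
  traefik.http.routers.traefik_https.tls: true
  traefik.http.routers.traefik_https.tls.certResolver: myresolver
  # api@internal is traefik's built-in service for the API and dashboard
  traefik.http.routers.traefik_https.service: api@internal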

After adding the labels above to the traefik container in your docker-compose file, just execute docker-compose up. Because the compose file has changed, it will restart the container. As soon as you do this, you will see a new route protected with TLS in your dashboard, like below:

[Image: Traefik Dashboard]

For me the tricky part was naming the service: api@internal

Add basic auth

Of course, you don’t want to keep this dashboard open. In my case, I just added basic auth to keep it protected. So add these labels as well to the traefik container in your docker-compose file.

  # Attach the basic auth middleware to the dashboard router
  traefik.http.routers.traefik_https.middlewares: basic-auth-global
  # In docker-compose.yml, write every $ of the password hash as $$
  traefik.http.middlewares.basic-auth-global.basicauth.users: <username>:<encoded-password>

I thought it would read the middleware from the traefik configuration file, traefik.yml. But that was not the case. I had to create the middleware in the docker-compose file with a label.

Disable insecure mode

Finally, you want to disable insecure mode to prevent access with HTTP. To do so, set your traefik API configuration in traefik.yml as below:

api:
  insecure: false
  dashboard: true
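
A small check for the three steps above (TLS on the dashboard router, basic auth middleware attached, insecure mode off), as an added example that is not part of the original post. The function name `audit_dashboard`, the user `admin` and the hash are constructed for illustration; labels are passed as a dict exactly as they are written in docker-compose.yml.

```python
def audit_dashboard(labels, api_cfg):
    """labels: compose labels as written in the file; api_cfg: `api` section of traefik.yml."""
    findings = []
    if api_cfg.get("insecure", False):
        findings.append("api.insecure is true: dashboard reachable over plain HTTP")
    pre = "traefik.http.routers."
    # Routers that expose the dashboard are the ones bound to api@internal.
    routers = [k[len(pre):-len(".service")] for k, v in labels.items()
               if k.startswith(pre) and k.endswith(".service") and v == "api@internal"]
    if not routers:
        findings.append("no router points at api@internal")
    for r in routers:
        if str(labels.get(f"{pre}{r}.tls", "")).lower() != "true":
            findings.append(f"{r}: tls is not enabled")
        names = [m.strip().split("@")[0]
                 for m in str(labels.get(f"{pre}{r}.middlewares", "")).split(",")]
        users = [labels.get(f"traefik.http.middlewares.{n}.basicauth.users") for n in names]
        users = [u for u in users if u]
        if not users:
            findings.append(f"{r}: no basicauth middleware attached")
        for u in users:
            # Compose interpolates '$', so each '$' of the hash must be written '$$'.
            if "$" in u.replace("$$", ""):
                findings.append(f"{r}: unescaped '$' in basicauth.users")
    return findings

USERS_KEY = "traefik.http.middlewares.basic-auth-global.basicauth.users"
# Constructed sample: the article's labels with a made-up, bcrypt-shaped hash.
GOOD = {
    "traefik.enable": "true",
    "traefik.http.routers.traefik_https.rule": "Host(`traefik.example.com`)",
    "traefik.http.routers.traefik_https.entrypoints": "websecure",
    "traefik.http.routers.traefik_https.tls": "true",
    "traefik.http.routers.traefik_https.tls.certResolver": "myresolver",
    "traefik.http.routers.traefik_https.service": "api@internal",
    "traefik.http.routers.traefik_https.middlewares": "basic-auth-global",
    USERS_KEY: "admin:$$2y$$05$$CONSTRUCTEDsampleHASHvalue",
}
# Constructed bad cases: middleware not attached, and a hash with single '$'.
NO_AUTH = {k: v for k, v in GOOD.items() if not k.endswith(".middlewares")}
UNESCAPED = dict(GOOD, **{USERS_KEY: "admin:$2y$05$CONSTRUCTEDsampleHASHvalue"})

if __name__ == "__main__":
    for name, lab, api in [("good", GOOD, {"insecure": False, "dashboard": True}),
                           ("no-auth", NO_AUTH, {"insecure": True, "dashboard": True}),
                           ("unescaped", UNESCAPED, {"insecure": False})]:
        print(name, audit_dashboard(lab, api) or "OK")
```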

Conclusion

After completing these steps, you will see that your traefik dashboard can no longer be accessed through HTTP, only through HTTPS. And you need to enter your username and password the first time you open it in a browser.