traefik-fn61
tl;dr: your Docker Swarm -based services are discovered and loadbalanced automatically.
Traefik configured for needs of function61.com:
- Service discovery via Docker Swarm - multi-host overlay networking.
- Explicit
traefik.enable=true
required, i.e. whitelist instead of blacklist - we're not animals here. - Default frontends are
public_http
andpublic_https
. If you have company-internal services (like monitoring via Prometheus), create that service with-l traefik.frontend.entryPoints=backoffice
to have it not exposed publicly, but via the backoffice entrypoint (https+client cert auth in port 9001).
Running
Docker socket must be mounted at /run/docker.sock
.
Run command looks somewhat like this:
$ docker service create --name traefik-fn61 \
--network your-network \
--mount type=bind,src=/run/docker.sock,dst=/run/docker.sock \
-p 80:80 \
-p 443:443 \
-p 9001:9001 \
-e 'SSL_CERT_PRIVATE_KEY=... public_https.key base64-encoded ...' \
fn61/traefik-fn61
NOTE: current limitation is that you have to run Traefik on the same node as as a Swarm manager.
SSL config
These three files live in Traefik's configuration:
- ca.crt
- public_https.crt
- public_https.key (secret - injected via ENV variable at container startup)
+------------------+
| |
| ca.crt (root CA) |
| (self-signed) |
| |
+--------------+---+
|
| +--------------------+
| | |
+------+ Server cert: |
| | - public_https.crt |
| | - public_https.key |
| | |
| +--------------------+
|
| +---------------------------------+
| | |
+------+ Client certs |
| - authentication to backoffice |
| |
+---------------------------------+
Port 443
is backed by public_https
certificate. It is self-signed and thus not accepted
by general web users, but that is okay because we're fronted by Cloudflare which serves its
own SSL cert to users, and their cert is backed by publicly recognized CAs.
Port 9001
is backed by the same public_https
certificate, but with attached to different
frontend, "backoffice". Backoffice is for company-internal services that require authentication.
Authentication is implemented via client certs that must anchor to ca.crt
.
SSL cert setup is documented here.