Setting Up Traefik Reverse Proxy (with HTTPS) - Docker Compose

December 20, 2022

Setting Up Traefik Reverse Proxy

Traefik is a reverse proxy program often used with docker to route web requests to different services on the backend.

It also has some really handy features like automatic HTTPS certs and a configuration syntax based on labels that makes it relatively easy to add to existing docker-compose files or even Docker Swarm and Kubernetes.

Be sure to look at the docs to get a better overview.

Using Traefik as a reverse proxy to Wordpress example

Here is the docker-compose.yml example that has Traefik as a HTTPS proxy sitting in front of a wordpress and whoami service.

This file is also taken from the Traefik docs but slightly modified to add Wordpress to the mix.

Notice: The arguments for command: passed to Traefik are the default configuraion. The labels: for wordpress and whoami direct - or inform Traefik on things like hostname, resolver and cert.

# docker-compose.yml
version: "3.3"

services:

  traefik:
    image: "traefik:v2.9"
    container_name: "traefik"
    command:
      # log level will make logs more verbose (for debugging ssl/tls certs)
      # - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      # using the "staging" ca server for letsencrypt is better for testing (less rate limiting)
      # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=${LETSENCRYPT_EMAIL}"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
        # port 8080 is for traefik's builtin dashboard. traefik can be run without
        # - "8080:8080"
    volumes:
      # store certs in current working directory
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

  wordpress:
    image: wordpress
    container_name: "${DEFAULT_HOST}-wordpress"
    restart: unless-stopped
    environment:
      WORDPRESS_DB_HOST: "${WORDPRESS_DB_HOST}"
      WORDPRESS_DB_USER: "${WORDPRESS_DB_USER}"
      WORDPRESS_DB_PASSWORD: "${WORDPRESS_DB_PASSWORD}"
      WORDPRESS_DB_NAME: "${WORDPRESS_DB_NAME}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`example.com`)"
      - "traefik.http.routers.wordpress.entrypoints=websecure"
      - "traefik.http.routers.wordpress.tls.certresolver=myresolver"
    volumes:
      - wordpress:/var/www/html

  db:
    image: mysql:5.7
    container_name: "${DEFAULT_HOST}-mysql"
    restart: unless-stopped
    environment:
      MYSQL_DATABASE: "${MYSQL_DATABASE}"
      MYSQL_USER: "${MYSQL_USER}"
      MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - db:/var/lib/mysql

volumes:
  wordpress:
  db:

So in effect - if all goes correctly running docker-compose up, then:

https://whoami.example.com will route requests to whoami https://example.com will route requests to wordpress

Troubleshooting

The logs for traefik are generally very helpful in debugging issues. Usually it is something DNS/TLS/port related.