This will be used to password protect applications as needed. Install the `apache2-utils` package, which provides the `htpasswd` utility used to create an encrypted password.

```sh
sudo apt-get install apache2-utils
```
Generate the password with `htpasswd`. For example, for user `admin` and password `secret`:

```sh
htpasswd -nb admin secret
```
Copy the output; it will be added to the `traefik.toml` file created in the next step. For example, copy:

```
admin:$apr1$m7bjJGAs$yoFBU4EmPy0wAQuKccomQ/
```
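To see what that `htpasswd` output actually is, here is an added Python transcription of Apache's APR1 scheme (salted MD5 stretched over 1000 rounds, written as `$apr1$salt$digest`) that can generate and verify entries of the kind used in `users = [...]` below. This is example code written for this page, not code from the original article, from `htpasswd` or from Traefik; `PAGE_ENTRY` is the hash quoted on this page, and the function names (`apr1_md5`, `htpasswd_entry`, `parse_entry`, `verify`) are mine.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Apache's to64() alphabet; note it is not standard base64.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = "$apr1$"

# The entry quoted on this page (user admin; the page says the password is "secret").
PAGE_ENTRY = "admin:$apr1$m7bjJGAs$yoFBU4EmPy0wAQuKccomQ/"


def _to64(value: int, count: int) -> str:
    """Emit `count` 6-bit groups of `value`, least significant group first."""
    chars = []
    for _ in range(count):
        chars.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def apr1_md5(password: str, salt: str) -> str:
    """Apache APR1 hash ($apr1$salt$digest), the scheme `htpasswd -m` writes.

    A Python transcription of apr_md5_encode(): two MD5 contexts are mixed,
    then 1000 rounds are applied in a fixed, index-dependent order.
    """
    if not 1 <= len(salt) <= 8 or any(c not in _ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 chars from the htpasswd alphabet")
    pw, sb = password.encode(), salt.encode()

    ctx = hashlib.md5(pw + _MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Feed the alternate digest once per 16 bytes of password length.
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    # Walk the bits of the password length: NUL for set bits, pw[0] otherwise.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds; the input order depends on i mod 2, 3 and 7.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    f = final
    digest = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{_MAGIC}{salt}${digest}"


def htpasswd_entry(user: str, password: str) -> str:
    """Build a 'user:$apr1$...' line with a fresh random 8-character salt."""
    if ":" in user:
        raise ValueError("user names may not contain ':'")
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def parse_entry(entry: str) -> Tuple[str, str, str]:
    """Split 'user:$apr1$salt$digest' into (user, salt, digest)."""
    user, sep, hashed = entry.partition(":")
    if not sep or not hashed.startswith(_MAGIC):
        raise ValueError("expected a user:$apr1$... entry")
    salt, sep, digest = hashed[len(_MAGIC):].partition("$")
    if not sep:
        raise ValueError("malformed $apr1$ hash")
    return user, salt, digest


def verify(password: str, hashed: str) -> bool:
    """Constant-time check of `password` against a $apr1$ hash."""
    if not hashed.startswith(_MAGIC):
        return False
    salt = hashed[len(_MAGIC):].split("$", 1)[0]
    try:
        candidate = apr1_md5(password, salt)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, hashed)


if __name__ == "__main__":
    _, page_hash = PAGE_ENTRY.split(":", 1)
    print("page hash matches 'secret':", verify("secret", page_hash))
    print(htpasswd_entry("admin", "secret"))
```

The comparison uses `hmac.compare_digest` so that verification time does not leak how many leading characters matched. APR1 is MD5-based and cheap to brute-force offline; `htpasswd -B` produces bcrypt entries, which Traefik's basic auth also accepts and which are a better choice for anything beyond a lab.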
Use Docker Compose to set up Traefik as a reverse proxy and load balancer running in a Docker container. Within the home directory, create a new directory named `docker` for the configuration files. Create another directory for `traefik` inside it.

```sh
cd ~/
mkdir docker
mkdir docker/traefik
```
Create `traefik/traefik.toml` to configure entry points and the web provider for access to the dashboard interface.

```toml
defaultEntryPoints = ["http", "https"]

[web]
address = ":8080"
  [web.auth.basic]
  users = ["admin:$apr1$m7bjJGAs$yoFBU4EmPy0wAQuKccomQ/"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.https.redirect]
    entryPoint = "http"
  # [entryPoints.https]
  # address = ":443"
  #   [entryPoints.https.tls]

# [acme]
# email = "firstname.lastname@example.org"
# storage = "acme.json"
# entryPoint = "https"
# onDemand = false
# OnHostRule = true
#   [acme.httpChallenge]
#   entryPoint = "http"
#   provider = ""
#   delayBeforeCheck = 0
```
- Traefik has built-in support for the free Let's Encrypt SSL certificate retrieval service. A server with a public domain is needed for the service to validate. The `traefik.toml` example above contains a commented stub for reference. Let's Encrypt has permanently disabled the TLS-SNI-0x challenges due to a vulnerability, and Traefik prior to 1.5 used the TLS-SNI-01 challenge by default. Refer to the `[acme]` configuration docs for the new `[acme.httpChallenge]` section as needed.
Create `traefik/dockerfile` to add the `traefik.toml` to the image. (By default `docker-compose build` looks for a file named `Dockerfile`, capital D; on a case-sensitive filesystem a lowercase `dockerfile` is only picked up if the compose file names it under `build: dockerfile:`.)

```dockerfile
FROM traefik
ADD traefik.toml .
EXPOSE 80
EXPOSE 8080
# EXPOSE 443
```
Create `traefik/docker-compose.yml` to configure the Traefik services and networks. Mounting `/var/run/docker.sock` is what lets Traefik discover containers, but it also gives the proxy container full control of the Docker daemon, which is equivalent to root on the host, so treat this container as a privileged component.

```yaml
version: '2'
services:
  proxy:
    build: .
    restart: always
    command: --docker --logLevel=DEBUG
    networks:
      - webgateway
    ports:
      - "80:80"
      # - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
networks:
  webgateway:
    driver: bridge
```
Update the CSF firewall configuration to allow traffic on the password-protected port 8080. With HTTPS still commented out, the dashboard's basic-auth credentials travel in cleartext, so limit who can reach this port while testing.

```sh
sudo nano /etc/csf/csf.conf
```

Append 8080 to the list of TCP ports. For example:

```
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8080"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,8080"
```
Use `docker-compose` to create the Docker container and run the traefik application.

```sh
docker-compose -f ~/docker/traefik/docker-compose.yml up -d
```
Create `whoami/docker-compose.yml` to configure another container application labeled `whoami`. The image for this container uses a tiny Go web server that prints system information and the incoming HTTP request to its output.

```sh
mkdir ~/docker/whoami
nano ~/docker/whoami/docker-compose.yml
```

```yaml
version: '2'
services:
  app:
    image: emilevauge/whoami
    networks:
      - web
    labels:
      - "traefik.backend=whoami"
      - "traefik.frontend.rule=PathPrefixStrip: /whoami" # IP/whoami/
      # - "traefik.frontend.rule=Host:vm.ubuntuserver.whoami.com"
networks:
  web:
    external:
      name: traefik_webgateway
```
Access the application in a browser using the VM IP address. For example, http://172.30.0.10. To use a domain name, add `172.30.0.10 vm.ubuntuserver.whoami.com` to your computer's hosts file. Then remove the comment from the `Host` frontend rule in the whoami `docker-compose.yml`.
When you're done testing everything and ready to enable the firewall, disable the testing flag.

```sh
sudo nano /etc/csf/csf.conf
```

Set `TESTING = "0"` and reload.

```sh
sudo csf -r
```
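The two `csf.conf` edits above (appending a port to `TCP_IN`/`TCP_OUT`, and setting `TESTING = "0"`) are easy to get wrong by hand: a port added twice, or a value edited inside a comment. As an added example, not code from the original article or from the CSF project, here is a small Python helper that applies both edits idempotently and leaves every other line untouched. `SAMPLE_CONF` is a constructed excerpt modelled on the lines quoted above, and the function names are mine.

```python
import re

# Constructed excerpt of /etc/csf/csf.conf, modelled on the lines quoted above.
SAMPLE_CONF = """\
# Testing mode: rules are flushed periodically until this is set to "0"
TESTING = "1"

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
"""

# Matches an active (uncommented) KEY = "value" line; comments never match
# because the key must start at column 0.
_SETTING = re.compile(r'^(?P<key>[A-Z0-9_]+)\s*=\s*"(?P<value>[^"]*)"\s*$')


def get_setting(conf: str, key: str) -> str:
    """Return the quoted value of `key`, or raise KeyError if it is absent."""
    for line in conf.splitlines():
        m = _SETTING.match(line)
        if m and m.group("key") == key:
            return m.group("value")
    raise KeyError(key)


def set_setting(conf: str, key: str, value: str) -> str:
    """Rewrite KEY = "..." in place, keeping every other line byte-for-byte."""
    out, found = [], False
    for line in conf.splitlines(keepends=True):
        m = _SETTING.match(line.rstrip("\n"))
        if m and m.group("key") == key:
            line = f'{key} = "{value}"\n'
            found = True
        out.append(line)
    if not found:
        raise KeyError(f"{key} not present in csf.conf")
    return "".join(out)


def allow_tcp_port(conf: str, port: int, keys=("TCP_IN", "TCP_OUT")) -> str:
    """Append `port` to each port list in `keys`; a no-op if already listed."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port {port}")
    for key in keys:
        ports = get_setting(conf, key).split(",")
        if str(port) not in ports:
            ports.append(str(port))
            conf = set_setting(conf, key, ",".join(ports))
    return conf


if __name__ == "__main__":
    updated = allow_tcp_port(SAMPLE_CONF, 8080)
    updated = set_setting(updated, "TESTING", "0")
    print(updated)
```

On a real system the same functions would read `/etc/csf/csf.conf`, write the result to a temporary file and rename it into place before running `sudo csf -r`; checking `get_setting(conf, "TESTING")` before reloading is a cheap way to confirm the firewall will actually stay enabled.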