Manage episode 234884428 series 2422542
First, we specify the
backend name which corresponds to the actual service we're routing to.
We also tell Traefik to use the
web network to route HTTP traffic to this container. With the
traefik.enable label, we tell Traefik to include this container in its internal configuration.
frontend.rule label, we tell Traefik that we want to route to this container if the incoming HTTP request contains the
app.my-awesome-app.org. Essentially, this is the actual rule used for Layer-7 load balancing.
Finally but not unimportantly, we tell Traefik to route to port
9000, since that is the actual TCP/IP port the container actually listens on.
Service labels allow managing many routes for the same container.
container labels and
service labels are defined,
container labels are just used as default values for missing
service labels but no frontend/backend are going to be defined only with these labels. Obviously, labels
traefik.port described above, will only be used to complete information set in
service labels during the container frontends/backends creation.
In the example, two service names are defined :
admin. They allow creating two frontends and two backends.
basichas only one
traefik.basic.protocol. Traefik will use values set in
traefik.portto create the
basicfrontend and backend. The frontend listens to incoming HTTP requests which contain the
app.my-awesome-app.organd redirect them in
HTTPto the port
9000of the backend.
adminhas all the
services labelsneeded to create the
adminfrontend and backend (
traefik.admin.port). Traefik will create a frontend to listen to incoming HTTP requests which contain the
admin-app.my-awesome-app.organd redirect them in
HTTPSto the port
9443of the backend.
Gotchas and tips¶
- Always specify the correct port where the container expects HTTP traffic using
- If a container exposes multiple ports, Traefik may forward traffic to the wrong port. Even if a container only exposes one port, you should always write configuration defensively and explicitly.
- Should you choose to enable the
exposedByDefaultflag in the
traefik.tomlconfiguration, be aware that all containers that are placed in the same network as Traefik will automatically be reachable from the outside world, for everyone and everyone to see. Usually, this is a bad idea.
- With the
traefik.frontend.auth.basiclabel, it's possible for Traefik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
- Traefik has built-in support to automatically export Prometheus metrics
- Traefik supports websockets out of the box. In the example above, the
events-service could be a NodeJS-based application which allows clients to connect using websocket protocol. Thanks to the fact that HTTPS in our example is enforced, these websockets are automatically secure as well (WSS)