Traefik Configuration & Management
Comprehensive guide to Traefik v2.11 setup, configuration, and management.
Overview
Traefik is an advanced reverse proxy and load balancer that automatically discovers services and configures routing. It handles:
- HTTP/HTTPS routing
- SSL/TLS termination and certificate generation
- Load balancing
- Middleware application
- Service discovery via Docker
Configuration Files
Static Configuration (traefik.yml)
The static configuration file defines global settings that rarely change.
Dynamic Configuration (Docker Labels)
Dynamic configuration is defined in docker-compose.yml using Docker labels.
Example Service:
Routing Rules
Host-Based Routing
Route based on the requested hostname:
Path-Based Routing
Route based on URL path:
Combined Rules
Middleware
Middleware allows you to modify requests/responses and handle cross-cutting concerns.
Authentication Middleware
Redirect Middleware
Rate Limiting
Headers Modification
SSL/TLS Certificates
Automatic Certificate Generation
Traefik automatically generates certificates for routes with:
- Entry point: websecure
- TLS resolver: cloudflare
ACME Challenge Flow
Certificate Storage
Certificates stored in: /opt/traefik/acme/acme.json
Never commit this file to Git - it contains private keys!
Load Balancing
Basic Load Balancing
If a service has multiple instances, Traefik automatically distributes traffic:
Round-Robin Distribution
Traefik uses round-robin by default:
- Request 1 → app1
- Request 2 → app2
- Request 3 → app1
- Request 4 → app2
Health Checks
Service Discovery
Docker Provider
Traefik automatically discovers services with:
- Enabled: traefik.enable=true
- Network: traefik-proxy
- Labels for configuration
Service Registration Process
Monitoring & Troubleshooting
Dashboard Access
- Registered routers
- Active services
- Middleware definitions
- Entry points
- Health status
API Endpoints
Viewing Logs
Common Issues
Route Not Found (404)
Symptoms: Service returns 404 when accessed
Causes:
- Route not registered (check labels)
- Service not on traefik-proxy network
- Typo in hostname rule
Certificate Not Generating
Symptoms: SSL certificate error, no HTTPS
Causes:
- DNS not resolving
- Cloudflare API token invalid
- Service not on websecure entrypoint
Service Unreachable
Symptoms: 502 Bad Gateway
Causes:
- Backend service crashed
- Wrong port configured
- Service not on traefik-proxy network
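Several of the causes listed above can be caught before deployment. The following is an added example, not part of the original guide or of Traefik itself: a heuristic Python lint over a parsed docker-compose services mapping, using the traefik-proxy, websecure and cloudflare names from this page. The audit_service function and the sample services are constructed for illustration.

```python
import re

# Names taken from this page; the service data below is a constructed sample.
PROXY_NETWORK, ENTRYPOINT, RESOLVER = "traefik-proxy", "websecure", "cloudflare"
HOSTNAME = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
PORT_LABEL = re.compile(r"traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port")

def audit_service(name, service):
    """Return findings for one service from a parsed docker-compose `services:` map."""
    labels = service.get("labels") or {}
    if isinstance(labels, list):  # compose accepts a "key=value" list or a mapping
        labels = dict(item.split("=", 1) for item in labels if "=" in item)
    if str(labels.get("traefik.enable", "")).lower() != "true":
        return [f"{name}: traefik.enable=true not set (not routed with exposedByDefault: false)"]
    findings = []
    if PROXY_NETWORK not in (service.get("networks") or []):
        findings.append(f"{name}: not attached to the {PROXY_NETWORK} network")
    routers = {k.split(".")[3] for k in labels if k.startswith("traefik.http.routers.")}
    for router in sorted(routers):
        base = f"traefik.http.routers.{router}"
        rule = str(labels.get(f"{base}.rule", ""))
        if not rule:
            findings.append(f"{name}/{router}: no routing rule")
        for args in re.findall(r"Host\(([^)]*)\)", rule):  # heuristic typo check
            for host in re.findall(r"[`\"]([^`\"]+)[`\"]", args):
                if not HOSTNAME.match(host):
                    findings.append(f"{name}/{router}: suspicious hostname {host!r}")
        entrypoints = [e.strip() for e in str(labels.get(f"{base}.entrypoints", "")).split(",")]
        if ENTRYPOINT not in entrypoints:
            findings.append(f"{name}/{router}: not bound to the {ENTRYPOINT} entry point")
        if labels.get(f"{base}.tls.certresolver") != RESOLVER:
            findings.append(f"{name}/{router}: tls.certresolver is not {RESOLVER}")
    if not any(PORT_LABEL.fullmatch(k) for k in labels):
        findings.append(f"{name}: backend port not set explicitly")
    return findings

SAMPLE = {  # constructed sample; hostnames and ports are placeholders
    "good": {"networks": ["traefik-proxy"], "labels": [
        "traefik.enable=true", "traefik.http.routers.good.entrypoints=websecure",
        "traefik.http.routers.good.rule=Host(`app.example.com`)",
        "traefik.http.routers.good.tls.certresolver=cloudflare",
        "traefik.http.services.good.loadbalancer.server.port=8080"]},
    "bad": {"networks": ["backend"], "labels": [
        "traefik.enable=true", "traefik.http.routers.bad.entrypoints=web",
        "traefik.http.routers.bad.rule=Host(`app.example,com`)"]},
}
if __name__ == "__main__":
    print("\n".join(f for n, s in SAMPLE.items() for f in audit_service(n, s)))
```

A router that exists only to redirect HTTP to HTTPS is reported as not bound to websecure; treat that finding as expected for such routers.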
Best Practices
- Always use HTTPS
  - Redirect HTTP to HTTPS
  - Use websecure entrypoint
  - Configure certificate resolver
- Proper Naming
  - Use descriptive router names
  - Use lowercase with hyphens
  - Name services consistently
- Network Isolation
  - Always add services to traefik-proxy network
  - Use exposedByDefault: false in provider
  - Explicitly enable routing with labels
- Security
  - Use authentication middleware for sensitive services
  - Don’t expose sensitive endpoints
  - Keep credentials in environment variables
  - Rotate API tokens regularly
- Monitoring
  - Enable access logs
  - Monitor Traefik resource usage
  - Set up alerting for certificate expiration
  - Review logs for errors regularly
- Configuration Management
  - Keep docker-compose.yml in version control
  - Document custom middleware
  - Version your configuration changes
  - Test changes before deploying to production