How to setup Traefik 2.2 and Portainer on Ubuntu 18.04
This setup is useful for many use cases, such as hosting applications, microservices and/or REST APIs. For this document, our use case is a single server (cloud, virtual or physical) hosting multiple applications like JIRA, Confluence, Drupal, Wordpress, Magento etc. using Docker, with Traefik routing the traffic to the appropriate Docker containers and Portainer providing a control panel of sorts to manage Docker. For a low-cost physical or cloud server with great support, we recommend Hetzner, whom we have been using for more than 5 years. To get much better resiliency, scaling and high availability, we could set up a Docker Swarm cluster and use Traefik and Portainer to manage that, but that is out of scope of this article.
A high level diagram of how all the components work as a solution is:
Traefik is the leading open source reverse proxy and load balancer for HTTP and TCP-based applications that is easy, dynamic, automatic, fast, full-featured, production proven, provides metrics, and integrates with every major cluster technology.
Traefik provides the following benefits:
- Dynamic Routing: Once properly set up, Traefik will dynamically add new services and containers as they come up and route traffic to them. Suppose Traefik was earlier only routing traffic for `jira.example.com` to the JIRA container; if we now add a new container for Confluence with a new endpoint `confluence.example.com`, Traefik will automatically detect it and start routing traffic to it.
- Load balancer: If we have multiple instances of a container, Traefik can provide load balancing between those instances.
- Letsencrypt: If properly configured, Traefik can not only route traffic to a newly discovered service, but can also get free certs from Let's Encrypt for the domain configured for that service and transparently manage the renewal of the certs. It can then redirect all the traffic to `https` for enhanced security of your application.
- Traefik Dashboard: New in version 2.0+ of Traefik is a very useful user dashboard that helps visualize all the traffic endpoints, services, middlewares and Docker containers. A very simplistic dashboard was available in version 1.x, but the one in version 2.x+ is much better.
You can read many more details about other functionality on the Traefik website.
Portainer is a powerful, open-source management toolset that allows you to easily build, manage and maintain Docker environments.
With portainer you can manage your docker instances, add new dockerised applications from app store and visualise various docker services and stacks that are currently running.
You might find some of the instructions given below quite basic, but we have included them for the sake of completeness. Please skip the steps that you don’t need.
Setup secure Ubuntu server
You can follow the instructions in the Secure Ubuntu 18.04 Server Setup to set up a secure base Ubuntu server.
It is assumed that you have changed the DNS entry of your `example.com` domain and pointed the following sub-domain names to the server:

```
docker.example.com
traefik.example.com
portainer.example.com
```
Full instructions to install Docker are given at https://docs.docker.com/engine/install/ubuntu/ but in a nutshell the commands are:
```bash
$ sudo apt-get update

# Add required packages
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common

# Add Docker official GPG key
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

# Add Docker repository
$ sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable"

# Install Docker packages
$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io

# Test to ensure docker is working
$ sudo docker run hello-world

# Add current user to the Docker group
$ sudo groupadd docker
$ sudo usermod -aG docker $USER
$ sudo reboot
```
Install Docker Compose
Get latest version from https://github.com/docker/compose/releases
```bash
$ sudo curl -L "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

# Give execute permissions
$ sudo chmod +x /usr/local/bin/docker-compose

# Test docker-compose
$ docker-compose --version
```
Create the required directories
You can set up your Docker directory structure whichever way you like. Our preferred directory structure is:

```
# Main directory under which all the docker related stuff will be stored
/home/ubuntu/docker

# core directory containing docker-compose for Traefik and Portainer
/home/ubuntu/docker/core
/home/ubuntu/docker/core/docker-compose.yml

# Traefik config files
/home/ubuntu/docker/core/traefik-data

# This file is used to store all the certs
/home/ubuntu/docker/core/traefik-data/acme.json

# Config file for Traefik
/home/ubuntu/docker/core/traefik-data/traefik.yml

# Portainer config files
/home/ubuntu/docker/core/portainer-data

# Contains docker-compose files for all dockerised files
/home/ubuntu/docker/apps
```

If you want to use this directory structure, then use the commands below:

```bash
mkdir -p /home/ubuntu/docker/core/traefik-data
mkdir -p /home/ubuntu/docker/core/portainer-data
touch /home/ubuntu/docker/core/traefik-data/acme.json
chmod 600 /home/ubuntu/docker/core/traefik-data/acme.json
touch /home/ubuntu/docker/core/traefik-data/traefik.yml
```
Traefik config file
```yaml
api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  http:
    acme:
      email: [email protected]
      storage: acme.json
      httpChallenge:
        entryPoint: http
```
Important: Make sure to replace `[email protected]` with your actual email address, where you want Let’s Encrypt to send the cert expiry notifications.
Generate secure password for logging into Traefik
We will use `htpasswd` to generate the password that will then be stored in the `docker-compose.yml` file. This username and password will be required when logging into the Traefik interface.
If `htpasswd` is not available on your system, then install it using:

```bash
$ sudo apt install apache2-utils
```

Then run the following command to generate the secure password:

```bash
echo $(htpasswd -nb <username> <password>) | sed -e s/\\$/\\$\\$/g
```

Replace `<username>` and `<password>` above with your actual username & password.
Create Proxy network
We need to create a new Docker network called `traefik-proxy`, which will be the only network that allows outside traffic. To create the Docker network, use:

```bash
docker network create traefik-proxy
```
docker-compose.yml with both Traefik and Portainer
```yaml
version: '3'

services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Traefik reads container labels through the Docker socket
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      - ./traefik-data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      # Plain HTTP router: only redirects to HTTPS
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=username:password"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      # HTTPS router: dashboard behind basic auth, cert from Let's Encrypt
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      # Serve Traefik's built-in dashboard/API service on this router
      - "traefik.http.routers.traefik-secure.service=api@internal"

  portainer:
    image: portainer/portainer:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./portainer-data:/data
    labels:
      - "traefik.enable=true"
      # Plain HTTP router: only redirects to HTTPS
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(`portainer.example.com`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      # HTTPS router: forwards to Portainer's web UI on port 9000
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.example.com`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=http"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.docker.network=traefik-proxy"

networks:
  traefik-proxy:
    external: true
```
Important: Make sure to change `portainer.example.com` and the `username:password` in the above files to the values that are relevant to you.
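A small audit of the labels from the compose file above, as an added example that is not part of the original article: it flags a `basicauth.users` value that is still the placeholder or contains un-doubled `$` signs, and lists `https` routers with no authentication middleware attached. The function names and the sample labels are constructed for illustration.

```python
import re

AUTH_KINDS = ("basicauth", "digestauth", "forwardauth")

# Constructed sample: four labels in the style of the compose file above.
SAMPLE = '''
      - "traefik.http.middlewares.traefik-auth.basicauth.users=username:password"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
'''

def parse_labels(compose_text):
    """Collect list-form traefik.* labels (- "key=value") into a dict."""
    labels = {}
    for line in compose_text.splitlines():
        m = re.match(r'\s*-\s*"?(traefik\.[^=\s"]+)=(.*?)"?\s*$', line)
        if m:
            labels[m.group(1)] = m.group(2)
    return labels

def audit(compose_text):
    """Return sorted findings: weak basicauth values, HTTPS routers without auth."""
    labels = parse_labels(compose_text)
    findings, auth_mw = set(), set()
    for key, value in labels.items():
        m = re.match(r"traefik\.http\.middlewares\.([^.]+)\.(\w+)\.", key)
        if m and m.group(2).lower() in AUTH_KINDS:
            auth_mw.add(m.group(1))  # this middleware enforces authentication
        if key.endswith(".basicauth.users"):
            for entry in value.split(","):
                user, _, secret = entry.partition(":")
                if not secret.startswith(("$", "{SHA}")):
                    findings.add(f"{user}: not an htpasswd hash")
                elif re.search(r"(?<!\$)\$(?!\$)", secret):
                    # docker-compose treats a single $ as variable substitution
                    findings.add(f"{user}: single '$' will be interpolated by docker-compose")
    for key, value in labels.items():
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.entrypoints$", key)
        if not m or "https" not in value.split(","):
            continue
        used = labels.get(f"traefik.http.routers.{m.group(1)}.middlewares", "")
        if not auth_mw & {mw.split("@")[0] for mw in used.split(",")}:
            findings.add(f"{m.group(1)}: no auth middleware, relies on the app's own login")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample it reports the `username:password` placeholder and the `portainer-secure` router, which depends on Portainer's own login rather than a Traefik middleware.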
Once everything is set up, you can start Traefik and Portainer using:

```bash
docker-compose up -d
```

and then you can visit `https://portainer.example.com` to use these applications.
- When running `docker-compose` for the first time, you might want to use `docker-compose up` so that you can see the logs and the progress of the process. Use `CTRL+c` to exit and then run docker-compose with `-d` as shown above for normal work.
- You can also check the logs using `docker-compose logs`. This command will only work when you are in the directory that contains
- To check the status of the containers, use