Is this the BEST Reverse Proxy for Docker? // Traefik Tutorial

Captions
Hi everybody, Christian here, and in this video I show you the new reverse proxy Traefik that I've been using the last weeks, since I started to work more with Kubernetes and any cloud service deployments. And I show you how to set up Traefik on a Docker host to expose and load balance all your container applications with trusted SSL certs from Let's Encrypt. It's really cool and probably the most flexible reverse proxy that I've used so far.

What's also really cool is, if you want to protect your administrative web interfaces, SSH sessions, databases or Kubernetes clusters with additional two-factor authentication, then take a look at the sponsor of this video, Teleport, because with Teleport you can protect and securely authenticate to your server's infrastructure, log any user's actions and record sessions. You can install the free community edition completely self-hosted at no cost, so just download and try it out. And suppose you want to use Teleport within your business environment: in that case they also offer an enterprise version with additional 24/7 support and Active Directory integration and much more, so just reach out to the Teleport team.

So guys, if you've watched some of my earlier videos about Docker or my home server project, you probably know that I've often used the Nginx Proxy Manager in my tutorials. And the Nginx Proxy Manager is a simple reverse proxy that's based on the nginx web server, which you can configure through a very simple and intuitive web interface. It's pretty cool, but I also had some problems with this project, as from time to time it didn't work so well with automatic cert renewal, and it's probably the tutorial where I get the most questions on my Discord server, on my YouTube comments so far, where people just seem to have problems setting up this stuff. So it's time to do another reverse proxy tutorial, and I just searched for another tool to expose my web services, and then I simply just came across Traefik, because that seems to be the new modern
app that most people are using, especially in more extensive and more professional environments like Kubernetes clusters and any cloud infrastructure. In that case Traefik is probably one of the most exciting technologies for reverse proxies and load balancing, so let's talk about it and understand why it is so powerful.

I already talked about reverse proxies and load balancing, but let's dive a little bit deeper into that, because reverse proxies and load balancers are technically not the same, although most applications solve both of these tasks. So let's assume you, as a client, you want to run a web application and host this on a server. A reverse proxy sitting in between now takes that connection from the client and forwards it to the server where it is processed. There are a couple of reasons why this is useful. So first, you can use that for security reasons: a reverse proxy can handle SSL certs to encrypt the connection between the client and the server without any additional configuration or certificate management on the server itself. So that is often used to expose any unsecured protocols, or to offload the encryption and decryption process from the server for performance reasons. The other main reason why we are using reverse proxies is to load balance the connections. So for example, when your application is running on multiple servers, you can use a reverse proxy acting as a load balancer to route the connections to multiple target servers, and this allows us to scale applications dynamically, which means you can add or remove servers at any time based on how many requests you're getting. It's essential in cloud environments, for example when you're using technologies like Kubernetes to set up a highly available cluster to deploy your applications at scale.

So now, Traefik: is it the best reverse proxy or load balancer in that case? Well, it probably is the most flexible one, because you can do so much with it. Are you running a Docker host and you want to protect all your services
with trusted SSL certs automatically? Or maybe you are running a production Kubernetes cluster in the cloud where you need ingress controllers, or you might want to add additional authentication services to it. So Traefik offers all these different features and is very flexible in configuration, but all these features also make it very complex, and that's why the documentation is sometimes really confusing. For every function you want to implement there are literally 10 different ways to do that, so it has a pretty steep learning curve, and it took me quite a while to do very basic things. And you should also have a very good understanding of containerization, networking and web applications before getting started with that. In case you don't, well, I can just recommend take a look at my YouTube videos on my channel; I make tutorials about all this stuff, about setting up containerization with Docker, about Kubernetes and all those different things, so just check it out. So although Traefik might seem a little bit complex in the first place, I think in the long term it is very useful, because I like software and applications that you need to learn once, and that probably will take some time, but it will also solve a variety of different problems for you, and you can use that in many different scenarios.

Okay, so let's start configuring Traefik on our Docker server, and I'll show you how to do that. But first of all I want to show you the home page of Traefik Labs, because they also make other products around the Traefik proxy. So if you want to get started with Traefik, then just go to the home page, go to Products and select Traefik Proxy, and if you want to get started with that and know how to configure Traefik, then just click on Get Started, and this will take you to the official documentation. As I said in the beginning of this video, the documentation might seem very intimidating when you see it the first time, but don't worry, I will walk you through all this stuff, and we will start with some
basics about Traefik you should definitely know before taking a look at this. So if you want to quickly get started with that, there's a quick start guide where you can just go there, learn about the basic infrastructure and just deploy it in a simple Docker Compose file, and then you're ready to go and test this on your local Docker setup.

So in the configuration introduction we can learn about the different ways to configure Traefik. As I said, there are different ways to do that, and it is split into two sections here, because Traefik has a dynamic configuration, that is also referred to as the dynamic routing configuration, and a static configuration, that is a startup configuration. So there are two different configuration styles, and the static configuration can also be configured in three different ways. So that makes it sometimes a little bit confusing, because if you're searching for other tutorials on the internet about Traefik, you will see people use a configuration file, other people might use command line arguments or environment variables, and you don't really know what to use. But I have decided to just choose the configuration style where I'm the most familiar with, and this is just a configuration YAML file.

So this is exactly what I've done, and I've prepared a new GitHub repository on my personal GitHub page. When you go to my boilerplates repository, you will find many templates on configurations for various projects such as Ansible playbooks, Docker Compose files, Kubernetes deployments or Vagrant files, and here in the Docker Compose section you will find a traefik folder where I've stored a Docker Compose file you simply can just use to deploy Traefik on a Docker server. And I also added an example configuration file, so the example traefik.yml is the official example file, and I've modified that a little bit to make it easier for you guys. So let's take a look at this.

So let's first of all start with the traefik.yaml configuration file, and I want to copy this on my server so
when I deploy Traefik on a Docker container, it can find this configuration file and apply all the settings you configure here. So let's basically copy this template here, and let's go to my server and create a new file in the /etc/traefik folder that is called traefik.yaml. So note, if you are using the traefik.yaml name for the file, Traefik will automatically find it if you mount that location inside the Docker container. And I don't want to modify it too much in this file, but let's go over this step by step.

So first of all we will set some global information about checking new versions and send anonymous usage, and I added some sections for you to enable log information and access logging. So this is something we don't need for this tutorial, but if you're using that on a production server you might customize it. And I also want to add or enable the API and the dashboard for now. So now, this is something you should not do in a production environment, or you can enable the API and the web interface, but you should not expose this to the public internet, because it is not encrypted and it doesn't have any kind of authentication to it. So if you want to use that dashboard, which is by the way pretty useful sometimes, just use a software like Teleport as an access proxy to securely protect this and expose it with two-factor authentication and user logging.

And now in the entry point sections you define how anyone can access the reverse proxy. So you can define custom entry points as well if you want to change the port for whatever reason, but in most cases you will have one port that is used for HTTP, which is unencrypted, and HTTPS, which is encrypted, and you can also enable an optional permanent redirect from the HTTP port to all the HTTPS ports. This is useful if you don't want to use any unencrypted traffic at all.

So now in this section we can customize our certificate resolver. So if you want to obtain any trusted SSL certs from Let's Encrypt, you can just go with these basic entries here,
the only thing you would need to do is, you need to replace this section here with your email address. And in the last section we configured the Docker provider. So this is very important if you use Traefik with Docker. You can also use that in combination with a Kubernetes cluster, for example, but then you would need to change this here and you would need to change the provider configuration. But for now we are just focusing on the Docker part. So this is everything we need to change in this file; let's write and exit it.

And let's come to the deployment of Traefik. And in this Docker Compose file you simply can see that I just start Traefik and I don't configure it in any way, because we are using the static configuration file to do all this stuff, and I don't need to add any labels or I don't need to add any command line parameters to configure it. Now the only thing I need is, I need to create a volume to store the SSL certs, because otherwise anytime you redeploy your container with Traefik you probably would need to obtain a new SSL cert, and you could hit some rate limits on Let's Encrypt, for example. So I want to store them persistently in a volume, and I also want to pass through the /etc/traefik folder inside the Docker container in that location, because Traefik will search for a configuration file in that folder that is called traefik.yml. In the last section we also want to mount the Docker socket as read-only, and this is just important when you're using Docker as your provider, because as I just said, Traefik will monitor which container you will deploy on the Docker server and then it will dynamically configure itself. So this is really cool; I will show you how that works in a few seconds. And you can also expose the dashboard on port 8080, but don't do this in production; as I said, protect this with an access proxy or any authentication.

So let's copy all this stuff and let's go to my Portainer server and let's create a new stack that is called traefik test and paste the
content of the Docker Compose file in here, and let's just deploy it. And in the container section you can now see that I've created a new container which is called traefik, from the traefik test stack here, and we can now just access the public dashboard that we've just enabled. And when you open it the first time, you can see there is a dashboard of Traefik where you can monitor what's happening on your reverse proxy, and you can see this is pretty nice. It also has a dark theme, which is pretty cool, and you can monitor all the different configuration parameters you have set here, so for example any of the HTTP routers, the HTTP services, the middleware. So we will go over this step by step.

So now, if you want to expose a new application, let's first deploy a simple web server on the Portainer server. For example, I want to add a new container which is called nginx, so I will just add a new simple web server. I don't need to expose this port, because this is something that Traefik will then do for us, and I simply can just deploy the container. One thing you need to take care of: you need to put all the containers inside the traefik test network, so the Traefik network that you've used to create your stack, otherwise the Traefik container couldn't connect to the applications it wants to expose. So you need to put them all in one network, or you need to put Traefik in all the container networks as well.

So now we need to configure Traefik to expose this nginx container here, and we could now use the several different ways of creating a dynamic configuration in Traefik. So you can just go here to the entry points and the routers and create a new router for every container in the configuration file and all this stuff. So you could do this in the YAML configuration file, but I'm using a different approach: I'm using the dynamic configuration in Docker labels. And this is pretty cool, because then we don't need to restart Traefik every time when we want to expose a new container. This is pretty
useful. So you can see in the documentation what are the different labels and what are the different arguments you can pass through these containers, but I want to make it easy for you guys, so let's do this step by step and let's do it together. So if I want to expose nginx now, I can just go to the container and edit it and add some labels to it. The first label I need to add to enable Traefik monitoring this container is traefik.enable, and set this to true. So only then Traefik will recognize any changes in the label configurations of this container and will react to it.

So Traefik works in a specific way to configure it, and I just want to show you it with this simple example here. So first of all you will need to define an entry point. The entry point is where the client sends a request, and the Traefik reverse proxy will pick it up, and once it decided what to do with this entry point, it will route it to an HTTP router. And in this router you can configure what should happen with this request, and you can configure if it should pass a specific middleware. So if you want to do any redirections or if you want to make any modifications to the request, you can also put any authentication parts in there. And then it will forward the request to a service, and the service is responsible for accessing the Docker container. You can also inspect all the details in the web UI of Traefik, so therefore it's sometimes pretty useful to see what is going on in that specific configuration.

So first of all we will need to define an entry point for our nginx container. So the label to do that is traefik.http.routers, and then we need to define a router name. So you could put anything in here; I just simply name it nginx, but you could also use "custom router", for example. So let's go with nginx.entrypoints, and let's define the entry point. Remember, in the Traefik configuration we've configured two different entry points, so in my simple example I will just go with HTTP. So we will define the name for the
entry point, which is called web. So now I also need to add a hostname so that Traefik knows which host name it should direct. So we now configure the HTTP router with another label that is called http.routers.nginx.rule, and in this rule we can configure which host names we want to attach to this container. So in my case I have a public DNS record that is called nginx.disrapid.com, and it will point to the public IP address of my server. So let's deploy this container with these labels and let's take a look in the Traefik UI, and you can see, if you reload the page, you should now see a new entry in here which is now called Host nginx.disrapid.com. If we click on that, you can also see the route that the traffic will take. So it first comes to the entry point web that we have configured on port 80, then it would send this request to the nginx router, which will then forward it to the nginx service. And if you want to know what's happening in here, you can just click on HTTP services, and then you can see it redirects it to this IP address, which is the IP address of our Docker container of nginx. So you can see this is this particular IP address here. As you can see, this has a type load balancer, and you can add multiple servers if you want to load balance the traffic to different containers that are somehow stored in a Docker Swarm cluster or anything like this.

And now let's just try to open this location here in the web browser, and now we can access the web server. So you can see that this connection is not secured, because we haven't used the HTTPS entry point yet, and this is probably the reason why you're watching this tutorial, because you want to protect your containers with trusted SSL. So let's take a look at this as well.

So first of all, we have configured the certificate resolvers here, and you can see that I've configured two different certificate resolvers: the first one is staging and the second one is production. So now, you could simply just use a production server
of Let's Encrypt to obtain any trusted SSL certs, but in case you have some misconfiguration or you do something wrong, you could hit a rate limit. So therefore you should test your configuration with a staging certificate resolver first.

So let's go back to our container. The nice thing about Traefik is, now, that we don't need to modify any of the configuration files of Traefik itself if we want to change the configuration to expose our nginx container; we simply can configure or change the labels of it. So let's add another label that is called traefik.http.routers.nginx.tls, and we now set this to true. So now we also need to take care that we need to switch our entry point from web to web secure, because otherwise Traefik wouldn't accept the request on the port HTTPS, so make sure you are setting the entry point as well. And we also need to add another label to obtain a trusted SSL cert, so this label is called traefik.http.routers.nginx.tls.certresolver, and we now need to set the name of our certificate resolver, and let's set the cert resolver to staging here, and let's redeploy our nginx container.

So now I can't reach this application on port HTTP anymore; I need to put in HTTPS. And you can see that this certificate is not trusted, but don't worry about this, this is normal if you're using the staging resolver, because when we take a look at the certificate here you can see that it's using the staging certificate, which is usually not trusted. So this is just for any testing purposes. So this configuration is now fine; we can now move this to production.

But I also want to do something else, because I talked about HTTPS redirection, and this is something you usually want to do, because you don't want to accept the traffic on port 80 anymore, but you want to also redirect if anyone tries to access your website on port HTTP, because otherwise this one will just get this page, page not found, and you want to redirect this traffic to the HTTPS website. So this is something you can
configure in labels as well if you want to do that, but this is something I want to configure for every container, no matter which label it has attached, and I want to do this in the static configuration of Traefik. So now we can remove the optional comments here and enable the permanent redirection for every connection that is coming into the entry point web on port 80, and redirect this to web secure, which is port HTTP, which is port 443, HTTPS. Okay, so let's write and exit this file, and because we have changed something in the static configuration of Traefik, we need to restart the Traefik container. And you can see that something went wrong here: the container didn't start. So let's take a look at the log files, and you can see I've messed up something in the configuration file: redirections not found, and you can see there is a type error here. So this is something I probably need to upgrade on the Git repository as well. So let's write and exit, and now the container is started again.

So let's go to the Traefik UI, and you can see that now nothing has changed: we still have the web secure entry point. And this is something I have forgotten, because now the application will still not accept any connections on port 80, because we haven't set the entry point to HTTP. So let's go back to the nginx container and let's add the label, and in the label you can also define multiple entry points, so you can also add an entry point web comma web secure and redeploy the container. So now let's go back to the web server and try to access it on port 80, and you can see it now redirects automatically to HTTPS, which is exactly what we need.

But we still haven't moved this application to production, so let's go back to the nginx container, let's edit the labels again, and let's change the certificate resolver from staging to production. So if you now think it automatically changes, well, this is something that took me quite some time to figure out what is going on here. It didn't change the certificate
because the staging certificate is still valid. So you could now just wait 90 days, or you can just go to the Docker container, where Docker stores the volume, switch to the root user and search for volumes, go into the volume of the Docker container, and you need to edit the acme.json files. So this is a file where Traefik stores their certificates; we have configured this in the static configuration file. And let's just remove this file, so then you can reset all the certificates that Traefik has stored. So now we also need to restart Traefik once again, because we have reset the certificate volume, and now it might take some time until Traefik has obtained a trusted SSL cert from Let's Encrypt. Remember, it needs to do the HTTP challenge in the background, so you might need to wait one or two minutes and see if it's working. But now you can see it now obtained the trusted SSL cert, so if we go click on that icon and inspect the certificate, you can see that this is a trusted SSL cert from Let's Encrypt for this domain here. So this worked.

As I said, you can find all this stuff in the documentation; you can read about the different parameters, the labels and how you can configure this, but you probably will need some time to get through this and understand Traefik, because sometimes it's a little bit complicated. But on the other hand, Traefik is very flexible and you can do a lot of stuff with that. So don't worry: if you have a problem and you can't solve it yourself, then just go to our Discord community, check out and just talk to other people who are using this, and you might get help from there as well.

Okay guys, so I hope this helped you to get started with Traefik. I know there's so much more we need to talk about, for example how to use Traefik in Kubernetes or how to configure authentication middlewares. I know, all this stuff is on my radar for making new exciting videos for you guys. And as always, I've put you a suggestion for another great video you should watch next in the
description down below, so check that out. And thanks everybody for watching, I see you in the next one. Take care, bye bye.
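
The static configuration, Compose deployment and router labels that the captions above describe, written out as one added example. It is not part of the video and is not the author's repository files. The e-mail address, host name, image tags, the proxy network, the volume name and the /ssl-certs path are placeholders or assumptions, and the dashboard's insecure mode, which the walkthrough turns on for the demo, is off here.

```yaml
# ---- /etc/traefik/traefik.yml : static configuration, read once at startup ----
global:
  checkNewVersion: true
  sendAnonymousUsage: false
api:
  dashboard: true
  insecure: false   # "true" serves the API and dashboard on :8080 with no TLS and no login;
                    # with "false" it is reachable only through a router to api@internal
entryPoints:
  web:
    address: ":80"
    http:
      redirections:             # permanent redirect for everything arriving on port 80
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
certificatesResolvers:
  staging:                      # untrusted test certificates, generous rate limits
    acme:
      email: admin@example.com  # placeholder
      storage: /ssl-certs/acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      httpChallenge:
        entryPoint: web
  production:                   # trusted certificates, strict rate limits
    acme:
      email: admin@example.com  # placeholder
      storage: /ssl-certs/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      httpChallenge:
        entryPoint: web
providers:
  docker:
    exposedByDefault: false     # only containers labelled traefik.enable=true are routed
---
# ---- docker-compose.yml : Traefik plus one exposed container ----
services:
  traefik:
    image: traefik:v2.11        # assumed tag
    ports:
      - "80:80"
      - "443:443"               # port 8080 (dashboard) is deliberately not published
    volumes:
      - /etc/traefik:/etc/traefik:ro
      - traefik-ssl-certs:/ssl-certs                   # certificates survive a redeploy
      - /var/run/docker.sock:/var/run/docker.sock:ro   # Docker provider, read-only mount
    networks: [proxy]
  nginx:
    image: nginx:stable         # assumed tag; no ports published, Traefik reaches it over "proxy"
    networks: [proxy]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.entrypoints=web,websecure"
      - "traefik.http.routers.nginx.rule=Host(`nginx.example.com`)"
      - "traefik.http.routers.nginx.tls=true"
      # Test with "staging" first. After switching to "production", the walkthrough
      # had to remove the stored acme.json and restart Traefik before the
      # certificate was re-issued.
      - "traefik.http.routers.nginx.tls.certresolver=staging"
volumes:
  traefik-ssl-certs:
networks:
  proxy:
```

The two YAML documents are separate files on disk; they share one block here only so the entry point and resolver names can be read next to the labels that reference them.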
Info
Channel: Christian Lempa
Views: 299,517
Keywords: traefik tutorial, traefik tutorial docker, traefik tutorial kubernetes, traefik, traefik 2 tutorial, traefik docker, traefik docker compose tutorial, traefik portainer, traefik reverse proxy, traefik tls, traefik v2 tutorial, backend engineering, reverse proxy
Id: wLrmmh1eI94
Length: 21min 56sec (1316 seconds)
Published: Tue Sep 28 2021