Hey everyone and welcome back to another video on Tech with Marco. Today's video is about a very cool tool which is called Traefik, and it's basically a reverse proxy and a load balancing service which I personally use very often in my personal projects. And this video is to guide you through how to set it up with different services behind the reverse proxy and what Traefik is capable of doing.

So let's come to the question, what is Traefik actually? As I already mentioned, Traefik is a reverse proxy and a load balancing tool, and it's capable of managing SSL certificates for you, so you don't have to manage with anything SSL related between Traefik and your service. And for those of you who don't know what a reverse proxy is, maybe you've heard of nginx, which is basically also a reverse proxy.

I've made a little mock-up here about what a reverse or how the reverse proxy Traefik works. And as you can see here, we have a request here which is coming through, for example, a subdomain, and then the Traefik instance is able to route the request through a so-called middleware. And a middleware in this case is, for example, let's say an authentication mechanism, or the middleware is adding extra headers to the request before the request is routed to the service itself.

And Traefik works basically with Docker, or let's say it's the easiest way with Docker. There are lots of other backends which you can use, for example Kubernetes, Marathon and Docker Swarm, and these backends, they're called providers. And in my example, which I'm showing later, I'm using Docker as a provider for Traefik. And because Traefik is able to use Docker as a backend, it's very easily deployable and scalable in modern cloud environments or also on classical servers.

The key benefits of Traefik are load balancing algorithms, which you can use and grab a lot of metrics and access logs from the reverse proxy.
And a very big benefit is the security gain you have through that reverse proxy, because no request is coming directly through to your service which you are deploying. Another big key benefit is the certificate management which I mentioned at the beginning. With Traefik, you get the certificate management automatically, so you don't have to deal with any manual exchange or requesting any SSL certificates for your services. And you can simply rely on the automation in Traefik, which is perfectly working with, for example, Let's Encrypt.

And what I really like about the Traefik project is that it's developed open source by Traefik Labs, so you can have a look in the source code how it works, and you can also file out issues or feature requests you would like to have. And a big thing which I think they introduced like last year: you can also add extra custom made plugins. For example, there are lots of security plugins from the community which are added into the marketplace, and I think that's a really good thing that projects are open source and people can contribute to it.

So to give you an understanding of the concept of Traefik, we need to clarify four words. The first one is the entry point, the second one is the router, the third one is middleware and the fourth is service.

So let's come back to the mock-up I made, and as you can see here, the thing I marked red, this is the so-called entry point, and basically that's the entry point which is going through the Traefik instance. And generally you want to have that on port 80 and port 443 for SSL, and that means that every request is entering to your system in the entry point of the Traefik instance. And as I said, basically HTTP and HTTPS.

Now we can continue to the router, and I marked the next point here red, and there you can see this is the route which the request is taking, and this one is managed also by the Traefik instance.
So that means any request for a specific subdomain or a specific path is routed from the Traefik instance to your so-called service which is behind the reverse proxy.

During the routing there is the so-called middleware, and in the middleware you can define any extra headers or any security authentication mechanism, for example the basic authentication, or you can also add a more complex setup with OpenID Connect mechanism, for example. But in my example later I'll show a basic example with the basic authentication.

And then at the last point we have the so-called services, and these services are the services which are answering the HTTP request, for example. Most of the time the services are Docker containers which are defined in a Docker Compose file.

So that introduction was about how Traefik works or what Traefik basically is, and now we're coming to how you could use it in your production environment. And yeah, therefore we are going into my VS Code.

And now we're starting with the Traefik service here in the Docker Compose file. So first of all, we say that we want to use the Traefik latest Docker image, which is available, and give the service container name Traefik.

And here's the interesting part about the Traefik configuration. So this configuration is done with commands. You could also move these commands into configuration YAML files, for example. I would say you should extract the configuration if it gets more complex, but for this easy setup I'm sticking here with the inline commands.

So the first command here is called API dashboard, and I'm setting that to true because later on with that dashboard you can, or that dashboard is visualizing how your setup looks like, and it's also very nice for debugging, so you can see maybe something's not working, then I can have a look at that dashboard.

The second command is about the providers. I already mentioned some, which could be Docker or Kubernetes. I'm using Docker here, so I'm saying provider docker equals true.
The next command is also about the Docker provider, and this one is called exposed by default. I'm setting that one to false, because otherwise, if you set it to true, that means every other container which is defined here in this Docker Compose file is exposed to the world by default, and most of the time we don't want this, because maybe you have some little helping containers for any other service, for example a database, and that service should only be visible to the internal containers and not the outside world.

The next commands are about the entry points I already mentioned in the beginning. So I'm setting here the entry point web to the address colon 80. That means basic HTTP port. And I'm also giving Traefik another entry point option, which I'm naming here websecure, and I'm setting that to the address colon 443. So that is the SSL port, HTTPS.

The next command is also an important one. It's about the certificate resolvers. I defined here a resolver which is called my resolver. You can name it any different here. And in this case here, I'm using the TLS challenge because I'm setting TLS challenge equals true. But for the DNS challenge, you need also a DNS provider here, for example, Cloudflare. And there you have to enter your API key. And for the ease of use, I'm using the TLS challenge here.

And the last command about the certificate resolver is about the storage, and this is basically the path where the issued certificates are stored for Traefik, and I'm saying here let's encrypt. And in my volume mapping here for Traefik, I am mapping a Let's Encrypt folder on my host machine to the slash Let's Encrypt path, which I entered here. So that means whenever I'm stopping the Traefik in Docker instance, and I'm starting it up again, that the Traefik instance is able to use the already issued certificates again, and don't have to request any new ones.
Another important detail about the volume mapping here is the Docker socket mapping, and this is therefore needed because the Traefik instance must be able to read any other Docker containers and to extract the labels of the Docker containers, which are very important for the Traefik configuration.

So to expose a Docker container via Traefik, we need the so-called labels. The first label I'm setting here is Traefik enabled true. This is because I've set the expose by default to false. So that means if I have set that to true, I don't have to enable it explicitly.

And to continue to the next label, I have here the HTTP router and I'm naming that one Traefik. So every other router has to be for Traefik. And I'm setting the rule that when the request is going to Traefik.marco minus my last name.de, the routing rule should be that this request is going to that Traefik instance here.

So the next router rule is the entry point, and I'm only enabling the web secure entry point, so that means every request which is going to the domain at port 80 is not coming through. So I'm only allowing HTTPS incoming traffic.

Another Traefik specific configuration here is the service. And because I enabled the dashboard here to have an overview about the running services and containers and so on, I have to enable the Traefik service to api@internal. This is just taken from the Traefik documentation. This is how it works. And for the TLS certificate solving, I'm saying that this container Traefik should use my resolver, which I defined in the configuration up here.
And I am also defining middleware for the Traefik container, and in the next line here we have the middleware Traefik minus auth, and I'm setting that one to basic authentication, and the user which is able to log in is, yeah, like that, that name and an encoded password.

And now we have the Traefik instance configured correctly, but we don't have any service behind Traefik service, so that means we have to define another Docker container here. And for the example here I'm using Plausible Analytics, which is a privacy friendly Google Analytics alternative. Yeah, I just took here this configuration from the Plausible documentation, I'll link that in the description below. But what's very interesting here is also the labels, and via these labels Traefik is able to discover this Docker container here. And basically now I have only three configurations here: I have a domain mentioned here under which the service should be available, I'm also only allowing the web secure entry point, and for the certificate management I'm using the my resolver.

And now I'm showing you how this one works. So I'm switching here to a server in the cloud, which I just started up, SSH-ing into it. And as you can see, docker ps, no containers running. And now to start the Docker instance up, I'm using docker compose up minus D for detached state. And now everything is created, and now we should be able to check these services in the web here. So I'm going to Traefik my domain.de, and now it's asking me for the basic authentication I defined.

And this is the Traefik dashboard here. We can see we have the two configured entry points. I mentioned the web on port 80 and the web secure on port 443. And we have two routing rules. So that one is relying on the host plausible.domain.de. And that one is routing to the service plausible Ubuntu, that is just a container name. So we have also different services here. These are some internal ones by Traefik, and we have these two services here.
Yeah, that means the provider here is Docker, and any request which is coming to plausible.mydomain is routed through to the internal Docker IP and the port which the service is running on here. Let's come to the middleware here. We can see we have the Traefik auth middleware, which is from the type basic auth, and yeah, so that's how Traefik works. Yeah, we still have the Plausible service, and I'm requesting the webpage here.

Yeah, to sum it up, I think Traefik is a very nice reverse proxy, which is easy to deploy and easy to configure, but gives you a great outcome. I hope you enjoyed the examples and I'll make sure to make these examples available on my GitHub. I would be happy if you check them out or if you give me a thumbs up and subscribe to this channel. Yeah, see you in the next video. Until then, bye.
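
The setup narrated in the video, written out as a Docker Compose file. This is an added example reconstructed from the narration, not the presenter's own file. The hostnames, the user name `admin`, the hash placeholder, the `acme.json` file name and the `traefik/whoami` container standing in for the Plausible service are assumptions.

```yaml
# Added example: reconstructed from the narration, not the video's actual file.
# Hostnames, user name, hash placeholder and the stand-in backend are assumptions.
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      # Containers are published only if they carry traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Persist issued certificates across container restarts.
      - "./letsencrypt:/letsencrypt"
      # Needed so Traefik can read container labels. Note that :ro does not
      # restrict the Docker API: access to this socket is equivalent to root
      # on the host.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      # Only the HTTPS entry point is attached; port 80 has no route to the dashboard.
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      # Generate the hash with htpasswd and double every "$" so Compose
      # does not treat it as variable interpolation.
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:REPLACE_WITH_HTPASSWD_HASH"

  app:  # stand-in for the Plausible service described in the video
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.example.com`)"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls.certresolver=myresolver"
```

Because the dashboard router is bound to `api@internal`, the basic-auth middleware is the only thing protecting it once the hostname resolves publicly, so the placeholder hash must be replaced before the stack is started.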