Traefik 2.2 Brings Entrypoint Redirects and Default Router Configuration

I’ve written an article before comparing Traefik 1.7 and Traefik 2.x. In that article, I criticised how many repetitive labels Traefik 2 requires. For instance, you must define entryPoints for both http and https, declare that you want to use TLS, and assign a certResolver for every single service under Traefik. After that you need a middleware to redirect the traffic from http to https, and if you are using a secure header middleware like I do, an extra label for this middleware must be added for each service as well.

I was testing how to use wildcard SSL with acme-dns recently and found that Traefik had a new release on 26 Mar 2020 which solves a lot of the issues I complained about. After some testing, I was amazed at how much improvement it had brought, hence this article to record what I tried.

  1. Official Blog
  2. An article by containeroo. 👍

Configuration example

Static Configuration

As the changes are mostly related to static configuration, I will start from here.

Here are the entryPoints I defined in my other tutorial for BitWarden.

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

This is the upgraded version of entryPoints in Traefik 2.2. As you can see, here are the new settings we can use:

  • Redirect http to https from entry point, no need for a middleware for redirect.
  • Use secureHeaders middleware by default for all services.
  • Enable TLS by default and use letsencrypt as default certResolver.[^1]

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
  https:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt

We can do more here in entryPoints. For example, if we want to request a wildcard certificate or a certificate with multiple FQDNs, we can define it here.

Full configuration below:

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
  https:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        # Must match a name defined under certificatesResolvers below
        certResolver: letsencrypt

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@yourdomain
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: http

  buypass:
    acme:
      email: admin@yourdomain
      storage: acme.json
      caServer: https://api.buypass.com/acme/directory
      keyType: EC256
      httpChallenge:
        entryPoint: http
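
Because the redirect, the default middleware and the default resolver are now plain name references in the static file, a mistyped name means no ACME certificate is requested or the default middleware is missing. The check below is an added example, not code from the original article or from Traefik; the function name is hypothetical, the dict stands for the parsed traefik.yml, and the sample values are constructed.

```python
# Added example: cross-reference checks for a Traefik 2.2 static configuration.
def check_static(cfg):
    """Return a list of findings; an empty list means every reference resolves."""
    findings = []
    entry_points = cfg.get("entryPoints") or {}
    resolvers = cfg.get("certificatesResolvers") or {}
    providers = cfg.get("providers") or {}
    for name, ep in entry_points.items():
        http = (ep or {}).get("http") or {}
        # Entrypoint redirect: the target must be a defined entrypoint
        # (Traefik also accepts a literal port such as ":443").
        target = ((http.get("redirections") or {}).get("entryPoint") or {}).get("to")
        if target and not target.startswith(":") and target not in entry_points:
            findings.append(f"{name}: redirect target '{target}' is not an entrypoint")
        # Default middlewares: 'x@file' needs the file provider to be configured.
        for mw in http.get("middlewares") or []:
            _, _, provider = mw.partition("@")
            if provider and provider != "internal" and provider not in providers:
                findings.append(f"{name}: middleware '{mw}' needs provider '{provider}'")
        # Default TLS: the resolver name must match a certificatesResolvers key.
        resolver = (http.get("tls") or {}).get("certResolver")
        if resolver and resolver not in resolvers:
            findings.append(f"{name}: certResolver '{resolver}' is not defined")

    # The ACME HTTP challenge must point at a defined entrypoint.
    for rname, res in resolvers.items():
        ch_ep = (((res or {}).get("acme") or {}).get("httpChallenge") or {}).get("entryPoint")
        if ch_ep and ch_ep not in entry_points:
            findings.append(f"resolver {rname}: challenge entrypoint '{ch_ep}' is not defined")
    return findings


# Constructed sample: same shape as the static file above, with a resolver typo.
SAMPLE = {
    "entryPoints": {
        "http": {"address": ":80",
                 "http": {"redirections": {"entryPoint": {"to": "https"}}}},
        "https": {"address": ":443",
                  "http": {"middlewares": ["secureHeaders@file"],
                           "tls": {"certResolver": "lets-encrypt"}}},
    },
    "providers": {"file": {"filename": "/configurations/dynamic.yml"}},
    "certificatesResolvers": {
        "letsencrypt": {"acme": {"httpChallenge": {"entryPoint": "http"}}}},
}

if __name__ == "__main__":
    print("\n".join(check_static(SAMPLE)))
```

Feed it the output of any YAML parser run on traefik.yml before restarting the container.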

docker compose

Let’s compare the labels we used.

Here are the labels you can find in my previous post:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.traefik.entrypoints=http"
  - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain`)"
  # Entry Point for https
  - "traefik.http.routers.traefik.middlewares=https-redirect@file"
  - "traefik.http.routers.traefik-secure.entrypoints=https"
  - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
  - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
  # ACME Certificate configuration
  - "traefik.http.routers.traefik-secure.tls=true"
  - "traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt"
  - "traefik.http.routers.traefik-secure.service=api@internal"

As we can see, this is reduced to 6 labels in version 2.2, because the redirect, TLS and secure headers are now defined in the static configuration.

labels:
  - "traefik.enable=true"
  - "traefik.docker.network=proxy"
  - "traefik.http.routers.traefik-secure.entrypoints=https"
  - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
  - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
  - "traefik.http.routers.traefik-secure.service=api@internal"

Full configuration below:

version: '3.3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # Add folder with dynamic configuration yml
      - ./data/configurations:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

As https-redirect is no longer needed, we can delete this middleware from the dynamic configuration. If you don’t want to touch this file, you can leave it as it is.

I am very happy to see Traefik improving over time, especially in simplifying its configuration. IMO technology should be designed to be as easy to use as possible to attract more users. A lot of recent technologies are really complicated for beginners to start with, for example the concept of JAMStack. That’s why a lot of users still choose WordPress as the number one platform for building websites. I look forward to more interesting improvements from Traefik in the future.

Thanks for reading, I hope this article can be of some help.

[^1]: We can override certResolver per service if needed.