How to set up Traefik 2.2 and Portainer on Ubuntu 18.04
This tutorial explains how to set up Traefik along with Portainer using Docker and Docker Compose on Ubuntu 18.04.
Use case
This setup is useful for many use cases, such as hosting applications, microservices and/or REST APIs. For this document, our use case is a single server (cloud, virtual or physical) hosting multiple applications such as JIRA, Confluence, Drupal, WordPress and Magento using Docker, with Traefik routing the traffic to the appropriate Docker containers and Portainer providing a control panel of sorts to manage Docker. For a low-cost physical or cloud server with great support, we recommend Hetzner, whom we have been using for more than 5 years. For much better resiliency, scaling and high availability, we could set up a Docker Swarm cluster and use Traefik and Portainer to manage it, but that is out of scope for this article.
A high level diagram of how all the components work as a solution is:
Traefik
Traefik is the leading open source reverse proxy and load balancer for HTTP and TCP-based applications that is easy, dynamic, automatic, fast, full-featured, production proven, provides metrics, and integrates with every major cluster technology.
Traefik provides the following benefits:
- Dynamic Routing: Once properly set up, Traefik will dynamically add new services and containers as they come up and route traffic to them. Suppose Traefik was earlier only routing traffic for jira.example.com to the JIRA container; if we now add a new container for Confluence with the new endpoint confluence.example.com, Traefik will automatically detect it and start routing traffic to it.
- Load balancer: If we have multiple instances of a container, Traefik can provide load balancing between those instances.
- Let's Encrypt: If properly configured, Traefik can not only route traffic to a newly discovered service, but also obtain free certificates from Let's Encrypt for the domain configured for that service and transparently manage their renewal. It can then redirect all http traffic to https for enhanced security of your application.
- Traefik Dashboard: New in version 2.0+ of Traefik is a very useful dashboard that helps visualize all the traffic endpoints, services, middlewares and Docker containers. A very simplistic dashboard was available in version 1.x, but the one in version 2.x+ is much better.
You can read many more details about other functionality on the Traefik website.
Portainer
Portainer is a powerful, open-source management toolset that allows you to easily build, manage and maintain Docker environments.
With Portainer you can manage your Docker instances, add new dockerised applications from the app store and visualise the various Docker services and stacks that are currently running.
Setup instructions
You might find some of the instructions given below quite basic, but we have included them for the sake of completeness. Please skip the steps that you don't need.
Setup secure Ubuntu server
You can follow the instructions in Secure Ubuntu 18.04 Server Setup to set up a secure base Ubuntu server.
Assumptions
It is assumed that you have changed the DNS entry of your example.com domain and pointed the following sub-domain names to the server:
docker.example.com
traefik.example.com
portainer.example.com
Install Docker
Full instructions to install Docker are given at https://docs.docker.com/engine/install/ubuntu/ but in a nutshell the commands are:
$ sudo apt-get update
# Add required packages
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
# Add Docker official GPG key
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
# Add Docker repository
$ sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable"
# Install Docker packages
$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io
# Test to ensure docker is working
$ sudo docker run hello-world
# Add current user to the Docker group
$ sudo groupadd docker
$ sudo usermod -aG docker $USER
$ sudo reboot
Install Docker Compose
Get latest version from https://github.com/docker/compose/releases
$ sudo curl -L "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# Give execute permissions
$ sudo chmod +x /usr/local/bin/docker-compose
# Test docker-compose
$ docker-compose --version
Create the required directories
You can set up your Docker directory structure whichever way you like. Our preferred directory structure is:
# Main directory under which all the docker related stuff will be stored
/home/ubuntu/docker
# core directory containing docker-compose for Traefik and Portainer
/home/ubuntu/docker/core
/home/ubuntu/docker/core/docker-compose.yml
# Traefik config files
/home/ubuntu/docker/core/traefik-data
# This file is used to store all the certs
/home/ubuntu/docker/core/traefik-data/acme.json
# Config file for Traefik
/home/ubuntu/docker/core/traefik-data/traefik.yml
# Portainer config files
/home/ubuntu/docker/core/portainer-data
# Contains docker-compose files for all dockerised applications
/home/ubuntu/docker/apps
If you want to use this directory structure, then use the commands below:
mkdir -p /home/ubuntu/docker/core/traefik-data
mkdir -p /home/ubuntu/docker/core/portainer-data
touch /home/ubuntu/docker/core/traefik-data/acme.json
chmod 600 /home/ubuntu/docker/core/traefik-data/acme.json
touch /home/ubuntu/docker/core/traefik-data/traefik.yml
Traefik config file
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: [email protected]
      storage: acme.json
      httpChallenge:
        entryPoint: http
Important: Make sure to replace [email protected] with your actual email address, where you want Let's Encrypt to send the certificate expiry notifications.
Generate secure password for logging into Traefik
We will use htpasswd to generate the password that will then be stored in the docker-compose.yml file. This username and password will be required when logging into the Traefik interface.
If htpasswd is not available on your system, then install it using
$ sudo apt install apache2-utils
Then run the following command to generate the secure password
echo $(htpasswd -nb <username> <password>) | sed -e s/\\$/\\$\\$/g
Replace username & password above with your actual username & password.
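A variant of the command above, as an added example that is not part of the original tutorial: it prompts for the password and passes it to htpasswd on stdin (-i) instead of on the command line, selects bcrypt (-B), and applies the same doubling of $ that Compose needs. The function names compose_escape and make_users_value are hypothetical.

```shell
# Added example; compose_escape and make_users_value are hypothetical names.
# Double every "$" so Compose does not treat "$apr1" or "$2y" as a variable.
compose_escape() { sed 's/\$/$$/g'; }

# make_users_value USER: prompt with echo off, hand the password to htpasswd
# on stdin (-i) so it never appears in argv or shell history, hash it with
# bcrypt (-B), and print USER:HASH ready to paste after "basicauth.users=".
make_users_value() {
    user=$1
    printf 'Password for %s: ' "$user" >&2
    trap 'stty echo' INT          # restore terminal echo if interrupted
    stty -echo
    IFS= read -r pw
    stty echo
    trap - INT
    printf '\n' >&2
    printf '%s\n' "$pw" | htpasswd -niB "$user" | head -n 1 | compose_escape
    unset pw
}

# Constructed hash (not a real credential) to show the escaping step alone.
printf '%s\n' 'admin:$2y$05$CONSTRUCTEDnotarealbcrypthash' | compose_escape
```

Run make_users_value with your username in an interactive shell and paste its output in place of username:password in docker-compose.yml.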
Create Proxy network
We need to create a new Docker network called traefik-proxy, which will be the only network that allows outside traffic. To create the Docker network use:
docker network create traefik-proxy
docker-compose.yml with both Traefik and Portainer
version: '3'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      - ./traefik-data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=username:password"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
  portainer:
    image: portainer/portainer:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./portainer-data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(`portainer.example.com`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.example.com`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=http"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.docker.network=traefik-proxy"
networks:
  traefik-proxy:
    external: true
Important: Make sure to change traefik.example.com, portainer.example.com and the username:password in the above files to the values that are relevant to you.
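A pre-flight lint for the files above, as an added example that is not part of the original tutorial: it flags the username:password placeholder, a basicauth hash whose $ signs are not doubled, a router that serves api@internal without a basicauth middleware, images on the latest tag, services that mount the Docker socket, and an acme.json whose mode is not the 600 set earlier. Function names and finding codes are hypothetical, and service names are detected by two-space indentation.

```shell
# Added example: pre-flight lint for this tutorial's docker-compose.yml.
# Function names and finding codes are hypothetical, chosen for this example.
audit_compose() {
    f=$1
    if grep -q 'basicauth\.users=username:password' "$f"; then
        echo "PLACEHOLDER_CREDS tutorial placeholder still in basicauth.users"
    fi
    # Strip every "$$"; any "$" left over would be interpolated by Compose.
    if grep 'basicauth\.users=' "$f" | sed 's/\$\$//g' | grep -q '\$'; then
        echo "UNESCAPED_DOLLAR double each \$ in the basicauth hash"
    fi
    # Each router serving api@internal must reference a basicauth middleware.
    for r in $(sed -n 's/.*routers\.\([^.]*\)\.service=api@internal.*/\1/p' "$f"); do
        ok=no
        mws=$(sed -n "s/.*routers\.$r\.middlewares=\([^\"]*\).*/\1/p" "$f" | tr ',' ' ')
        for m in $mws; do
            if grep -q "middlewares\.${m%@*}\.basicauth\." "$f"; then ok=yes; fi
        done
        [ "$ok" = yes ] || echo "DASHBOARD_NO_AUTH router $r"
    done
    for img in $(sed -n 's/^ *image: *//p' "$f"); do
        case $img in *:latest) echo "UNPINNED_IMAGE $img" ;; esac
    done
    # Informational: ":ro" on the mount does not restrict Docker API calls.
    awk '/^  [a-z0-9_-]+:$/ { svc = $1; sub(/:$/, "", svc) }
         /docker\.sock/     { print "DOCKER_SOCK " svc }' "$f"
}

# The tutorial sets acme.json to 600; Traefik rejects it if group/others have access.
check_acme() {
    mode=$(stat -c %a "$1")
    [ "$mode" = 600 ] || echo "ACME_MODE $1 is $mode, expected 600"
}

# Constructed sample: no auth middleware on the dashboard router, single "$" hash.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  traefik:
    image: traefik:v2.2
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$apr1$CONSTRUCTED$notarealhash"
      - "traefik.http.routers.traefik-secure.service=api@internal"
  portainer:
    image: portainer/portainer:latest
EOF
audit_compose "$sample"
```

Against the real files, run audit_compose on docker-compose.yml and check_acme on traefik-data/acme.json from /home/ubuntu/docker/core; the DOCKER_SOCK lines are a reminder of which containers can control Docker, not an error.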
Run docker-compose
Once everything is set up, you can start Traefik and Portainer using:
docker-compose up -d
and then you can visit https://traefik.example.com and https://portainer.example.com to use these applications.
Note:
- When running docker-compose for the first time, you might want to use docker-compose up so that you can see the logs and the progress of the process. Use CTRL+C to exit and then run docker-compose with -d as shown above for normal work.
- You can also check the logs using docker-compose logs. This command will only work when you are in the directory that contains docker-compose.yml.
- To check the status of the containers, use docker-compose ps