Migrating traefik to v2
Usage
I like to host my app with Docker and Traefik is one of the reasons for that. Out of the box, it gives me:
- Let's Encrypt certificates
- Virtual Server (routing based on Host name)
- Redirect http to https
- Basic authentication
With Traefik there is no need to change a centralized config on the proxy; the route is set on the service.
Starting with migration
There are 3 steps of migration:
- Migrate traefik config
- Migrate labels on Traefik service
- Migrate other services
Traefik Config
If your previous config was in TOML, I recommend converting it to YAML; it is a more modern and more popular format. The config should have web entry points on ports 80 and 443, the Docker provider, and a Let's Encrypt certificate resolver. Here is my example of the config:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: webs
          scheme: https
  webs:
    address: ":443"
    http:
      tls:
        certResolver: letstls
providers:
  docker:
    exposedByDefault: false
    network: $network
    swarmMode: $swarmMode
    ##endpoint: "unix:///var/run/docker.sock"
certificatesResolvers:
  letstls:
    acme:
      email: $email
      storage: acme.json
      tlsChallenge: {}
```
There are 3 parameters:
- $network - the name of the docker network which is
- $swarmMode - bool, swarm or not
- $email - email for Let's Encrypt
Traefik service params
In Traefik 2.0 there is no way to set the redirection from 80 to 443 at a global level, but there is a hack that does it with a regex. Check that lines 5 to 8 have been added to the config. Add the following labels to the Traefik service:
```yaml
labels:
  traefik.enable: true
  traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
  traefik.http.routers.http-catchall.entrypoints: web
  traefik.http.routers.http-catchall.middlewares: redirect-to-https@docker
  traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
```
Migrating the services
NOTE! For Docker Swarm, use deploy labels.
Migrating a service takes only very simple changes to its labels. The main idea is to give each Traefik "router" a unique name. Don't forget '- traefik.enable=true'.
Before:
```yaml
labels:
  traefik.port: 8000
  traefik.frontend.rule: whois.example.com
```
After:
```yaml
labels:
  traefik.enable: true
  traefik.http.routers.whoami.rule: Host(`whoami.example.world`)
  traefik.http.services.whoami.loadbalancer.server.port: 8000
```
whoami is the name of the router and the service; it has to be changed for each specific service. A conversion like this is the only thing needed. After all the changes, just deploy the compose file.
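The label conversion described above can be scripted. The following Python sketch is an added example, not code from the original post or its gist: it maps the post's two v1 labels to their v2 form, enforces unique router names, and refuses to convert a service that carries any other `traefik.*` label, so that a setting such as basic authentication is not silently dropped during migration. The function names, the handling of a `Host:` prefix, and the sample labels are assumptions made for illustration.

```python
import re

# v1 labels this sketch can translate: the two from the post plus traefik.enable.
HANDLED = {"traefik.enable", "traefik.port", "traefik.frontend.rule"}
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def host_rule(v1_rule):
    """Convert 'Host:a.tld,b.tld' (or the bare host used in the post) to v2 syntax."""
    rule = v1_rule.strip()
    if rule.startswith("Host:"):
        rule = rule[len("Host:"):]
    hosts = [h.strip() for h in rule.split(",")]
    if not all(HOST_RE.match(h) for h in hosts):
        # Also rejects backticks and parentheses that would alter the v2 rule.
        raise ValueError("not a plain host list: %r" % v1_rule)
    return "Host(" + ", ".join("`%s`" % h for h in hosts) + ")"


def migrate_labels(name, v1_labels, used_names):
    """Return the v2 labels for one service; `name` names its router and service."""
    if name in used_names:
        raise ValueError("router name %r is already taken" % name)
    unknown = sorted(k for k in v1_labels
                     if k.startswith("traefik.") and k not in HANDLED)
    if unknown:
        # Refuse instead of dropping: a lost auth label would publish the service open.
        raise ValueError("no mapping for: " + ", ".join(unknown))
    enabled = str(v1_labels.get("traefik.enable", "true")).lower() != "false"
    if enabled and "traefik.frontend.rule" not in v1_labels:
        raise ValueError("%s: no traefik.frontend.rule to convert" % name)
    v2 = {k: v for k, v in v1_labels.items() if not k.startswith("traefik.")}
    # An explicit "true" is required because exposedByDefault is false in the config.
    v2["traefik.enable"] = "true" if enabled else "false"
    if enabled:
        v2["traefik.http.routers.%s.rule" % name] = host_rule(
            str(v1_labels["traefik.frontend.rule"]))
        if "traefik.port" in v1_labels:
            port = str(v1_labels["traefik.port"])
            v2["traefik.http.services.%s.loadbalancer.server.port" % name] = port
    used_names.add(name)
    return v2


if __name__ == "__main__":
    # Constructed input: the "Before" labels from the post.
    before = {"traefik.port": 8000, "traefik.frontend.rule": "whois.example.com"}
    for key, value in migrate_labels("whoami", before, set()).items():
        print("%s: %s" % (key, value))
```

Labels the script rejects have to be migrated by hand before the service is deployed behind Traefik 2.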
Final compose file
Here is a simple example of the result after migration:
```yaml
version: '2'
services:
  traefik:
    image: traefik:v2.2.0
    restart: unless-stopped
    networks:
      - traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./acme.json:/acme.json
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - /etc/localtime:/etc/localtime:ro
    labels:
      traefik.enable: true
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https@docker
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
  whoami:
    image: jwilder/whoami
    restart: unless-stopped
    networks:
      - traefik
    labels:
      traefik.enable: true
      traefik.http.routers.whoami.rule: Host(`whoami.example.world`)
      traefik.http.services.whoami.loadbalancer.server.port: 8000
```
The full gist for this post is here: https://gist.github.com/xbIm/6c8b1e46ff50f98a9c8e2ef307457c90