Traefik: The Ultimate Reverse Proxy Solution for Docker (Auto SSL, 5-Minute Setup)

Docker tutorial - IT technology blog

The Nightmare of “Port Conflicts”

Have you ever been in a situation where you need to deploy 3-4 websites on the same VPS? Website A claims port 80, and Website B isn’t far behind, wanting the same. Ultimately, you’re forced to run Website B on port 8081. Users have to type a clunky port number at the end, which looks both unprofessional and insecure.

When I first worked on a project for a clothing shop, I struggled with manual Nginx configurations. Every time I added a new landing page, I had to SSH into the server, edit the nginx.conf file, and then reload. Once, I missed a single semicolon (;), and Nginx crashed. The whole system was down for 15 minutes right when the client was running ads for thousands of orders. After that shock, I vowed to find an automated solution. That’s when Traefik came to the rescue.

On the Scale: Why Traefik Beats Nginx

Before we start typing commands, let’s see why Traefik is becoming the new standard for DevOps professionals:

  • Traditional Nginx: Excellent performance but very manual. You have to write config files for every domain and manually set up Certbot to renew SSL every 90 days.
  • Nginx Proxy Manager (NPM): Has a user-friendly Web UI. However, if you want to manage 20-30 containers using code (Infrastructure as Code), the UI becomes a major hurdle.
  • Traefik Proxy: This is purpose-built for Docker. It doesn’t force you to write endless configuration files. Instead, Traefik actively listens to the Docker Socket to detect when a new container “pops up.”

The Brilliant “Configuration Discovery” Philosophy

Traefik’s biggest selling point is its service discovery capability. Instead of you declaring services to the proxy, Traefik proactively asks Docker: “Is there anything new?”.

At this point, the container just needs a label like: “I am app.com”. Traefik will automatically create the traffic pipeline and request an SSL certificate from Let’s Encrypt. Everything happens automatically in less than 10 seconds.

Real-world Traefik Deployment

You need a clean VPS with Docker installed and a domain with an A record pointing to the server’s IP.

Step 1: Create a connection network

We create a virtual network so Traefik can “talk” to other containers in an isolated environment.

docker network create web_proxy

Step 2: Configure the Compose file

Create a traefik directory and a docker-compose.yml file. This is the heart of the system:

version: '3.8'
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=admin@yourdomain.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
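    networks:
      - web_proxy
# web_proxy was created in Step 1 with docker network create, so it must be
# declared as external; without this block Compose rejects the undefined network.
networks:
  web_proxy:
    external: true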

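Note the line --providers.docker.exposedbydefault=false. It protects your server: Traefik only routes traffic to containers that explicitly opt in with the label traefik.enable=true. Note also that the :ro flag on the /var/run/docker.sock mount only prevents the container from replacing the socket file; it does not limit the Docker API calls that Traefik, or anyone who compromises it, can make through the socket.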

Step 3: Deploy the app and enjoy the results

Try running a simple web application. You don’t need to touch Traefik’s configuration anymore. Attach the app’s service to the web_proxy network so Traefik can reach it, and add a few labels to the service in the app’s docker-compose.yml:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.myapp.rule=Host(`blog.yourdomain.com`)"
  - "traefik.http.routers.myapp.entrypoints=websecure"
  - "traefik.http.routers.myapp.tls.certresolver=myresolver"

Right after docker compose up -d finishes, Traefik automatically requests the SSL certificate. When you visit the domain, you’ll see the green padlock icon immediately.

“Hard-Earned” Lessons to Avoid Trouble

Here are the common mistakes I’ve spent entire nights debugging:

  1. acme.json file permissions: Traefik is very strict about security. The file storing SSL certificates must have 600 permissions. If you leave it at 777, Traefik will log the error “permissions are too open” and refuse to run.
  2. Let’s Encrypt rate limits: Don’t restart containers too many times while your configuration is incorrect. Let’s Encrypt might block your IP for several hours if you repeatedly send failed SSL requests.
  3. Dashboard: If you enable the Dashboard (port 8080), remember to use Basic Auth. Don’t let hackers see your system map for free.
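
Lessons 1 and 3, together with the exposedbydefault setting from Step 2, can be checked before every deployment. The script below is an added example, not part of the original post: it takes the paths of a Compose file and of acme.json and reports a wrong file mode, a missing exposedbydefault=false, and a dashboard reachable without a login. The function names are hypothetical, and --api.insecure=true, api@internal and the basicauth.users label are Traefik options that the post itself does not show.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the setup in this post.
# Usage: ./preflight.sh <docker-compose.yml> <acme.json>
# Prints one FAIL line per finding; exit status is 1 if there is any.

file_mode() {  # permission bits in octal (GNU stat, then BSD stat)
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

has_setting() {  # case-insensitive, ignores commented-out lines
  grep -v '^[[:space:]]*#' "$1" | grep -qiF -- "$2"
}

traefik_preflight() {  # hypothetical helper name
  local compose="$1" acme="$2" rc=0 mode

  # Lesson 1: the certificate store must be owner-only (600).
  # If the file does not exist yet there is nothing to check.
  if [ -f "$acme" ]; then
    mode=$(file_mode "$acme")
    if [ "$mode" != "600" ]; then
      echo "FAIL: $acme has mode $mode; run: chmod 600 $acme"; rc=1
    fi
  fi

  # Step 2: containers must opt in with traefik.enable=true.
  if ! has_setting "$compose" "--providers.docker.exposedbydefault=false"; then
    echo "FAIL: exposedbydefault=false is not set"; rc=1
  fi

  # Lesson 3: --api.insecure=true serves the dashboard on :8080 with no login.
  if has_setting "$compose" "--api.insecure=true"; then
    echo "FAIL: --api.insecure=true exposes the dashboard without a login"; rc=1
  fi

  # Lesson 3 (heuristic): a dashboard router needs a Basic Auth middleware.
  if has_setting "$compose" "api@internal" &&
     ! has_setting "$compose" ".basicauth.users="; then
    echo "FAIL: dashboard router (api@internal) has no basicauth middleware"; rc=1
  fi

  return "$rc"
}

if [ "$#" -eq 2 ]; then traefik_preflight "$@"; fi
```

Run it from the traefik directory before docker compose up -d; a non-zero exit status makes it usable as a gate in a deploy script.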

Conclusion

Switching from Nginx to Traefik is like upgrading from a manual motorcycle to an automatic scooter. It might feel a bit strange at first with the label-based configuration, but once you get used to it, you’ll find it incredibly effortless. It helps you focus on product development instead of fixing proxy errors every night.

If you’re running microservices, give Traefik a try now. Wishing you all smooth-running systems!
