Reverse proxy
A reverse proxy can be used to forward requests to the appropriate backend service, as shown in this diagram:

[Diagram: reverse proxy]

The same could’ve been achieved by using two different ports, but we want the services to be easily accessible without specifying a port.
Traefik is an easy-to-use reverse proxy with a Docker image that also supports ARM devices (e.g. Raspberry Pi).
- Create a network:

  ```bash
  docker network create server
  ```
- Create an empty `acme.json` file and set permissions:

  ```bash
  touch acme.json
  chmod 600 acme.json
  ```
- Create configuration file `traefik.toml`:

  ```toml
  [entryPoints]
    [entryPoints.web]
      address = ":80"
      # Redirect all plain HTTP requests to HTTPS
      [entryPoints.web.http.redirections.entryPoint]
        to = "websecure"
        scheme = "https"
    [entryPoints.websecure]
      address = ":443"
      [entryPoints.websecure.http.tls]
        certResolver = "lets-encrypt"

  [api]
    dashboard = true

  [certificatesResolvers.lets-encrypt.acme]
    email = "your@email.com"
    storage = "acme.json"
    [certificatesResolvers.lets-encrypt.acme.tlsChallenge]

  [providers.docker]
    watch = true
    # Must match the Docker network created above
    network = "server"
    # Only containers that opt in via labels are exposed
    exposedByDefault = false

  [providers.file]
    filename = "traefik_dynamic.toml"
  ```
- Create configuration file `traefik_dynamic.toml` (replace the redacted htpasswd entry with your own):

  ```toml
  [http.middlewares.simpleAuth.basicAuth]
    users = [
      "admin:<redacted>"
    ]

  [http.routers.api]
    rule = "Host(`eschle.ddnss.eu`)"
    entrypoints = ["web","websecure"]
    middlewares = ["simpleAuth"]
    service = "api@internal"
    [http.routers.api.tls]
      certResolver = "lets-encrypt"
  ```
- Create `docker-compose.yml` file:

  ```yaml
  version: '3.9'
  services:
    traefik:
      image: 'traefik:2.5'
      container_name: 'traefik'
      restart: 'always'
      ports:
        - '80:80'
        - '443:443'
      volumes:
        - '/var/run/docker.sock:/var/run/docker.sock:ro'
        - './traefik.toml:/traefik.toml'
        - './traefik_dynamic.toml:/traefik_dynamic.toml'
        - './acme.json:/acme.json'
      networks:
        - server
  networks:
    server:
      external: true
  ```
Each webservice that wants to use the reverse proxy must use the same network (here “server”) and set these labels:
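As an added example (not taken from the original page), a backend service definition that fits the configuration above could look like this. The service name `whoami` and the hostname `whoami.example.com` are placeholders; `traefik/whoami` is Traefik's public test image, which listens on port 80.

```yaml
version: '3.9'
services:
  whoami:                       # placeholder service name
    image: 'traefik/whoami'
    container_name: 'whoami'
    restart: 'always'
    # No "ports:" section: the service is reachable only through Traefik,
    # never directly on a host port.
    networks:
      - server
    labels:
      # Required because traefik.toml sets exposedByDefault = false
      - 'traefik.enable=true'
      # Tell Traefik which network to use to reach this container
      - 'traefik.docker.network=server'
      # Route requests for this hostname (placeholder) to the service
      - 'traefik.http.routers.whoami.rule=Host(`whoami.example.com`)'
      # Serve only on the HTTPS entry point; port 80 is redirected there
      - 'traefik.http.routers.whoami.entrypoints=websecure'
      # Certificate resolver defined in traefik.toml
      - 'traefik.http.routers.whoami.tls.certresolver=lets-encrypt'
      # Port the container listens on internally
      - 'traefik.http.services.whoami.loadbalancer.server.port=80'
networks:
  server:
    external: true
```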