Traefik Overview¶
What Is Traefik?¶
Traefik is a modern reverse proxy and load balancer designed for containerized environments. It automatically discovers services and configures itself using Docker container labels, eliminating the need for manual configuration files.
Core Concept¶
Traefik sits between your users and your applications, routing traffic based on rules you define via Docker labels.
Why We Use Traefik¶
1. Automatic Service Discovery¶
Instead of manually editing nginx config files, Traefik reads Docker labels:
Benefit: Add new services without restarting Traefik.
2. Dynamic Configuration¶
Changes take effect immediately when containers start/stop. No configuration files to edit, no reloads needed.
3. Docker-Native Design¶
Built specifically for Docker. Uses the Docker socket to discover services automatically.
4. Path-Based Routing¶
Route multiple services on the same domain:
All on 50.3.85.110 with Traefik handling the routing.
5. Built-in Dashboard¶
Visual interface to monitor: - Active routes and services - Middleware configuration - Health status - Traffic metrics
Access at: http://50.3.85.110:8080/dashboard/
6. HTTPS & Let's Encrypt Integration¶
Traefik can automatically: - Request Let's Encrypt certificates - Handle certificate renewal - Redirect HTTP to HTTPS
7. Load Balancing¶
Distribute traffic across multiple container instances automatically.
How Traefik Works¶
Step 1: Container Starts¶
Docker container is created with Traefik labels:
services:
my-app:
image: my-app:latest
labels:
- traefik.enable=true
- traefik.http.routers.my-app.rule=Host(`app.egygeeks.com`)
- traefik.http.services.my-app.loadbalancer.server.port=3000
Step 2: Traefik Detects Service¶
Traefik watches the Docker socket and sees the new container with traefik.enable=true.
Step 3: Route Configuration¶
Traefik reads the labels and creates routes:
| Label | Meaning |
|---|---|
traefik.http.routers.my-app.rule | When does this route match? (e.g., Host(app.egygeeks.com)) |
traefik.http.routers.my-app.entrypoints | Which ports? (e.g., websecure for HTTPS) |
traefik.http.services.my-app.loadbalancer.server.port | Which port on the container? |
Step 4: Traffic Routing¶
When a request arrives:
1. User visits app.egygeeks.com
2. Traefik receives request on port 80/443
3. Matches against router rules
4. Finds matching route (Host(`app.egygeeks.com`))
5. Forwards to container port 3000
6. Returns response to user
Step 5: Health Checks¶
Traefik monitors container health via Docker health checks:
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s \
CMD wget --quiet --tries=1 --spider http://127.0.0.1:8000/ || exit 1
Important: Traefik only routes to healthy containers.
Architecture Diagram¶
graph LR
Internet["🌍 Internet"]
Traefik["🔀 Traefik<br/>Port 80/443"]
DocRouter["📚 Route 1<br/>app.egygeeks.com"]
AppRouter["🚀 Route 2<br/>api.egygeeks.com"]
PathRouter["📱 Route 3<br/>Path: /app"]
App1["🐳 App 1<br/>Port 3000"]
App2["🐳 App 2<br/>Port 8000"]
App3["🐳 App 3<br/>Port 5000"]
Internet -->|HTTP/HTTPS| Traefik
Traefik -->|Host-based| DocRouter
Traefik -->|Host-based| AppRouter
Traefik -->|Path-based| PathRouter
DocRouter --> App1
AppRouter --> App2
PathRouter --> App3Key Components¶
Entrypoints¶
Entry points are the network interfaces Traefik listens on:
- web - HTTP traffic (port 80)
- websecure - HTTPS traffic (port 443)
Routers¶
Routers define rules that match incoming requests:
Available rule types: - Host() - Match domain names - PathPrefix() - Match URL paths - Method() - Match HTTP methods (GET, POST, etc.) - Combinations: Host() && PathPrefix()
Services¶
Services define where to forward matched traffic:
Specifies the container port to forward to.
Middlewares¶
Middlewares modify requests/responses before they reach your app:
- StripPrefix - Remove path prefix before forwarding
- BasicAuth - Require username/password
- Compress - Gzip compression
- RateLimit - Limit requests per time period
Middleware Example¶
labels:
# Strip /api prefix before forwarding to container
- traefik.http.middlewares.api-strip.stripprefix.prefixes=/api
- traefik.http.routers.api.rule=PathPrefix(`/api`)
- traefik.http.routers.api.middlewares=api-strip
Result: Request to /api/users becomes /users before reaching the container.
Comparison: Traefik vs nginx¶
| Feature | Traefik | nginx |
|---|---|---|
| Configuration | Docker labels | Config files |
| Service discovery | Automatic | Manual |
| Reload needed | Never | Yes (nginx reload) |
| Learning curve | Easier | Steeper |
| Docker-native | Yes | No |
| HTTPS/Let's Encrypt | Built-in | Manual/add-ons |
| Dashboard | Yes | No |
Common Use Cases¶
Single Application¶
One application on one domain:
Multiple Applications (Host-Based)¶
Different applications on different domains:
# App 1
- traefik.http.routers.app1.rule=Host(`app1.egygeeks.com`)
# App 2
- traefik.http.routers.app2.rule=Host(`app2.egygeeks.com`)
Multiple Services (Path-Based)¶
Multiple services under one domain:
# Documentation at /developers
- traefik.http.routers.docs.rule=PathPrefix(`/developers`)
- traefik.http.middlewares.docs-strip.stripprefix.prefixes=/developers
# API at /api
- traefik.http.routers.api.rule=PathPrefix(`/api`)
- traefik.http.middlewares.api-strip.stripprefix.prefixes=/api
# Web app at /app
- traefik.http.routers.app.rule=PathPrefix(`/app`)
- traefik.http.middlewares.app-strip.stripprefix.prefixes=/app
Load Balancing¶
Multiple container instances automatically balanced:
services:
app-1:
# ... app configuration
labels:
- traefik.enable=true
- traefik.http.routers.app.rule=Host(`app.egygeeks.com`)
- traefik.http.services.app.loadbalancer.server.port=3000
app-2:
# ... identical configuration
labels:
- traefik.enable=true
- traefik.http.routers.app.rule=Host(`app.egygeeks.com`)
- traefik.http.services.app.loadbalancer.server.port=3000
Both instances serve the same route with traffic balanced between them.
Network Requirements¶
Container Network¶
Traefik must be on the same Docker network as your containers:
services:
traefik:
networks:
- traefik_public
app:
networks:
- traefik_public
networks:
traefik_public:
external: true
Docker Socket Access¶
Traefik needs access to the Docker socket:
This allows Traefik to read container information (read-only for security).
Labels Deep Dive¶
All Traefik configuration uses Docker labels. Label format:
Example Breakdown¶
| Part | Meaning |
|---|---|
traefik | Traefik configuration prefix |
http | HTTP protocol (not TCP) |
routers | This is a router definition |
my-app | Router name (must be unique) |
rule | The property being set |
Host(app.egygeeks.com) | The value |
Label Naming Rules¶
- Must start with
traefik. - Names are case-sensitive
- Use dots to separate hierarchy
- No spaces in label names
Security Considerations¶
Never Expose Databases¶
Use separate networks:
services:
app:
networks:
- traefik_public # Internet-facing
- internal # Database access
database:
networks:
- internal # NOT on traefik_public
Health Check with Localhost¶
Always use 127.0.0.1 in health checks:
# ✅ Correct - works in Alpine
CMD wget http://127.0.0.1:8000/
# ❌ Avoid - DNS resolution may fail
CMD wget http://localhost:8000/
Traefik Dashboard Authentication¶
In production, disable insecure dashboard:
Never Commit Secrets¶
Store passwords and API keys in .env files on the server, never in git.
Next Steps¶
- Labels Reference - Complete label documentation: labels.md
- Troubleshooting - Solve common Traefik issues: troubleshooting.md
- Deploy Guide - Get started with a template: Templates
For how-to guides and step-by-step tutorials, see the Journey guides.