# GB Traefik Setup

This repository contains the configuration files and setup instructions for deploying [Traefik](https://traefik.io/), a modern reverse proxy and load balancer.

The configuration files are customized for Gbanyan's personal usage.

## Prerequisites

- Docker installed on your system
- Docker Compose (if using `docker-compose.yml`)

## Getting Started

1. Clone this repository:

```bash
git clone https://gitea.gbanyan.net/gbanyan/GB-Traefik.git
cd GB-Traefik
```

2. Update the `traefik.yml` and `docker-compose.yml` files as needed for your environment.

3. Start Traefik:

```bash
docker compose up -d
```

4. Access the Traefik dashboard (if enabled) at `http://<your-domain-or-ip>:8080`.

## Configuration

- **.env**: Cloudflare e-mail and API token for the SSL DNS challenge
- **Traefik Configuration**: Modify `traefik.yml` and `dynamic.yml` to customize Traefik's behavior.
- **Docker Compose**: Use `docker-compose.yml` to define services and networks.

## Details

My Traefik is split into an internal and an external entrypoint.

The internal entrypoint is for private services that should stay secure and not be exposed.

Each entrypoint is bound to a different IP address for isolation.

Other Docker services are then attached to the appropriate entrypoint, guided by a label in their docker-compose file:

```yaml
labels:
  - "traefik.http.routers.service-name.entrypoints=websecure"
```

Besides the entrypoint setup, I add a Cloudflare proxy middleware (so the real client IP reaches access.log for CrowdSec to read), the crowdsec-firewall-bouncer, and a brotli compression middleware in traefik.yml and dynamic.yml.

Adding middlewares is also guided by labels:

```yaml
labels:
  - "traefik.http.routers.service-name.middlewares=cloudflarewarp@file,crowdsec@file,compress-middleware@file"
```

The order of middlewares is meaningful: Traefik applies them in the order listed, so cloudflarewarp restores the real client IP before crowdsec evaluates it.

Traefik can obtain and renew SSL certificates automatically. Just provide the required DNS API credentials (for example, Cloudflare).

Please refer to the Traefik documentation.

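To illustrate the entrypoint split and the DNS-challenge resolver described above, here is an added example of a static `traefik.yml`; it is not this repository's own file. The addresses (203.0.113.10 public, 10.0.0.5 LAN-only), the entrypoint name `internal`, the e-mail, the trusted proxy range and the file paths are placeholders.

```yaml
# Illustrative static configuration (example, not the repository's traefik.yml).
# Placeholders: 203.0.113.10 (public address), 10.0.0.5 (LAN-only address),
# 198.51.100.0/24 (proxy range), admin@example.com, and the file paths.
entryPoints:
  web:
    address: "203.0.113.10:80"
    http:
      redirections:                # plain HTTP only redirects to HTTPS
        entryPoint:
          to: websecure
          scheme: https
  websecure:                       # external entrypoint, reached through Cloudflare
    address: "203.0.113.10:443"
    forwardedHeaders:
      trustedIPs:                  # honour X-Forwarded-For only from the proxy's ranges
        - "198.51.100.0/24"        # placeholder: use the proxy's published ranges
    http:
      tls:
        certResolver: letsencrypt
  internal:                        # internal entrypoint, bound to a LAN-only address
    address: "10.0.0.5:443"
    http:
      tls:
        certResolver: letsencrypt

certificatesResolvers:
  letsencrypt:
    acme:
      email: "admin@example.com"
      storage: "/letsencrypt/acme.json"   # persist this file; it holds private keys
      dnsChallenge:
        provider: cloudflare       # reads CF_API_EMAIL / CF_DNS_API_TOKEN from .env
        resolvers:
          - "1.1.1.1:53"

providers:
  docker:
    exposedByDefault: false        # route only containers labelled traefik.enable=true
    network: traefik_default
  file:
    filename: /etc/traefik/dynamic.yml   # cloudflarewarp, crowdsec, compress-middleware
    watch: true

accessLog:
  filePath: "/var/log/traefik/access.log"   # mounted for CrowdSec to read

api:
  dashboard: true
  insecure: false                  # keep off; publish the dashboard via the internal entrypoint
```

Services bound to `internal` are only reachable from the LAN address, while `websecure` is the only entrypoint that should sit behind the public IP.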
The following is an example of a Docker service I host, taken from its docker-compose.yaml:

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.ghost.entrypoints=websecure"
  - "traefik.http.routers.ghost.rule=Host(`blog.gbanyan.net`)"
  - "traefik.http.services.ghost.loadbalancer.server.port=2368"
  - "traefik.http.routers.ghost.tls.certresolver=letsencrypt"
  - "traefik.http.routers.ghost.middlewares=cloudflarewarp@file,crowdsec@file,compress-middleware@file"
  - "com.centurylinklabs.watchtower.enable=true"
  - "traefik.docker.network=traefik_default"
```

I mount access.log so the CrowdSec firewall can read it.

PS: Because I access my Traefik dashboard only through my local network, I commented out the authentication method for the dashboard.

## Discussion and Changelog

1. Traefik vs Nginx

- Performance: Nginx is still better at high traffic; after all, it is written in C. Traefik 3 claims 20% higher performance than before, but its latency still measured a little higher than Nginx.
- Docker deployment ease: Traefik is easier for Docker service deployment. In my environment, I can assign labels to each Docker stack, and they guide Traefik to add Let's Encrypt SSL.

2. ChangeLog:

- 2025.4.18 Add Souin HTTP Cache Middleware.