alpine-traefik icon indicating copy to clipboard operation
alpine-traefik copied to clipboard

Published 20 hours ago verified publisher icon rawmind0

Metadata

This image is the traefik base. It comes from rawmind/alpine-monit.

alpine-traefik

This image is the Traefik base. It comes from alpine-monit.

Build

docker build -t rawmind/alpine-traefik:<version> .

Versions

Configuration

This image runs Traefik with monit. It is started with traefik user/group with 10001 uid/gid.

Besides, you can customize the configuration in several ways:

Default Configuration

Traefik is installed with the default configuration and some parameters can be overrided with env variables:
TRAEFIK_HTTP_PORT=8080 http port > 1024 due to run as non privileged user
TRAEFIK_HTTP_COMPRESSION="true" Enable http compression
TRAEFIK_HTTPS_ENABLE="false" "true" enables https and http endpoints. "Only" enables https endpoints and redirect http to https.
TRAEFIK_HTTPS_PORT=8443 https port > 1024 due to run as non privileged user
TRAEFIK_HTTPS_MIN_TLS="VersionTLS12" Minimal allowed tls version to accept connections from
TRAEFIK_HTTPS_COMPRESSION="true" Enable https compression
TRAEFIK_TRUSTEDIPS="" Enable proxyProtocol and forwardHeaders for these IPs (eg: "172.0.0.0/16,192.168.0.1")
TRAEFIK_ADMIN_ENABLE="false" "true" enables api, rest, ping and webui
TRAEFIK_ADMIN_PORT=8000 admin port > 1024 due to run as non privileged user
TRAEFIK_ADMIN_SSL=false "true" enables https on api, rest, ping and webui using TRAEFIK_SSL_CRT certificate
TRAEFIK_ADMIN_STATISTICS=10 Enable more detailed statistics
TRAEFIK_ADMIN_AUTH_METHOD="basic" Auth method to use on api, rest, ping and webui. basic
TRAEFIK_ADMIN_AUTH_USERS="" Basic or digest users created with htpasswd or htdigest.
TRAEFIK_CONSTRAINTS="" Traefik constraint param. EG: \\"tag==api\\"
TRAEFIK_LOG_LEVEL="INFO" Log level
TRAEFIK_DEBUG="false" Enable/disable debug mode
TRAEFIK_INSECURE_SKIP="false" Enable/disable InsecureSkipVerify parameter
TRAEFIK_LOG_FILE="/opt/traefik/log/traefik.log"} Log file. Redirected to docker stdout.
TRAEFIK_ACCESS_FILE="/opt/traefik/log/access.log"} Access file. Redirected to docker stdout.
TRAEFIK_SSL_PATH="/opt/traefik/certs" Path to search .key and .crt files
TRAEFIK_SSL_KEY=<DEMO KEY> ssl key
TRAEFIK_SSL_KEY_FILE=${TRAEFIK_SSL_PATH}"/"${SERVICE_NAME}".key" Default key file.
TRAEFIK_SSL_CRT=<DEMO CRT> ssl cert
TRAEFIK_SSL_CRT_FILE=${TRAEFIK_SSL_PATH}"/"${SERVICE_NAME}".crt"} Default crt file.
TRAEFIK_ACME_ENABLE="false" Enable/disable traefik ACME feature. acme
TRAEFIK_ACME_CHALLENGE="" Set http|dns to activate traefik acme challenge mode.
TRAEFIK_ACME_CHALLENGE_HTTP_ENTRYPOINT="http" Set traefik acme http challenge entrypoint. acme http challenge
TRAEFIK_ACME_CHALLENGE_DNS_PROVIDER="" Set traefik acme dns challenge provider. You need to manually add configuration env variables accordingly the dns provider you use. acme dns provider
TRAEFIK_ACME_CHALLENGE_DNS_DELAY="" Set traefik acme dns challenge delayBeforeCheck. acme dns challenge
TRAEFIK_ACME_EMAIL="[email protected]" Default email
TRAEFIK_ACME_ONHOSTRULE="true" ACME OnHostRule parameter
TRAEFIK_ACME_CASERVER="https://acme-v02.api.letsencrypt.org/directory" ACME caServer parameter
TRAEFIK_ACME_KEYTYPE=RSA4096 Acme keytype to use. Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192". acme keytype
TRAEFIK_FILE_ENABLE="false" Enable/disable file backend
TRAEFIK_FILE_NAME="${SERVICE_HOME}/etc/rules.toml" File name for file backend
TRAEFIK_K8S_ENABLE="false" Enable/disable traefik K8S integration
TRAEFIK_RANCHER_ENABLE="false" Enable/disable traefik RANCHER integration
TRAEFIK_RANCHER_REFRESH=15 Rancher poll refresh seconds
TRAEFIK_RANCHER_MODE="api" Rancher integration mode. api|metadata
TRAEFIK_RANCHER_DOMAIN="rancher.internal" Rancher domain
TRAEFIK_RANCHER_EXPOSED="false" Rancher ExposedByDefault
TRAEFIK_RANCHER_HEALTHCHECK="false" Rancher EnableServiceHealthFilter
TRAEFIK_RANCHER_INTERVALPOLL="false" Rancher enable/disable intervalpoll
TRAEFIK_RANCHER_PREFIX="/2016-07-29" Rancher metadata prefix
TRAEFIK_DOCKER_ENABLE="false" Enable/disable traefik DOCKER backend
TRAEFIK_DOCKER_ENTRYPOINT="unix:///var/run/docker.sock" Set docker backend (unix socket or TCP). BEWARE: if you set a unix socket traefik has to be started as root!
TRAEFIK_USAGE_ENABLE="false" Enable/disable send Traefik anonymous usage collection
TRAEFIK_METRICS_ENABLE="false" Enable/disable traefik metrics
TRAEFIK_METRICS_EXPORTER="" Metrics exporter prometheus|datadog|statsd|influxdb
TRAEFIK_METRICS_PUSH="10" Metrics exporter push interval (s). (for datadog or statsd or influxdb)
TRAEFIK_METRICS_ADDRESS="" Metrics exporter address. d(for datadog or statsd or influxdb)b
TRAEFIK_METRICS_PROMETHEUS_BUCKETS="[0.1,0.3,1.2,5.0]" Metrics buckets for prometheus
TRAEFIK_TIMEOUT_READ="0" respondingTimeouts readTimeout
TRAEFIK_TIMEOUT_WRITE="0" respondingTimeouts writeTimeout
TRAEFIK_TIMEOUT_IDLE="180" respondingTimeouts idleTimeout
TRAEFIK_TIMEOUT_DIAL="30" forwardingTimeouts dialTimeout
TRAEFIK_TIMEOUT_HEADER="0" forwardingTimeouts responseHeaderTimeout
TRAEFIK_TIMEOUT_GRACE="10" lifeCycle graceTimeOut
TRAEFIK_TIMEOUT_ACCEPT="0" lifeCycle requestAcceptGraceTimeout
CATTLE_URL="" Rancher API url
CATTLE_ACCESS_KEY="" Rancher access key
CATTLE_SECRET_KEY="" Rancher secret key

Custom Configuration

Traefik is installed under /opt/traefik and make use of /opt/traefik/etc/traefik.toml and /opt/traefik/etc/rules.toml.

You can edit or overwrite this files in order to customize your own configuration or certificates.

You could also include FROM rawmind/alpine-traefik at the top of your Dockerfile, and add your custom config.

SSL Configuration

Added SSL configuration. Set TRAEFIK_HTTPS_ENABLE="< true || only >" to enable it.

SSL certificates are located by default in /opt/traefik/certs. You need to provide .key AND .crt files to that directory, in order Traefik gets automatically configured with ssl.

If you put more that one key/crt files in the certs directory, Traefik gets sni enabled and configured. You also could map you cert storage volume to Traefik and mount it in $TRAEFIK_SSL_PATH value.

You could also include FROM rawmind/alpine-traefik at the top of your Dockerfile, and add your custom ssl files.

If you need to let legacy tls versions connect to traefik then setting TRAEFIK_HTTPS_MIN_TLS will set minVersion on the https Entrypoint. See the Traefik documentation for allowed values. Default is VersionTLS12.

Let's Encrypt Configuration

If you enable SSL configuration, you could enable Traefik Let's Encrypt support as well (ACME). To do it, set TRAEFIK_ACME_ENABLE="true".

Rancher

If you are running it in rancher, you could use in 2 ways:

  • Traefik built rancher integration. Add env TRAEFIK_RANCHER_ENABLE=true
  • You could run rancher-traefik as a sidekick to get dynamic configuration.

Example

See rancher-example, that run a Traefik lb in all infrastructure servers and publish ${TRAEFIK_HTTP_PORT}, ${TRAEFIK_HTTPS_PORT} and ${TRAEFIK_ADMIN_PORT} throught them.

TODO

Add sni automation to the Traefik.

Metadata

66
Stars
56
Forks
Watchers

Owner

verified publisher icon rawmind0

Metadata

This image is the traefik base. It comes from rawmind/alpine-monit.

Back