I’ve been using haproxy as my reverse proxy for a while and it’s hard not to like. The challenge for any production system is deploying new services and sometimes updates. One definite weakness is updating https certs. Keep in mind if you believe in configuration as code then haproxy and an all in one deploy might not be a bad thing but that could be applied to various dimensions in the “system”.For the purpose of discussion haproxy and traefik perform a similar function but where haproxy is static, traefik services register. Traefik has two killer features.  registration of dynamic services  dynamic wildcard support at let’s encrypt.PREREQUISITESdocker, docker-composedocker-machine could be useful if you want to do remote deploys (post for another day)dns + nameservertraefik supported DNS service (I’m using digitalocean in this example)at least one demo serviceLAUNCH TRAEFIKThis was cobbled together from a number of sources…$ mkdir -p /opt/traefik$ cd /opt/traefik$ touch acme.json docker-compose.yml traefik.toml$ chmod 0600 acme.jsonThe acme file starts empty because traefik will fill it in with certs etc. The other two have some simple config. But first things first… create a docker network for the services to communicate with traefik.$ docker network create webThe docker-compose.yml looks like this and is a standard compose file. The only interesting bits are the DO_AUTH_TOKEN which is configured at digital ocean and is used to update the DNS for let’s encrypt. And the labels which are used by traefik and similar to passing environment variables into a container but more special purpose.version: ‘3’services: traefik: image: traefik command: –api –docker restart: always ports: - 80:80 - 443:443 networks: - web environment: - DO_AUTH_TOKEN=<token here> volumes: - /var/run/docker.sock:/var/run/docker.sock - /opt/traefik/traefik.toml:/traefik.toml - /opt/traefik/acme.json:/acme.json labels: - “traefik.basic.frontend.rule=Host:traefik.ooc.systems” container_name: traefiknetworks: web: external: trueThe traefik.toml file can be used to stitch traefik and it’s functions together as well as some basics for the user services. I have implemented the basic authentication feature in my traefic.toml but in reality the services are supposed to implement their own. Certainly if I were implementing a single signon solution integration right here would make sense along with some RBAC built into the apps/services. At the bottom of the file are the let’s encrypt configuration items. That includes wildcard. (let’s encrypt has some rate limits to beware)debug = falselogLevel = “ERROR”defaultEntryPoints = [“https”,“http”]# openssl passwd -apr1 myPassword[entryPoints] [entryPoints.http] address = “:80” [entryPoints.http.redirect] entryPoint = “https” [entryPoints.https.auth.basic] users = [“admin:passwd hash goes here”] [entryPoints.http.auth.basic] users = [“admin:passwd hash goes here”] [entryPoints.https] address = “:443” [entryPoints.https.tls][retry][docker]endpoint = “unix:///var/run/docker.sock”domain = “ooc.systems”watch = trueexposedByDefault = false[acme]email = “my email addr here”storage = “acme.json”entryPoint = “https”onHostRule = true[[acme.domains]] main = “*.ooc.systems” sans = [“ooc.systems”][acme.httpChallenge]entryPoint = “http”[acme.dnsChallenge] provider = “digitalocean” delayBeforeCheck = 0Now that everything is configured… time to launch.$ docker-compose up -dAt this point traefik is running; and it’s time to launch a service.$ mkdir -p $HOME/who$ cd $HOME/who$ touch docker-compose.ymlAnd here is the docker-compose.yml file.version: “3”services: app: image: emilevauge/whoami restart: always networks: - web - default expose: - “80” labels: - “traefik.docker.network=web” - “traefik.enable=true” - “traefik.basic.frontend.rule=Host:who.ooc.systems” - “traefik.basic.port=80” - “traefik.basic.protocol=http”networks: web: external: trueLaunching the service is as simple as$ docker-compose up -dNOTE this is not a docker swarm. That config is different and for another day but based on this config.