This image is the Traefik base. It comes from alpine-monit.
docker build -t rawmind/alpine-traefik:<version> .
1.7.4-0
(Dockerfile)1.7.3-1
(Dockerfile)1.7.2-0
(Dockerfile)1.7.0-0
(Dockerfile)1.6.6-1
(Dockerfile)1.6.5-2
(Dockerfile)1.6.4-0
(Dockerfile)1.6.3-0
(Dockerfile)1.6.2-0
(Dockerfile)1.6.1-0
(Dockerfile)1.6.0-0
(Dockerfile)1.5.4-0
(Dockerfile)1.5.3-3
(Dockerfile)1.5.2-0
(Dockerfile)1.5.1-0
(Dockerfile)1.5.0-5
(Dockerfile)1.4.6-0
(Dockerfile)1.4.5-3
(Dockerfile)1.4.4-4
(Dockerfile)1.4.3-0
(Dockerfile)1.4.2-0
(Dockerfile)1.4.1-2
(Dockerfile)1.4.0-6
(Dockerfile)1.3.8-4
(Dockerfile)1.3.6
(Dockerfile)1.3.5
(Dockerfile)1.3.3
(Dockerfile)1.3.2-2
(Dockerfile)1.2.3-1
(Dockerfile)1.2.1
(Dockerfile)1.2.0-rc2-1
(Dockerfile)1.1.2-1
(Dockerfile)1.1.1-2
(Dockerfile)1.0.3-1
(Dockerfile)1.0.2-6
(Dockerfile)1.0.1-4
(Dockerfile)1.0.0
(Dockerfile)1.0.0-rc3-3
(Dockerfile)1.0.0-rc2-6
(Dockerfile)1.0.0-beta.771
(Dockerfile)1.0.0-beta.555-6
(Dockerfile)
This image runs Traefik with monit. It is started with traefik user/group with 10001 uid/gid.
Besides, you can customize the configuration in several ways:
Traefik is installed with the default configuration and some parameters can be overrided with env variables:
TRAEFIK_HTTP_PORT=8080 |
http port > 1024 due to run as non privileged user |
TRAEFIK_HTTP_COMPRESSION="true" |
Enable http compression |
TRAEFIK_HTTPS_ENABLE="false" |
"true" enables https and http endpoints. "Only" enables https endpoints and redirect http to https. |
TRAEFIK_HTTPS_PORT=8443 |
https port > 1024 due to run as non privileged user |
TRAEFIK_HTTPS_MIN_TLS="VersionTLS12" |
Minimal allowed tls version to accept connections from |
TRAEFIK_HTTPS_COMPRESSION="true" |
Enable https compression |
TRAEFIK_TRUSTEDIPS="" |
Enable proxyProtocol and forwardHeaders for these IPs (eg: "172.0.0.0/16,192.168.0.1") |
TRAEFIK_ADMIN_ENABLE="false" |
"true" enables api, rest, ping and webui |
TRAEFIK_ADMIN_PORT=8000 |
admin port > 1024 due to run as non privileged user |
TRAEFIK_ADMIN_SSL=false |
"true" enables https on api, rest, ping and webui using TRAEFIK_SSL_CRT certificate |
TRAEFIK_ADMIN_STATISTICS=10 |
Enable more detailed statistics |
TRAEFIK_ADMIN_AUTH_METHOD="basic" |
Auth method to use on api, rest, ping and webui. basic |
TRAEFIK_ADMIN_AUTH_USERS="" |
Basic or digest users created with htpasswd or htdigest. |
TRAEFIK_CONSTRAINTS="" |
Traefik constraint param. EG: \\"tag==api\\" |
TRAEFIK_LOG_LEVEL="INFO" |
Log level |
TRAEFIK_DEBUG="false" |
Enable/disable debug mode |
TRAEFIK_INSECURE_SKIP="false" |
Enable/disable InsecureSkipVerify parameter |
TRAEFIK_LOG_FILE="/opt/traefik/log/traefik.log"} |
Log file. Redirected to docker stdout. |
TRAEFIK_ACCESS_FILE="/opt/traefik/log/access.log"} |
Access file. Redirected to docker stdout. |
TRAEFIK_SSL_PATH="/opt/traefik/certs" |
Path to search .key and .crt files |
TRAEFIK_SSL_KEY=<DEMO KEY> |
ssl key |
TRAEFIK_SSL_KEY_FILE=${TRAEFIK_SSL_PATH}"/"${SERVICE_NAME}".key" |
Default key file. |
TRAEFIK_SSL_CRT=<DEMO CRT> |
ssl cert |
TRAEFIK_SSL_CRT_FILE=${TRAEFIK_SSL_PATH}"/"${SERVICE_NAME}".crt"} |
Default crt file. |
TRAEFIK_ACME_ENABLE="false" |
Enable/disable traefik ACME feature. acme |
TRAEFIK_ACME_CHALLENGE="" |
Set http|dns to activate traefik acme challenge mode. |
TRAEFIK_ACME_CHALLENGE_HTTP_ENTRYPOINT="http" |
Set traefik acme http challenge entrypoint. acme http challenge |
TRAEFIK_ACME_CHALLENGE_DNS_PROVIDER="" |
Set traefik acme dns challenge provider. You need to manually add configuration env variables accordingly the dns provider you use. acme dns provider |
TRAEFIK_ACME_CHALLENGE_DNS_DELAY="" |
Set traefik acme dns challenge delayBeforeCheck. acme dns challenge |
TRAEFIK_ACME_WILDCARD_DOMAIN="" |
Set domain to be used for wildcard ssl - Works only if DNS challenge above is enabled. |
TRAEFIK_ACME_EMAIL="[email protected]" |
Default email |
TRAEFIK_ACME_ONHOSTRULE="true" |
ACME OnHostRule parameter |
TRAEFIK_ACME_CASERVER="https://acme-v02.api.letsencrypt.org/directory" |
ACME caServer parameter |
TRAEFIK_FILE_ENABLE="false" |
Enable/disable file backend |
TRAEFIK_FILE_NAME="${SERVICE_HOME}/etc/rules.toml" |
File name for file backend |
TRAEFIK_K8S_ENABLE="false" |
Enable/disable traefik K8S integration |
TRAEFIK_RANCHER_ENABLE="false" |
Enable/disable traefik RANCHER integration |
TRAEFIK_RANCHER_REFRESH=15 |
Rancher poll refresh seconds |
TRAEFIK_RANCHER_MODE="api" |
Rancher integration mode. api|metadata |
TRAEFIK_RANCHER_DOMAIN="rancher.internal" |
Rancher domain |
TRAEFIK_RANCHER_EXPOSED="false" |
Rancher ExposedByDefault |
TRAEFIK_RANCHER_HEALTHCHECK="false" |
Rancher EnableServiceHealthFilter |
TRAEFIK_RANCHER_INTERVALPOLL="false" |
Rancher enable/disable intervalpoll |
TRAEFIK_RANCHER_PREFIX="/2016-07-29" |
Rancher metadata prefix |
TRAEFIK_USAGE_ENABLE="false" |
Enable/disable send Traefik anonymous usage collection |
TRAEFIK_METRICS_ENABLE="false" |
Enable/disable traefik metrics |
TRAEFIK_METRICS_EXPORTER="" |
Metrics exporter prometheus|datadog|statsd|influxdb |
TRAEFIK_METRICS_PUSH="10" |
Metrics exporter push interval (s). (for datadog or statsd or influxdb) |
TRAEFIK_METRICS_ADDRESS="" |
Metrics exporter address. d(for datadog or statsd or influxdb)b |
TRAEFIK_METRICS_PROMETHEUS_BUCKETS="[0.1,0.3,1.2,5.0]" |
Metrics buckets for prometheus |
TRAEFIK_TIMEOUT_READ="0" |
respondingTimeouts readTimeout |
TRAEFIK_TIMEOUT_WRITE="0" |
respondingTimeouts writeTimeout |
TRAEFIK_TIMEOUT_IDLE="180" |
respondingTimeouts idleTimeout |
TRAEFIK_TIMEOUT_DIAL="30" |
forwardingTimeouts dialTimeout |
TRAEFIK_TIMEOUT_HEADER="0" |
forwardingTimeouts responseHeaderTimeout |
TRAEFIK_TIMEOUT_GRACE="10" |
lifeCycle graceTimeOut |
TRAEFIK_TIMEOUT_ACCEPT="0" |
lifeCycle requestAcceptGraceTimeout |
CATTLE_URL="" |
Rancher API url |
CATTLE_ACCESS_KEY="" |
Rancher access key |
CATTLE_SECRET_KEY="" |
Rancher secret key |
Traefik is installed under /opt/traefik
and make use of /opt/traefik/etc/traefik.toml
and /opt/traefik/etc/rules.toml
.
You can edit or overwrite this files in order to customize your own configuration or certificates.
You could also include FROM rawmind/alpine-traefik
at the top of your Dockerfile, and add your custom config.
Added SSL configuration. Set TRAEFIK_HTTPS_ENABLE="< true || only >"
to enable it.
SSL certificates are located by default in /opt/traefik/certs
.
You need to provide .key
AND .crt
files to that directory, in order Traefik gets automatically configured with ssl.
If you put more that one key/crt files in the certs directory, Traefik gets sni enabled and configured. You also could map you cert storage volume to Traefik and mount it in $TRAEFIK_SSL_PATH value.
You could also include FROM rawmind/alpine-traefik
at the top of your Dockerfile, and add your custom ssl files.
If you need to let legacy tls versions connect to traefik then setting TRAEFIK_HTTPS_MIN_TLS
will set minVersion
on the https Entrypoint.
See the Traefik documentation for allowed values. Default is VersionTLS12
.
If you enable SSL configuration, you could enable Traefik Let's Encrypt support as well (ACME).
To do it, set TRAEFIK_ACME_ENABLE="true".
If you are running it in rancher, you could use in 2 ways:
- Traefik built rancher integration. Add
env TRAEFIK_RANCHER_ENABLE=true
- You could run rancher-traefik as a sidekick to get dynamic configuration.
See rancher-example, that run a Traefik lb in all infrastructure servers and publish ${TRAEFIK_HTTP_PORT}
, ${TRAEFIK_HTTPS_PORT}
and ${TRAEFIK_ADMIN_PORT}
throught them.
Add sni automation to the Traefik.