Traefik

The Traefik load balancer is the main ingress point for all public-facing services in the cluster. It terminates SSL using Let's Encrypt certificates and forwards connections to the proper services.

Installation

To set up Traefik to handle SSL for your cluster, first assign a DNS name to the nodes that will run Traefik. Ensure that all subdomains also point to the same IPs. Then store the domain name and the contact email address for your SSL certificates in Consul:

consul kv put traefik/config/domain example.com
consul kv put traefik/config/email contact@example.com

No further configuration is necessary for Traefik.

Usage

Traefik scans the Consul catalog for additional services and automatically configures SSL and forwarding for them. To opt a service in, apply these tags:

service {
  tags = [
    "traefik.enable=true",
    "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=le",
  ]
}

Using ${NOMAD_JOB_NAME} means that the subdomain for the service defaults to the job's name. If you want to customize the behavior, see the Traefik documentation.

Note: Traefik is configured to automatically redirect all HTTP traffic to the corresponding HTTPS endpoint, regardless of any dynamic configuration.

Debugging

The first place to look is the Traefik dashboard, which lists all configured services and the rules required to access them. If something isn't listed there, check the Consul dashboard to ensure that the service is properly registered and healthy.

It may be helpful to enable the DEBUG log level in Traefik, which causes it to log every configuration change to stdout.

Tunnel to a WireGuard peer

It's possible to use Traefik to forward a specific subdomain to a WireGuard peer, for example a laptop. This serves as a very basic alternative to ngrok. In this configuration, Traefik terminates the SSL and forwards the connection over WireGuard.

Setting the traefik/config/tunnel key in Consul causes Traefik to forward the "tunnel" subdomain to that address.

consul kv put traefik/config/tunnel 172.30.15.1:3000
# Later, remove with
consul kv delete traefik/config/tunnel
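
Because the "tunnel" subdomain is served from the public ingress, whatever address is stored in traefik/config/tunnel becomes reachable through it. The following is an added example, not part of this project's code: a POSIX shell guard that accepts a target only if it is an IPv4 address:port inside a WireGuard subnet you pass in. The subnet value and the WG_CIDR variable name are assumptions.

```shell
#!/bin/sh
# Added example (not from the project): check a tunnel target before it is
# written to traefik/config/tunnel. The allowed CIDR is an assumption.

# ip_to_int A.B.C.D: print the address as an integer; fail on malformed input.
ip_to_int() {
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$octet" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# tunnel_target_ok IP:PORT CIDR: succeed only for an IPv4 address inside CIDR
# with a port in 1-65535. A /0 prefix is rejected so the check cannot allow everything.
tunnel_target_ok() {
  target=$1; cidr=$2
  case "$target" in *:*) ;; *) return 1 ;; esac
  host=${target%:*}; port=${target##*:}
  case "$port" in ''|*[!0-9]*|0*|??????*) return 1 ;; esac
  [ "$port" -le 65535 ] || return 1
  bits=${cidr#*/}
  case "$bits" in ''|*[!0-9]*|0*|???*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  ip=$(ip_to_int "$host") || return 1
  net=$(ip_to_int "${cidr%/*}") || return 1
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Usage (WG_CIDR is a hypothetical variable holding your WireGuard subnet):
#   tunnel_target_ok "$addr" "$WG_CIDR" && consul kv put traefik/config/tunnel "$addr"
```

The guard rejects loopback and other cluster-internal addresses (for example the local Consul agent) as long as they fall outside the subnet you pass in.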