Traefik is a container-aware reverse-proxy server.
Many of the services installed by this playbook need to be exposed to the web (HTTP/HTTPS). This is handled by Traefik, which is installed by default if you have used the example vars.yml file.
Enabling the Traefik service will automatically wire all other services to use it.
To enable this service, add the following configuration to your vars.yml file and re-run the installation process.
########################################################################
#                                                                      #
# traefik                                                              #
#                                                                      #
########################################################################
mash_playbook_reverse_proxy_type: playbook-managed-traefik
# The email address that Traefik will pass to Let's Encrypt when obtaining SSL certificates
traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS_HERE
########################################################################
#                                                                      #
# /traefik                                                             #
#                                                                      #
########################################################################
Enabling the Traefik service, as shown above, automatically installs a tecnativa/docker-socket-proxy service/container (powered by the com.devture.ansible.role.container_socket_proxy Ansible role) to improve security by not mounting a Docker socket into the Traefik container.
The Ansible role we use for Traefik supports various configuration options. Feel free to consult its default/main.yml variables file.
Below, you can find some guidance about common tweaks you may wish to make.
Sometimes you may already have a Traefik instance running on the server and you may wish to not have the playbook install Traefik.
To tell the playbook that you're running a Traefik instance and you'd still like all services installed by the playbook to be connected to that Traefik instance, you need the following configuration:
# Tell the playbook you're using Traefik installed in another way.
# It won't bother installing Traefik.
mash_playbook_reverse_proxy_type: other-traefik-container
# Tell the playbook to attach services which require reverse-proxying to an additional network by default (e.g. traefik)
# This needs to match your Traefik network.
mash_playbook_reverse_proxyable_services_additional_network: traefik
# Uncomment and adjust the variables below if you'd like to enable HTTP-compression.
#
# For this to work, you will need to define a compress middleware (https://doc.traefik.io/traefik/middlewares/http/compress/) for your Traefik instance
# using a file (https://doc.traefik.io/traefik/providers/file/) or Docker (https://doc.traefik.io/traefik/providers/docker/) configuration provider.
#
# mash_playbook_reverse_proxy_traefik_middleware_compession_enabled: true
# mash_playbook_reverse_proxy_traefik_middleware_compession_name: my-compression-middleware@file
This will set Traefik's log level to DEBUG.
traefik_config_log_level: DEBUG
This will disable access logging.
traefik_config_accessLog_enabled: false
This will enable a Traefik Dashboard UI at https://traefik.mash.example.com/dashboard/ (note the trailing /).
traefik_dashboard_enabled: true
traefik_dashboard_hostname: traefik.mash.example.com
traefik_dashboard_basicauth_enabled: true
traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
WARNING: enabling the dashboard on a hostname you use for something else (like mash.example.com, rather than the dedicated traefik.mash.example.com used in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all /dashboard and /api requests and forward them to itself. If any of the services hosted on the same hostname requires either of these two URL prefixes, you will experience problems.
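The hostname conflict described in the warning above can be caught before re-running the installation. The following is an added example, not part of the playbook: it assumes a flat vars.yml with top-level scalar values and that other services declare their hostname in a variable named <service>_hostname; someservice_hostname and the sample values are constructed.

```python
import re

PLACEHOLDERS = {"", "YOUR_USERNAME_HERE", "YOUR_PASSWORD_HERE"}  # from the page's sample

def parse_flat_vars(text):
    """Collect top-level `key: value` scalars; comments and nested lines are skipped."""
    pairs = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z_]\w*):[ \t]*(.*)$", line)
        if m:
            pairs[m.group(1)] = m.group(2).strip().strip("'\"")
    return pairs

def is_true(pairs, key):
    return pairs.get(key, "").lower() in ("true", "yes")

def check_dashboard(text):
    """Return findings for the dashboard settings described on this page."""
    v = parse_flat_vars(text)
    if not is_true(v, "traefik_dashboard_enabled"):
        return []
    findings = []
    host = v.get("traefik_dashboard_hostname", "")
    # Assumption: other services declare their hostname as <service>_hostname.
    shared = sorted(k for k, val in v.items() if k.endswith("_hostname")
                    and val == host and k != "traefik_dashboard_hostname")
    if shared:
        findings.append(f"{host} also serves {', '.join(shared)}; Traefik takes its /dashboard and /api")
    if not is_true(v, "traefik_dashboard_basicauth_enabled"):
        findings.append("traefik_dashboard_basicauth_enabled is not set to true in this file")
        return findings
    for key in ("traefik_dashboard_basicauth_user", "traefik_dashboard_basicauth_password"):
        if v.get(key, "") in PLACEHOLDERS:
            findings.append(f"{key} is empty or still a placeholder")
    return findings

# Constructed sample input; someservice_hostname is a hypothetical variable.
SHARED_HOST = """\
someservice_hostname: mash.example.com
traefik_dashboard_enabled: true
traefik_dashboard_hostname: mash.example.com
traefik_dashboard_basicauth_enabled: true
traefik_dashboard_basicauth_user: admin
traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
"""
DEDICATED_HOST = (SHARED_HOST.replace("dashboard_hostname: mash", "dashboard_hostname: traefik.mash")
                  .replace("YOUR_PASSWORD_HERE", "constructed-sample-value"))

if __name__ == "__main__":
    print(check_dashboard(SHARED_HOST), check_dashboard(DEDICATED_HOST))
```

An empty list means none of the checked conditions were found in the file; values set only in role defaults are not inspected.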
Use the traefik_configuration_extension_yaml variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.
# This is a contrived example.
# You can enable and secure the Dashboard using dedicated variables. See above.
traefik_configuration_extension_yaml: |
  api:
    dashboard: true