traefik is a convenient way to have a reverse proxy in your Docker setup.
Docker containers hosting web applications or web services can register in traefik, and traefik does routing, load balancing, SSL termination and HTTP/2 for you out of the box.
This works smoothly, but we had the following setup:
We took an Atlassian confluence wiki setup with its own docker-compose.yml, a keycloak WebSSO with its own docker-compose.yml, and traefik with its own docker-compose.yml.
When using keycloak and confluence, the following happens:
- the user opens confluence in the browser
- confluence recognizes authentication is required and redirects to keycloak
- keycloak does the authentication and redirects back to confluence
- confluence decides if the user is authorized to see content
In this flow confluence needs to know keycloak and vice versa. As traefik does the SSL termination for us, direct communication between the two containers is not sufficient and traefik needs to do the routing.
As each application stack (traefik, confluence, keycloak) is connected to a virtual network, the applications can communicate, but Docker uses its own internal DNS service and ignores, for example, settings in the hosts file.
The consequence is that inside the containers the fully qualified domain names (FQDNs) of the applications are not known; they are only configured in traefik.
There are three approaches to make the FQDNs known in the containers.
In the docker-compose.yml, additional entries can be given for the container's hosts file. This is done in the extra_hosts part of the service:

```yaml
version: "3"
services:
  confluence:
    # ...
    extra_hosts:
      - "keycloak.my.domain:188.8.131.52"  # internal IP of the traefik container
    # ...
```

Docker adds the additional entry to the hosts file, and confluence can now use the FQDN to access keycloak.
A drawback is that we need to give a static IP which points to traefik, which is not very handy.
By default Docker uses Google's DNS server to resolve any host which can't be resolved by the internal DNS.
If you use a DNS server in your network where all FQDNs hosted in Docker point to the Docker host (we only have a single Docker host), then you can configure docker-compose to set this DNS server in the container.

```yaml
version: "3"
services:
  confluence:
    # ...
    dns:
      - 192.168.10.11  # IP of your DNS server
    # ...
```

A drawback is that the central DNS server prohibits local development.
By default the names used by Docker's integrated DNS server are the container names.
To route all requests to traefik, traefik needs to have all alias names set. This is done in the

```yaml
version: "3"
services:
  traefik:
    # ...
    networks:
      proxy:
        aliases:
          - keycloak.my.domain
          - confluence.my.domain
    # ...
```

For local development this seems to be the most elegant solution but if you add a new web application which needs to be handled by traefik.
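
Whichever approach is chosen, it is worth confirming from inside the confluence or keycloak container that each FQDN really resolves to traefik and is not answered by an upstream resolver. The check below is an added example, not code from the original post or its demo project; the proxy's DNS name `traefik`, the function names and the `extra_ok` parameter (for the central DNS approach, where the FQDNs point to the Docker host) are assumptions.

```python
import socket
import sys


def resolve(name):
    """Return the IPv4 addresses the container's resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_fqdns(fqdns, proxy_name="traefik", extra_ok=(), resolver=resolve):
    """Classify each FQDN: 'proxy', 'unresolved' or 'elsewhere'.

    proxy_name is the name traefik has in Docker's DNS (assumed: 'traefik').
    extra_ok lists further addresses that count as the proxy, e.g. the Docker
    host's IP when a central DNS server points the FQDNs there.
    """
    accepted = set(resolver(proxy_name)) | set(extra_ok)
    if not accepted:
        raise RuntimeError(f"proxy name {proxy_name!r} does not resolve")
    report = {}
    for fqdn in fqdns:
        ips = resolver(fqdn)
        if not ips:
            report[fqdn] = "unresolved"   # no alias, hosts entry or DNS record
        elif ips <= accepted:
            report[fqdn] = "proxy"        # every answer points at traefik
        else:
            report[fqdn] = "elsewhere"    # e.g. answered by an external DNS
    return report


if __name__ == "__main__":
    names = sys.argv[1:] or ["keycloak.my.domain", "confluence.my.domain"]
    try:
        result = check_fqdns(names)
    except RuntimeError as exc:
        sys.exit(str(exc))
    for fqdn, status in result.items():
        print(f"{fqdn}: {status}")
    sys.exit(0 if all(s == "proxy" for s in result.values()) else 1)
```
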
You can find a working demo application on GitHub.
Please give me some input if you have trouble with the demo application.
Happy traefik-ing! 😉