Traefik Reverse Proxy Installation
Traefik is a modern, open-source reverse proxy and load balancer designed specifically for microservices and containerized environments. Unlike traditional reverse proxies that require configuration file restarts, Traefik dynamically discovers services and automatically configures routing rules. This guide covers installation, configuration, and deployment of Traefik on your VPS or bare metal infrastructure.
Table of Contents
- System Requirements
- Installation Methods
- Binary Installation
- Docker Installation
- Static Configuration
- Dynamic Configuration
- Entrypoints Configuration
- Routers and Services
- Let's Encrypt Integration
- Dashboard Access
- Health Checks
- Troubleshooting
System Requirements
Before installing Traefik, ensure your system meets the following requirements:
- Linux kernel version 3.10 or higher
- 512 MB RAM minimum (2 GB recommended for production)
- 100 MB disk space for binary
- Network connectivity to your backend services
- Root or sudo access for system-level installation
Traefik is written in Go and distributed as a single binary, making it lightweight and easy to deploy across various architectures including x86_64, ARM, and ARM64.
Installation Methods
Traefik can be installed through multiple approaches depending on your infrastructure:
- Binary Installation: Direct deployment for bare metal servers
- Docker/Docker Compose: Container-based deployment with volume management
- Kubernetes: Native integration with orchestration platforms
- Package Managers: Distribution-specific packages (limited availability)
Binary Installation
Start by downloading the latest Traefik binary from the official releases:
cd /tmp
wget https://github.com/traefik/traefik/releases/download/v2.10.0/traefik_v2.10.0_linux_amd64.tar.gz
tar xzf traefik_v2.10.0_linux_amd64.tar.gz
Create a dedicated user and directories for Traefik:
sudo useradd -r -s /bin/false -d /var/lib/traefik traefik
sudo mkdir -p /etc/traefik
sudo mkdir -p /var/lib/traefik
sudo mkdir -p /var/log/traefik
sudo chown -R traefik:traefik /var/lib/traefik /var/log/traefik
Move the binary to the system path:
sudo mv /tmp/traefik /usr/local/bin/traefik
sudo chmod +x /usr/local/bin/traefik
Verify the installation:
traefik version
Create a systemd service file for automatic startup:
sudo tee /etc/systemd/system/traefik.service > /dev/null <<EOF
[Unit]
Description=Traefik Reverse Proxy
Documentation=https://doc.traefik.io/traefik/
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
User=traefik
Group=traefik
ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.yaml
Restart=on-failure
RestartSec=5s
StandardOutput=journal
StandardError=journal
SyslogIdentifier=traefik
[Install]
WantedBy=multi-user.target
EOF
Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable traefik
sudo systemctl start traefik
Docker Installation
For containerized deployments, create a docker-compose.yml file:
version: '3.8'
services:
traefik:
image: traefik:v2.10
restart: always
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/traefik/traefik.yaml:/traefik.yaml:ro
- /etc/traefik/dynamic.yaml:/dynamic.yaml:ro
- /var/lib/traefik/acme.json:/acme.json
networks:
- traefik
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(\`traefik.example.com\`)"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.entrypoints=websecure"
networks:
traefik:
driver: bridge
Deploy using Docker Compose:
sudo docker-compose -f /etc/traefik/docker-compose.yml up -d
Static Configuration
Static configuration defines the entrypoints, API access, and global settings. Create /etc/traefik/traefik.yaml:
global:
checkNewVersion: false
sendAnonymousUsage: false
entryPoints:
web:
address: ":80"
http:
redirections:
entrypoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
tls:
certResolver: letsencrypt
domains:
- main: example.com
sans:
- '*.example.com'
api:
dashboard: true
insecure: false
debug: false
providers:
file:
filename: /etc/traefik/dynamic.yaml
watch: true
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
watch: true
certificatesResolvers:
letsencrypt:
acme:
email: [email protected]
storage: /var/lib/traefik/acme.json
httpChallenge:
entryPoint: web
certificatesDuration: 2160h
Set appropriate permissions:
sudo chown traefik:traefik /etc/traefik/traefik.yaml
sudo chmod 600 /etc/traefik/traefik.yaml
Dynamic Configuration
Dynamic configuration defines services, routers, and middlewares without requiring Traefik restart. Create /etc/traefik/dynamic.yaml:
http:
routers:
web-app:
rule: "Host(`app.example.com`)"
service: web-backend
entrypoints:
- websecure
tls:
certResolver: letsencrypt
middlewares:
- compression
- rate-limit
services:
web-backend:
loadBalancer:
servers:
- url: "http://192.168.1.100:8000"
- url: "http://192.168.1.101:8000"
healthCheck:
path: /health
interval: 10s
timeout: 5s
middlewares:
compression:
compress: {}
rate-limit:
rateLimit:
average: 100
period: 60s
burst: 200
Enable file watching to apply configuration changes automatically:
sudo systemctl restart traefik
Entrypoints Configuration
Entrypoints define the network interfaces and ports where Traefik listens:
entryPoints:
web:
address: ":80"
forwardedHeaders:
insecure: false
trustedIPs:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
websecure:
address: ":443"
http:
tls:
options: modern
certResolver: letsencrypt
ssh:
address: ":22"
transport: tcp
metrics:
address: ":8082"
metrics:
prometheus:
manualRouting: true
Routers and Services
Routers determine which services handle incoming requests based on rules:
http:
routers:
api-router:
rule: "Host(`api.example.com`) && PathPrefix(`/v1`)"
service: api-backend
entrypoints: [websecure]
priority: 10
middlewares:
- api-auth
- api-ratelimit
static-router:
rule: "Host(`cdn.example.com`)"
service: static-content
entrypoints: [websecure, web]
services:
api-backend:
loadBalancer:
servers:
- url: "http://api1.internal:8080"
- url: "http://api2.internal:8080"
- url: "http://api3.internal:8080"
stickySessions:
cookie:
name: "TRAEFIK_BACKEND"
httpOnly: true
secure: true
sameSite: "Strict"
static-content:
loadBalancer:
servers:
- url: "http://192.168.1.50:80"
healthCheck:
path: /
interval: 30s
timeout: 10s
Let's Encrypt Integration
Configure automatic HTTPS certificate management:
certificatesResolvers:
letsencrypt:
acme:
email: [email protected]
storage: /var/lib/traefik/acme.json
httpChallenge:
entryPoint: web
caServer: https://acme-v02.api.letsencrypt.org/directory
letsencrypt-staging:
acme:
email: [email protected]
storage: /var/lib/traefik/acme-staging.json
httpChallenge:
entryPoint: web
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
Ensure the acme.json file has correct permissions:
sudo touch /var/lib/traefik/acme.json
sudo chmod 600 /var/lib/traefik/acme.json
sudo chown traefik:traefik /var/lib/traefik/acme.json
Dashboard Access
Enable the Traefik dashboard for monitoring:
api:
dashboard: true
insecure: false
debug: false
http:
routers:
dashboard:
rule: "Host(`traefik.example.com`)"
entrypoints: [websecure]
service: api@internal
tls:
certResolver: letsencrypt
middlewares:
- dashboard-auth
middlewares:
dashboard-auth:
basicAuth:
users:
- "admin:$apr1$xyz123$encrypted_password_here"
Generate HTTP basic auth credentials:
sudo apt install apache2-utils
htpasswd -c /etc/traefik/.htpasswd admin
Access the dashboard at https://traefik.example.com with the configured credentials.
Health Checks
Configure health checking for backend services:
http:
services:
backend:
loadBalancer:
servers:
- url: "http://192.168.1.10:8000"
- url: "http://192.168.1.11:8000"
healthCheck:
path: /health
interval: 10s
timeout: 5s
scheme: http
headers:
X-Check: "health"
Monitor health check status in the Traefik dashboard or logs:
sudo journalctl -u traefik -f
Troubleshooting
Check Traefik logs for configuration errors:
sudo systemctl status traefik
sudo journalctl -u traefik -n 50 -f
Validate configuration syntax:
traefik --configFile=/etc/traefik/traefik.yaml --testConfig
Verify entrypoints are listening:
sudo netstat -tlnp | grep traefik
Check Docker provider connectivity:
ls -l /var/run/docker.sock
Test backend service connectivity:
curl -i http://192.168.1.100:8000/health
Conclusion
Traefik provides a powerful, modern reverse proxy solution with automatic service discovery, dynamic configuration, and Let's Encrypt integration. Whether deploying on bare metal or containerized environments, Traefik's flexibility and performance make it an excellent choice for modern infrastructure. Regular monitoring through the dashboard and log files ensures reliable operation of your services.