traefik: a powerful reverse proxy

In a systems infrastructure, it is common for a single physical host to present many different services to the world. For example, one can have https://app1.my.domain/ and https://app2.my.domain/ point to the same host, whereas the actual services inside the organization reside on different physical or virtual machines. A typical way to handle this is to use Apache or Nginx as a reverse proxy, and configure it to handle virtual hosts and redirects.

Over time, the configuration can become increasingly hard to maintain: whenever a service changes, or a server is added or moved, the configuration must be updated. Furthermore, the management of TLS connections, even though made easier thanks to Let's Encrypt, still requires the handling and renewal of certificates.

traefik is a modern reverse-proxy tool that strives to make the publishing of services easier, featuring notably:

  • simple tool, easy to install (single binary);
  • automatic configuration by inspecting the infrastructure to discover services (supports Docker, Kubernetes, etc.);
  • Let's Encrypt support with automatic renewal.

Without going into details, traefik’s architecture is organized with the following components:

  • Entrypoints define the incoming traffic (ports to listen to).
  • Routers apply rules to analyze the requests and determine where they belong.
  • Middleware can transform the requests (e.g. limit rate, rewrite, authenticate).
  • Services forward the requests to the actual services, possibly applying round-robin or load balancing.

Besides HTTP, traefik also supports TCP, WebSocket and gRPC connections.
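The four components above map onto a Docker Compose file as follows. This is an added example, not C4DT's configuration. The resolver name `le`, the router and service name `app1`, the middleware name `app1-ratelimit`, the rate-limit values and the e-mail address are assumptions; `traefik/whoami` is traefik's public demo container standing in for a real application.

```yaml
# docker-compose.yml (added example; names and values are placeholders)
services:
  traefik:
    image: traefik:v3.0
    command:
      # Discovery: inspect Docker, but publish only containers that opt in.
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Entrypoints: the ports traefik listens on.
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Send all plain-HTTP traffic to the TLS entrypoint.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # Let's Encrypt resolver "le": certificates are obtained and renewed automatically.
      - "--certificatesresolvers.le.acme.email=admin@my.domain"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # acme.json holds the certificate private keys: keep it off shared storage.
      - "./letsencrypt:/letsencrypt"
      # Access to this socket amounts to control of the Docker daemon,
      # so the traefik container must be treated as highly privileged.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  app1:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      # Router: match requests by host name on the TLS entrypoint.
      - "traefik.http.routers.app1.rule=Host(`app1.my.domain`)"
      - "traefik.http.routers.app1.entrypoints=websecure"
      - "traefik.http.routers.app1.tls.certresolver=le"
      # Middleware: rate-limit requests before they reach the service.
      - "traefik.http.routers.app1.middlewares=app1-ratelimit"
      - "traefik.http.middlewares.app1-ratelimit.ratelimit.average=50"
      - "traefik.http.middlewares.app1-ratelimit.ratelimit.burst=100"
      # Service: forward to the container's internal port (whoami listens on 80).
      - "traefik.http.services.app1.loadbalancer.server.port=80"
```

Adding `app2.my.domain` means adding a second container with its own labels; the traefik service itself is left unchanged.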

The C4DT manages several services in its infrastructure, currently handled with Apache. We are planning to use traefik in the hope of making our systems maintenance easier.