Bravery Family

Install Traefik Proxy on Debian.

Written by

GoldKeeperSnr

in

This post is intended to cover how to install the Traefik Proxy on a Debian server. The process is a little complex as, unfortunately, there isn’t a .deb file that I could find.

This means a bit more manual fiddling about.

Logo for Traefik Proxy

First off, some of the steps here come from this blog:
https://blog.emka.web.id/2022/09/how-to-install-traefik-in-debian.html
and the Traefik site:
https://doc.traefik.io/traefik/getting-started/install-traefik/#use-the-binary-distribution

I’ve adjusted the steps to cover my own needs.

Preparation

The installation of Traefik proxy on Debian requires some setup task.

Create a group for Traefik – obviously check the group ID is unique.

sudo groupadd -g 321 traefik

Then a user – obviously check the group ID is unique:

sudo useradd \
 -g traefik --no-user-group \
 --home-dir /var/www --no-create-home \
 --shell /usr/sbin/nologin \
 --system --uid 321 traefik

Create necessary directories for the software. 

mkdir /opt/traefik
mkdir /etc/traefik
mkdir /var/opt/traefik

I’m not fiddling about with directory permissions yet – as I am trying to avoid having to run everything through sudo.

Now download a copy of Traefik Proxy software. That’s done by getting an appropriate file from here:
https://github.com/traefik/traefik/releases

Finally fetch a copy of the service file from here:
https://github.com/traefik/traefik/raw/master/contrib/systemd/traefik.service

Install

Install Traefik Proxy Service

Update the traefik.service file:

vi traefik.service

Removed the comments from:

  • Within [Unit]
    • After
    • AssertFileIsExecutable
      Fixing the path to the executable.
    • AssertPathExists
      Fixing the file to be traefik.yaml
  • Within [Service]
    • User
    • AmbientCapabilities
    • ExecStart
      Fixing the executable path and making the configFile parameter point to traefik.yaml file.

Then transfer the service file to the correct location:

sudo mv traefik.service /etc/system/system/
sudo chown root: root /etc/systemd/system/traefik.service
sudo chmod 644 /etc/systemd/system/traefik.service

Then update systemd:

systemctl daemon-reload

This will not be use under a functional configuration is in place.

Starter Configuration

Static Configuration

Now copy the below starter configuration and place it in /etc/traefik/traefik.yaml

################################################################
#
# Configuration sample for Traefik v2.
#
# For Traefik v1: 
# https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
#
################################################################

################################################################
# Global configuration
################################################################
global:
  checkNewVersion: true
  sendAnonymousUsage: true
################################################################
# EntryPoints configuration
################################################################
entryPoints:
  web:
    address: :85
  websecure:
    address: :448
################################################################
# Traefik logs configuration
################################################################
log:
  level: DEBUG
################################################################
# API and dashboard configuration
################################################################
# Enable API and dashboard
api:
  dashboard: true

providers:
  file:
    filename: /etc/traefik/dynamic.yaml

In short, this file will:

  • Make traefik listen on port 85 and 448
  • Increase logging to debug level
    So, we can see what is going on
  • Enable the API and the Dashboard
  • Configure a file provider call dynamic.yaml

Dynamic Configuration

Now create an authentication user (replace the content of the angle brackets) – you will need the output from this in the next step.

htpasswd -nb <user> <password>

Follow this up with placing this in /etc/traefik/dynamic.yaml replacing <string from htpasswd> with your string from htpasswd (yes, put it inside the double quotes).

# dynamic.yaml

http:
  routers:
    api:
      rule: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
      service: api@internal
      entryPoints:
        - "web"
      middlewares:
        - auth
    catchall:
      # attached only to web entryPoint
      entryPoints:
        - "web"
      # catchall rule
      rule: "PathPrefix(`/`)"
      service: unavailable
      # lowest possible priority
      # evaluated when no other router is matched
      priority: 1
  middlewares:
    auth:
      basicAuth:
        users:
          - "<string from htpasswd>"
  services:
    # Service that will always answer a 503 Service Unavailable response
    unavailable:
      loadBalancer:
        servers: {}

Yes, the back ticks are correct, single quote will cause a problem due to go.

This file sets up the following:

  • Two routers
    1. API
      • catch traffic coming in from the “web” entry point (85)
      • protects using the auth middleware
      • looks for /api and /dashboard traffic
      • will then route trafic to api@internal service
    2. CatchAll
      • catch traffic coming in from the “web” entry point (85)
      • looks for anything under /
      • will route traffic to unavailable service.
  • Middleware
    To protect the api and dashboard endpoints from prying eyes.
  • Service
    To show when things are broken.

Install Traefik Proxy

The next step of the install of Traefik Proxy on Debian is to extract the downloaded zip file:

cd /opt/traefik
tar -zxvf <download location>/traefik_v<version>_<platform>.tar.gz

Since traefik proxy will be using privileged ports, it therefore needs a permission setting:

sudo setcap 'cap_net_bind_service=+ep' traefik

Testing Traefik Proxy

This is where things begin to get fun. I had some fun and games with getting the Dashboard to work initially, hence why I am writing this and posting it for posterity.

You MUST have the PathPrefix rule to make Dashboard and API endpoints work right.

On the plus side, its presence in dynamic.yaml means we can fiddle about with the file and Traefik Proxy will just reload it.

Now, simply run the Traefik Proxy executable – it looks in standard locations for configuration and /etc/traefik/traefik.yaml is one of those.

./traefik

If it works you should see something like this:






You should also be able to access various URLs.





api/endpoints







dashboard







anything else







Assuming everything is working we can now go about locking the software installation, enabling the services configuration that was setup, and linking it to the Docker.





Troubleshooting





Hopefully, Traefic Proxy is working for you. If it isn’t the terminal that Traefic is running in should give you some indication of what has gone wrong.





It is likely to be related to listening on the selected ports. The simplest option would then be to move to a different port by altering the values for address in /etc/traefik/traefik.yaml.





Having done this, stop traefik [if needed] and re-run it.



		
		

			

		

		
		
		


	
	
	




		

	

	
	


	
	
More posts