[ Traefik ] [ 2.2.0.0 ] [ CLI ] Modern HTTP reverse proxy and load balancer

[QNAP_Stephane]

Source : https://github.com/containous/traefik/b ... /README.md


Download :

https://www.qnapclub.eu/fr/qpkg/340

Note :

Warning listen on 80 and 8081
config file example inside /opt/Traefik/traefik.toml

traefik command line added to NAS $PATH (no need to enter the full path)

About :

Imagine that you have deployed a bunch of microservices on your infrastructure. You probably used a service registry (like etcd or consul) and/or an orchestrator (swarm, Mesos/Marathon) to manage all these services. If you want your users to access some of your microservices from the Internet, you will have to use a reverse proxy and configure it using virtual hosts or prefix paths:

domain api.domain.com will point the microservice api in your private network
path domain.com/web will point the microservice web in your private network
domain backoffice.domain.com will point the microservices backoffice in your private network, load-balancing between your multiple instances
But a microservices architecture is dynamic... Services are added, removed, killed or upgraded often, eventually several times a day.

Traditional reverse-proxies are not natively dynamic. You can't change their configuration and hot-reload easily.


Træfɪk can listen to your service registry/orchestrator API, and knows each time a microservice is added, removed, killed or upgraded, and can generate its configuration automatically. Routes to your services will be created instantly.

Run it and forget it!

Features

It's fast
No dependency hell, single binary made with go
Rest API
Multiple backends supported: Docker, Mesos/Marathon, Consul, Etcd, and more to come
Watchers for backends, can listen change in backends to apply a new configuration automatically
Hot-reloading of configuration. No need to restart the process
Graceful shutdown http connections
Circuit breakers on backends
Round Robin, rebalancer load-balancers
Rest Metrics
Tiny official docker image included
SSL backends support
SSL frontend support (with SNI)
Clean AngularJS Web UI
Websocket support
HTTP/2 support
Retry request if network error
Let's Encrypt support (Automatic HTTPS with renewal)

[QNAP_Stephane]

updated to 1.0.2

[QNAP_Stephane]

updated following giopas request

[QNAP_Stephane]

updated to last 1.1.1

[MickyGX]

I am looking at setting up reverse proxies using Traefik but I am struggling finding examples of how to do this. What I am after doing is redirecting traffic to various services I have running on my qnap. For example when I type in http://couchpotato.mydomain.com it forwards to http://localhost:5555 and http://sickbeard.mydomain.com it forwards to http://localhost:6666. I have the subdomains set-up with DNS provider just need to configure Traefik. Any help would be much appreciated.

[mlai]

Any step by step?

[giopas]

Hi,

Few months ago I tried to set up Traefik with the fantastic support of Celena-007. Unfortunately I stopped at the end as Traefik was still not fitting all my requirements.

However I think it is time to share some information, as I remember (I may have skipped some steps, in case please tell me and I will clarify).

Important note
As Traefik in intended to work as a reverse proxy on port 80 (and 443 if needed), the easiest way to do not interfere with the built-in QTS apache service is to make Traefik listening on a specific network interface (e.g. 192.168.1.09) and make the built-in QTS apache running on the other(s) (e.g. 192.168.1.10).

This means that - in the easiest situation - you will have to run Traefik on a NAS having at least 2 ethernet ports.

Installation

1. on QTS activate the "service binding" feature and exclude ALL services from the interface where Traefik will run.

2. from the general settings panel of QTS, ensure the NAS WebUI is not accessible from port 80 (nor 443)

3. change built-in QTS apache service to listen on a specific interface. To do so, from an SSH terminal, modify /etc/config/apache/apache.conf to obtain the line below:

Code: Select all

Listen 192.168.1.10:80

4. install Traefik (pay attention to download the right x32 or x64 version otherwise it does not work!)

5. as suggested by Celena-007 the easiest is to separate the config file (traefik.toml) with the server one (servers.toml) of Traefik which will be available on /opt/Traefik/.

I will attach here a simple configuration file, knowing that you are of course free to read, adjust and add additional parameters (I have only configured the plain HTTP part):

Code: Select all

################################################################
# Global configuration
################################################################

# Entrypoints definition

[entryPoints]
	[entryPoints.http]
		address = "192.168.1.9:80"
#       [entryPoints.https]
#               address = "192.168.1.9:443"
#	[entryPoints.http.redirect]
#		entryPoint = "https"
#	[entryPoints.https]
#		address = "192.168.1.9:443"
#	[entryPoints.https.tls]
#	[[entryPoints.https.tls.certificates]]
#	CertFile = "/opt/Traefik/certificate.crt"
#	KeyFile = "/opt/Traefik/certificate.key"

# Traefik logs file
# If not defined logs to stdout

traefikLogsFile = "traefik.log"

################################################################
# Web configuration backend
################################################################

# Enable web configuration backend
#
# Optional
#
	[web]

# Web administration port
#
# Required
#
	address = "127.0.0.1:8088"

# SSL certificate and key used
#
# Optional
#
# CertFile = "traefik.crt"
# KeyFile = "traefik.key"
#
# Set REST API to read-only mode
#
# Optional
	ReadOnly = false

################################################################
# File configuration backend
################################################################

# Enable file configuration backend
#
# Optional
#
	[file]

# Rules file
# If defined, traefik will load rules from this file,
# otherwise, it will load rules from current file (cf Sample rules below).
#
# Optional
#
	filename = "servers.toml"

# Enable watch file changes
#
# Optional
#
	watch = true

The following is the servers.toml:

Code: Select all

loglevel = "DEBUG"

[backends]

## QTS access
[backends.server1]
        [backends.server1.servers.server1]
            url = "http://192.168.1.10:8080"
[backends.server2]
        [backends.server2.servers.server1]
            url = "http://127.0.0.1:8080"

## Traefik WebUI
[backends.traefik]
        [backends.traefik.servers.server1]
            url = "http://127.0.0.1:8088"

## Router
[backends.router]
        [backends.router.servers.server1]
            url = "http://192.168.1.1"

# Other apps
[backends.keybox]
        [backends.keybox.servers.server1]
            url = "http://127.0.0.1:58000"
[backends.sonarr]
        [backends.sonarr.servers.server1]
            url = "http://127.0.0.1:8989"
[backends.couchpotato]
        [backends.couchpotato.servers.server1]
            url = "http://127.0.0.1:5050"
[backends.transmission]
        [backends.transmission.servers.server1]
            url = "http://127.0.0.1:9091"
[backends.jackett]
        [backends.jackett.servers.server1]
            url = "http://127.0.0.1:9117"
[backends.cardigann]
        [backends.cardigann.servers.server1]
            url = "http://127.0.0.1:5060"
[backends.plex]
        [backends.plex.servers.server1]
            url = "http://127.0.0.1:32400"

## External sites
[backends.pastebin]
        [backends.pastebin.servers.server1]
            url = "http://pastebin.com"

[frontends]

## QTS access
[frontends.server1]
    backend = "server1"
    entrypoints = ["http"]
        [frontends.server1.routes.server1_1]
        rule = "Host:server1.mydomain.com"
[frontends.server2]
    backend = "server2"
    entrypoints = ["http"]
        [frontends.server2.routes.server2_1]
        rule = "Host:server2.mydomain.com"

## Traefik WebUI
[frontends.traefik]
    backend = "traefik"
    entrypoints = ["http"]
        [frontends.traefik.routes.traefik_1]
        rule = "Host:traefik.mydomain.com"

## Router
    [frontends.router]
    backend = "router"
    entrypoints = ["http"]
        [frontends.router.routes.router_1]
        rule = "Host:router.mydomain.com"

## server2 installed applications
[frontends.keybox]
     backend = "keybox"
     entrypoints = ["http"]
         [frontends.keybox.routes.keybox_1]
         rule = "Host:keybox.mydomain.com"
[frontends.sonarr]
    backend = "sonarr"
    entrypoints = ["http"]
        [frontends.sonarr.routes.sonarr_1]
        rule = "Host:sonarr.mydomain.com"
[frontends.couchpotato]
   backend = "couchpotato"
    entrypoints = ["http"]
        [frontends.couchpotato.routes.couchpotato_1]
        rule = "Host:couchpotato.mydomain.com"
[frontends.transmission]
    backend = "transmission"
    entrypoints = ["http"]
        [frontends.transmission.routes.transmission_1]
        rule = "Host:transmission.mydomain.com"
[frontends.jackett]
    backend = "jackett"
    entrypoints = ["http"]
        [frontends.jackett.routes.jackett_1]
        rule = "Host:jackett.mydomain.com"
[frontends.cardigann]
    backend = "cardigann"
    entrypoints = ["http"]
        [frontends.cardigann.routes.cardigann_1]
        rule = "Host:cardigann.mydomain.com"
[frontends.plex]
    backend = "plex"
    entrypoints = ["http"]
        [frontends.plex.routes.plex_1]
        rule = "Host:plex.mydomain.com"

## External sites
[frontends.pastebin]
    backend = "pastebin"
    entrypoints = ["http"]
        [frontends.pastebin.routes.pastebin_1]
        rule = "Host:pastebin.mydomain.com"

6. restart the NAS (it is easier).

7. start Traefik (if it is not running already, it is also useful to see if there is a problem):

Code: Select all

[~] # /etc/init.d/Traefik.sh restart

8. on the router portforward requests to port 80 to 192.168.1.09.

9. from outside of your network (unless your router is smart enough to understand that you are actually requesting a local content), go to any of the addresses above and see if Traefik works.

I hope this is helpful. Please leave a feedback as I may want to try again later.

giopas

ps: I leave here a list of useful commands to understand if Traefik and QTS built-in apache are listening correctly on the right interfaces:

a) receive a list of available network interfaces and their ipv4 address:

Code: Select all

[~] # /sbin/ifconfig |grep -B1 "inet addr" |awk '{ if ( $1 == "inet" ) { print $2 } else if ( $2 == "Link" ) { printf "%s:" ,$1 } }' |awk -F: '{ print $1 ": " $3 }'

b) know which services are listening on port 80:

Code: Select all

[~] # lsof -Pnl +M -i4 |grep :80

c) know which services are using ports:

Code: Select all

[~] # lsof -i :80 | grep LISTEN

d) quickly see if apache.conf is well pointing to the right ip:

Code: Select all

[~] # cat /etc/config/apache/apache.conf |grep Listen

e) quickly see if Traefik is well pointing to the right ip:

Code: Select all

[~] # cat /opt/Traefik/traefik.toml |grep 80

f) quickly know if Traefik is running:

Code: Select all

[~] # ps aux |grep Traefik

[mlai]

Thank you very much! But are these instructions for the qpkg install? Or manual install onto the NAS?

[giopas]

This is for the configuration of Traefik. For the installation, use the qpkg provided by QNAP_Stephane as it will create all necessary to start.

Sent from my A0001 using Tapatalk

[QNAP_Stephane]

updated to 1.2.0.0

[giopas]

Thank you Stéphane !!!

Sent from my A0001 using Tapatalk

[mdhwoods]

This is for the configuration of Traefik. For the installation, use the qpkg provided by QNAP_Stephane as it will create all necessary to start.

Sent from my A0001 using Tapatalk

will this break the access to the qnap interface? I want to set a reverse proxy up but still maintain access to the qnap interface. I have 4 nics on my box so separating shouldn't be an issue.

Do i leave apache on port 80 but bound to ip 192.168.1.21 and leave the qnap interface on port 8080 and 443? This is the part that im a bit confused on. I do want my reverse proxy to be ssl also.

i would set built in web server to 192.168.1.21
i would set traefik to 192.168.1.22

Thanks

[giopas]

For access to QTS on port 8080 you should not have a problem. In relation to ssl, you should use a port other than 80, but I am afraid I cannot really help you out on this.

Also look at Browser Station, which gives you a quick way to access resources within your LAN from within a remote browser.

Sent from my A0001 using Tapatalk

[mdhwoods]

already using browser station, works well. im trying to give access to a few services running on my nas but do not want to open the ports on my firewall, nor have passwords sent plain text. so a reverse proxy is what I need.

[giopas]

The major problem would be ssl but if you manage to do so, please write here a quick how-to.

Sent from my A0001 using Tapatalk