Containerized Apps
These days it is very cost effective to rent a Virtual Private Server for a few dollars a month and host all your cloud apps in one single place. Back in the day I would host a Portainer console and a host of other docker containerized apps on a low end VPS instance and everything was OK, as far as I was concerned.
The setup worked fine, but I had to hard-code my VPS IP address and bookmark it to access my applications. Each app was served on a different port and, though workable, the setup lacked proper TLS certificates, and juggling the different apps' ports plus the IP address felt like a mess.
To make my deployed apps easier to track and reconfigure, more portable, and more secure, I decided to look into adding a simple reverse proxy. I also decided to buy a domain name to make the most out of the reverse proxy setup (cheaz.win).
Traefik to the Rescue
A reverse proxy is exactly what it sounds like: A proxy that sits between your apps and the Internet, and works in "reverse". It takes in a request, and by examining properties of the request, it dispatches the request to a target port.
Simple concept, but it is soooo useful in this day and age of cheaply hosting multiple apps running on a server. Thank you Linux, Docker, and low cost VPS vendors.
I decided to look into Traefik as it is a more recent modern reverse proxy and has some very good momentum behind it.
The tech savvy readers will say, yup, but Kubernetes does a lot of this for you, why do you need a reverse proxy? Well, I don't use Kubernetes for my own apps. It is not cost effective to run Docker if your budget is tight, and Kubernetes adds a layer of complexity that is not always welcomed for personal projects.
"What about Nginx?" others may add. Well, it gets a little harder, and we could argue back and forth about which one works best. If you want to use Nginx, it is a fine choice too, just not the one I picked for my own use.
The goal was to set up subdomains for each application, add basic authentication and TLS certificates, and handle all traffic to my server on the secure port 443.
How to get started
My approach, and the one I recommend people take, is to set up Traefik as a container on your VPS. This is the easiest way to get up and running, and it codifies the setup and makes it repeatable in case you need to move all your apps to another server.
The Traefik project maintains an official Docker image on Docker Hub. The setup is pretty straightforward and I may write a "Hello World" tutorial in the future, but there are a number of good tutorials on the web that walk you through the steps of creating the initial setup and show you how to configure apps on the server to use the services your Traefik container provides.
Here are a few options I enabled in my specific setup:
- Redirect all traffic to the secure port (443)
- I use the amazing (and free) Let's Encrypt service to sign my TLS certificate and mitigate spoofing (and man-in-the-middle attacks)
- Add a layer of Basic Authentication to selectively secure unprotected apps that are not meant to be used by unauthorized users
- Route traffic for a specific subdomain to the intended application's port
These options are pretty vanilla and trivial to set up when used with Docker containerized apps. In contrast to Nginx and maybe others, there is no need to go to the main Traefik configuration each time there is a need to onboard a new app. There is not even a need to go to the Traefik configuration to enable any of the options either. This is all done declaratively, using Docker labels on the individual app's configuration.
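The four options above, written out as a Compose file for Traefik 2. This is an added example, not the configuration running on my server: the hostnames, e-mail address, router and resolver names, image tags and the password hash are placeholders, and the port 80 redirect is set once on the Traefik entry point here rather than through labels.

```yaml
# Added example (docker-compose.yml). All names and values are placeholders.
services:
  traefik:
    image: traefik:v2.11               # assumption: any Traefik 2 release tag
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # route only containers that opt in
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Redirect everything that arrives on port 80 to HTTPS on 443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Let's Encrypt certificates via the TLS-ALPN-01 challenge
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./letsencrypt:/letsencrypt     # acme.json holds the private keys
      # The socket grants Docker API access, so treat this container as privileged
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

  blog:                                # public app: no ports published on the host
    image: ghost:5-alpine
    environment:
      url: https://blog.example.com
    labels:
      - traefik.enable=true
      - "traefik.http.routers.blog.rule=Host(`blog.example.com`)"
      - traefik.http.routers.blog.entrypoints=websecure
      - traefik.http.routers.blog.tls.certresolver=le
      - traefik.http.services.blog.loadbalancer.server.port=2368
    restart: unless-stopped

  whoami:                              # stand-in for an app with no login of its own
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=le
      - traefik.http.routers.whoami.middlewares=whoami-auth
      # htpasswd-format entry; each "$" is doubled so Compose does not expand it
      - traefik.http.middlewares.whoami-auth.basicauth.users=admin:$$2y$$05$$REPLACE_WITH_BCRYPT_HASH
```

Neither app publishes a port on the host, so the only way in is through Traefik on 443, and an app without the `traefik.enable=true` label is not routed at all. The Basic Authentication entry can be generated with `htpasswd -nB admin`, doubling every `$` before pasting it into the label.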
Sounds great. Right. So what's the catch? Well, I don't know if there is any catch. This thing works pretty much as advertised, it's easy to use, maintain, and provides a good deal of very useful features for those looking to host online applications.
I did run into one major issue when I moved from an old VPS instance to the one I am using now. In the process of setting up Traefik on the new server I found that Traefik 2 was the latest and greatest, and that was great, but my Traefik 1 configurations were not usable anymore, so I had to research how to redo all the configuration I previously had. Not the best experience, and I chalk it up to the fact that Traefik is a relatively recent project (circa July 2016), so version 2 was a way for them to apply the lessons learned from version 1 to make the product that much better.
Conclusion
Reading the above, you can guess my experience setting up Traefik has been pretty positive. Despite some minor issues, it has performed well and gives me what I was looking for when I started looking for a way to reverse proxy my apps.
Would I do this again? Yup, I think so. I now have a more secure, flexible and repeatable configuration. This was achieved with a short learning curve, no licensing costs and low complexity, and it clearly makes my life easier.
If you need to see a demo of Traefik in action, you don't have to look far. This blog is hosted on my VPS as a Ghost CMS container behind Traefik.