- Cockpit: GUI administration for Linux - Thu, May 25 2023
- Install and configure Traefik on Docker - Mon, May 8 2023
- Traefik: Reverse proxy for Docker - Thu, Apr 20 2023
What is a reverse proxy?
A reverse proxy and a forward proxy are both types of proxy servers, but they function in opposite ways. A forward proxy, also known as a regular proxy, sits between a client device and the internet, intercepting and forwarding client requests to external servers. A reverse proxy, on the other hand, sits between the internet and one or more backend servers, intercepting and forwarding client requests to the appropriate backend server.
What is Traefik?
Traefik is a reverse proxy that sits at the edge of your container network and routes requests to the right backend apps and services. The backend services do not have to be exposed to the outside world. Using a few rules, Traefik will determine which traffic corresponds to a particular backend container, and route the traffic accordingly. Traefik supports native integration with other container environments, such as Docker, Docker Swarm, Kubernetes, and Apache Mesos.
Traefik features
Aside from the benefits of a regular reverse proxy, such as SSL termination and host access control, a Docker-compatible reverse proxy like Traefik comes with some extra advantages. The ability to extract information natively from the Docker socket makes Traefik a compelling choice over other solutions, such as NGINX. Some of the benefits of using Traefik are:
Built-in load balancing
One of the areas in which Traefik shines is load balancing. If a service has more than one container, all traffic to that service will hit Traefik as an edge router first. Traefik will automatically distribute the traffic evenly over all healthy containers for that service. This behavior is built in and does not require special configuration. However, Traefik also allows you to modify its behavior for more advanced load-balancing capabilities.
Easy scaling of services and workloads
Traefik can automatically detect changes in the environment and adjust its routing and load-balancing strategies accordingly. For example, if a new service or workload is added, Traefik can detect it and start routing traffic to it immediately. Similarly, if a service or workload is removed, Traefik can detect it and stop routing traffic to it. The same cannot be said for other reverse proxy solutions, such as NGINX, out of the box.
Minimal configuration
Compared to other reverse proxies, such as NGINX and Apache HTTP Server, Traefik is known to require minimal to no extra configuration to manage routes and enable features. For example, it takes one statement to enable JSON logging in Traefik, while it takes multiple related lines to set up the same feature in NGINX. Also, there's no need to maintain a separate and sometimes complicated list of routing rules. Auto-service discovery means you can set your labels and not have to go into Traefik to make further adjustments to have those services proxied.
Centralized authentication
Traefik can also manage basic authentication to your apps. If enabled and configured, users of your app will be presented with a login prompt by Traefik when they attempt to access the app. Traefik can differentiate the authentication requirements per service by the labels that are applied to the services. Traefik then regulates access accordingly. To enable basic authentication, you can use the BasicAuth middleware. Traefik provides a list of middleware that can be combined to define the processes through which traffic must pass before it reaches destination apps. However, for more complex authentication, Traefik supports ForwardAuth as middleware, which allows you to outsource authentication to third-party solutions such as Dex, Google, and other OpenID providers.
Centralized metrics, logs, and monitoring
Another huge advantage of using a central edge router like Traefik is that all traffic, by design, enters through the Traefik container. This means that you can easily monitor, measure, and log everything that comes into your apps from a single point. Traefik comes with a built-in visual dashboard that enables you to view the state of access to proxied apps, including the health of the services and error rates. You can view logs about your apps and even persist them to external logging solutions or files. Metrics can also be shipped to external solutions, such as Prometheus, for more advanced visualization.
Automatic SSL termination
Regular reverse proxies allow you to slap a certificate on the proxy such that even if your app does not support encrypted transport, it will be able to present an HTTP connection to the outside world courtesy of the reverse proxy. In addition to this standard feature, Traefik can interface with Let's Encrypt to provide automatically renewable SSL certificates for your applications. Engineers are less burdened with maintaining valid HTTPS for apps, and users are more confident and protected when accessing your services. Win–Win!
Traefik limitations and downsides
While Traefik is a popular and powerful tool for managing reverse proxy and load-balancing functionality, it is not without limitations and downsides. Here are some of the most common ones:
Complexity
Even though you can work with minimal configuration, Traefik is a complex tool that requires a certain level of technical knowledge to set up and configure properly. Even with minimal configuration, you still need to have an understanding of the syntax to set up labels appropriately. You also need to understand various terms in Traefik's context, such as entrypoints, routers, and providers. This can be a barrier to entry for some users, especially those who are new to containerization and networking.
Performance overhead
While Traefik is known for its performance and scalability, it still adds a layer of overhead to the network stack, which can impact performance in certain scenarios. Compared to NGINX or even HAProxy, Traefik is known to have worse performance where raw proxying speed is a concern. If you cannot stand the dip in performance and are willing to put up with more complex configurations and a lack of native platform integration features, you should consider NGINX for high-performance reverse proxying.
Resource consumption
Traefik requires a certain amount of resources, such as CPU and memory, to run efficiently. This means that it may not be suitable for low-resource environments, such as small devices or low-powered servers.
Lack of advanced features
While Traefik provides many advanced features, such as load balancing and automatic SSL certificate management, it may not offer all the features that some organizations require, such as advanced traffic shaping or content filtering.
Limited support options
While Traefik has an active and helpful community of users and developers, it may not offer the same level of support options as commercial solutions, such as dedicated support teams or guaranteed response times.
Conclusion
In conclusion, Traefik is a solid choice for a reverse proxy and load balancer in containerized environments and microservices-based architectures. Its ability to work seamlessly with modern containerization platforms and provide some advanced features, such as automatic service discovery and dynamic routing, makes it a popular choice among developers. However, while Traefik has many benefits, it also has a few limitations that should be considered before it is implemented. These include performance overhead and the need for additional configuration for certain use cases. Nevertheless, with its ease of use and configuration options, Traefik remains a reliable and efficient solution for many organizations looking to manage their applications in a containerized environment.
Subscribe to 4sysops newsletter!
In my next post, I will outline how to install Traefik on Docker.