What is reverse proxying?
A reverse proxy server is a server that receives requests and forwards them to the appropriate backend services.
- The reverse proxy server receives an HTTP request that originated from the URL
- The server checks its configuration for any service that is configured to receive requests from
- If this service exists, the server will forward the traffic to this service
- If it doesn't exist, it will just return a 404 Not Found HTTP status code
Why use Traefik for reverse proxying?
Nginx is a popular reverse proxy, known for its high performance and stability. Many have fiddled with it as a web server before, and it's quite easy to configure as a reverse proxy. The downside is that the freemium version lacks health checks, JWT authorization, real-time metrics and dynamic reconfiguration without reloads. This is due to F5's commercial offering, Nginx Plus.
HAProxy is another well-known reverse proxy and load balancer. It has DNS-based service discovery, soft configuration reload, health checking, tons of detailed metrics, and more. It also has a fairly good reputation for on-premise Kubernetes clusters, as the developers prioritize optimization, resource efficiency and high-speed networking.
Traefik is a relatively new (released in 2016) edge router, which was created with microservices in mind. A key feature in Traefik is configuration discovery, where Traefik will query a provider API, such as the Docker API, to find relevant information and configure the routing. If you make changes to the configuration or labels on a Docker container, it will dynamically update Traefik's routing configuration. You can read more about this here.
Since Docker is the central component in my homelab setup, and the features that are offered out of the box fit my use case quite nicely, it just makes sense to use Traefik in my case.
With Traefik, enabling reverse proxying for an application is as simple as adding three labels to the Docker container. If I need more middleware on a container, for instance to protect an app with SSO authorization, I can just add another label, and Traefik will enable this for that container.
Here are some neat features you get with Traefik:
- Auto service discovery using the Docker API
- Changes are reflected in real time (no manual config reloads needed)
- Configuration can be written in YAML
- Automatic certificate issuing using Let's Encrypt
- Metrics (Prometheus/REST)
- Tracing (Jaeger/ELK)
- Supports TCP/UDP
- Lots of built-in middleware for tweaking requests before they reach the service, such as circuit breakers, retry mechanisms, rate limiting and forwardAuth for JWT authorization.