Full working example of Traefik configuration for a SSL service with file (or Docker) provider

I'll chime in here and share my experience approaching Traefik for the first time and trying to get things running by reading the docs.. I understand everyone's implementation and use cases vary wildly and that Traefik has a large variety of configurations, I think this adds to the trouble...

I share Rodrigo's frustration and the desire to have a "full working example" - In such a large and fast moving space, I understand the difficulties in providing these examples.

For what it's worth, here is my experience:

I'm running java microservices in an Azure Service Fabric Cluster. Microsoft recommended we use Traefik as our Ingress Gateway/Router vs the Azure App Gateway as Service Fabric is a bit too dynamic for the App Gateway. The Azure App gateway seems to lose track of the Service Fabric services as it doesn't query the SF API directly, it relies on static routing.

The docs provided about the service fabric provider point here: https://docs.traefik.io/configuration/backends/servicefabric/

This page outlines how the Service Fabric Provider works in general and sends you off to another github repo if you want to do more:

(Side note - This repo has now been marked as read-only and I see no mention of Service Fabric in the v2.0 beta documentation)

This documentation walks you through 3 configuration scenarios...

Unfortunately, none of these will work for me as I'm using a LINUX service Fabric Cluster, not a Windows Cluster as most examples point out. There are quite a few differences in how Service Fabric Linux is configured vs Service Fabric Linux.

There are docs for Linux, yes.. But I'm using Visual Studio to publish to Linux... I'm not using sfctl, or docker in this case as it's not recommended.

Now, I don't need everything handed to me on a silver platter to get something to work, but this still leaves me where I have no working example to build on... I can't deploy the provided sample to Linux, it won't even run there..

So I spent a ton of time figuring out how to deploy/run and configure Traefik to run in Linux on Service Fabric. I was able to get it to run, but unable to get it to connect to service fabric at all.. A few days later I figured out that I needed to add a read-only localhost certificate to my service fabric cluster and use this certificate to connect. I was running Traefik as another application inside my cluster, so it connects via http://localhost, hence, that's the cert it needs.

I shared this with others once I figured it out: Deploying Traefik on a Linux Service Fabric cluster - #6 by solidcloudio - Traefik v1 - Traefik Labs Community Forum

So, I was able to get it to run and to connect and discover services.. Now to trying to figure out the routing.. This part of the documentation is tough.. If you look at the service fabric page it lists a set of "supported labels"

https://docs.traefik.io/configuration/backends/servicefabric/

Problem with this is I have NO IDEA what labels I need, they are all described somewhat, but still no working examples.. IE, what's the minimum number of labels I need to get routing to work?

So, I tried the PathPrefixStrip Rules, saw how they work, tried other rules, tried multiple rules... I still can't figure out the routing:

(crickets there...)

So, I got some basic routing to work, One PathPrefix per service at least gets me going.. I can route through the gateway to some basic services.. This seems like a big challenge in the docs, some routing samples.. IE, how can I handle routing /test1 & /test1/health & /test1/info re-writing the url for health and info to /health /info, but still routing to the right service.. everything seems to break when I apply more than one rule. Actual rule samples here might help, not just describing how all the matchers and modifiers work. I can't seem to find a single sample of how to use the RegEx Matcher/Modifiers, what does the regex syntax need to look like? A working sample?

Now I need to look at SSL..

This is another can of worms.. The docs talk all about using Let's Encrypt..

This is one of the most confusing websites I've ever seen, I can't find any way to "sign up". It seems all the ACME configurations use a login to Let's Encrypt. I don't want to "generate a certificate", I already have a certificate. So this makes 80% of the v1.7 samples that use Let's Encrypt worthless to me. I need some samples using my own certificates.. No, I didn't get real deep into the docs, it doesn't seem like something I want to use.

It wants me to install Certbot? - I don't want to install anything on the Linux Service Fabric nodes! What is this, amateur hour? Since when do I install random software to issue certs on my cluster images?

I already have a certificate, from a CA, I just want to use that.

So I extracted my certs, added the configuration section..

Now all my routing fails.. The cert shows up with a lock and shows it's valid in the browser, but all the routing fails, returns 404s and says "backend not found"

So, I've spent 2 weeks working on getting a sample to work, I still don't have routing working right, the SSL doesn't seem to work, my questions go un-answered, and most of the documentation is worthless as it doesn't apply.

One of the challenges of my configuration also, is the base endpoint configuration is in the TOML, but the backend configuration is dynamically discovered.. So, again most of the samples that use the [file] moniker are worthless to my use case..

I think this all comes down to the TOML configuration. I don't understand this markup language, maybe others are familiar with it, but it feels like a non-typed, schema-less, yaml like mess.. In many of the samples I've seen there are variations like this:

traefik.toml

logLevel = "INFO"
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"

Another sample:
https://www.grzegorowski.com/traefik-proxy-development-server-self-signed-ssl/

This one uses:

[entryPoints]
  [entryPoints.httpSSL]
  address = ":4000"
    [entryPoints.httpSSL.tls]
    [entryPoints.httpSSL.tls.defaultCertificate]
      certFile = "/certs/cert.crt"
      keyFile = "/certs/cert.key"

Then a configuration from the docs
https://docs.traefik.io/configuration/entrypoints

This one uses:

[entryPoints]
  [entryPoints.http]
    address = ":80"
    compress = true

    [entryPoints.http.whitelist]
      sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
      useXForwardedFor = true

    [entryPoints.http.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384"
       ]
      [[entryPoints.http.tls.certificates]]
        certFile = "path/to/my.cert"
        keyFile = "path/to/my.key"
      [[entryPoints.http.tls.certificates]]
        certFile = "path/to/other.cert"
        keyFile = "path/to/other.key"
      # ...
      [entryPoints.http.tls.clientCA]
        files = ["path/to/ca1.crt", "path/to/ca2.crt"]
        optional = false

How can it be valid to set certificates for:

[entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]

[entryPoints.httpSSL.tls]
    [entryPoints.httpSSL.tls.defaultCertificate]

and this last sample.. adding all this to HTTP???
https://www.grzegorowski.com/traefik-proxy-development-server-self-signed-ssl/
(somehow it does show up in the Traefik UI httpSSL... I'm not using a self signed cert, and I'm not using docker, so most of this post doesn't apply.)

Is there a type definition or data dictionary for valid entries in the TOML file? Maybe that would help, because without this we have to try and find working samples somewhere, and they are all pretty different. I don't know what "monikers" are valid and which ones aren't.

None of this explains why my routing would fail when I start using TLS, or why I can't configure more than one routing rule without breaking the others..

Each "provider" in the documentation seems to introduce its own set of configuration metadata, so any samples you find aren't specific to your context. I find tons of samples using docker, using Kubernetes, etc, but most aren't relevant.

So, after 2 weeks, I'm about to give up on Traefik, I can't get everything to work the way I need it to, my questions go un-answered. -- most of the samples, blog posts, etc don't apply because the space is so large. I'm not using docker, I'm not using Let's Encrypt, My configuration is split between TOML and service fabric.. It's really quite complex to set this up other than a simple demo.

Most Engineers can "figure stuff out" by trial and error, but it helps to have something that works in your context, as basic as it needs to be, and build on it.. I couldn't even get a working configuration for a few weeks, that's why I understand the original post here..

I don't have "working samples" for the routing I need to do, and no way to troubleshoot why my SSL isn't working. There isn't any support here, we all just hope somebody knows something. (Gotta love open source) Problem is most of us use different contexts so it's hard to get something that works for everybody or somebody in the forum that understands your context.

Even the stack overflow page Newest 'traefik' Questions - Stack Overflow
Everyone's questions go unanswered... There are literally no responses...

My time is too valuable to spend 2-3 weeks trying to get this to work.
At this point I'd pay for a better product, or some support even...
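
Added example, not part of the original post and not Traefik's own code: the three `entryPoints` variants quoted above differ only in TOML structure, where the name after `entryPoints.` is an arbitrary key, `[[...certificates]]` is an array of tables and `[...defaultCertificate]` is a single table. The Python sketch below parses a constructed file that merges the three variants and reports, per entry point, whether a `tls` table is present (treated here, as an assumption, as "TLS enabled") plus two hardening findings; `audit` and `SAMPLE` are hypothetical names.

```python
try:
    import tomllib              # standard library, Python 3.11+
except ImportError:             # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed input: the three entryPoints variants quoted in the post, merged.
SAMPLE = """
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"
  [entryPoints.httpSSL]
  address = ":4000"
    [entryPoints.httpSSL.tls]
    [entryPoints.httpSSL.tls.defaultCertificate]
      certFile = "/certs/cert.crt"
      keyFile = "/certs/cert.key"
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.tls]
      minVersion = "VersionTLS12"
      cipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      "TLS_RSA_WITH_AES_256_GCM_SHA384"]
      [[entryPoints.http.tls.certificates]]
        certFile = "path/to/my.cert"
        keyFile = "path/to/my.key"
"""

def audit(toml_text):
    """Return {entry point name: summary dict} for every entry point."""
    report = {}
    for name, ep in tomllib.loads(toml_text).get("entryPoints", {}).items():
        tls = ep.get("tls")      # assumption: a tls table means TLS is on
        info = {"address": ep.get("address"), "tls": tls is not None,
                "certs": 0, "findings": []}
        if tls is not None:
            # count both the array-of-tables form and the single default form
            info["certs"] = (len(tls.get("certificates", []))
                             + int("defaultCertificate" in tls))
            if "minVersion" not in tls:
                info["findings"].append("no minVersion set")
            # TLS_RSA_* suites use RSA key exchange: no forward secrecy
            info["findings"] += [s + ": no forward secrecy"
                                 for s in tls.get("cipherSuites", [])
                                 if s.startswith("TLS_RSA_")]
        report[name] = info
    return report
```

Calling `audit(SAMPLE)` shows all three entry points as TLS-enabled regardless of their names, including the one called `http` on `:80`.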