High CPU Load Issue with Traefik on Debian Server: Seeking Configuration Tips

Hello everyone,

I'm relatively new to Traefik and I'm facing a puzzling issue with my Debian server setup, particularly concerning Traefik and its CPU load. Here's a summary of the issue and the configuration details:

Server Specifications:

  • Dedicated Debian server
  • AMD EPYC 6 cores
  • 16 GB RAM

Issue Overview:

  • I've noticed that Traefik's CPU load is unexpectedly high, especially when handling small sites and WordPress instances. For instance, the Traefik dashboard alone consumes up to 600% CPU load and has a long response time.
  • Despite all SSL certificates being valid, I suspect there might be a TLS configuration error.
  • Traefik is containerized using Podman, and all websites are also containerized.

Observations:

  • WordPress sites seem to particularly strain the server, often causing it to struggle even with a single request.

Configuration Files:
Here are the relevant compose and configuration files:

  1. Compose.yml for Portainer behind Traefik
version: "3.8"

services:
  traefik:
    container_name: traefik
    image: "traefik:latest"
    command:
      # Configuration for Traefik
      - --api.dashboard=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --providers.docker
      - --log.level=ERROR
      - --certificatesresolvers.myresolver.acme.httpchallenge=true
      - --certificatesresolvers.myresolver.acme.email=admin@example.com
      - --certificatesresolvers.myresolver.acme.storage=./acme.json
      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
      - --providers.file.directory=/etc/traefik/traefik.d
    networks:
      - traefik
    ports:
      - "80:80"
      - "443:443"
    restart: unless-stopped
    volumes:
      - "/run/user/1001/podman/podman.sock:/var/run/docker.sock:ro"
      - "./traefik.d:/etc/traefik/traefik.d"
      - "./acme.json:/acme.json"
    labels:
      # Traefik dashboard configuration
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`proxy.example.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth@file"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
  portainer:
    container_name: portainer
    networks:
      - traefik
    image: portainer/portainer-ce:latest
    command: -H unix:///var/run/docker.sock  # Connect to Docker socket
    restart: always
    volumes:
      - /run/user/1001/podman/podman.sock:/var/run/docker.sock
      - portainer_data:/data
    labels:
      # Traefik configuration for Portainer
      - "traefik.enable=true"
      - "traefik.http.routers.frontend.rule=Host(`container.example.com`)"
      - "traefik.http.services.frontend.loadbalancer.server.port=9000"
      - "traefik.http.routers.frontend.service=frontend"
      - "traefik.http.routers.frontend.tls=true"
      - "traefik.http.routers.frontend.tls.certresolver=myresolver"
      - "traefik.http.routers.edge.rule=Host(`edge.example.com`)"
      - "traefik.http.services.edge.loadbalancer.server.port=8000"
      - "traefik.http.routers.edge.service=edge"
      - "traefik.http.routers.edge.tls=true"
      - "traefik.http.routers.edge.tls.certresolver=myresolver"
volumes:
    portainer_data:

networks:
  traefik:

  2. Compose.yml for a Simple Website
version: '3.8'
name: example2
services:
  lighttpd:
    image: jitesoft/lighttpd:latest
    networks:
    - example2
    ports:
    - ':80'
    - ':443'
    volumes:
    - ./html:/var/www/html:ro
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.example2.rule=Host(`example2.com`) || Host(`www.example2.com`)"
#    - "traefik.http.routers.example2.middlewares=redirect-to-non-www@file, auth@file"
    - "traefik.http.routers.example2.tls=true"
    - "traefik.http.routers.example2.tls.certresolver=myresolver"

networks:
  example2:

Middleware

http:
  middlewares:
    redirect-to-non-www:
      redirectRegex:
        regex: "^https://www\\.(.*)"
        replacement: "https://${1}"
        permanent: true
    auth:
      basicAuth:
        users:
          - "name:password"

Traefik Log:

time="2024-02-29T07:13:14Z" level=info msg="Configuration loaded from flags."

As a beginner, I'd greatly appreciate any configuration tips or insights into resolving this issue. Specifically, I'm curious about the most resource-efficient way to configure Traefik. Would the HTTP challenge, TLS challenge, or SSL challenge be the best approach in terms of resource savings and overall efficiency?

I've been delving into logs and configurations, but I haven't been able to pinpoint the root cause. Any suggestions or guidance on troubleshooting and resolving this issue would be immensely helpful!

Thank you for your assistance.

Can you run your setup with Docker instead of Podman? It could be there are incompatibilities with the Podman socket.

Thank you for your reply!
I honestly think it's not a problem related to Podman. I've never had any compatibility issues with it, and the rootless approach is a mandatory advantage for me.
So, are the config files looking good?

Best regards

Edit:
I tested the same configuration on Docker in my local test lab. On a single-core VM the dashboard generates 100% load for about 5 seconds until the page is loaded. So about the same problem. That behavior is not expected, right?

I've found the issue. Apparently, I applied excessive encryption with bcrypt on a long password for basicauth. I used the recommended method (htpasswd) to generate my password for the basic auth middleware and chose a shorter one, now everything runs fine.
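The resolution above comes down to the cost factor of the bcrypt hash: Traefik's basicAuth middleware has to verify the stored hash on every request it authenticates, and bcrypt's work grows as 2^cost, so a hash generated with a high cost turns each dashboard or site request into a deliberately slow computation. A practitioner would want to check the `users` list before deploying it. The script below is an added example, not code from the thread or from the Traefik project: it parses htpasswd-style entries, recognises the formats Traefik's basicAuth accepts (bcrypt, apr1 MD5, {SHA}), extracts the bcrypt cost, and flags entries whose cost exceeds a threshold. The `max_cost` default of 10 is an assumption for illustration, and the sample entries are constructed so that they are syntactically valid but were not derived from any real password.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed htpasswd-style entries for illustration only. The hashes are
# syntactically valid but were NOT produced from a real password.
SAMPLE_USERS = [
    "alice:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # bcrypt, cost 5
    "bob:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234",    # bcrypt, cost 10
    "carol:$2y$16$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # bcrypt, cost 16
    "dave:$apr1$saltsalt$abcdefghijklmnopqrstuv",                           # apr1 MD5 (htpasswd default)
    "erin:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=",                               # unsalted SHA1
    "frank:plaintextpassword",                                              # not a hash at all
]

# bcrypt: $2a$/$2b$/$2y$ prefix, two-digit cost, 22-char salt + 31-char hash (53 chars).
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
# apr1: Apache's MD5-based scheme, salt up to 8 chars, 22-char hash.
APR1_RE = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")
# {SHA}: base64 of a raw SHA1 digest (20 bytes -> 27 chars + '=').
SHA_RE = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")


@dataclass
class Finding:
    user: str
    scheme: str
    cost: Optional[int]  # bcrypt cost factor, None for other schemes
    note: str            # starts with "ok" when nothing needs attention


def classify(entry: str, max_cost: int = 10) -> Finding:
    """Identify the hash scheme of one 'user:hash' entry and flag costly bcrypt."""
    user, sep, hashed = entry.partition(":")
    if not sep or not user:
        return Finding(user or "?", "invalid", None, "entry is not in 'user:hash' form")
    m = BCRYPT_RE.match(hashed)
    if m:
        cost = int(m.group(1))
        if cost > max_cost:
            note = (f"bcrypt cost {cost} means 2^{cost} rounds on every "
                    f"authenticated request; consider a cost <= {max_cost}")
        else:
            note = "ok"
        return Finding(user, "bcrypt", cost, note)
    if APR1_RE.match(hashed):
        return Finding(user, "apr1-md5", None, "ok (cheap to verify)")
    if SHA_RE.match(hashed):
        return Finding(user, "sha1", None, "ok (cheap to verify, but unsalted)")
    return Finding(user, "unknown", None, "not a recognised htpasswd hash format")


def lint(entries: List[str], max_cost: int = 10) -> List[Finding]:
    """Return only the entries that need attention."""
    return [f for f in (classify(e, max_cost) for e in entries) if not f.note.startswith("ok")]


def escape_for_compose_label(entry: str) -> str:
    """Double every '$' so the hash survives variable interpolation in a
    docker-compose label (not needed in a file-provider YAML like the
    'auth' middleware in this thread)."""
    return entry.replace("$", "$$")


if __name__ == "__main__":
    for f in lint(SAMPLE_USERS):
        print(f"{f.user}: {f.scheme} -> {f.note}")
```

Run it against the `users` list of the `auth` middleware before reloading Traefik; anything reported as bcrypt with a high cost is a per-request CPU sink on every protected router, which is exactly the symptom described for the dashboard. The `escape_for_compose_label` helper is there because the same hash, when placed in a compose `labels:` entry instead of the file provider, needs its dollar signs doubled.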
