Deploy Traefik Reverse Proxy on RamNode VPS - Complete Guide

Why Choose Traefik?

Traefik is a modern, cloud-native edge router that makes deploying microservices easy. It automatically discovers services, handles SSL certificates via Let's Encrypt, and provides powerful routing capabilities with minimal configuration.

Key Features

• Automatic service discovery
• Native Docker integration
• Automatic SSL with Let's Encrypt
• Load balancing & health checks
• Middleware support (auth, rate limiting)
• Real-time metrics & monitoring

Use Cases

• Microservices architecture
• Multiple web applications
• Automated SSL management
• Load balancing
• API gateway
• Development environments

Prerequisites

Before beginning, ensure you have:

Requirements

• RAM: 1GB minimum (2GB recommended)
• Storage: 20GB minimum
• OS: Ubuntu 22.04 LTS or newer
• Access: Root or sudo privileges
• Domain: Domain name(s) with DNS configured
• Ports: 80, 443, and 8080 available

Initial Server Setup

Update your system and install essential packages:

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl wget git ufw

Configure the firewall:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 8080/tcp
sudo ufw --force enable

Install Docker

Install Docker and Docker Compose:

# Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

# Add current user to docker group
sudo usermod -aG docker $USER

# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

# Verify installation
docker --version
docker-compose --version

Note: Log out and back in for group changes to take effect.

Create Docker Network

Create a dedicated Docker network for Traefik:

docker network create traefik-network

This network allows Traefik to communicate with your containers.

Traefik Installation

Create a directory structure for Traefik:

mkdir -p ~/traefik
cd ~/traefik
mkdir -p config data
touch docker-compose.yml
touch config/traefik.yml
touch config/dynamic.yml
touch data/acme.json
chmod 600 data/acme.json

Configuration Files

Create the main Traefik configuration file:

# config/traefik.yml
api:
  dashboard: true
  insecure: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt

certificatesResolvers:
  letsencrypt:
    acme:
      email: your-email@example.com
      storage: /data/acme.json
      httpChallenge:
        entryPoint: web

providers:
  docker:
    network: traefik-network
    exposedByDefault: false
  file:
    filename: /config/dynamic.yml
    watch: true

log:
  level: INFO

accessLog:
  filePath: /logs/access.log

Create the Docker Compose file:

# docker-compose.yml
version: '3.8'

services:
  traefik:
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-network
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/traefik.yml:ro
      - ./config/dynamic.yml:/config/dynamic.yml:ro
      - ./data/acme.json:/data/acme.json
      - ./logs:/logs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.your-domain.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
    environment:
      - TZ=America/New_York

networks:
  traefik-network:
    external: true

SSL with Let's Encrypt

Traefik automatically handles SSL certificates. Update your email in the configuration:

# Edit config/traefik.yml
nano config/traefik.yml

# Change:
email: your-email@example.com

SSL Features

• Automatic certificate issuance
• Auto-renewal before expiration
• HTTP to HTTPS redirect
• Wildcard certificate support
• Multiple domain support

Secure Traefik Dashboard

Create basic authentication for the dashboard:

# Generate password hash
sudo apt install -y apache2-utils
htpasswd -nb admin your-secure-password

# Output example:
# admin:$apr1$xyz...

Add authentication middleware to dynamic.yml:

# config/dynamic.yml
http:
  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - "admin:$apr1$xyz..."  # Replace with your generated hash
    
    security-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000

Start Traefik:

docker-compose up -d

# Check logs
docker logs traefik -f

Deploying Services Behind Traefik

Example: Deploy a simple web application:

# example-app/docker-compose.yml
version: '3.8'

services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    networks:
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`app.your-domain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  traefik-network:
    external: true

Deploy the service:

docker-compose up -d

Middleware Configuration

Add powerful middleware for various use cases:

# config/dynamic.yml
http:
  middlewares:
    # Rate limiting
    rate-limit:
      rateLimit:
        average: 100
        burst: 50
    
    # Compression
    gzip:
      compress: {}
    
    # IP whitelist
    ip-whitelist:
      ipWhiteList:
        sourceRange:
          - "192.168.1.0/24"
          - "10.0.0.0/8"
    
    # Redirect www to non-www
    redirect-www:
      redirectRegex:
        regex: "^https://www\.(.+)"
        replacement: "https://${1}"
        permanent: true
    
    # Custom headers
    custom-headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        customResponseHeaders:
          X-Custom-Header: "value"

Apply middleware to a service:

labels:
  - "traefik.http.routers.myapp.middlewares=rate-limit@file,gzip@file"

Load Balancing

Scale services with automatic load balancing:

# docker-compose.yml with scaling
services:
  app:
    image: your-app:latest
    deploy:
      replicas: 3
    networks:
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.your-domain.com`)"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls.certresolver=letsencrypt"
      - "traefik.http.services.app.loadbalancer.server.port=80"
      - "traefik.http.services.app.loadbalancer.sticky.cookie=true"
      - "traefik.http.services.app.loadbalancer.healthcheck.path=/health"
      - "traefik.http.services.app.loadbalancer.healthcheck.interval=10s"

Scale the service:

docker-compose up -d --scale app=3

Monitoring & Logs

Monitor Traefik and your services:

# View Traefik logs
docker logs traefik -f

# View access logs
tail -f ~/traefik/logs/access.log

# Check service status
docker ps

# View Traefik dashboard
# https://traefik.your-domain.com

Monitoring Options

• Built-in dashboard with real-time metrics
• Prometheus metrics endpoint
• Access logs for traffic analysis
• Health check endpoints
• Integration with monitoring tools

Troubleshooting Common Issues

Certificate not issued

Check Let's Encrypt logs and DNS configuration:

docker logs traefik | grep -i acme
# Verify DNS points to your server
dig +short your-domain.com

Service not routing

Verify service is on correct network:

docker network inspect traefik-network
docker logs traefik | grep -i "your-service"

502 Bad Gateway

Check service health and port configuration:

docker ps
docker logs your-service-name
# Verify port in labels matches container port

Dashboard not accessible

Verify authentication and DNS:

# Check Traefik logs
docker logs traefik | grep dashboard
# Verify firewall allows port 8080
sudo ufw status

Best Practices

Security

• Always use HTTPS (force redirect)
• Secure dashboard with authentication
• Regular security updates
• Use security headers middleware
• Implement rate limiting
• Monitor access logs

Performance

• Enable compression middleware
• Use health checks
• Configure proper timeouts
• Implement caching strategies
• Load balance multiple instances
• Monitor resource usage

Configuration

• Use environment variables
• Keep configuration in version control
• Document custom middleware
• Use meaningful service names
• Test changes in staging first
• Backup acme.json regularly

Operations

• Regular updates for Traefik
• Monitor certificate expiration
• Set up log rotation
• Regular backup of configuration
• Document deployment procedures
• Test disaster recovery

Ready to Deploy?

Get started with a RamNode Cloud VPS optimized for Traefik and containerized applications. Deploy your modern reverse proxy infrastructure today.

View Cloud VPS Plans More Deployment Guides