[d33]

I wish I could like Traefik, but it really isn't easy.

The use case in our Hackerspace was to dispatch different Docker containers through our wild-card subdomains. Traefik is supposed to also automatically create TLS certificates. I had numerous problems with the Let's Encrypt functionality.

Debugging information is quite cryptic, the documentation seems all over to me, which is even more problematic given the number of breaking changes between 1.x and 2.x versions. The way you automatically configure things through Docker labels means that a simple typo can render your configuration ignored.

Also, plugging in Traefik to complex docker-compose projects such as Sentry or Gitlab is next to impossible, because of networking: whatever I tried, Traefik just couldn't pick up containers and forward to them unless I changed the definition of every single container in the docker-compose to include an extra network. I don't feel this should be this complex.

Sometimes I just feel that we should get back to using Nginx and write our rules manually. While the concept of Traefik is awesome, the way one uses it is extremely cumbersome.

[atombender]

I worked on a project last year where we tried using Traefik on Kubernetes together with Let's Encrypt certs. It worked... sometimes.

We had significant issues with Traefik not allocating or renewing certs, resulting in some painful outages. The worst part was that there was no workaround; when adding a new domain to an ingress, it was completely incomprehensible why Traefik wasn't requesting a cert, or indeed why it wasn't renewing older ones that were close to expiration. We filed GitHub issues with concrete errors, but they were never addressed. At the time, I tried to debug Traefik to understand how it worked and maybe chase down some of those bugs. I don't like to speak ill of other people's code — let's just say that peeking under the covers made me realize perfectly why Traefik was so brittle and buggy.

We eventually ditched Traefik in favour of Google Load Balancer ingresses, combined with Cert-Manager for Let's Encrypt, and this combination worked flawlessly out of the box despite not being a 1.0 release at the time. The beauty of this setup is that the control plane (cert and ingress configuration) is kept separate from the data plane (web server), so the two can be maintained and upgraded/replaced separately.

[simplecto]

Seems that when any popular project has lacking documentation this creates an opportunity for users to swoop in and own part of that story.

I did this with traefik and consequently many of my blog posts about it are my top visited pages.

And to be fair it the Traefik team invests in developer success and advocacy. They even send you swag for making contributions like popular posts.

I agree to parent posts though the docs lack concrete examples to take the ambiguity out. And debugging logs is painful sometimes.

[pibefision]

I second this. It's incredible complex to debug how Traefik understand it's configuration, and also documentation and examples over the internet are very confusing because the version 1.x vs 2.x changes.

[atombender]

Yep. I believe part of the wonkiness comes from the way the configuration is stored. They have this weird design where the config is mapped to key/value stores using an abstraction. You can use a TOML file, YAML file, Etcd, Redis, etc. If you use Let's Encrypt, it also uses this mechanism (e.g. Etcd) to store the state.

It ends up being confusing and brittle, and exposes the underlying store as an API (you can modify Etcd directly and the changes are picked up). There's no intermediate layer that validates or controls the lifecycle of the config or state. You can end up in a situation where you break Traefik by pushing an invalid configuration, for example.

[imtringued]

Can't they just take the text based format and create a config tool that reads TOML/YAML and then writes that configuration to etcd, redis or whatever else they support?

[kalev]

Ouch, we’re currently using nginx but recently switched one service to use traefik. I’m so afraid what you describe is what will bite us in the end. I wrote treafik instead of traefik in one of the labels and only noticed it after hours of debugging. When it works, it works great. But to get it in that state..

[viraptor]

I see where the op is coming from, but I found the debugging quite easy in practice. If something doesn't work, go to the traefik panel and find the element you're looking for. If it's not there, it's normally fairly obvious.

[fomine3]

I wish I can also see actual active configuration at the page. I feel it lacks some debug outputs.

[fuzzy2]

I actually have the same setup and it's working perfectly fine, even with my IPv4+6 specific address only config + lots of file-based configuration. I absolutely recommend using the TLS challenge with Let's Encrypt.

No problems with Docker (Compose) networks either, but I'm not using it with GitLab because I have enough IPs.

The biggest problem I see is the accumulation of certificates that will all be kept up-to-date, whether in use or not.

[zwayhowder]

I also have a working system that I found very easy (for me) to setup.

Recently it all came crashing down when an old domain I had expired and I was no longer able to update the DNS in Digital Ocean. The one - unused - domain failing stopped Traefik renewing all my certificates. But I'm also on 1.7 still and really should update to 2.x

[fuzzy2]

This type of configuration is _much_ more verbose on 2.x, especially if you want automatic HTTP→HTTPS redirects.

Also, Traefik 2.x still does not clean up the certificate store automatically.