Traefik alternative

We are running a production cluster of 600 containers on docker swarm, but we are in the process of migrating to nomad.
We use Traefik 1.7 for load balancing. We are OK happy, but Traefik 1.7 only receives bug fixes, and will probably not be supported long term. With Traefik 2.X only the enterprise version supports clustering with letsencrypt, so that is not an option either.

I have been researching an alternative to Traefik and found Fabio to be able to meet almost all our needs. One thing, however, that we need for most of our services is HTTP auth. In Traefik we set this via labels / tags: traefik.docker.frontend.auth.basic.users
In Fabio this is not possible, so I am writing to get inspiration. What kind of load balancer do you use for Nomad? I need one that supports SSL, dynamic frontend / backend creation based on Consul service discovery, and also the possibility to set unique authentication for every task.

How do you intend to implement Let’s Encrypt with Fabio, since this seems to be the issue with using Traefik? Couldn’t you just implement the same solution with Traefik, since it’s already familiar to you (not using the Traefik LE integration, just ‘regular’ TLS)?

Example: Your Traefik instances get the TLS certificates from Consul k/v, using the Nomad template stanza to create the file, but managing the actual certificates is done by a separate group/job (certbot, etc.), which will write any changes to Consul k/v (or even better: Vault).

traefik instances (tls) --> consul k/v <-- certbot/etc

Depending on how many certificates you get from Let’s Encrypt, you could also just “cluster” the Traefik instances (i.e. use “count” > 1 for the task), and have them manage certificates individually (hence you might risk hitting the LE limits).

NOTE: Traefik also works “out-of-the-box” with consul-connect jobs, which at least for me is a big plus.

Fabio is great though; and so is Traefik :wink:

EDIT:
I’m not 100% sure how it would work if you just used the LE integration with all traefik instances in the cluster & each had a sidecar to write changes to the cert-files to shared k/v. You would probably risk issues w/multiple writes to same k/v, and that’s why I suggested running as a separate (single) service for managing certificates. Hopefully someone will come along with a simpler solution!

1 Like
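
The layout described in the reply above (Traefik instances reading a certificate from Consul K/V through Nomad's template stanza, with a separate job writing it), written as a Nomad job. This is an added example, not code from the thread; the job name, datacenter, image tag and the K/V paths `certs/wildcard/fullchain` and `certs/wildcard/privkey` are assumptions.

```hcl
# Added example, not from the thread. Names and K/V paths are assumptions.
job "traefik" {
  datacenters = ["dc1"]
  type        = "service"

  group "lb" {
    count = 2 # several instances, all serving the same certificate

    # Host networking binds :443 directly, so keep one instance per node.
    constraint {
      operator = "distinct_hosts"
      value    = "true"
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:1.7"
        network_mode = "host"
        args = [
          # Plain TLS entry point: no ACME integration inside Traefik.
          "--entryPoints=Name:https Address::443 TLS:/secrets/wildcard.crt,/secrets/wildcard.key",
          "--defaultentrypoints=https",
          "--consulcatalog",
          "--consulcatalog.endpoint=127.0.0.1:8500",
        ]
      }

      # Certificate chain, written to Consul K/V by the separate certbot/acme.sh job.
      template {
        data        = "{{ key \"certs/wildcard/fullchain\" }}"
        destination = "secrets/wildcard.crt"
        change_mode = "restart" # pick up a renewed certificate
      }

      # Private key: rendered into the task's secrets/ directory, which is
      # not readable through Nomad's filesystem API, with owner-only perms.
      template {
        data        = "{{ key \"certs/wildcard/privkey\" }}"
        destination = "secrets/wildcard.key"
        perms       = "0600"
        change_mode = "restart"
      }
    }
  }
}
```

Because the private key sits in Consul K/V in this layout, the `certs/` prefix should be covered by a Consul ACL policy that grants write only to the certificate job and read only to the load balancer nodes.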

You are completely right. Fabio does not support letsencrypt, and using acme.sh or similar to fetch certificates was what I had in mind if we went with Fabio. We just discussed the issue here and came to the same conclusion as you: Fabio and Traefik with plain TLS would be basically the same approach.

Actually you might be right about clustering, and since we use wildcard certs that many backends can use, we will most probably not hit the rate limit.

Thank you for your input. Very valuable.

And I do agree. Traefik is really great!

1 Like