[HN Gopher] Take a look at traefik, even if you don't use contai...
___________________________________________________________________
Take a look at traefik, even if you don't use containers
Author : q2loyp
Score : 192 points
Date : 2024-05-05 11:31 UTC (11 hours ago)
(HTM) web link (j6b72.de)
(TXT) w3m dump (j6b72.de)
| iansinnott wrote:
| > Traefik is more comparable to HAProxy than to
| nginx/caddy/apache2
|
| Aren't caddy and traefik fairly comparable? I've only used them
| both lightly so I may be missing the core point of each, but I
| thought of them as very similar.
| thinkmassive wrote:
| Caddy is primarily a web server like nginx and apache httpd.
| Traefik and HAproxy are primarily reverse proxies.
| mholt wrote:
| Caddy is actually used as a reverse proxy more than a static
| file server. It's equally excellent and proficient as both!
| Caddy's functionality is comparable to nginx, apache httpd,
| and haproxy.
| indigodaddy wrote:
| And while we're at it, it can even forward proxy
| recentlyish I believe?
| mholt wrote:
| Yeah, Caddy v1 had a forwardproxy plugin that finally got
| updated for v2:
| https://github.com/caddyserver/forwardproxy/
| justusthane wrote:
| The rest of the sentence you quoted explains that nginx, Caddy,
| and Apache are all webservers (which can also reverse proxy).
| Traefik and HAproxy are only reverse proxies and not
| webservers.
| IggleSniggle wrote:
| HAProxy can be a web server though, albeit it is not designed
| to operate this way and thus requires some goofy
| configuration to make happen. I only know this because it was
| useful for me while working on a HAProxy extension.
| mkesper wrote:
| Caddy is at the same level as nginx/apache. It is able to do
| everything a web server is expected to (serving web sites,
| files and proxying services) plus handling LetsEncrypt
| automatically. It does not, afaik, do dynamic service discovery
| like traefik nor load balancing of TCP at the protocol layer,
| like e.g. haproxy. https://caddyserver.com/features
| baobun wrote:
| Just to add on, haproxy does service discovery too.
|
| https://www.haproxy.com/blog/consul-service-discovery-for-
| ha...
| mholt wrote:
| Caddy can absolutely do both of those things.
|
| - https://caddyserver.com/docs/modules/http.reverse_proxy.ups
| t...
|
| - https://github.com/mholt/caddy-l4
| lmeyerov wrote:
| We are long-time fans of Caddy, preferring it over traefik
| + nginx especially for our docker-compose flows, though
| it's fair to distinguish 'can' vs 'easy to do'
|
| E.g., we can imagine writing or using a plugin to figure
| out some upcoming fancy sticky session routing logic based
| on routes/content vs just the user IP, but there are easier
| and more 'with the grain' solutions than with what Caddy
| exposes today, afaict
|
| (Agreed tho: The reverse proxy module, for more typical
| cases, is awesome and we have been enjoying for years!)
| candiddevmike wrote:
| Traefik can't serve static files, or interact with CGI
| providers like PHP.
| psYchotic wrote:
| I'm considering moving reverse proxying to Traefik for my self-
| hosted stuff. Unlike the article's author, I'm running
| containerized workloads with Docker Compose, and currently using
| Caddy with the excellent caddy-docker-proxy plugin. What that
| gets me, currently:
|
| - Reverse proxying, with Docker labels for configuration. New
| workloads are picked up automatically (but I do need to attach
| workloads to Caddy's network bridge).
|
| - TLS certificates
|
| - Automatic DNS configuration (using yet another plugin, caddy-
| dynamicdns), so I don't have to worry too much about losing
| access to my stuff if my ISP decides to hand me a different IP
| address (which hasn't happened yet)
|
| There are a few things I'm currently not entirely happy about my
| setup:
|
| - Any new/restarting workload makes Caddy restart entirely,
| resulting in loss of access to my stuff (temporarily). Caddy
| doesn't hand off existing connections to a new instance,
| unfortunately.
|
| - Using wildcard certs isn't as simple as it could/should be. As
| I don't want every workload to be advertised to the world through
| certificate transparency logs, I use wildcard certs, and that
| means I currently can't use simple Caddy file syntax I otherwise
| would with a cert per hostname. This is something I know is being
| worked on in Caddy, but still.
|
| Anyway, I've used Traefik in k8s environments before, and it's
| been fairly pleasant, so I think I'll give it a go for my
| personal stuff too!
|
| PS: Don't let this comment discourage you trying Caddy, it's
| actually really good!
| mynegation wrote:
| I have not used Caddy, I use traefik and it discovers docker
| properties for configuration and TLS certificates with auto
| update. Not sure about dynamic DNS - I do not use it from
| Traefik. Adding and removing containers does not need a restart
| AFAIR.
| remram wrote:
| Those are giant limitations. This is the first I hear of any
| reverse proxy that has to restart and drop connections to
| update configuration. That is usually the first, most
| fundamental part of any such server's design.
| IggleSniggle wrote:
| Caddy doesn't have to restart, I think it's related to the
| specifics of their setup. The simple/easy path that gets a
| lot of people into caddy has a workflow that's more like, run
| caddy, job done. The next level is, give caddy super simple
| configuration file, reload caddy with "caddy reload --config
| /etc/caddy/Caddyfile". After that, you use the REST API to
| make changes to the server while it is running, which uses a
| JSON configuration definition instead of a Caddyfile, so it
| ends up being a jump for users.
| m_sahaf wrote:
| > After that, you use the REST API to make changes to the
| server while it is running, which uses a JSON configuration
| definition instead of a Caddyfile, so it ends up being a
| jump for users.
|
| You can, in fact, use any configuration format with the API
| as long as Caddy has its adapter compiled-in; you just have
| to use the correct value in the `Content-Type` header. For
| instance, you can use Caddyfile format using the
| `text/caddyfile` value in `Content-Type`. This is
| documented[0].
|
| [0] https://caddyserver.com/docs/api#post-load
| mholt wrote:
| That is absolutely not the case. Caddy config reloads are
| graceful and lightweight. I have no idea why this person is
| stopping their server instead of reloading the config.
| remram wrote:
| That makes more sense. Maybe something with the Docker
| plugin? That or GP messed up.
| Cyykratahk wrote:
| I've used caddy-docker-proxy in production and it doesn't cause
| Caddy to drop connections when loading a new config.
|
| I just tested it locally to check and it works fine.
| psYchotic wrote:
| Hmm, I'll have to take a better look at my setup then,
| because it's a daily occurrence for me. Either I'm "holding
| it wrong" (which is admittedly possible, perhaps even likely
| given the comments here), or I have a ticket to open soon-
| ish.
| eropple wrote:
| I use Caddy for single-purpose hosts and the like, but I 100%
| would throw Traefik at the problems you're describing--and I
| do, it's my k8s cluster ingress and it runs in my dev
| environments to enable using `localtest.me` with hostnames.
|
| It's worth kicking the tires on. Both are great at different
| things.
| sureglymop wrote:
| I use (rootless) docker compose + traefik. Precisely because
| for wildcard certs it was really painless. Although I use my
| own DNS server and use RFC2136 DDNS for the LE DNS challenge.
| No plugins needed, really. I have basically one ansible
| playbook to set all this up on a vm including templating out
| the compose files. Then another playbook that can remove
| everything from the server again (besides data/mounts). For
| backups I use restic with a custom script that can back up
| files, different dbs etc to multiple locations.
|
| In the past I deployed k3s but I realized that was too much and
| too complicated for my self hosted stuff. I just want to deploy
| things quickly and not have to handle the certs myself.
| MrOxiMoron wrote:
| I love traefik, we use it with nomad/consul and docker to setup
| our whole infrastructure. The plugin system is also simple yet
| powerful and the dynamic configs are great for our customers'
| custom domains, we can quickly see if a domain points to the
| right IP and put it in to get everything working. And if a domain
| no longer points to us we get a slack notification and it removes
| it from traefik so it no longer tries to get SSL certificates for
| it.
| kopadudl wrote:
| When my company looked at different proxies for k8s, we ended
| up on traefik because we had experience from docker swarm and it has
| a dashboard.
| silverquiet wrote:
| I use Traefik in production (with containers), and my favorite
| aspect of it is that the configuration is carried via the labels
| on containers which means I rarely if ever need to make any
| modifications to the Traefik config itself. I'd say the biggest
| con is trying to figure out how to pronounce the name - I think
| it's just regular traffic, but I can't help wanting to call it
| "trey-feek" or something like that.
| Projectiboga wrote:
| ae is closest to y, or hi. So Tryfik, is my guess, otherwise is
| Trayfik. If it's European fik, might be feek. *Just taking a
| guess here.
| tazjin wrote:
| I think it's "trafik", i.e. "traffic" with a German accent.
| psYchotic wrote:
| > ae is closest to y, or hi. So Tryfik, is my guess,
| otherwise is Trayfik. If it's European fik, might be feek.
| *Just taking a guess here.
|
| I wondered how to pronounce Traefik myself, so I started
| googling, and came across this: https://traefik.io/blog/how-
| to-pronounce-traefik-d06696a3f02...
|
| Tldr: just pronounce as you would "traffic".
| fidotron wrote:
| Heavy +1 on the labels thing. Reduces the scope of things to
| keep track of massively, even if writing them the first time is
| slightly harder because of the escaping and verbosity.
|
| I think a combination of traefik and docker compose are in the
| sweet spot for small scale self hosters that haven't reached
| the point where k8s will pay off. i.e. if you have less servers
| than a k8s HA control plane would use.
| silverquiet wrote:
| Small-scale self hoster would certainly describe my situation
| (though we do have some of the same infrastructure issues as
| larger companies). We actually use Swarm which I generally
| like, but if it was my call we might have looked more at a
| simplified Kubernetes platform like K3s just because of a
| safety in numbers aspect.
| sureglymop wrote:
| I would say the biggest con is that, if a container is not
| existing/running, traefik is not aware of it or its labels.
| Otherwise you could more easily do cool stuff like maintenance
| pages, bringing up containers on the first request after
| inactivity etc. So for me, I have been thinking about creating
| a plugin that is aware of where I store my compose files and
| can look at them instead.
| arcanemachiner wrote:
| I just pronounce it "traffic". I'm not playing their damn head
| games.
| djhworld wrote:
| I've been using traefik for a few years for all my self hosted
| things.
|
| I abandoned the dynamic/discovery/docker labelling functionality
| though it was just too finicky and annoying to debug.
|
| Instead I generate a static config file using a template engine,
| pretty much all my things are just a combination of
| host/target/port so very easy to generate the relevant sections -
| I don't really have any complicated middlewares other than
| handling TLS. It sounds like the author of the linked post has
| taken the same route.
|
| The config gets generated through an ansible script and then gets
| copied to the machine where traefik is running - traefik watches
| the directory where that file is and auto-reloads on changes.
|
| It's been working great!
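The static-config route djhworld describes (a template turning host/target/port triples into Traefik's file-provider config) as an added example; this is not code from the thread or from any poster's tooling. It builds the `http.routers` / `http.services` structure Traefik's file provider reads and renders it as YAML without external libraries. The upstream list, the entrypoint name `websecure`, the resolver name `letsencrypt` and the backend addresses are constructed assumptions. Because each hostname is interpolated into Traefik's rule DSL (`Host(\`...\`)`), it is validated first so a stray backtick or parenthesis cannot widen the router's match.

```python
"""Generate a Traefik file-provider (dynamic) config from host/target/port triples.

Added example; the upstream list, entrypoint and resolver names are constructed.
"""
import re
from typing import Any, NamedTuple


class Upstream(NamedTuple):
    name: str    # router/service name in Traefik
    host: str    # public hostname matched by the Host() rule
    target: str  # backend hostname or IP
    port: int    # backend port


# Constructed sample inventory (in practice this comes from inventory/vars).
SAMPLE_UPSTREAMS = [
    Upstream("grafana", "grafana.example.com", "10.0.0.5", 3000),
    Upstream("wiki", "wiki.example.com", "wiki.internal", 8080),
]

# Strict DNS-name syntax: the host is interpolated into Traefik's rule DSL,
# so anything outside this set (backticks, parentheses, spaces) is rejected.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$")
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")
TARGET_RE = re.compile(r"^[a-z0-9.-]+$")


def build_dynamic_config(upstreams, entrypoint="websecure",
                         cert_resolver="letsencrypt") -> dict[str, Any]:
    """Return the dict shape Traefik's file provider expects (http.routers/services)."""
    routers: dict[str, Any] = {}
    services: dict[str, Any] = {}
    seen_hosts: set[str] = set()
    for u in upstreams:
        if not NAME_RE.match(u.name):
            raise ValueError(f"bad service name {u.name!r}")
        if not HOST_RE.match(u.host):
            raise ValueError(f"refusing hostname {u.host!r}: not a plain DNS name")
        if not TARGET_RE.match(u.target) or not 1 <= u.port <= 65535:
            raise ValueError(f"bad target {u.target!r}:{u.port}")
        if u.host in seen_hosts:
            raise ValueError(f"duplicate hostname {u.host!r}: routes would be ambiguous")
        seen_hosts.add(u.host)
        routers[u.name] = {
            "rule": f"Host(`{u.host}`)",
            "entryPoints": [entrypoint],
            "service": u.name,
            "tls": {"certResolver": cert_resolver},
        }
        services[u.name] = {
            "loadBalancer": {"servers": [{"url": f"http://{u.target}:{u.port}"}]}
        }
    return {"http": {"routers": routers, "services": services}}


def _scalar(v: Any) -> str:
    """Quote strings; leave numbers and booleans bare."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, (int, float)):
        return str(v)
    return '"' + str(v).replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_yaml(node: Any, indent: int = 0) -> str:
    """Minimal YAML emitter for the nested dict/list shape built above (no PyYAML)."""
    pad = "  " * indent
    out: list[str] = []
    if isinstance(node, dict):
        for k, v in node.items():
            if isinstance(v, (dict, list)):
                out.append(f"{pad}{k}:")
                out.append(render_yaml(v, indent + 1))
            else:
                out.append(f"{pad}{k}: {_scalar(v)}")
    else:  # list: items are scalars or flat dicts
        for item in node:
            if isinstance(item, dict):
                for i, (k, v) in enumerate(item.items()):
                    out.append(f"{pad}{'- ' if i == 0 else '  '}{k}: {_scalar(v)}")
            else:
                out.append(f"{pad}- {_scalar(item)}")
    return "\n".join(out)


if __name__ == "__main__":
    # Write the output into the directory Traefik watches (providers.file.directory).
    print(render_yaml(build_dynamic_config(SAMPLE_UPSTREAMS)))
```

Dropping the rendered file into the watched directory is enough for Traefik's file provider to pick it up, which is the hot-reload behaviour the poster relies on; the duplicate-host check matters because two routers with the same `Host()` rule and the same priority make the routing outcome unpredictable.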
| beestripes wrote:
| Why traefik over nginx for my modest needs, a couple docker hosts
| and a few dozen containers. I use
| https://github.com/NginxProxyManager/nginx-proxy-manager, would
| traefik provide a benefit on such a small scale?
| simonw wrote:
| If what you've got already works then no, I don't think you
| would see any benefit from switching.
|
| The moment you need a feature which Traefik provides that isn't
| in Nginx is when I would consider the switch.
| treyd wrote:
| But what features does Traefik have that nginx doesn't?
| johnchristopher wrote:
| I like traefik hot reload (among other things). Want to hide a
| service (the proxied app), a new route (a router in traefik
| terminology), a middleware (basic auth, https redirection,
| headers manipulation) ? Just drop the file and it gets
| automatically picked up, no need to reload traefik or that
| vhost.
|
| Truth is: I don't like nginx syntax and traefik is/was shiny
| :]. I went in for the LE renewal and containers, I stayed for
| the configuration style.
| drdaeman wrote:
| It's not that nice in practice. Traefik until 3.0 (which was
| released just a few days ago) wasn't able to reload TLS
| certificates under some circumstances:
| https://github.com/traefik/traefik/pull/9993
|
| Built-in ACME support doesn't work for me, so I still have
| some `systemctl restart traefik` hacks here and there.
| aaomidi wrote:
| Traefik does certificate management for you
| aedocw wrote:
| I think https://github.com/caddyserver is the best option here.
| Automatic handling of SSL certs, it's incredibly lightweight,
| and has super clear config syntax.
| hoistbypetard wrote:
| That's exactly the situation I like Caddy in also.
| treyd wrote:
| Yeah I agree with this. Nginx config is easy and you can just
| set it and forget it. Most of the time you're copypasting from
| other configs you already have anyways. Automatic LE is kinda a
| strange selling point when Certbot is available everywhere and
| supports more scenarios. Traefik's and Caddy's selling points
| just don't make any sense to me because they don't make
| anything easier than the alternatives that are already widely
| supported.
| navels wrote:
| I also use NginxProxyManager (8 hosts) and I'm not seeing any
| replies to your post that would explain why caddyserver or
| traefik provide any benefit over NPM.
| blinded wrote:
| metrics with non enterprise nginx are very limited.
| wg0 wrote:
| Side question - what people use to hide (and make accessible) the
| internal services such as grafana, prometheus, rabbit mq (the web
| interface) and such?
|
| Should they be public behind such a proxy? (seems odd) Or should
| they be totally internal and then setup a Wireguard VPN to reach
| them?
| pyr0hu wrote:
| We use tailscale for this exact use case and it has been working
| flawlessly so far. You can even set up ACL lists as a firewall.
| John23832 wrote:
| From the internet? Drop them at the ingress level (if using
| kubernetes). You could also do some ip filtering. Then use an
| internal proxy (or internal ip of some kind) to reach them.
|
| For proof of concepts, I use cloudflare tunnels which allows
| you to add ACLs to particular routes.
| section_me wrote:
| Auth forwarding[1] is normally the route. This allows you to
| basically zero auth your services. You can also use wireguard
| or tailscale[2]
|
| [1]
| https://doc.traefik.io/traefik/middlewares/http/forwardauth/
| [2] https://doc.traefik.io/traefik/master/https/tailscale/
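The ForwardAuth pattern section_me points at, worked through as an added example (not code from the thread or from Traefik). Traefik forwards the original request headers plus `X-Forwarded-Method`, `X-Forwarded-Proto`, `X-Forwarded-Host`, `X-Forwarded-Uri` and `X-Forwarded-For` to the `forwardAuth.address` URL; a 2xx reply lets the request through, and response headers named in the middleware's `authResponseHeaders` are copied onto the upstream request, while any other status is returned to the client as-is. The session table, the port 4181, the `/admin` role rule and the header names `X-Auth-User`/`X-Auth-Role` are constructed for this example.

```python
"""Minimal ForwardAuth backend for Traefik (added example, not the project's code).

Policy lives in decide(); the HTTP wrapper just maps it onto the status code Traefik
inspects. Sessions, port and the /admin rule are constructed for illustration.
"""
import posixpath
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sessions; a real deployment validates a signed, expiring token instead.
SESSIONS: dict[str, tuple[str, str]] = {
    "tok-alice": ("alice", "admin"),
    "tok-bob": ("bob", "user"),
}
ADMIN_PREFIX = "/admin"


def decide(headers: dict[str, str]) -> tuple[int, dict[str, str]]:
    """Apply policy to the headers Traefik forwards. Returns (status, headers)."""
    h = {k.lower(): v for k, v in headers.items()}
    # Credentials only over TLS: refuse to authenticate a plaintext entrypoint.
    if h.get("x-forwarded-proto") != "https":
        return 403, {}
    cookie = SimpleCookie()
    cookie.load(h.get("cookie", ""))
    token = cookie["session"].value if "session" in cookie else ""
    identity = SESSIONS.get(token)
    if identity is None:
        # Non-2xx: Traefik hands this response back to the client unchanged.
        return 401, {"Cache-Control": "no-store"}
    user, role = identity
    # Normalise before the prefix check so "/admin/../grafana" and
    # "/admin/../../admin" are judged on their resolved path, not their spelling.
    path = posixpath.normpath(urlsplit(h.get("x-forwarded-uri", "/")).path or "/")
    if (path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")) and role != "admin":
        return 403, {}
    # These reach the backend only if listed in the middleware's authResponseHeaders.
    return 200, {"X-Auth-User": user, "X-Auth-Role": role}


class ForwardAuthHandler(BaseHTTPRequestHandler):
    """Answers every method the same way; Traefik only looks at the status code."""

    def _handle(self) -> None:
        status, resp_headers = decide(dict(self.headers.items()))
        self.send_response(status)
        for k, v in resp_headers.items():
            self.send_header(k, v)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = _handle

    def log_message(self, fmt, *args):
        # Log the forwarded client address and URI alongside the decision.
        print(f"{self.headers.get('X-Forwarded-For')} "
              f"{self.headers.get('X-Forwarded-Uri')} {fmt % args}")


if __name__ == "__main__":
    # Point forwardAuth.address at http://<this host>:4181 (assumed port).
    HTTPServer(("127.0.0.1", 4181), ForwardAuthHandler).serve_forever()
```

Two design points: the proto check means the middleware must sit on the TLS entrypoint (or behind a redirect) and never on a plain-HTTP one, and the path is normalised before the role check because the auth server sees the URI as forwarded, so a traversal-shaped request must be judged on where it actually resolves.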
| waldrews wrote:
| Serve them on a firewalled port, then: 1) VPN if you need to
| expose them to multiple trusted users, 2) firewall rules to
| make them accessible to your IP range, or (probably easiest),
| 3) access them by ssh tunnel.
| Hrun0 wrote:
| > what people use to hide (and make accessible) the internal
| services such as grafana, prometheus, rabbit mq (the web
| interface) and such?
|
| Proxies or VPNs like you mentioned. You usually don't expose
| things if you don't have to.
| mrj wrote:
| Cloudflare tunnels are super convenient and provide lots of
| auth mechanisms. If you set up a tunnel using cloudflared and
| proxy the IP through cloudflare, there's nothing even exposed
| directly to the internet. You can even have different auth
| requirements for urls (like /admin) or punch holes for stuff
| like webhooks.
|
| I have set up quite a few as kubernetes pods that direct to
| private hostnames in different namespaces and pretty happy with
| it for internal apps.
| nullify88 wrote:
| For the purposes of some of my self hosted stuff, I wanted to
| see how far I could go without VPN and instead use mutual tls
| authentication with my stuff exposed to the internet. Client
| certs are issued by cert manager in my k8s cluster and traefik
| does my TLS Auth.
| blinded wrote:
| zero trust, host firewalls, mtls, ssh tunnels, bastion hosts.
| btbuilder wrote:
| When looking for a reverse proxy that is performant on Windows
| and Linux around 5 or 6 years ago the options were very limited.
| Traefik is what we ended up using.
|
| I haven't checked recently but at the time nginx on Windows used
| select() and envoy was either beta or needed a recent version of
| the Windows kernel that not all customers were running.
|
| We still use it today.
| riedel wrote:
| Funnily I spent my weekend making a traefik config file to gitlab
| pages on a self hosted instance without pages enabled but using
| the artifact API. No code involved. Had to configure quite some
| rewriting logic and use three different plug-ins, which are
| mostly unmaintained. In the end probably something like nginx,
| Apache or caddy or a bit of code probably would have worked
| better, because of all the layering of different middleware. But
| it worked somehow. I guess it shines through still for easy SSL
| termination of docker and great observability. That is why at
| least I have been using it for the past years.
| cagenut wrote:
| In a mirror/reverse of the OP's premise - I always wondered why so
| many of these open source http reverse proxies sprung up in the
| container era, like what did they offer that varnish or a vmod to
| varnish wasn't already doing or capable of? somehow varnish
| almost completely missed the container era, despite seemingly
| being the exact type of tool a bunch of teams would go on to
| create.
| Starlevel004 wrote:
| Devops guys are mostly incapable of using any service that
| isn't a) written in Go and b) configured using a YAML-based
| DSL.
| TNorthover wrote:
| Traefik's YAML does a particularly bad job at keeping syntax
| (such as it is) separate from user-defined labels, I feel.
|
| Very difficult to just look at a file and see which bits are
| labels for the sake of it, and which bits are direct
| instructions to builtin features.
| lmeyerov wrote:
| For Caddy, LetsEncrypt: Free TLS in one line without talking to
| anyone
|
| For Traefik, afaict, something about k8s
| methou wrote:
| The only problem I'm having with it is that it doesn't support
| unix domain socket[0], in a "cloud native" environment you rarely
| need it but if you are using single node this can be sweet.
|
| -- [0]: https://github.com/traefik/traefik/issues/4881
| meonkeys wrote:
| Could you say more about how a non-network socket would be
| beneficial? I'm guessing simpler code and lower resource usage,
| but I'm curious what you're interested in. And by "single
| node", do you mean one server / one user (even if the user is,
| say, a single API consumer or whatever), or something else?
| siva7 wrote:
| It's nice if you're running a bare metal server on hetzner or DO
| but in the age of cloud platforms like aws or azure there is
| hardly a need for traefik.
| znpy wrote:
| > you mount the docker socket into the traefik container and gain
| the ability to auto-detect other containers that you might want
| to expose using traefik.
|
| Totally not a security issue. Source: trust me bro.
| xorax wrote:
| https://github.com/traefik/traefik/issues/4174
| meonkeys wrote:
| Related:
|
| https://doc.traefik.io/traefik/providers/docker/#docker-
| api-...
|
| https://www.reddit.com/r/Traefik/comments/g46lhh/does_bindin.
| ..
|
| https://github.com/wollomatic/traefik-hardened
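The risk the thread is pointing at, as an added check rather than code from the thread or from the traefik-hardened repository: the Docker API reachable through `/var/run/docker.sock` can start arbitrary containers with host mounts, so whatever holds the socket is effectively root on the host. The audit below walks a parsed docker-compose file and flags services that bind-mount the socket (noting that `:ro` on a socket does not restrict what the API allows), plus a Traefik Docker provider run without `exposedByDefault=false`. The compose data is a constructed Python dict (in practice it would come from `yaml.safe_load`); `providers.docker.endpoint` and `providers.docker.exposedByDefault` are real Traefik options, the service names and the `<socket-proxy-image>` placeholder are assumptions. The check only inspects `command` flags, not a traefik.yml or environment variables, which is a stated limitation.

```python
"""Flag Docker-socket exposure in a parsed docker-compose file.

Added example, not from the thread or from traefik-hardened. The compose data is a
constructed Python dict (in practice: yaml.safe_load(open("docker-compose.yml"))).
"""
from typing import Any

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed: the common pattern the thread is about, socket mounted straight in.
SAMPLE_COMPOSE: dict[str, Any] = {
    "services": {
        "traefik": {
            "image": "traefik:v3.0",
            "command": ["--providers.docker=true", "--entrypoints.websecure.address=:443"],
            "volumes": [f"{DOCKER_SOCK}:{DOCKER_SOCK}:ro"],
        },
        "app": {"image": "nginx", "labels": {"traefik.enable": "true"}},
    }
}

# Constructed: only a single-purpose filtering proxy holds the socket; Traefik talks
# to it over TCP and containers must opt in with traefik.enable=true.
HARDENED_COMPOSE: dict[str, Any] = {
    "services": {
        "socket-proxy": {
            "image": "<socket-proxy-image>",  # placeholder, not a real image name
            "volumes": [f"{DOCKER_SOCK}:{DOCKER_SOCK}:ro"],
        },
        "traefik": {
            "image": "traefik:v3.0",
            "command": [
                "--providers.docker=true",
                "--providers.docker.endpoint=tcp://socket-proxy:2375",
                "--providers.docker.exposedByDefault=false",
            ],
        },
    }
}


def _socket_mounts(volumes: Any) -> list[bool]:
    """One entry per docker.sock bind mount; the value is the read-only flag."""
    found: list[bool] = []
    for v in volumes or []:
        if isinstance(v, str):  # short syntax "src:dst[:opts]"
            parts = v.split(":")
            if len(parts) >= 2 and parts[0] == DOCKER_SOCK:
                found.append(len(parts) > 2 and "ro" in parts[2].split(","))
        elif isinstance(v, dict):  # long syntax {type, source, target, read_only}
            if v.get("type", "bind") == "bind" and v.get("source") == DOCKER_SOCK:
                found.append(bool(v.get("read_only")))
    return found


def _flags(service: dict[str, Any]) -> list[str]:
    """Traefik CLI flags from `command` (list or string form), lower-cased
    because Traefik treats flag names case-insensitively."""
    cmd = service.get("command") or []
    return [f.lower() for f in (cmd.split() if isinstance(cmd, str) else cmd)]


def audit_compose(compose: dict[str, Any],
                  allowed_holders: frozenset[str] = frozenset()) -> list[dict[str, str]]:
    """Return findings; `allowed_holders` names the one service meant to hold the socket."""
    findings: list[dict[str, str]] = []
    for name, svc in (compose.get("services") or {}).items():
        flags = _flags(svc)
        uses_docker_provider = any(f.startswith("--providers.docker") for f in flags)
        for read_only in _socket_mounts(svc.get("volumes")):
            if name in allowed_holders:
                continue  # the designated, single-purpose socket proxy
            issue = "docker socket bind-mounted: the API grants root-equivalent host access"
            if read_only:
                issue += " (':ro' restricts the filesystem node, not what the API allows)"
            findings.append({
                "service": name, "severity": "high", "issue": issue,
                "fix": "mount the socket only into a filtering socket proxy and set "
                       "--providers.docker.endpoint=tcp://<proxy>:2375",
            })
        # Static config may also live in traefik.yml or env vars; only `command` is checked.
        if uses_docker_provider and "--providers.docker.exposedbydefault=false" not in flags:
            findings.append({
                "service": name, "severity": "medium",
                "issue": "Docker provider exposes every container it can see by default",
                "fix": "add --providers.docker.exposedByDefault=false and opt containers in "
                       "with the traefik.enable=true label",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_COMPOSE):
        print(f"[{finding['severity']}] {finding['service']}: {finding['issue']}\n    fix: {finding['fix']}")
```

The hardened layout still has one service with the socket, which is unavoidable; the difference is that it is a small process whose job is to refuse everything Traefik does not need (container and event listing), so a compromise of the proxy's HTTP side does not turn into `docker run --privileged` on the host.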
| dizhn wrote:
| I use caddy wherever I can. That it can already handle automatic
| certificates is a big plus. Plus it's very easy to configure.
| jspdown wrote:
| If you like Caddy for its ACME capabilities, then you might
| enjoy Traefik as well. It supports HTTP, TLS ALPN and DNS
| challenges and can be configured in one line as well.
| chadsix wrote:
| You can also use Cloud Seeder [1] which might be easier since it
| gives each container a dedicated IP. </shamelessplug>
|
| [1] https://github.com/ipv6rslimited/cloudseeder
| jasoneckert wrote:
| Another thing worthy of note is that Traefik is configured by
| default in K3s. This has allowed K3s to be the quickest way to
| spin up a K8s cluster for testing, essentially allowing you to
| treat your cluster like cattle too. Simply add your deployment
| and associated service using NodePort, and you can access your
| app without worrying about the ingress controller.
|
| I use a shell script to spin up K3s clusters and test apps I
| specify as a positional parameter on demand (leveraging the
| ttl.sh ephemeral container registry). The same script tears down
| the cluster when finished.
| sph wrote:
| Traefik is pretty cool, but suffers from the same, terrible
| problem of Ansible: there is a lot of documentation, and a lot of
| words written, yet you can never find anything you need.
|
| I have used it since v1 and I routinely get lost in their docs,
| and get immensely frustrated. I have been using Caddy for smaller
| projects simply because its documentation is not as terrible
| (though not great by any stretch)
|
| Technical writers: documentation by example is good only for
| newbies skimming through. People familiar with your product need
| a reference and exhaustive lists, not explanation for different
| fields spread over 10 tutorial pages. Focus on those that use the
| product day in and day out, not solely on the "onboarding"
| procedure.
|
| This is my pet peeve and the reason why I hate using Ansible so
| damn much, and Traefik to a lesser extent.
| mholt wrote:
| Funny you say that because we don't have nearly any examples in
| the Caddy docs. We're working on improving them later this
| year.
| sph wrote:
| Examples are good in docs. But documentation that's only made
| of examples and tutorials... not so much.
|
| Thanks for Caddy btw. Neat little tool.
| linsomniac wrote:
| Do not agree WRT ansible, been using it for well over 5 years
| and usually a google search points me right at the correct part
| of the documentation to answer my question. Ansible, the tool
| itself, can be a bit obtuse, largely IMHO because of the YAML
| source language, so some concepts are hard to translate into
| the tool, but the documentation has never bothered me.
|
| As far as "a lot of words written, can't find what you need",
| Fortinet is my poster child there (based on trying to use it a
| decade ago). Everything I looked up there had 10,20,30 pages of
| introductory material with the Fortinet stuff spread throughout
| it.
| sph wrote:
| Alright, please link me to an exhaustive list of Jinja
| filters supported by Ansible out of the box. I'll wait.
|
| What you are given is https://docs.ansible.com/ansible/latest
| /playbook_guide/playb... and you need basically to read/scan
| each example until you find what you need [1]. Do you call
| that _good_, especially when these are basically the only
| way of doing anything a little complex? That's a sure way of
| killing my flow and productivity in its tracks. I have been
| through this page in anger a dozen times, and I still have no
| idea what Ansible filters can or cannot do.
|
| Also, using Google to find stuff is "cheating". The goal of
| documentation is to be able to use it as reference; if you
| need an external tool to find anything in it, that defeats
| its purpose a bit. When people wrote documentation books,
| they had to make sure it's usable, legible and efficient.
| These days apparently that's become lost art.
|
| 1: these examples are not even exhaustive, because they don't
| list all the builtin Jinja filters; chances are that what you
| need isn't listed on that page, but you should instead refer
| to https://tedboy.github.io/jinja2/templ14.html
| throwaway984393 wrote:
| I like that it forces users to read the docs to find the
| functionality. Users don't read the docs, and then they
| wander around the internet looking for a random blog post
| with a snippet for one problem, and they don't ever really
| learn how to use the program.
|
| Users are a bit like high school students just skimming
| books for an answer to fill in on a test. They need to be
| forced to learn.
| freedomben wrote:
| This doesn't make a lot of sense in the context of the
| parents. Did you post this to the wrong parent? To
| accomplish what you are asking, a project needs actual
| good documentation. Everyone has agreed that is good. The
| only real disagreement here is whether Ansible docs have
| this, and regardless whether they do, they definitely
| have the example-driven docs that I think you are saying
| you don't think should exist, so you definitely aren't
| supporting the Ansible status quo.
| freedomben wrote:
| I'm not GP, but I agree with both them and you so thought
| I'd chime in.
|
| You're absolutely right that there are big omissions/holes
| in the Ansible docs, but I also think that using Google is
| not "cheating." My ideal of great documentation sounds like
| exactly what you would agree with: A complete and
| comprehensive "book" (could become a physical printed book,
| but needn't have to as it should be equally usable with
| good old-fashioned hyperlinks). It should have a logical
| flow, introductory sections to describe pre-requisite
| knowledge/concepts and things that are broadly applicable
| to the project as a whole. It should have a table of
| contents, and it should _definitely_ have an index and
| comprehensive lists /tables of API details such as
| available field/properties, which options are valid (for
| enum fields), etc. Your example of Jinja filters supported
| by Ansible is a great one. I really miss the 90's era here
| where such manuals were common practice, even for things
| like PCs.
|
| With that ideal described, though, I think it's important
| to recognize pragmatism and feasibility. Documentation
| takes time and money to produce. Search tools (including
| Google) already exist and can provide a valuable addition
| without spending time/effort on it, so I think they should
| be used. That said, I agree that it's not a good idea for
| doc writers to rely on that for things to be found! Table
| of contents, logical flow, and indexes should absolutely be
| thought through. If the documentation is just a bunch of
| random unorganized and uncatalogued pages that can only be
| found with a search engine, that is really bad and they
| should feel bad.
|
| I think Ansible falls right in the middle there. It
| undoubtedly has some real glaring omissions/holes in it,
| but it is also not nearly the worst I've seen as well. I do
| dread having to go the Ansible docs though, which is an
| indictment against their quality, and the more I
| think/write about this the more I agree with you lol.
| linsomniac wrote:
| As you say, Ansible's filter list does not include the base
| Jinja2 filters, which I guess is a difference of opinion. I
| feel that is preferred to reproducing the Jinja2
| documentation, especially as the Jinja2 filter list is the
| first (non-TOC) link on the page.
|
| Also going to disagree about "using Google is cheating".
| The purpose of documentation is to help me get stuff done.
| The Internet is not printed on dead trees, I don't want to
| read through a TOC or index looking for what I want when
| I'm searching, I want to use a search engine. I often don't
| want a reference, I want to quickly find how to do
| something. I rarely want to read about all the filters,
| instead I want to find the even/odd filter, or the
| default or omit filter. Yes, sometimes I want to brush up
| on all available filters, but that's rare.
| throwfaraway398 wrote:
| It's funny because one thing I like about ansible is how easy
| it is to get the reference doc for any module with `ansible-doc
| -t module`.
|
| I do sometimes struggle to find the right doc when I'm
| searching for something about ansible core itself, but that
| doesn't happen too often.
| plantain wrote:
| My latest gripe in this category - opentelemetry. Thousands of
| pages. Very little about actually achieving basic common
| workflows.
| tnolet wrote:
| Oh boy that hits home. Been deep in the OTEL world the last
| months and the official docs are very, very undercooked.
| silisili wrote:
| Same experience. Otel is one of the wordiest docs I've ever
| come across that says very little.
|
| Further, I found a lot of little bugs that are hard to
| Google, or when Googling finding open issues that are either
| known and working on, or no response at all.
|
| I ended up just throwing it in the garbage and using direct
| connectors. I like what Otel is trying to achieve, but it
| feels extremely opaque and half baked at the moment.
| deepersprout wrote:
| I usually feed all the documentation to an llm and ask the
| question to the llm that fetches the info with rag. For
| example:
|
| > how do i configure Traefik to proxy traffic to two backend
| services?
|
| Configuring Traefik to proxy traffic to multiple backend
| services is a common use case. You can achieve this by defining
| multiple entry points and routers in Traefik's configuration,
| each pointing to a different backend service. Here's a basic
| example of how you can configure Traefik to proxy traffic to
| two backend services:
|
|     # traefik.yaml
|     # Enable API and Dashboard
|     api:
|       dashboard: true
|     # Define entry points
|     entryPoints:
|       web:
|         address: ":80"
|       app1:
|         address: ":8081"
|       app2:
|         address: ":8082"
|
| [...more stuff...]
| san-fran wrote:
| This might be an additional way to quickly iterate on the
| content of the documentation itself. If I were the one
| writing, an easy test is passing the documentation to a lay
| person and asking them if they have what they need to perform
| X by following the documentation.
|
| Perhaps having a focused LLM generate the steps could help
| catch some documentation deficiencies.
| freedomben wrote:
| > _If I were the one writing, an easy test is passing the
| documentation to a lay person and asking them if they have
| what they need to perform X by following the
| documentation._
|
| What kind of documentation is this though? Is this how to
| bake a cake or tie a necktie, or is it how to setup a
| reverse proxy for the services in your k8s cluster?
|
| If it's something a lay-person could do then I think this
| is a good strategy (though depending on the size/scope of
| the project/documentation it does seem like a pretty big
| effort to undertake without compensation), but if it's
| something highly technical like Traefik, I expect a lay-
| person to not even understand half the words/vocabulary in
| the documentation, let alone be able to perform X by
| reading it and following it.
| freedomben wrote:
| Can you describe more on your process? Which LLM are you
| using? Are you doing something specific to make it use RAG or
| is that automagic (might be obvious depending on which LLM
| you are using but)? How do you feed the documentation in? For
| example, when the documentation has more than one page, how
| do you get that content in to the LLM? Is it part of the
| prompt or something you've tuned it on? have to clone the
| docs site, turn it into plain text and feed that in to the
| prompt or can you pass a URL and have it crawl ahead of time
| or something?
|
| This is the system I've been dreaming about but haven't had
| time to dig into yet. I've got ollama and openwebui set up
| now though, and with OpenAI getting bigger context windows it
| seems like it might be possible to inject the whole set of
| docs into the prompt, but I'm not sure how to go about that
| johanbcn wrote:
| > Technical writers: documentation by example is good only for
| newbies skimming through. People familiar with your product
| need a reference and exhaustive lists, not explanation for
| different fields spread over 10 tutorial pages. Focus on those
| that use the product day in and day out, not solely on the
| "onboarding" procedure.
|
| I agree. We all would benefit by giving more exposure to
| documentation frameworks such as https://diataxis.fr
| adolph wrote:
| I'm glad to have clicked through for curiosity's sake.
| Diataxis is tremendously interesting.
|
| For folks who might recognize the author's name:
|
| _Daniele Procida: Director of Engineering at Canonical.
| Creator of Diataxis and BrachioGraph. Django core developer.
| Fellow of the Python Software Foundation._
| yoyojojofosho wrote:
| Discussed on HN:
| https://news.ycombinator.com/item?id=33721314
| lopkeny12ko wrote:
| This take is, at best, disingenuous, and at worst, dangerous.
| The Traefik maintainers and community contributors (including
| myself) have collectively invested _hundreds_ of man-hours
| writing and improving documentation, _specifically_ in response
| to feedback from users that things are hard, unintuitive, or
| complex.
|
| You are discounting massive amounts of unpaid labor done
| _specifically for people like you._ At this point, if you
| can't find what you're looking for, it's on you. Maybe do a
| little bit of your own homework instead of throwing your hands
| up after 2 minutes and crying to the maintainers.
| alex_lav wrote:
| Investing a lot of time and trying really hard is not the
| same as adding a lot of value. If your users don't find value
| in your documentation, saying "But we spent a lot of time on
| it!" doesn't really change anything.
|
| And, to be clear, I have no idea if the person you're
| responding to's criticism is valid. But I also know that your
| response does not negate their criticism at all.
| lopkeny12ko wrote:
| How about submitting a PR to improve the documentation
| instead of complaining about it?
| Thiez wrote:
| This is why OSS looks like a cult at times. People _are_
| allowed to criticize your project and complain about it.
| They have no obligation to become a contributor. "Submit
| a PR" is such a conversation killer.
| alex_lav wrote:
| Your adversarialism isn't a good look. Users are allowed
| to have opinions; this does not mean they have to maintain
| the work themselves.
| joshmanders wrote:
| Customer: I can't find anything I'm looking for in your
| store.
|
| Store: I spent a lot of time arranging things around in
| the store, if you can't find what you're looking for you
| can stop complaining and write signs for us.
|
| Customer: Or I can just use your competitor who actually
| cares about their customers. ¯\_(ツ)_/¯
| HellzStormer wrote:
| I didn't try Traefik's documentation, but the
| complaints appear to be somewhat structural. Meaning a PR
| would need to possibly restructure at least part of the
| documentation, or add a whole section of documentation of
| a different type.
|
| You can't expect someone not core to a project to just
| propose to restructure the whole documentation. Which may
| also mean changing the website.
|
| And in any case, such overhaul coming from a "nobody"
| would very likely be rejected as being both too large or
| incomplete or not desirable.
|
| Re-structuring needs to be pushed for by at least one
| person from the core team.
|
| So yeah "Just submit a PR" in that context is not an
| answer, it's an excuse to avoid trying to understand the
| problem and actually improve the situation.
| halJordan wrote:
| Disagree that this isn't a generic problem. And I'll take the
| same amount of umbrage at you calling it disingenuous. There
| are dual needs here. Having to read a story and take in a
| wholly unrelated workflow just to discover only half of the
| switches available to the feature I'm looking up is a problem.
|
| And when there isn't just straight documenting of what's been
| implemented then it is an unreasonable gate to usage which
| limits customers to only the flows imagined by the technical
| writer.
|
| Which itself breeds this sort of refusal to participate.
| Either the end user is ungrateful and needs to express that
| gratitude through silence or there's a smug moderator who's
| read everything and knows which paragraph of which tutorial
| has the answer and harangues anyone asking with a link and a
| "why didn't you read sentence 5 of paragraph 2 of a tutorial
| written 2 years and 3 major versions ago?"
| arp242 wrote:
| I never used Traefik and have no opinion on it one way or the
| other as such. But if _this_ is the response to some
| criticism of the documentation - which you can agree or
| disagree with, then you've done more to turn me off from
| Traefik than anything anyone here can write.
| igor_varga wrote:
| I'm using Traefik and have the same experience with the
| documentation. It can be time consuming to configure it
| properly if you are not a power user.
|
| I'm happy with it though, it's a great piece of software. I
| wonder if there is any other product out there with a similar
| feature set?
| lamontcg wrote:
| > Technical writers: documentation by example is good only for
| newbies skimming through. People familiar with your product
| need a reference and exhaustive lists, not explanation for
| different fields spread over 10 tutorial pages. Focus on those
| that use the product day in and day out, not solely on the
| "onboarding" procedure.
|
| You really need at least three documentation targets:
|
| - onboarding the newbies workflows/tutorials
| - intermediate "focus on the important bits" workflows/tutorials
| - exhaustive references
|
| There might be other useful ones as well, but I never see those
| three hit at the same time adequately.
| hinkley wrote:
| Some projects need documentation, some need cookbooks. Sounds
| like traefik is the latter.
|
| Hopefully as an aside (I know very little about traefik so
| maybe I am talking about them too and don't know it), it seems
| like in the time since I abandoned Java they have weaponized
| that architectural strategy and I have no patience for it. I
| look at that sort of documentation and my eyes glaze over. Or
| if they don't I feel disgust or anger and all three result in
| my stomping off.
|
| Opentelemetry, particularly the stats code (vs the span code)
| triggered a lot of this in me. It has several sets of
| documentation that say different things. It took me a long time
| to figure out how to connect the amorphous dots, and then I
| didn't entirely agree with their solution anyway.
| jethro_tell wrote:
| One of the problems that the yaml interpreter class of
| languages, or whatever you'd call them, suffer from is the fact
| that yaml itself is a language and tends to be more or less
| undocumented in the interpreter docs.
|
| It's sort of assumed that you are going to do extremely simple
| tasks on very flat data structures. That doesn't tend to be the
| reality that most of us live in. And to really get the most out
| of these languages you have to understand an entire unspoken
| set of rules on how to use yaml. That's never really pointed
| out in the docs.
|
| Additionally, there are docs for the unique settings for each
| module but as far as using the standard settings, additionally,
| its rarely clear how to operate on the data that might be
| returned or combined with anything mildly complex, you are
| given a dozen 1 stanza examples for each item like a stack of
| ingredients and then told to bake a cake.
|
| I've had this experience with basically every one of the
| various yaml interpreter systems I've used.
|
| After a few 100k lines of yaml I can get things done but the
| docs are useless other than a listing of settings.
| ornornor wrote:
| To illustrate this point, here is how to have a multi line
| value in yaml: just kidding, it's so confusing that there is
| a whole _website_ to help you figure it out:
| https://yaml-multiline.info/
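To make the block-scalar forms concrete in the kind of file this thread is about, here is an added example (mine, not from the comment above and not from the Traefik docs) of a Traefik v2 `headers` middleware whose long Content-Security-Policy value is written as a folded scalar so that it reaches the client as a single line; the policy text and the middleware name are assumptions.

```yaml
# dynamic.yml fragment -- a Traefik v2 "headers" middleware (added example;
# the policy text and the middleware name are assumptions)
http:
  middlewares:
    secure-headers:
      headers:
        # ">-" = folded + strip: the indented lines are joined with single
        # spaces and the final newline is dropped, so Traefik receives one
        # line:
        #   default-src 'self'; script-src 'self' https://cdn.example.net; object-src 'none'; frame-ancestors 'none'
        contentSecurityPolicy: >-
          default-src 'self';
          script-src 'self' https://cdn.example.net;
          object-src 'none';
          frame-ancestors 'none'
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        frameDeny: true
        customResponseHeaders:
          # The other forms, for contrast (an HTTP header value must be a
          # single line, so only the folded variants are usable here):
          #   ">"   folded + clip:   same join, one trailing newline kept
          #   "|"   literal + clip:  line breaks kept, one trailing newline
          #   "|-"  literal + strip: line breaks kept, no trailing newline
          #   "|+" / ">+"  keep:     every trailing blank line is kept too
          X-Robots-Tag: "noindex"
```

The practical check is to fetch a response with `curl -sI` and confirm the policy arrives on one line; a literal (`|`) scalar here would embed a newline in the header value, which Go's HTTP server rejects rather than sends.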
| cromka wrote:
| Isn't it why toml is seemingly increasingly used to replace
| yaml in projects?
| bshacklett wrote:
| This was exactly my experience. It's incredibly frustrating to
| search documentation only to be stuck with examples that are
| related, but don't fit one's exact situation, and don't explain
| the underlying behavior.
| cdelsolar wrote:
| If only there were a program that had crawled bazillions of
| documents, including all of the traefik documentation,
| examples, and thousands of code files using it, and if only
| said program were especially designed to answer natural-
| language queries about said documents.
| arush15june wrote:
| I use caddy rather than traefik. It's much easier to manage the
| Caddyfile compared to the traefik YAML config IMO, and we just
| keep three separate Caddyfiles for local, production and on-prem
| deployments. There are a plethora of great plugins, we use the
| coraza WAF plugin for caddy and it works well.
| pricci wrote:
| I moved from Traefik to Caddy with caddy-docker-proxy for my
| self-hosting setup.
|
| All the features I need but *much* simpler.
|
| https://github.com/lucaslorentz/caddy-docker-proxy
| sureglymop wrote:
| Looks interesting but I don't see the benefits really. Still
| looks like a lot of labels exactly like with traefik. Why
| should one switch?
| BrandoElFollito wrote:
| Having used traefik, caddy and now caddy proxy, I like
| the latter because labels are simple pointers to actual
| caddy features (reasonably documented).
|
| I used to have all my docker compose files in elaborate
| structures but moved to portainer for simplicity. Together
| with caddy proxy it rocks (well, there are several things
| missing but I have hope)
| preya2k wrote:
| Same here. I enjoyed Traefik for being able to use docker
| tags for my reverse proxy configuration. The mechanism is
| great, however I did not like Traefik's internal config
| structure. Caddy is much easier for me to understand and
| matches my (small scale) use cases much better. Using Caddy
| via Docker labels through caddy-docker-proxy is about as
| perfect as it gets (for me).
| muhehe wrote:
| In the future our company will migrate to k8s. It looks like it
| will be openshift, specifically. Do we need this in openshift or
| is there some "native" mechanism baked in?
| verdverm wrote:
| You'll likely have an ingress controller provided with
| openshift, which tends to be more batteries included. There are
| quite a few options:
| https://kubernetes.io/docs/concepts/services-networking/ingr...
| lakomen wrote:
| Traefik is considerably slower and more resource hungry than
| nginx. There is nothing more to say.
| engine_y wrote:
| We've been using Traefik in prod for 2 years. While I used NGINX
| in the past, I decided to migrate to Traefik mainly because of
| the automatic let's encrypt integration. I am sorry for that
| decision. Traefik's documentation does not make sense to me or my
| team. It is finicky and misbehaves without proper logging. As an
| example - when I want to recreate the certificates - it fails
| sporadically leaving prod down for an indefinite amount of time.
|
| We're moving back to NGINX.
| spyspy wrote:
| I've always just used go's built in reverse proxy if I need an
| API gateway. You can adapt it to meet any specific need, easily
| find libraries to do common tasks (CORS, rate limiting,
| retries, etc), and the best part: no configuration language.
| You just write go.
| jimmyl02 wrote:
| curious what are the performance characteristics here? I
| would assume something like Nginx that has been optimized
| over a longer period of time / a more specific use case would
| have non-negligible performance benefits at scale?
| Sincere6066 wrote:
| I'll stick with caddy. It's worked for me for years.
| rglullis wrote:
| For authentication, I had good luck with authentik as forward
| proxy.
|
| The one thing that bothers me with traefik is that their
| implementation of ACME does not work if you have some sort of DNS
| load balancing. I had one setup with three servers responding to
| the same domain. It seems the first request (to start the ACME
| dance) would go to one server, and if the second one (with the
| .well-known address) is sent to a different one, it will just
| return a 404 and fail the whole thing. Now I either have * to
| delegate the certificate management to the service itself or add
| Caddy as a secondary proxy just to get certificate from it.
|
| * Of course, someone smarter than me will point me to a better
| solution and I will be forever grateful.
| jackweirdy wrote:
| If I am not misunderstanding (sorry if I am) it sounds like you
| use the http challenge where your cert provider tries to GET
| your challenge file -- if so, could the DNS challenge be better
| suited? There, you put the challenge in a TXT record value
| rglullis wrote:
| You got it, but your solution won't work because of one
| detail: I can not use the DNS challenge because I am running
| a managed service provider, and my customers are the ones who
| own the domain. All I can do is ask them "please add a CNAME
| to my gateway", and I need to figure out everything else on
| my side.
| jspdown wrote:
| It might not be suitable for your use case but, have you
| tried ACME DNS challenge delegation to a different one
| hosted by yourself?
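As an added example of that delegation (not the commenter's setup and not from the Traefik docs), this is the resolver side in Traefik's static configuration, with the two DNS records the customer publishes shown as comments. The provider, the zone names, the contact address and the storage path are assumptions.

```yaml
# traefik.yml fragment -- ACME over the DNS-01 challenge, so no node has to
# answer the /.well-known/acme-challenge/ request (added example; provider,
# zone names, contact address and storage path are assumptions)
certificatesResolvers:
  le:
    acme:
      email: ops@gateway.example
      storage: /etc/traefik/acme.json   # holds private keys: mode 0600, one
                                        # file per Traefik instance
      dnsChallenge:
        provider: cloudflare            # must be able to edit gateway.example;
                                        # credentials come from the provider's
                                        # environment variables, never from a label
        resolvers:                      # ask public resolvers, not the host's
          - "1.1.1.1:53"                # cache, when checking propagation
          - "8.8.8.8:53"

# DNS side, published once per customer domain (not Traefik configuration):
#
#   app.customer.example.                  CNAME  gateway.example.
#   _acme-challenge.app.customer.example.  CNAME  app-customer.acme.gateway.example.
#
# The ACME client inside Traefik (lego) follows the _acme-challenge CNAME and
# writes the TXT record under gateway.example, which the credentials above can
# edit, so the customer never shares DNS API access. A router then opts in with
#   tls:
#     certResolver: le
```

Two caveats for the three-server setup described above: each instance keeps its own `acme.json` (the file is not meant to be shared between instances) and therefore places its own orders, so the CA's per-domain rate limits apply per node; and the API token used by the provider should be scoped to the delegated zone only, because whoever holds it can issue certificates for every name delegated into it.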
| barbazoo wrote:
| I'd stay away from it. The magical way to set it up via docker
| compose tags is nice but doesn't allow for zero downtime
| deployment at least until recently.
|
| Getting true zero downtime deployments only worked with their
| file provider but that's a bit archaic these days.
| ofrzeta wrote:
| Is it any better than HAProxy? HAProxy has served me well for at
| least a decade and has also been modernized for the cloud age
| with the runtime API that allows dynamic configuration.
| ljhtlajdfqasd wrote:
| All of these proxies seemed to have achieved feature parity
| within the last couple years.
|
| Where they seem to differ is the licensing, enterprise model,
| source language, and data plane model (sidecar vs no sidecar).
| teekert wrote:
| I have used traefik a lot. But I mostly got frustrated with all
| the docker-compose labels and layers and so many lines just to
| have a rev proxy. Then I found Caddy. Never looked back.
|
| I guess I was never the audience for Traefik. I just need an
| https enabled rev proxy. Or a basic-auth layer. In Caddy both are
| just 1 line, very concise, no layers (which I still don't
| understand...)
| cab404 wrote:
| Somehow, I find myself using Caddy everywhere I would use Traefik
| in the past.
| vedmed wrote:
| I needed a reverse proxy the other week. OPNSense is my firewall.
| I tried traefik, but it was too complicated. So I installed
| caddy, and it was easy as pie. My .02
| firesteelrain wrote:
| We just started running Traefik in production since looking at
| self-managed K8s was just too hard and complicated for what we
| were trying to do. We have an Ansible Docker compose service
| (that's what we call it), that starts up the containers and auto
| registers the containers with Traefik. It works really well.
|
| We are airgapped so can't use Let's Encrypt. We inject the certs
| into our containers via Ansible or Docker Compose.
| brainzap wrote:
| It would be nice if proxies were opinionated about typical URL
| use cases and offered an easy way to redirect www to non-www or
| handle a path with a missing slash.
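As an added example (mine, not from the comment above or from Traefik's own docs), here is how both chores look as Traefik v2 `redirectRegex` middlewares in a dynamic configuration file, with the patterns anchored so the redirect cannot be pointed at another host; the domain, the backend address and the resolver name are assumptions.

```yaml
# dynamic.yml -- Traefik v2 middlewares for the two URL chores above
# (added example; domain, backend address and resolver name are assumptions)
http:
  middlewares:
    to-apex:
      redirectRegex:
        # anchored on the scheme and the literal host, so only this site is
        # rewritten; an unanchored pattern would let a crafted Host header
        # turn this into an open redirect
        regex: "^https?://www\\.example\\.com/(.*)"
        replacement: "https://example.com/${1}"
        permanent: true
    add-trailing-slash:
      redirectRegex:
        # a path with no extension and no trailing slash gets one:
        # "/docs" -> "/docs/"; "/docs/", "/docs/index.html" and anything
        # with a query string are left alone
        regex: "^(https?://[^/]+/[A-Za-z0-9_/-]*[A-Za-z0-9_-])$"
        replacement: "${1}/"
        permanent: false
  routers:
    site:
      rule: "Host(`example.com`) || Host(`www.example.com`)"
      entryPoints: [websecure]
      tls:
        certResolver: le            # assumes a resolver named "le" in the
                                    # static configuration
      middlewares: [to-apex, add-trailing-slash]   # applied in this order
      service: site
  services:
    site:
      loadBalancer:
        servers:
          - url: "http://app:8080"  # assumed backend
```

Order matters: `to-apex` runs first, so a request for `www.example.com/docs` is sent to `example.com/docs` and the slash is added on the second hop. Keep `permanent: false` on the slash rule while testing, since browsers cache a 301 and a wrong pattern is then hard to undo.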
___________________________________________________________________
(page generated 2024-05-05 23:01 UTC)