computer_science:docker:traefik_docker_https_ssl_for_containers

Using "Traefik" for Reverse Proxy and "Let's Encrypt" for Automatic HTTPS certificates

This is an alternative method to Using Nginx as a Reverse Proxy.

The purpose of using Traefik are:

  • Prevent having to restart the nginx Reverse-Proxy Container everytime we want to test a new / deploy a new service.
  • Ease of Escalability - We will be able to scale our infrastructure faster, since we don't have to manage HTTPS Certificates for every subdomain
  • Keep the services so that, they are individuals service, but working though a central distributor. This could also be done with a nginx Reverse-Proxy Container but since we will have an WebUI, it will be easier to troubleshoot instead of having to SSH into the Host.
  • Change the Path under “STORAGE_PATH” to match your environment.
#!/bin/bash
STORAGE_PATH="/home/docker-user/traefik"
mkdir -p "$STORAGE_PATH"/storage/traefik/data
touch "$STORAGE_PATH"/storage/traefik/data/acme.json
chmod 600 "$STORAGE_PATH"/storage/traefik/data/acme.json
touch "$STORAGE_PATH"/storage/traefik/data/traefik.yml
  • Change “email: email@example.com” to your Email address.
nano traefik.yml
api:
  dashboard: true
 
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
 
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
 
certificatesResolvers:
  http:
    acme:
      email: email@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
  • Change the “traefik.example.com” to your own “sub.domain.tld”
  • Create a USER:PASSWORD combo for “[…]users=USER:PASSWORD” with
echo $(htpasswd -nb <USER> <PASSWORD>) | sed -e s/\\$/\\$\\$/g
version: '3'
 
services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./storage/traefik/data/traefik.yml:/traefik.yml:ro
      - ./storage/traefik/data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
 
networks:
  proxy:
    external: true
"traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
 
networks:
  proxy:
    external: true

Start the traefik container - docker-compose up -d

Change your docker-compose.yml from other services to be available via Traefik.

As example, here is my docker-compose.yml for DokuWiki before and after Traefik.

Before

version: '3'

volumes:
    dokuwiki_data:
        external: true
    dokuwiki_conf:
        external: true
    dokuwiki_lib-plugins:
        external: true
    dokuwiki_lib-tpl:
        external: true
    dokuwiki_logs:
        external: true

services:
  dokuwiki:
    image: 'mprasil/dokuwiki'
    container_name: 'dokuwiki_zebra'
    ports:
      - '80:80'
    volumes:
        - dokuwiki_data:/dokuwiki/data
        - dokuwiki_conf:/dokuwiki/conf
        - dokuwiki_lib-plugins:/dokuwiki/lib/plugins
        - dokuwiki_lib-tpl:/dokuwiki/lib/tpl
        - dokuwiki_logs:/var/log

After

  • You can uncomment the “ports:” so, if you start just that container, it will be reachable over your domain.tld. Sometimes it is usefull for troubleshooting
  • Add the “labels”. You have/should replace […].dokuwiki.[…] with the name of the service, so it is easier to identify on the Traefik WebUI
  • Don't forget to change the “rule=Host” and “[…]-secure.rule=Host” to your “sub.domain.tld”
  • Don't forget to change the “.server.port” to the Port where the Service is listening
  • For complex services (for example Wordpress + MySQL), add an extra network, for eg. “wordpress_network” so the MySQL instant is only reachable via the Wordpress Service, and not over the Proxy configuration
version: '3'

volumes:
    dokuwiki_data:
        external: true
    dokuwiki_conf:
        external: true
    dokuwiki_lib-plugins:
        external: true
    dokuwiki_lib-tpl:
        external: true
    dokuwiki_logs:
        external: true

services:
  dokuwiki:
    image: 'mprasil/dokuwiki'
    container_name: 'dokuwiki'
    restart: unless-stopped
    networks:
        - proxy
    #ports:
    #  - '80:80'
    volumes:
        - dokuwiki_data:/dokuwiki/data
        - dokuwiki_conf:/dokuwiki/conf
        - dokuwiki_lib-plugins:/dokuwiki/lib/plugins
        - dokuwiki_lib-tpl:/dokuwiki/lib/tpl
        - dokuwiki_logs:/var/log
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dokuwiki.entrypoints=http"
      - "traefik.http.routers.dokuwiki.rule=Host(`wiki.carlossousa.tech`)"
      - "traefik.http.middlewares.dokuwiki-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.dokuwiki.middlewares=dokuwiki-https-redirect"
      - "traefik.http.routers.dokuwiki-secure.entrypoints=https"
      - "traefik.http.routers.dokuwiki-secure.rule=Host(`wiki.carlossousa.tech`)"
      - "traefik.http.routers.dokuwiki-secure.tls=true"
      - "traefik.http.routers.dokuwiki-secure.tls.certresolver=http"
      - "traefik.http.routers.dokuwiki-secure.service=dokuwiki"
      - "traefik.http.services.dokuwiki.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"

networks:
   proxy:
     external: true

After starting the service, it should now be available.

  • computer_science/docker/traefik_docker_https_ssl_for_containers.txt
  • Last modified: 2023/12/01 12:07
  • by 127.0.0.1