2 domain redirect to 2 different local machine

After many tries, I finally did a single domain to SSL docker traefik itself. However, I would like to replace my NGINX proxy, so I've been searching and searching for an answer without any luck.

So my goal is to have domain1.com point to traefik server1 and domain2.com point to traefik and redirect to server2:xxxx

I believe I need to do something inside the docker-compose.yml and config.yml however it's so confusing at the moment. Maybe someone can help me out?

my traefik.yml

api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443

certificatesResolvers:
  staging:
    acme:
      email: x@gmail.com
      storage: /ssl-certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web
  production:
    acme:
      email: x@gmail.com
      storage: /ssl-certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web

# -- (Optional) Disable TLS Cert verification check
# serversTransport:
#   insecureSkipVerify: true

# -- (Optional) Overwrite Default Certificates
# tls:
#   stores:
#     default:
#       defaultCertificate:
#         certFile: /etc/traefik/certs/cert.pem
#         keyFile: /etc/traefik/certs/cert-key.pem
# -- (Optional) Disable TLS version 1.0 and 1.1
#   options:
#     default:
#       minVersion: VersionTLS12

providers:
  docker:
    # -- (Optional) Enable this, if you want to expose all containers automatically
    exposedByDefault: false
  file:
    directory: /etc/traefik
    watch: true

my docker-compose.yml

version: '3'
services:
  traefik:
    image: traefik:v2.10.4
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/etc/traefik
      - ./data/certs:/ssl-certs
      - ./data/config.yml:/config.yml:ro
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web,websecure"
      - "traefik.http.routers.traefik.rule=Host(`domain1.com`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=production"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    networks:
      - proxy

networks:
  proxy:
    external: true
    name: proxy

P.S. domain2.com might be docker running on different computer or non docker apps

Create a router and service for your "external" domain in a dynamic config file (e.g. traefik-dynamic.yml), use loadbalancer.servers.url (doc) for the "internal" target URL. Load the file in static config with providers.file.

Hi @bluepuma77, thank you for the reply. Is it too much for me to ask if you maybe can put an example of a simple traefik-dynamic.yml and config.yml, so it's easier for me to understand? Reading the traefik page is a lot to follow and very confusing.

In my case, I can't just use docker detail because I have multiple dockers running on multiple servers. Furthermore, for apps that are not docker it is even more confusing. Again, thanks for the help.

traefik-dynamic.yml:

## Dynamic configuration

http:

  routers:
    my-router:
      rule: "Host(`www2.example.com`)"
      service: my-service

  services:
    my-service:
      loadBalancer:
        servers:
          - url: "http://private-ip-server-1/"

Needs to be loaded with providers.file (file only or whole directory) in static configuration. This loadbalancer.servers.url can not be set directly via Docker labels.

Full example in doc.

Hi again,

Anyway, I got traefik working now with 2 certificates being created 1 for local.example.com and 1 SANS for *.local.example.com which is great and I believe I can run anything on the subdomain.local.example.com.

Now a new problem arises when I want to add sub.example2.com in which I add the config on my config.yml which is detected and forwarded correctly, however, the SSL is not being saved/created. So unsure of how to solve this.

My traefik.yml

api:
  dashboard: true
  insecure: true
  debug: true

entryPoints:
  http:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: :443

certificatesResolvers:
  cloudflare:
    acme:
      email: my@email.com
      storage: /ssl-certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 5
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

providers:
  docker:
    # -- (Optional) Enable this, if you want to expose all containers automatically
    exposedByDefault: false
  file:
    directory: /etc/traefik
    watch: true

My docker-compose.yml

version: '3'
services:
  traefik:
    image: traefik:v2.10.4
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=${CFEMAIL}
      - CF_API_KEY=${CFAPIKEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/etc/traefik
      - ./data/ssl:/ssl-certs
      #- ./data/config.yml:/config.yml:ro
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http,https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.local.example.com`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.tls.domains[0].main=local.example.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.local.example.com"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    networks:
      - proxy

networks:
  proxy:
    external: true
    name: proxy

My config.yml

http:
  routers:
    homeassistant:
      entryPoints:
        - "https"
      rule: "Host(`main.example2.com`)"
      tls: {}
      service: homeassistant

  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://192.168.8.15:10000"
        passHostHeader: true

P.S. How do you obtain the real certification when using traefik?

You could place all the TLS settings on entrypoint, to not repeat yourself. Then you only need Host() on the router. See simple Traefik example.

tls: {} just enables TLS for custom certs, which are created by Traefik or loaded with TLS (doc) from a dynamic configuration file. If you want to use LE, then you need to assign the certresolver (on entrypoint or router).
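The two options from the reply above, written out as an added example (not part of the original posts): the config.yml router with `tls: {}` replaced by an explicit resolver, and the entrypoint-level alternative. Router, service, resolver and entrypoint names are taken from the thread; that the Cloudflare credentials can also edit the example2.com zone is an assumption.

```yaml
# --- Option A: config.yml (dynamic configuration, loaded by providers.file) ---
http:
  routers:
    homeassistant:
      entryPoints:
        - "https"
      rule: "Host(`main.example2.com`)"
      # Before: `tls: {}` enables TLS but requests no ACME certificate, so
      # Traefik answers with its generated default certificate.
      # tls: {}
      # After: name the resolver defined under certificatesResolvers in
      # traefik.yml. The certificate domain is derived from the Host() rule.
      tls:
        certResolver: cloudflare
      service: homeassistant

  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://192.168.8.15:10000"
        passHostHeader: true

# Assumption: the DNS challenge creates a TXT record in the example2.com zone,
# so the credentials passed as CF_API_EMAIL / CF_API_KEY must be able to edit
# that zone as well as example.com.
---
# --- Option B: traefik.yml (static configuration) ---
# Put the TLS defaults on the entrypoint so routers only need a Host() rule.
entryPoints:
  https:
    address: :443
    http:
      tls:
        certResolver: cloudflare
        domains:
          - main: local.example.com
            sans:
              - "*.local.example.com"
# With Option B, remove the `tls:` key from the router in config.yml: a router
# that defines its own tls section does not inherit the entrypoint defaults.
```

Changes to config.yml are picked up by the file provider's `watch: true`; a change to traefik.yml requires restarting the Traefik container.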

Hi @bluepuma77, again thank you for all the help. I managed to have it all up and running. Quick question: is there any example of best practice implementation for security setup including TLS?