I’ve been setting up Traefik as my reverse proxy, and from the entrypoint docs it seems you can specify tls and certResolver there and omit them for the router. It turned out that’s not the case, or I am missing something here.
compose.yaml
```yaml
services:
  traefik:
    container_name: traefik
    image: docker.io/library/traefik:v3.5
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yaml:/etc/traefik/traefik.yml:ro
      - ./dynamic:/etc/traefik/dynamic:ro

networks:
  default:
    external: true
    name: proxy
```
traefik.yaml
```yaml
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
    http3: {}
  websecure:
    address: :443
    asDefault: true
    http:
      tls:
        certResolver: letsencrypt
    http3: {}

api:
  dashboard: true
  insecure: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      # caServer: https://acme-v02.api.letsencrypt.org/directory # production letsencrypt
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging letsencrypt
      httpChallenge:
        entryPoint: web
      storage: acme.json

providers:
  docker:
    exposedByDefault: false
    network: proxy
  file:
    directory: /etc/traefik/dynamic

log:
  level: DEBUG

accessLog: {}
```
whoami.yaml
```yaml
services:
  whoami:
    image: docker.io/traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.tls=true" # doesn't work without this
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt" # and this

networks:
  default:
    external: true
    name: proxy
```
UPD: Also, ChatGPT suggested that the problem might be that I have both websecure and web set to asDefault: true, but I changed it and the problem didn’t go away, even though I now don’t see a point in them both being default entrypoints. Is that right?