I've a docker-compose setup for Traefik v2. It's running fine on my server, got HTTP to HTTPS, HSTS & so on. I'd like to work on this locally, but the SSL is in the way.
My first thought was, how can I disable all the SSL stuff at once so it's working as usual, without the whole redirection stuff? Maybe a docker-compose.localhost.yml override?
I also saw an example of someone using mkcert to deal with this, providing a valid localhost certificate instead of disabling SSL. Interesting, but I don't feel like shipping my setup to production with this loophole that could be dangerous. Any opinion on the matter?
I went down the 2nd possibility: relying on mkcert to have localhost valid certificates.
So I have a tls.yml conf:
---
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/localhost.crt.pem
        keyFile: /etc/certs/localhost.key.pem
  options:
    mintls:
      minVersion: "VersionTLS12"
      sniStrict: false # set to true for production
      cipherSuites:
        ...
The only annoying point in the setup is that I'll have to enable / disable sniStrict depending on the situation. Still thinking about how to do this cleanly.
The certs are generated with:
#!/usr/bin/env bash
set -euo pipefail
if [ ! -f contrib/certs/localhost.key.pem ]; then
  ./mkcert \
    -cert-file contrib/certs/localhost.crt.pem \
    -key-file contrib/certs/localhost.key.pem \
    localhost \
    app.localhost \
    traefik.localhost \
    127.0.0.1 \
    ::1
  chmod 0600 contrib/certs/*.pem
fi
I know it doesn't match the question title, but this is the solution to my real interrogation: how to work with Traefik locally when you have TLS configured.
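One way to stop hand-editing sniStrict between environments is to render tls.yml from a script that takes the environment name as input, so the local flavour (sniStrict: false, needed because a client hitting 127.0.0.1 sends no SNI and must still get the mkcert default certificate) and the production flavour (sniStrict: true, so connections without a matching server name are rejected rather than served the default certificate) come from the same template. The script below is an added example written for this answer, not code from the post or from the Traefik project. It assumes the same container path /etc/certs and the same host directory contrib/certs as the answer's mkcert script, and it leaves out the cipherSuites list the answer truncates; the environment name is a hypothetical convention (local or production) chosen here, and the guard function only checks that the mkcert output files exist so Traefik does not fall back to its own self-signed certificate when they are missing.

```shell
#!/usr/bin/env sh
# Added example (not from the original answer): render Traefik's dynamic tls.yml
# for "local" or "production" so sniStrict is derived from the environment
# instead of being toggled by hand before each deploy.
set -eu

# render_tls_config <local|production> <output-file>
# Writes the answer's tls.yml with sniStrict set from the environment name:
#   local      -> sniStrict: false (no-SNI clients such as 127.0.0.1 still get
#                 the mkcert default certificate)
#   production -> sniStrict: true  (no default certificate for unknown names)
render_tls_config() {
  env_name="$1"
  out="$2"
  case "$env_name" in
    local)      sni_strict=false ;;
    production) sni_strict=true ;;
    *) echo "render_tls_config: unknown environment '$env_name'" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
---
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/localhost.crt.pem
        keyFile: /etc/certs/localhost.key.pem
  options:
    mintls:
      minVersion: "VersionTLS12"
      sniStrict: ${sni_strict}
EOF
}

# sni_strict_value <tls.yml>
# Prints the sniStrict value found in a rendered file ("true" or "false"),
# handy as a pre-deploy check that production never ships with false.
sni_strict_value() {
  sed -n 's/^ *sniStrict: *\([a-z]*\).*/\1/p' "$1"
}

# require_local_certs [cert-dir]
# Succeeds only when both mkcert output files exist (default: contrib/certs,
# the directory the answer's script writes into). Run this before starting
# the local stack so Traefik does not silently serve its own self-signed
# certificate because the mounted files were never generated.
require_local_certs() {
  cert_dir="${1:-contrib/certs}"
  [ -f "$cert_dir/localhost.crt.pem" ] && [ -f "$cert_dir/localhost.key.pem" ]
}

# Typical use (assumed convention): TRAEFIK_ENV=local sh render-tls.sh
#   render_tls_config "${TRAEFIK_ENV:-local}" contrib/traefik/tls.yml
```

Point the file provider at the rendered file from the compose override (local) and from the deploy pipeline (production); because the value is computed from one input, a production render can be rejected in CI if sni_strict_value does not print true.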