How to properly secure Traefik with an SSL certificate behind a domain name?

Hi there,

I have been asked to get Traefik to be accessible under a domain, for example, traefik.domain.com. Plus it also needs to be secured with an SSL certificate, so ideally, we want to be able to access it by going to https://traefik.domain.com:8080 for the dashboard. I haven't been able to find a lot of helpful articles, but this is what I have so far in the docker-compose.yml file. Is there anything else I need to configure/change/remove? I added a volume that will contain the .key and .crt files for the domain it needs to use.

version: "3.3"

networks:
  traefik-proxy:
    external: true

services:
  traefik:
    image: "traefik:v2.8.3"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--log.filePath=/configuration/traefik.log"
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--providers.file.directory=/configuration/"
      - "--providers.file.watch=true"
      - "--routers.rule.host='traefik.domain.com'"
      - "--routers.tls=true"
    networks:
      - traefik-proxy
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/edata/certs/traefik.domain.com_2022/:/configuration/"

Basic Traefik with LetsEncrypt and dashboard on port 443 example: link. Instead of port 8080 just use a different domain name.

To use your own certificates, just check the docs and add them to your dynamic config (via labels or provider.file), then enable TLS on the entrypoint or on the container with the label traefik.http.routers.mydashboard.tls=true.

Hi there,

Thank you, I think I'm getting closer! By adding the following below, I am now able to see the dashboard under the domain, but I can't under https, only through http.

labels:
  - "traefik.http.routers.mydashboard.rule=Host(`traefik.domain.com`)"
  - "traefik.http.routers.mydashboard.entrypoints=websecure"
  - "traefik.http.routers.mydashboard.tls=true"

Do I need to set up this path so that it points to the .crt file for the domain? If so, is this the right format or is this only going to work for Let's Encrypt?
--certificatesResolvers.myresolver.acme.storage=/traefik-certificates/acme.json

Thanks!
-Christian

Hi Christian,
maybe this sample repository could help you with this use case:

It's a sample configuration with encrypted dashboard with basic auth password protection.

Best,
Wolfgang

Hi there,

Thanks wollomatic for the suggestion. It sounds like the dashboard will not be used in production, so for right now, we are OK having it come up just under http. When I browse the https site, such as https://traefik.domain.com, I get an error that says "404 not found". Does that mean https isn't working or that there just isn't anything there to show? Should Traefik show something under https and http? I'm not clear on that.

Thanks,
-Christian

Do you still have dashboard set to insecure?

I do yes, I have these still in the docker-compose.yml file.

  - "--api.dashboard=true"
  - "--api.insecure=true"

I think the insecure does some special setup, try removing it. Make sure you have a valid dynamic Traefik config in /configuration/, which includes TLS.

Go into the traefik container and check that the file in /configuration/ exists and is readable. You have debug already enabled, check the logs for "error".

Here is my working docker-compose.yml example (link), you can compare it with yours.
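
Pulling the replies together, as an added example that is not from any poster in this thread or from the linked configurations: a compose file plus a dynamic file-provider config that serve the dashboard over HTTPS on port 443 with the domain's own certificate, without `--api.insecure` and behind basic auth. The certificate, key and htpasswd file names are assumptions, as is keeping the htpasswd file in the same mounted directory.

```yaml
# docker-compose.yml (added example; cert/key and htpasswd file names are assumed)
version: "3.3"

networks:
  traefik-proxy:
    external: true

services:
  traefik:
    image: "traefik:v2.8.3"
    container_name: "traefik"
    command:
      - "--api.dashboard=true"
      # --api.insecure=true is left out: it serves the dashboard over plain HTTP on :8080
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/configuration/"
      - "--providers.file.watch=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # redirect plain-HTTP requests on :80 to HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
    networks:
      - traefik-proxy
    ports:
      - "80:80"
      - "443:443"   # 8080 is no longer published
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/edata/certs/traefik.domain.com_2022/:/configuration/:ro"
    labels:
      # required because exposedbydefault=false
      - "traefik.enable=true"
      - "traefik.http.routers.mydashboard.rule=Host(`traefik.domain.com`)"
      - "traefik.http.routers.mydashboard.entrypoints=websecure"
      - "traefik.http.routers.mydashboard.tls=true"
      # api@internal is the built-in service behind the dashboard and API
      - "traefik.http.routers.mydashboard.service=api@internal"
      - "traefik.http.routers.mydashboard.middlewares=dashboard-auth"
      - "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/configuration/dashboard.htpasswd"
---
# /configuration/certs.yml (dynamic config read by the file provider; file names assumed)
tls:
  certificates:
    - certFile: /configuration/traefik.domain.com.crt
      keyFile: /configuration/traefik.domain.com.key
```

No `certificatesResolvers` or `acme.json` setting is needed here; those apply only when Traefik obtains certificates itself through ACME.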