@zaggash as was mentioned before the answer is:
Here is an example. In order to demonstrate a service with a self-signed cert, we need an image that exposes one. I could not think of a better example than the traefik dashboard itself, but any other image with a self-signed cert would do. In the example below we have two traefik instances, one is the main instance and the other is just an example of a service with a self-signed cert.
docker-compose.yaml:

```yaml
version: "3"
services:
  # This is the second traefik instance, that we use as an example
  # of a site that serves a self-signed certificate.
  # In theory any site that serves a self-signed certificate would do.
  dashboard:
    image: traefik:v2.0.1
    # This is so we can validate externally (in browser or with curl
    # & openssl) that the site is up and that the cert is self-signed.
    # This is not required for the example to run.
    ports:
      - "8443:443"
    command:
      # listen on 443
      - --entryPoints.websecure.address=:443
      # serve dashboard
      - --api
      # load dynamic config from a file
      - --providers.file.filename=/dashboard.toml
      # note, the docker provider is not enabled for this one, since the purpose
      # of this container is not to be traefik but just a random web site with
      # a self-signed cert
    volumes:
      - "./dashboard.toml:/dashboard.toml"
    # These labels are read by the _main_ traefik instance, not this one
    labels:
      # expose this via the main traefik instance
      - "traefik.enable=true"
      # all requests should match
      - "traefik.http.routers.dashboard.rule=PathPrefix(`/`)"
      # web is the only entry point the main traefik instance defines
      - "traefik.http.routers.dashboard.entrypoints=web"
      # We need to let traefik know the port and url scheme;
      # we are doing that via the service
      - "traefik.http.routers.dashboard.service=dashboard"
      # This is the port traefik will forward requests to
      - "traefik.http.services.dashboard.loadbalancer.server.port=443"
      # And this is so it knows that the requests will be TLS
      - "traefik.http.services.dashboard.loadbalancer.server.scheme=https"

  # And this is the main traefik instance
  traefik:
    image: traefik:v2.0.1
    ports:
      # Let's keep it simple, no TLS
      - "80:80"
    command:
      - --entryPoints.web.address=:80
      # this is so that traefik does not try to expose itself
      - --providers.docker.exposedByDefault=false
      - --log.level=DEBUG
      # if you omit this you will get the "Internal Server Error" due to
      # the self-signed certificate
      - --serverstransport.insecureskipverify=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
```
and dashboard.toml:

```toml
[http.routers.dashboard]
  entryPoints = ["websecure"]
  service = "api@internal"
  rule = "PathPrefix(`/`)"
  [http.routers.dashboard.tls]
```
Without `--serverstransport.insecureskipverify=true` you will get Internal Server Error on the page and

```
level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for 192.168.48.3 because it doesn't contain any IP SANs"
```

in the debug log.

With `--serverstransport.insecureskipverify=true` it works.

At https://host:8443 you can see the internal website with the self-signed cert, and at http://host it's exposed via traefik.
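Added example, not from this thread or from Traefik itself: the log line above is Go's crypto/x509 hostname check, so this Go program reproduces it offline. It builds a constructed self-signed cert (modelled on Traefik's SAN-less default cert), verifies it against a root pool containing that cert (what trusting it via `--serversTransport.rootCAs` instead of `insecureSkipVerify` amounts to) for the backend IP 192.168.48.3 from the log line, and shows the failure disappears only when the cert carries that IP as a SAN. The function names `selfSigned`, `verifyAs` and `check` are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) { if err != nil { panic(err) } }

// selfSigned builds a constructed self-signed server certificate. ipSANs lists
// the IP SANs to include; nil mimics a SAN-less default cert like Traefik's.
func selfSigned(ipSANs []net.IP) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "TRAEFIK DEFAULT CERT"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ipSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// verifyAs runs the check a Go TLS client (Traefik's backend transport included)
// performs when dialing ip with cert trusted as a root; nil means it is accepted.
func verifyAs(cert *x509.Certificate, ip string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip})
	return err
}

func main() {
	ip := "192.168.48.3" // backend container IP from the debug log above
	fmt.Println(verifyAs(selfSigned(nil), ip))                        // prints the "doesn't contain any IP SANs" error
	fmt.Println(verifyAs(selfSigned([]net.IP{net.ParseIP(ip)}), ip)) // prints <nil>
}
```

Trusting the cert is not enough on its own: because Traefik dials the container by IP, the cert must also name that IP in its SANs, which the default cert does not, hence the error even with a trusted root.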