SSL terminated on host by server company. What do I need to do?

Hey guys,

I am new to working with Traefik and proxies in general. So it's likely that I use incorrect terminology and/or am more confused than I think I am. Corrections are gratefully accepted.

My question is conceptual. I have a host server, where an SSL certificate is terminated (my host provider is issuing this certificate and terminating it on my server so I don't have to worry about that).

After installing Traefik (Docker Compose) I noticed that I see the valid certificate from my host provider on every page that I expose with Traefik (i.e. Flask API, Vue App, Keycloak, ...).

By "seeing" I mean that my browser shows the valid certificate.

So my question:

Is Traefik really that awesome?

Does this mean that my entire internal Traefik communication is now encrypted with TLS (by some fancy internal Traefik TLS forwarding protocol) and I don't have to worry about installing a certificate by myself?

Or is it that I am missing something...

Thank you in advance guys.

As you are writing, your host is terminating (decrypting) the TLS/SSL connection and then probably forwarding the HTTP requests in plain-text to your Traefik. Responses from Traefik are going the return path and are encrypted.


Thank you for your reply. This pretty much is what I needed to hear. One more comment if I may: in my current production setup I use the docker label "traefik.http.routers.service.tls=true". Without it my page returns 404. Could this mean that internal SSL/TLS is running?

Yes, if it's correctly configured it would probably create a custom internal Traefik TLS/SSL certificate, used for a dedicated entrypoint. Check Traefik debug log if a cert is created.

Your host receives the TLS/SSL connection (https), decrypts the requests, then forwards those to your Traefik. If your host is smart it will automatically determine if it needs to use http or https for the internal forwarding. Traefik can use its custom certificate for https, as long as your host does not "verify" the certificate.

(You can only verify a certificate if it's created by a certification authority, so you purchased it or used a free service like LetsEncrypt or others to generate one. Or you create your own internal certificate and import it on both sides, sender and receiver.)

Traefik itself has an insecureSkipVerify option to forward requests via https to another service that only supports https with a custom internal certificate, so cannot be verified.
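The two choices described in the last reply (skipping verification versus importing an internal certificate on both sides), as an added example that is not part of the original thread: a Traefik dynamic configuration for the file provider, with the unverified transport beside a verified one. It assumes Traefik v2.4 or later; the transport, service and router names, the hostnames, the entrypoint name and the CA path are all hypothetical.

```yaml
# Traefik dynamic configuration (file provider). Added example; every name,
# hostname and path below is an assumption, not a value from the thread.
http:
  serversTransports:
    # Weak: Traefik speaks HTTPS to the backend but accepts any certificate,
    # so the hop is encrypted while the backend is not authenticated.
    backend-unverified:
      insecureSkipVerify: true

    # Corrected: trust only the internal CA that signed the backend's
    # certificate, and check the server name in that certificate.
    backend-verified:
      serverName: backend.internal.example
      rootCAs:
        - /etc/traefik/certs/internal-ca.crt

  services:
    backend:
      loadBalancer:
        # Switch to backend-unverified to see the weak behaviour.
        serversTransport: backend-verified
        servers:
          - url: https://backend.internal.example:8443

  routers:
    backend:
      rule: Host(`app.example.com`)
      entryPoints:
        - websecure   # assumed name of the HTTPS entrypoint
      service: backend
      tls: {}         # file-provider form of the router label ...tls=true
```

With the verified transport, a backend presenting a certificate that is not signed by the listed CA is rejected by Traefik instead of silently accepted.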
