Since I've got a domain which DNS is managed by cloudflare, I wanted to use the wildcard certificates for all my services behind traefik. That includes my local services like Portainer, Uptime Kuma and als the Traefik dashboard. I've got the following files
# docker-compose.yml
version: "3"
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
- 53:53/udp
- 53:53/tcp
- 8080:8080
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik-data/traefik.yml:/traefik.yml:ro
- ./traefik-data/acme.json:/acme.json
- ./traefik-data/configurations:/configurations
environment:
- CF_DNS_API_TOKEN=<MY_CLOUDFLARE_API_KEY>
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
- "traefik.http.routers.traefik-secure.entrypoints=websecure"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.routers.traefik-secure.middlewares=user-auth@file,safe-ipwhitelist@file"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com"
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./portainer-data:/data
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
- "traefik.http.routers.portainer-secure.entrypoints=websecure"
- "traefik.http.routers.portainer-secure.rule=Host(`portainer.mydomain.com`)"
- "traefik.http.routers.portainer-secure.service=portainer"
- "traefik.http.routers.portainer-secure.middlewares=safe-ipwhitelist@file"
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
networks:
proxy:
external: true
# traefik.yml
api:
dashboard: true
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: :443
http:
middlewares:
- secureHeaders@file
tls:
certResolver: cloudflare
dns:
address: :53
dns-udp:
address: :53/udp
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /configurations/dynamic.yml
certificatesResolvers:
cloudflare:
acme:
email: <MY_EMAIL>
storage: acme.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
# dynamic.yml
http:
middlewares:
secureHeaders:
headers:
sslRedirect: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 31536000
browserXssFilter: true
contentTypeNosniff: true
frameDeny: true
customFrameOptionsValue: "SAMEORIGIN"
user-auth:
basicAuth:
users: <MY_BASIC_AUTH>
safe-ipwhitelist:
ipWhiteList:
sourceRange: <MY_IP_WHITELIST>
tls:
options:
default:
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
minVersion: VersionTLS12
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
Everything works as expected. My services, which are exposed to the internet, get a valid certificate and my local services get certificates too. The only exception being the traefik dashboard. And if I check the TLS rules for the routes in traefik, the one for Portainer has cloudflare listed as the certificate resolver:
While this block is missing for the Traefik dashboard :
Anyone got an idea on how to fix this/what the problem is?
Thanks!
