Hi!
I used TechnoTim's guide as a base, and it's working. Mostly.
Here's the docker-compose:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      #- CF_API_EMAIL=example
      - CF_DNS_API_TOKEN= thought you'd get this, eh?
      # If you choose to use an API Key instead of a Token, specify your email as well
      # - CF_API_EMAIL=user@example.com
      # - CF_API_KEY=YOUR_API_KEY
    command:
      - "--providers.docker"
      - "--log.level=DEBUG"
      - "--log.filePath=/logs/traefik.log"
      - "--api"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/keiro/traefik/data/traefik.yml:/traefik.yml:ro
      - /home/keiro/traefik/data/acme.json:/acme.json
      - /home/keiro/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=blap:blap"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=server.example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true
Interestingly, I'm seeing some differences between his config and mine and I'm not entirely sure why... but there you go. That's the current config for docker-compose.
Now, for the config.yml:
http:
  #region routers
  routers:
    proxmox:
      entryPoints:
        - "https"
      rule: "Host(`box.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: proxmox
    pihole:
      entryPoints:
        - "https"
      rule: "Host(`pihole.example.com`)"
      middlewares:
        - redirectregex-pihole
        - default-headers
        - addprefix-pihole
        - https-redirectscheme
      tls: {}
      service: pihole
    homeassistant:
      # For Homeassistant config, check: https://www.home-assistant.io/integrations/http/#reverse-proxies
      # This relies on Homeassistant using http. No certs are needed in the Homeassistant config.
      entryPoints:
        - "https"
      rule: "Host(`homeassistant.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: homeassistant
    # idrac:
    #   entryPoints:
    #     - "https"
    #   rule: "Host(`idrac.example.com:5900/tcp`)"
    #   middlewares:
    #     - idrac
    #     - https-redirectscheme
    #   tls: {}
    #   service: idrac
    # idrac-console:
    #   entryPoints:
    #     - "idrac" # REQUIRED for iDRAC virtual console: Create a new TCP entry point in traefik on port 5900
    #   rule: "Host(`idrac.example.com:5900/tcp`)"
    #   middlewares:
    #     - idrac
    #     - https-redirectscheme
    #   tls: {}
    #   service: idrac-console
    opnsense:
      entryPoints:
        - "https"
      rule: "Host(`router.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: opnsense
    #nextcloud:
    #  rule: "Host(`nc.example.com`)"
    #  entryPoints:
    #    - "https"
    #  service: nextcloud
    #  middlewares:
    #    - https-redirectscheme
    #  tls: {}
  #endregion
  #region services
  services:
    proxmox:
      loadBalancer:
        servers:
          - url: "https://192.168.0.2:8006"
        passHostHeader: true
    pihole:
      loadBalancer:
        servers:
          - url: "http://192.168.0.3:80"
        passHostHeader: true
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://192.168.0.17:8123"
        passHostHeader: true
    truenas:
      loadBalancer:
        servers:
          - url: "https://192.168.0.104"
        passHostHeader: true
    # idrac:
    #   loadBalancer:
    #     servers:
    #       - url: "https://192.168.0.121"
    #     passHostHeader: true
    # idrac-console:
    #   loadBalancer:
    #     servers:
    #       - url: "https://192.168.0.121:5900"
    #     passHostHeader: true
    opnsense:
      loadBalancer:
        servers:
          - url: "https://192.168.0.1"
        passHostHeader: true
    #nextcloud:
    #  loadBalancer:
    #    servers:
    #      - url: "https://192.168.0.70:11000"
    #    passHostHeader: true
  #endregion
  middlewares:
    addprefix-pihole:
      addPrefix:
        prefix: "/admin"
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    redirectregex-pihole:
      redirectRegex:
        regex: "/admin/(.*)"
        replacement: /
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    idrac:
      headers:
        frameDeny: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    default-whitelist:
      ipAllowList:
        sourceRange:
          - "10.0.0.0/8"
          - "192.168.0.0/16"
          - "172.16.0.0/12"
    secured:
      chain:
        middlewares:
          - default-whitelist
          - default-headers
Some of this is commented out because I'm having trouble understanding why they're not working. For example, traefik-dashboard.example.com is working... except for the SSL insecure issue, but homeassistant.example.com is working and shows "Is functioning normally." along with a valid SSL certificate, but is not showing my homeassistant dashboard. This is confusing.
I've also noticed that for some reason acme.json gets created as a folder and not as a file, forcing me to recreate it as a file and setting the correct permissions. Then once that's done, I get this in the traefik error:
traefik | 2025-03-21T05:10:42Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [*.example.com *.server.example.com]: error: one or more domains had a problem:\n[*.example.com] [*.example.com] acme: error presenting token: cloudflare: failed to find zone box.ca.: zone could not be found\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["*.example.com","*.server.example.com"] providerName=cloudflare.acme routerName=traefik-secure@docker rule=Host(`traefik-dashboard.example.com`)
It seems to be picking up the wildcard SSL certificates correctly for at least one service, if the dashboard screenshot is anything to go by, as I see green shields beside most of the services listed here, but the dashboard itself is not using the valid SSL certificate from Let's Encrypt.
Also... WHERE is box.ca coming from? I cannot find it anywhere and it's driving me up the wall.
As far as I can tell, everything seems to be working okay... except some hostnames also occasionally do not use the valid SSL certificates, and the error logs are not helpful because the one I provided above is all I get.
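A pre-flight check for the acme.json-becomes-a-folder symptom described above, added here as an example and not part of the original post: Docker creates a directory at a bind-mount source path that does not exist yet, so the host file has to exist as a regular 0600 file before `docker compose up`. The path is an assumed argument; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Checks and repairs the ACME
# storage file that the compose file bind-mounts as /acme.json.

# check_acme_store PATH
# Returns 0 if PATH is a regular file with mode 600, 1 otherwise.
check_acme_store() {
    path=$1
    if [ -d "$path" ]; then
        # This is what Docker leaves behind when the file did not exist at first start.
        echo "ERROR: $path is a directory, not a file" >&2
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "ERROR: $path is missing" >&2
        return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    if [ "$mode" != "600" ]; then
        echo "ERROR: $path has mode $mode, traefik requires 600" >&2
        return 1
    fi
    return 0
}

# ensure_acme_store PATH
# Replaces an empty directory left by Docker with an empty 0600 file, or
# creates the file if it is missing, then re-runs the check.
ensure_acme_store() {
    path=$1
    if [ -d "$path" ]; then
        # rmdir refuses to remove a non-empty directory, so nothing is lost silently.
        rmdir "$path" || return 1
    fi
    if [ ! -f "$path" ]; then
        : > "$path" || return 1
    fi
    chmod 600 "$path" || return 1
    check_acme_store "$path"
}
```

Run `ensure_acme_store /home/keiro/traefik/data/acme.json` on the host before starting the stack; the check fails loudly instead of letting Traefik start with an unusable store.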