Using Traefik + Docker + HTTPS in a local network

I'm trying to use Traefik with Docker in a local network. Moreover, I need HTTPS, therefore the server is expected to provide some kind of certificate.

The VM hosting Traefik and my applications can reach the internet but it can't be reached from the internet. In this situation, none of the automated certificate management machineries are an option (e.g., ACME-based challenges). This is not a major issue in my case, since I just need to enforce HTTPS encryption. Even an untrusted cert can be fine.

Since Traefik can automatically serve a default self-signed certificate, here is how I'm trying to deal with my problem:

my docker-compose.yml
version: '3.8'

services:
  traefik:
    image: traefik:v2.5
    container_name: traefik
    security_opt:
      - no-new-privileges:true
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 80:80
      - 443:443
    command:
      ###########################################
      #   Static Configuration harnessing CLI   #
      ###########################################

      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --entrypoints.webinsecure.address=:80
      - --entrypoints.webinsecure.http.redirections.entrypoint.to=websecure
      - --entrypoints.webinsecure.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
    networks:
      - proxy

    labels:
      ########################################################
      #   Dynamic configuration with Docker Label for APPs   #
      ########################################################

      traefik.enable: "true"
      traefik.http.routers.traefik.rule: Host(`traefik.myhost.local`)
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.tls: "true"
      traefik.http.routers.traefik.entrypoints: websecure
      
  my-test-app:
    image: containous/whoami
    networks:
      - proxy
    labels:
      ########################################################
      #   Dynamic configuration with Docker Label for APPs   #
      ########################################################
      traefik.enable: "true"
      traefik.http.routers.whoami.rule: Host(`whoami.myhost.local`)
      traefik.http.routers.whoami.tls: "true"
      traefik.http.routers.whoami.entrypoints: websecure

networks:
  proxy:
    external: true

It seems to work; however, I'm wondering whether this is a good approach or there's some best practice out there to handle my scenario. Moreover, I need a couple of pieces of information about the default cert:

  • I see that the default cert expires after 1 year. Will Traefik take care of its renewal upon expiration?
  • A more general question: how can the default cert enable HTTPS for any host regardless of its domain name? I'm wondering that, since the default cert does not carry info about the domain name of each application. Maybe it's just another factor contributing to its untrustworthiness, beyond the self-signature. But encryption works.

Hi,
for local HTTPS stuff I'm using "mkcert" GitHub - FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you'd like. It works flawlessly, and you will not have trouble with annoying browsers and their cert warnings. Your scenario sounds a bit similar to this one here: Routing to multiple docker-compose setups | Holger Woltersdorf
For 1. The renewal of the SSL certs, I guess you need to make it manual or create one with more than 1 year validity.
For 2. I'm using a wildcard certificate. That means I can use anything I want/need before my domain "local.test". It has been configured as "*.local.test".
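The two points above can be reproduced on the command line without Traefik. The script below is an added example, not code from this thread or from the Traefik or mkcert projects. It builds (a) a self-signed certificate with a generic CN and no subjectAltName, which is the shape of the default certificate the original post relies on, and (b) a local CA plus a `*.myhost.local` wildcard leaf, which is what mkcert automates. It then uses openssl to check which certificate actually matches the hostnames from the compose file (`whoami.myhost.local`, `traefik.myhost.local`), which one chains to the CA, and whether the one-year certificate is still valid N days from now (the question about expiry), and it writes the Traefik v2 dynamic-configuration fragment that would make the wildcard cert the default one. `WORKDIR`, the function names and the `/certs` mount path are assumptions; openssl 1.1.1 or newer is required.

```shell
#!/bin/sh
# Added example (not from the original thread): compare a Traefik-style default
# self-signed certificate with a local CA + wildcard certificate, using openssl.
set -eu

command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for keys/certs

# (a) Self-signed, generic CN, no SAN: the shape of Traefik's built-in default cert.
#     The handshake still encrypts; it just names no host a client could validate.
make_default_like_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=TRAEFIK DEFAULT CERT" \
    -keyout "$WORKDIR/default.key" -out "$WORKDIR/default.crt" 2>/dev/null
}

# (b) Local CA and a wildcard leaf for *.myhost.local (what mkcert does for you).
#     The CA cert is what you import into the browser/OS trust store.
make_local_ca_wildcard() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Local Dev CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.myhost.local" \
    -keyout "$WORKDIR/wildcard.key" -out "$WORKDIR/wildcard.csr" 2>/dev/null
  # Browsers ignore the CN; the names must be in subjectAltName.
  printf 'subjectAltName=DNS:*.myhost.local,DNS:myhost.local\n' > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/wildcard.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 825 -extfile "$WORKDIR/san.ext" -out "$WORKDIR/wildcard.crt" 2>/dev/null
}

# Returns 0 if the certificate ($1) is valid for hostname ($2), as a browser would judge.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Returns 0 if the leaf ($2) chains to the CA ($1); a self-signed cert will fail here.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Traefik v2 dynamic configuration (file provider) that serves the wildcard cert
# and makes it the default for any SNI it does not otherwise match.
# Assumption: the certs are mounted into the container under /certs.
write_traefik_tls_config() {
  cat > "$1" <<'EOF'
tls:
  certificates:
    - certFile: /certs/wildcard.crt
      keyFile: /certs/wildcard.key
  stores:
    default:
      defaultCertificate:
        certFile: /certs/wildcard.crt
        keyFile: /certs/wildcard.key
EOF
}

make_default_like_cert
make_local_ca_wildcard
write_traefik_tls_config "$WORKDIR/dynamic.yml"

for h in whoami.myhost.local traefik.myhost.local; do
  for c in default wildcard; do
    if cert_matches_host "$WORKDIR/$c.crt" "$h"; then r="matches"; else r="does NOT match"; fi
    echo "$c.crt $r $h"
  done
done
echo "dynamic config written to $WORKDIR/dynamic.yml"
```

To use the wildcard cert with the compose file from the original post, mount the certs and the fragment into the Traefik container and add `--providers.file.filename=/etc/traefik/dynamic.yml` to the static configuration. To see what a running Traefik actually presents for a given name, `openssl s_client -connect 127.0.0.1:443 -servername whoami.myhost.local </dev/null | openssl x509 -noout -subject -dates` prints the subject and validity window of the selected certificate.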

Hi! Thank you very much for your pointers. I’ll check them out as soon as I can.

I had seen mkcert, but it looks like you still need to manage certs locally in some custom way.

Can using the default cert automatically generated by Traefik be an option in a local env? It's self-signed, and it expires after 1 year. But it should work also after that expiration date.