
Awesome Traefik v2 guide by examples

edit - discovered caddy, seems simpler, here is its guide.

requirements

chapters

  1. traefik routing to docker containers
  2. traefik routing to local IP addresses
  3. middlewares
  4. let's encrypt certificate HTTP challenge
  5. let's encrypt certificate DNS challenge
  6. redirect HTTP traffic to HTTPS

#1 traefik routing to various docker containers

traefik-dashboard-pic

#2 traefik routing to local IP addresses

When a URL should point at something other than a docker container.

simple-network-diagram-pic

#3 middlewares

Example of an authentication middleware for any container.

logic-pic

#4 let's encrypt certificate, HTTP challenge

letsencrypt-http-challenge-pic

My understanding of the process, simplified.

LE - Let's Encrypt. A service that gives out free certificates.
Certificate - a cryptographic key stored in a file on the server; it allows encrypted communication and confirms the identity of the server.
ACME - a protocol (a precisely agreed way of communication) used to negotiate certificates from LE. It is part of traefik.
DNS - servers on the internet that translate domain names into IP addresses.

Traefik uses ACME to ask LE for a certificate for a specific domain, like example.com. LE answers with some randomly generated text that traefik puts at a specific place on the server. LE then asks the DNS servers on the internet about example.com, and that name points to some IP address. LE looks at that IP address through ports 80/443 for the file containing that random text.

If it's there, this proves that whoever asked for the certificate controls both the server and the domain, since the domain's DNS records point at that server. The certificate is given and is valid for 3 months; traefik will automatically try to renew it when less than 30 days remain.

Now how to actually get it done.

#5 let's encrypt certificate DNS challenge on cloudflare

letsencrypt-dns-challenge-pic

My understanding of the process, simplified.

LE - Let's Encrypt. A service that gives out free certificates.
Certificate - a cryptographic key stored in a file on the server; it allows encrypted communication and confirms the identity of the server.
ACME - a protocol (a precisely agreed way of communication) used to negotiate certificates from LE. It is part of traefik.
DNS - servers on the internet that translate domain names into IP addresses.

Traefik uses ACME to ask LE for a certificate for a specific domain, like example.com. LE answers with some randomly generated text that traefik puts in a new DNS TXT record. LE then checks the DNS records of example.com to see if the text is there.

If it's there, this proves that whoever asked for the certificate controls the domain. The certificate is given and is valid for 3 months. Traefik will automatically try to renew it when less than 30 days remain.

The benefit over httpChallenge is the ability to have wildcard certificates. These are certificates that are valid for all subdomains, *.example.com.
Also, no ports need to be open.

But traefik needs to be able to make these automated changes to DNS records, so there needs to be support for this from whoever manages the site's DNS. That's why this guide goes with cloudflare.

Now how to actually get it done.

#6 redirect http traffic to https

padlocks-pic

Plain HTTP stops working once HTTPS is set up, so it is better to redirect HTTP (80) to HTTPS (443).
Traefik has a special type of middleware for this purpose - redirectscheme.

There are several places where this redirect can be declared: in traefik.yml, in the dynamic section when traefik.yml itself is set as a file provider, or using labels on any running container. This example does it in the traefik compose file.
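Added example (not from the original guide) of a docker compose file for the traefik container that does the redirect from chapter 6 with labels and serves the dashboard over HTTPS with a certificate from the DNS challenge resolver of chapter 5. It assumes a traefik.yml that defines entrypoints named `web` (:80) and `websecure` (:443), a certificate resolver named `lets-encr` with a cloudflare dnsChallenge, a `.env` file holding `CF_DNS_API_TOKEN`, and a `users_file` with htpasswd entries for the chapter 3 basic auth middleware; all these names are assumptions.

```yaml
version: "3.7"

services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    restart: unless-stopped
    env_file: .env                          # assumed to hold CF_DNS_API_TOKEN for the cloudflare DNS challenge
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"   # read-only is enough for the docker provider
      - "./traefik.yml:/traefik.yml:ro"                  # assumed to define web, websecure and lets-encr
      - "./acme.json:/acme.json"                         # stores issued certificates, keep it chmod 600
      - "./users_file:/users_file:ro"                    # assumed htpasswd file for the dashboard
    labels:
      - "traefik.enable=true"
      # catch-all router on the plain HTTP entrypoint (80); its only job is to apply the redirect
      - "traefik.http.routers.redirect-to-https.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.redirect-to-https.entrypoints=web"
      - "traefik.http.routers.redirect-to-https.middlewares=redirect-to-https"
      # the redirectscheme middleware itself; permanent=true answers 301 instead of 302
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
      # dashboard router on the HTTPS entrypoint (443), certificate from the DNS challenge resolver
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=lets-encr"
      # wildcard certificate for the whole domain, only possible with the DNS challenge
      - "traefik.http.routers.traefik.tls.domains[0].main=example.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.example.com"
      - "traefik.http.routers.traefik.service=api@internal"
      # the dashboard must never be reachable without authentication
      - "traefik.http.routers.traefik.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.usersfile=/users_file"

networks:
  default:
    external:
      name: traefik_net                     # assumed shared network the routed containers join
```

A quick check after `docker-compose up -d`: `curl -I http://traefik.example.com` should answer `301` with a `Location: https://...` header, and the HTTPS URL should prompt for the basic auth credentials.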

stuff to checkout