Traefik Essentials Reverse Proxy with Docker & Let’s Encrypt

Traefik Essentials Reverse Proxy with Docker & Let’s Encrypt

6 minute
1077 words
Categories:
Networking Reverse Proxy
Tags:
#traefik #cloudflare #lets encrypt

What is Traefik

Traefik is an open-source reverse proxy and load balancer, perfect for managing containerized applications in your homelab or home server. It integrates seamlessly with Docker, automatically detecting services, configuring routing, and securing connections with SSL. Designed for dynamic, self-hosted environments, Traefik adapts to changes in real-time, making it ideal for scaling and simplifying your setup.

In this guide, we will set up the Traefik Docker container, configure Let’s Encrypt for obtaining SSL certificates.

Let’s get started!

Setup Traefik with Docker

Docker

Create the directory and docker-compose.yml

BASH
1mkdir traefik
2nano traefik/docker-compose.yml
Click to expand and view more

Add the following configuration to the file:

docker-compose.yml
 1services:
 2  traefik:
 3    image: traefik
 4    container_name: traefik
 5    restart: unless-stopped
 6    security_opt:
 7      - no-new-privileges:true
 8    environment:
 9      - TZ=Europe/Amsterdam
10      - CF_API_EMAIL=${CF_API_EMAIL}
11      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
12    networks:
13      - frontend
14    ports:
15      - 80:80 # HTTP entryPoints
16      - 443:443 # HTTPS entryPoints
17      - 8080:8080 # Dashbaord WebGui 
18    volumes:
19      - /var/run/docker.sock:/var/run/docker.sock:ro
20      - ./traefik.yml:/traefik.yml:ro
21      - traefik:/certs
22
23volumes:
24  traefik:
25    name: traefik
26
27networks:
28  frontend:
29    name: frontend
Click to expand and view more

Traefik configuration

Create a traefik.yml file to define Traefik’s configuration settings. This file specifies key elements like entry points and providers, enabling Traefik to manage traffic routing, load balancing, and security effectively.

BASH
1nano traefik/traefik.yml
Click to expand and view more

Add the following configuration to the file:

traefik.yml
 1api:
 2  dashboard: true
 3  insecure: true
 4  debug: false
 5entryPoints:
 6  web:
 7    address: ":80"
 8    http:
 9      redirections:
10        entryPoint:
11          to: websecure
12          scheme: https
13  websecure:
14    address: ":443"
15serversTransport:
16  insecureSkipVerify: true
17providers:
18  docker:
19    endpoint: "unix:///var/run/docker.sock"
20    exposedByDefault: false
21certificatesResolvers:
22  letencrypt:
23    acme:
24      email: [youremail@email.com]
25      storage: /certs/acme.json
26      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
27      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
28      # Use **one** of the following challenge types:
29      # --- DNS Challenge (example: Cloudflare) ---
30      dnsChallenge:
31        provider: cloudflare
32        delayBeforeCheck: 10
33
34      # --- HTTP Challenge ---
35      httpChallenge:
36        entryPoint: web
Click to expand and view more

Change [youremail@email.com] to your mail address

Cloudflare API

This part is only needed when you choose for the DNS challenge

In this guide we use Cloudflare as DNS provider. You can follow the same steps for other DNS providers. Support list can be found here.

To use the DNS-01 Challenge with Cloudflare, you need to create an API token that Traefik will use to authenticate with Cloudflare for automatic SSL certificate management.

  1. Go to the Cloudflare API page and log in with your Cloudflare account.
  2. Create API Key:
  1. Review the token summary and make any necessary adjustments by selecting Edit token. Note that you can also edit the token after creation if needed.
  2. Click on Create Token to generate the token’s secret.
  3. Make sure to save this API key securely, as you will need it later for configuring Traefik.

In the same directory as your docker-compose.yml, create a .env file to securely store your Cloudflare credentials:

BASH
1nano .env
Click to expand and view more

Add the following content to the .env file, replacing the placeholders with your actual Cloudflare email and API token:

.env
1CF_API_EMAIL=<Your cloudflare email>
2CF_DNS_API_TOKEN=<Your API Token>
Click to expand and view more

Start Traefik

Run the command below to start the container.

BASH
1docker compose -f traefik/docker-compose.yml up -d
Click to expand and view more

Then you can access the dashboard at http://serverip:8080.

Add service

To verify Traefik is working correctly, we’ll set up a simple service using Traefik’s whoami application. This service provides basic HTTP responses displaying browser and OS information, which makes it ideal for testing.

Make a new directory called whoami to organize the service files.

BASH
1mkdir whoami
2nano whoami/docker-compose.yml
Click to expand and view more

Add the following configuration to the file:

docker-compose.yml
 1services:
 2  whoami:
 3    container_name: simple-service
 4    image: traefik/whoami
 5    labels:
 6        - "traefik.enable=true"
 7        - "traefik.http.routers.whoami.rule=Host(`test.example.com`)"
 8        - "traefik.http.routers.whoami.entrypoints=websecure"
 9        - "traefik.http.routers.whoami.tls=true"
10        - "traefik.http.routers.whoami.tls.certresolver=letencrypt"
11        - "traefik.http.services.whoami.loadbalancer.server.port=80"
Click to expand and view more

Setting Up DNS and Starting the Service

Update your domain’s DNS settings to point test.example.com (replace this with your actual domain) to your server’s IP address. Verify that the changes have propagated and the domain resolves to your IP using tools like nslookup or online DNS checkers.

Open your browser and navigate to your domain to check if a certificate from the Let’s Encrypt Staging server is being used. You should see a certificate warning, as staging certificates are not trusted by browsers. This confirms that the staging configuration is working as expected.

Production Certificates

Now that everything is functioning correctly, it’s time to switch the caServer to the production version to obtain trusted certificates. Additionally, we need to remove the staging certificates; otherwise, Traefik will not request new ones.  Stop the running Traefik container and remove the volume used.

BASH
1docker compose -f traefik/docker-compose.yml down
2docker volume rm traefik
Click to expand and view more

Open your traefik.yml file and modify the caServer setting to point to the production Let’s Encrypt server. Comment out the staging line and ensure the production line is active, as shown below:

traefik.yml
1caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
2# caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
Click to expand and view more

After updating the configuration and clearing the staging certificates, restart Traefik to request production certificates.

BASH
1docker compose -f traefik/docker-compose.yml up -d
Click to expand and view more

You can use the same test service we made before the check if you now get the trusted certificates.

Some browsers keep a hold on the previous served certificates for some time. If you still get the staging certificate, try another browser or incognito window

Great! Now that everything is confirmed to be working in production, you can clean up by removing the test whoami service. Simply stop and remove the whoami container, and delete its configuration from your Docker Compose file. This cleanup will leave your setup streamlined, retaining only the essential configuration and services for your production environment.

Copyright Notice

Author: Sven van Ginkel

Link: https://svenvg.com/posts/traefik-essentials-reverse-proxy-with-docker-lets-encrypt/

License: CC BY-NC-SA 4.0

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please attribute the source, use non-commercially, and maintain the same license.

Start searching

Enter keywords to search articles

↑↓
ESC
⌘K Shortcut