This guide will show you how to configure traefik with the following features:
This guide uses example.com as an example domain; change it accordingly for your purposes.
Here is the full docker-compose.yml file to copy and paste. Don't forget to insert your mail address and change the example domain to your own domain.
version: '3'
services:
  traefik:
    image: traefik
    container_name: traefik
    command:
      - "--providers.docker"
      # Insecure mode serves the dashboard and API without authentication on the
      # entry point named "traefik" (port 8080 by default); 8080 is not published below.
      - "--api.insecure=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesResolvers.myresolver.acme.email=<your-mail-address>"
      - "--certificatesResolvers.myresolver.acme.storage=/data/acme.json"
      - "--certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./data/traefik/:/data"
    labels:
      - "traefik.http.middlewares.httpsonly.redirectscheme.scheme=https"
      - "traefik.http.middlewares.httpsonly.redirectscheme.permanent=true"
      - "traefik.http.routers.httpsonly.rule=HostRegexp(`{any:.*}`)"
      - "traefik.http.routers.httpsonly.middlewares=httpsonly"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.service=dashboard@internal"
      - "traefik.http.routers.api.rule=Host(`traefik.example.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=myresolver"
The following command-line arguments for the traefik container configure ACME to use Let's Encrypt:
    #
    command:
      - "--certificatesResolvers.myresolver.acme.email=<your-mail-address>"
      - "--certificatesResolvers.myresolver.acme.storage=/data/acme.json"
      - "--certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
Make sure to insert your email address in the right place.
Add the following labels to redirect all http requests to https:
    #
    labels:
      - "traefik.http.middlewares.httpsonly.redirectscheme.scheme=https"
      - "traefik.http.middlewares.httpsonly.redirectscheme.permanent=true"
      - "traefik.http.routers.httpsonly.rule=HostRegexp(`{any:.*}`)"
      - "traefik.http.routers.httpsonly.middlewares=httpsonly"
A router with the name httpsonly is created. This router matches all requests (regular expression .*) and forwards them to the middleware, which is also named 'httpsonly'. The middleware then answers the request with a permanent redirect to https (http code 301).
By default the traefik dashboard can easily be made accessible at port 8080. That does not look too pretty and will be http by default. This section will allow you to configure any domain to show the dashboard with https enabled.
    #
    labels:
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.service=dashboard@internal"
      - "traefik.http.routers.api.rule=Host(`traefik.example.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=myresolver"
This may look confusing at the beginning, but can be broken down into a few simple steps.
The first two labels make the service dashboard@internal available under the domain traefik.example.com. That is not enough, as the dashboard is a simple javascript application which gets all its data from a REST API. This API has to be available under the same URL as the dashboard itself, but appended with /api. By default the API is available under example.com:8080/api. The next two lines make the API service 'api@internal' accessible at traefik.example.com/api, just as the dashboard expects it to be.
This would be enough to access the dashboard with http://traefik.example.com, but if that were redirected to https, you would receive a certificate error. The last 4 lines (6 to 9) tell traefik to enable https for these sites (dashboard and api) and to use the certificate resolver myresolver, which is configured to use Let's Encrypt as described in a previous chapter.
For an example service we will add an unconfigured nginx webserver.
services:
  myweb:
    image: nginx
    labels:
      - "traefik.http.routers.myweb.rule=Host(`myweb.example.com`)"
      - "traefik.http.routers.myweb.tls=true"
      - "traefik.http.routers.myweb.tls.certresolver=myresolver"
We create a new router called myweb. If you reuse a router name, you will configure only one and get very unexpected results. Make sure to use unique router names in your labels. An easy way to do so is to use the service name, which has to be unique for docker already.
This router will be available at the configured domain (myweb.example.com) and will enable https with the certificate resolver myresolver (as configured earlier with Let's Encrypt).
Now you can access the nginx welcome page at myweb.example.com with https enabled.
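
Two points from this guide can be checked mechanically before deploying: router names reused across services, and routers for dashboard@internal or api@internal that carry no middleware, which means nothing authenticates requests to them. The Python check below is an added example, not part of the original guide; the label sets are constructed, and the `shop` service and the finding names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (service name -> labels) in the guide's layout, with one
# deliberate mistake: the hypothetical service "shop" reuses router name "myweb".
SERVICES = {
    "traefik": [
        "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)",
        "traefik.http.routers.dashboard.service=dashboard@internal",
        "traefik.http.routers.dashboard.tls=true",
    ],
    "myweb": [
        "traefik.http.routers.myweb.rule=Host(`myweb.example.com`)",
        "traefik.http.routers.myweb.tls=true",
    ],
    "shop": [
        "traefik.http.routers.myweb.rule=Host(`shop.example.com`)",
        "traefik.http.routers.myweb.tls=true",
    ],
}

# traefik.http.routers.<name>.<option>=<value>
ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.=]+)\.([^=]+)=(.*)$", re.I)

def parse_routers(services):
    """Return {router name: {compose service: {option: value}}}."""
    routers = defaultdict(lambda: defaultdict(dict))
    for svc, labels in services.items():
        for label in labels:
            m = ROUTER_LABEL.match(label.strip())
            if m:
                name, option, value = m.groups()
                routers[name][svc][option.lower()] = value
    return routers

def audit(services):
    """Return sorted (finding, router, detail) tuples."""
    findings = []
    for name, by_service in parse_routers(services).items():
        if len(by_service) > 1:  # same router name set by several services
            findings.append(("duplicate-router", name, ",".join(sorted(by_service))))
        for svc, opts in by_service.items():
            # Traefik applies authentication through middlewares, so an
            # @internal service routed without any has nothing in front of it.
            if opts.get("service", "").endswith("@internal") and not opts.get("middlewares"):
                findings.append(("internal-no-middleware", name, svc))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SERVICES):
        print(*finding, sep="\t")
```

Feed it the labels from your own compose file; an empty result means every router name belongs to one service and every @internal router has at least one middleware attached.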