Docker/Podman Compose Traefik HTTPS Proxy ( Cloudflare - SSL Let’s Encrypt) and ready for production
asapdotid/dcc-traefik-https
Docker/Podman Compose Traefik - Proxy Container Service (Cloudflare)

This guide shows you how to deploy your containers behind a Traefik reverse proxy. Traefik obtains and renews HTTPS certificates automatically, and the setup comes with a password-protected Traefik dashboard.

Docker Engine

Services Container

  • Docker Socket Proxy 1.11.2
  • Traefik 2.11.x, 3.1.x, 3.2.x, 3.3.x, 3.4.x & 3.5.x
  • Logger Alpine Linux 3.20 or 3.21

Traefik 3.5.x: configuration still under test with Docker version 28.x.x

References

  • Docker Socket Proxy (security) - Document
  • Traefik Document
  • Logger (logrotate & cron) Custom of Alpine

Podman Engine

Services Container

  • Traefik 2.11.x, 3.1.x, 3.2.x, 3.3.x, 3.4.x & 3.5.x
  • Logger Alpine Linux 3.20 or 3.21

Traefik 3.5.x: configuration still under test with Podman version 5.7.1

References

  • Traefik Document
  • Logger (logrotate & cron) Custom of Alpine

Admin Actions (root privilege, sudo)

For Linux hosts with SELinux:

Enable unprivileged users to bind to port 80 (so that a rootless container engine can listen on ports 80 and 443; note that this lowers the privileged-port boundary for every unprivileged process on the host, not only the container engine):
echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf
sysctl -p

Allow HTTP and HTTPS connections

firewall-cmd --add-service={http,https} --permanent
firewall-cmd --reload

Optional (development)

  • Whoami (prints OS information - local development) Document
  • Portainer (Optional) Document

Step 1: Make Sure You Have Required Dependencies

  • Git
  • Docker
  • Docker Compose
  • Podman
  • Podman Compose/Docker Compose

Docker installation on the system:

Official documentation for installing Docker: doc

Podman installation on the system:

Official documentation for installing Podman: doc

Step 2: Clone the Repository

git clone https://github.com/asapdotid/dcc-traefik-https.git
cd dcc-traefik-https

Make command help:

make help

Step 3: Make Initial Environment Variables

make init

Edit the file .make/.env used to build the images:

...
# Container engine: docker or podman
CONTAINER_ENGINE=podman

# Project variables
DOCKER_REGISTRY=docker.io
DOCKER_NAMESPACE=asapdotid
DOCKER_PROJECT_NAME=tf-proxy

# Docker image version
DOCKER_SOCKET_VERSION=1.11.2
TRAEFIK_VERSION=3.5
ALPINE_VERSION=3.21

# Timezone for os and log level
TIMEZONE=Asia/Jakarta

Step 3: Make Compose Initial Environment Variables

make env

Edit the file src/.env used by the compose files.

The default dashboard password is adminpass; change it before deploying to production.

Step 4: Set Your Own Password

Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.

Install the Apache Tools package to get htpasswd. To create a user:password pair, use one of the following commands:

echo $(htpasswd -n user)

# OR (password given on the command line; it will end up in your shell history)

echo $(htpasswd -nb user password)

Running script:

echo $(htpasswd -n admin)

New password:
Re-type new password:

admin:$apr1$W3jHMbEG$TCzyOICAWv/6kkraCHKYC0

or

echo $(htpasswd -nb admin adminpass)

admin:$apr1$W3jHMbEG$TCzyOICAWv/6kkraCHKYC0

The output has the format username:password_hash. The username doesn't have to be admin; feel free to change it (in the first line).

Encode password hash with base64:

echo '$apr1$W3jHMbEG$TCzyOICAWv/6kkraCHKYC0' | openssl enc -e -base64
JGFwcjEkVzNqSE1iRUckVEN6eU9JQ0FXdi82a2tyYUNIS1lDMAo=

Check decode:

echo 'JGFwcjEkVzNqSE1iRUckVEN6eU9JQ0FXdi82a2tyYUNIS1lDMAo=' | openssl enc -d -base64

Paste the username into the TRAEFIK_BASIC_AUTH_USERNAME environment variable and the other part, the password hash, into TRAEFIK_BASIC_AUTH_PASSWORD_HASH. Now you have your own username:password pair.
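The following helper script is an added example and is not part of the asapdotid/dcc-traefik-https project. It gathers the three handling steps above into small functions: doubling the dollar signs for docker-compose, base64-encoding the hash (with printf instead of echo, so the trailing newline that echo adds is not encoded), and verifying that a hash really corresponds to the password you think it does by recomputing the apr1 (htpasswd -m) digest from the salt embedded in the hash. It assumes only POSIX sh, sed, base64 and, for the verification step, the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not project code): helpers for a Traefik basic-auth credential.

# Double every "$" so the hash survives docker-compose variable interpolation.
compose_escape_hash() {
  printf '%s' "$1" | sed 's/\$/$$/g'
}

# Base64-encode the hash WITHOUT the trailing newline that `echo` would add.
b64_encode_hash() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse of b64_encode_hash.
b64_decode_hash() {
  printf '%s' "$1" | base64 -d
}

# Recompute an apr1 hash from the salt embedded in $1 (field 3 between the "$"
# separators) and compare it with the candidate password in $2.
# Returns 0 when the password matches the hash, 1 otherwise.
apr1_verify() {
  stored_hash=$1
  password=$2
  salt=$(printf '%s' "$stored_hash" | cut -d'$' -f3)
  recomputed=$(openssl passwd -apr1 -salt "$salt" "$password")
  [ "$recomputed" = "$stored_hash" ]
}

# Demo with the hash shown on this page (documented password: adminpass).
PAGE_HASH='$apr1$W3jHMbEG$TCzyOICAWv/6kkraCHKYC0'
echo "compose-escaped: $(compose_escape_hash "$PAGE_HASH")"
echo "base64 (no newline): $(b64_encode_hash "$PAGE_HASH")"
if command -v openssl >/dev/null 2>&1; then
  if apr1_verify "$PAGE_HASH" adminpass; then
    echo "hash matches 'adminpass'"
  else
    echo "hash does NOT match 'adminpass'"
  fi
fi
```

Run apr1_verify against the hash you put into src/.env before deploying; a mistyped or truncated hash fails there instead of locking you out of the dashboard.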

Step 5: Launch Your Deployment

Optionally create the docker network proxy so that other docker containers can be attached to it from outside this compose project:

docker network create proxy
make env

make build

Docker Compose make commands:

make up
# or
make down

Step 6: Additional Services

  • Whoami
  • Portainer

These can be removed or commented out.

Step 7: Test Your Deployment

curl -I https://{domain_name}/

You can also test it in the browser:

https://{domain_name}/

https://monitor.{domain_name}/

Deploying on a Public Server With Real Domain

Traefik requires you to define "Certificate Resolvers" in the static configuration, which are responsible for retrieving certificates from an ACME server.

Then, each "router" is configured to enable TLS, and is associated to a certificate resolver through the tls.certresolver configuration option.

Read the Traefik Let's Encrypt documentation.

Here is the list of providers supported by this project:

  • Cloudflare

Let's say you have a domain example.com and its DNS records point to your production server. Just repeat the local deployment steps, but don't forget to update the TRAEFIK_DOMAIN_NAME, TRAEFIK_ACME_DNS_CHALLENGE_PROVIDER_EMAIL and TRAEFIK_ACME_DNS_CHALLENGE_PROVIDER_TOKEN environment variables. In the case of example.com, your src/.env file should contain the following lines:

TRAEFIK_DOMAIN_NAME=example.com
TRAEFIK_ACME_DNS_CHALLENGE_PROVIDER_EMAIL=email@mail.com
TRAEFIK_ACME_DNS_CHALLENGE_PROVIDER_TOKEN=coudflare-access-token-123ABC

Setting a correct email is important because it allows Let's Encrypt to contact you about any present or future issues with your certificates.

Redirect WWW to non-WWW for external services (other docker compose file)

Example labels redirecting www to non-www:

labels:
    - traefik.enable=true
    - traefik.docker.network=proxy
    - traefik.http.routers.whoami.entrypoints=https
    - traefik.http.routers.whoami.rule=Host(`jogjascript.com`)||Host(`www.jogjascript.com`)
    # Add redirect middlewares for http and https
    - traefik.http.routers.whoami.middlewares=redirect-http-www@file,redirect-https-www@file

Example Docker Compose

File: src/compose/docker-compose.local.yml

Whoami

whoami:
    image: traefik/whoami:latest
    container_name: whoami
    networks:
        - proxy
    depends_on:
        - traefik
    labels:
        - traefik.enable=true
        - traefik.http.routers.whoami.entrypoints=https
        - traefik.http.routers.whoami.rule=Host(`jogjascript.com`)||Host(`www.jogjascript.com`)
        # Add redirect middlewares for http and https
        - traefik.http.routers.whoami.middlewares=redirect-http-www@file,redirect-https-www@file

Portainer

portainer:
    image: portainer/portainer-ce:latest
    restart: unless-stopped
    security_opt:
        - no-new-privileges:true
    networks:
        - proxy
    volumes:
        - /etc/localtime:/etc/localtime:ro
        - ../../.data/portainer:/data
    labels:
        - traefik.enable=true
        - traefik.http.routers.portainer.entrypoints=https
        - traefik.http.routers.portainer.rule=Host(`portainer.${TRAEFIK_DOMAIN_NAME}`)
        - traefik.http.services.portainer.loadbalancer.server.port=9000
    depends_on:
        - traefik

External Docker Compose Service Integration with Traefik (Labels)

Sample (the router name, here app, must be unique across everything Traefik sees; reusing a name such as portainer from another compose file makes Traefik discard the conflicting router):

---
labels:
    - traefik.enable=true
    - traefik.docker.network=proxy
    - traefik.http.routers.app.entrypoints=https
    - traefik.http.routers.app.rule=Host(`app.${TRAEFIK_DOMAIN_NAME}`)

Path prefix with loadbalancer:

---
labels:
    - traefik.enable=true
    - traefik.docker.network=proxy
    - traefik.http.routers.backend-v1.entrypoints=https
    - traefik.http.routers.backend-v1.rule=Host(`api.domain_name.com`) && PathPrefix(`/v1`)
    - traefik.http.services.backend-v1.loadbalancer.server.port=3000
    - traefik.http.routers.backend-v1.middlewares=api-strip
    - traefik.http.middlewares.api-strip.stripprefix.prefixes=/v1

Sample nginx service:

---
nginx:
    image: nginx:stable
    networks:
        - proxy
    labels:
        - traefik.enable=true
        - traefik.docker.network=proxy
        - traefik.http.routers.nginx.entrypoints=https
        - traefik.http.routers.nginx.rule=Host(`app.${TRAEFIK_DOMAIN_NAME}`)

Also included is a TLS option that allows only TLS v1.3. It is not applied by default and must be enabled manually on each router; the example below does this with a docker label (the tls.options label must name the same router as the rule label, otherwise it configures a router that does not exist and the service keeps the default TLS settings).

---
nginx:
    image: nginx:stable
    networks:
        - proxy
    labels:
        - traefik.enable=true
        - traefik.docker.network=proxy
        # only TLS v1.3
        - traefik.http.routers.nginx.tls.options=tlsv13only@file
        - traefik.http.routers.nginx.entrypoints=https
        - traefik.http.routers.nginx.rule=Host(`app.${TRAEFIK_DOMAIN_NAME}`)
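Two mistakes are easy to make when copying label snippets like the ones above: a misspelled label prefix (traefil. instead of traefik.), which Traefik silently ignores so the container is never attached to the proxy network, and a tls.options or middlewares label whose router name does not match the router that carries the rule, so the hardening applies to a router that does not exist. The script below is an added example (not part of the project) that lints a list of label lines read from stdin for exactly these two problems; it assumes only POSIX sh and awk, and the sample labels it runs on are constructed for the demo.

```shell
#!/bin/sh
# Added example (not project code): lint Traefik label lines read from stdin.
# Prints one line per finding and exits 1 if anything was found, 0 otherwise.
lint_traefik_labels() {
  awk '
    # Misspelled prefix: Traefik ignores the label, so the intent is lost.
    /traefil\./ { print "typo (traefil): " $0; bad = 1 }

    # Collect every router name that any traefik.http.routers.<name>. label
    # refers to, and remember which of them actually get a .rule label.
    match($0, /traefik\.http\.routers\.[A-Za-z0-9_-]+\./) {
      # "traefik.http.routers." is 21 characters; RLENGTH includes the final dot.
      name = substr($0, RSTART + 21, RLENGTH - 22)
      routers[name] = 1
      if (index($0, "traefik.http.routers." name ".rule=") > 0) hasrule[name] = 1
    }

    END {
      for (r in routers)
        if (!(r in hasrule)) {
          print "router \"" r "\" has options but no .rule label"; bad = 1
        }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample: a careless copy with both mistakes present.
SAMPLE='- traefik.enable=true
- traefil.docker.network=proxy
- traefik.http.routers.project-app.tls.options=tlsv13only@file
- traefik.http.routers.portainer.entrypoints=https
- traefik.http.routers.portainer.rule=Host(`app.example.com`)'

if printf '%s\n' "$SAMPLE" | lint_traefik_labels; then
  echo "labels look consistent"
else
  echo "fix the labels above before deploying"
fi
```

Feed it the labels section of any compose file (for example with grep -- '- traefik' docker-compose.yml | lint_traefik_labels) as a pre-deploy check; it complements Traefik's own log, which only reports the router conflicts it notices after the container is already running.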

Read the instructions printed after the containers are up.

License

MIT / BSD

Author Information

This Docker Compose Traefik HTTPS was created in 2022 by Asapdotid 🚀
