Local traefik with Docker and SSL

Deploy Docker container with traefik

Target

We want to deploy some services as Docker containers and use traefik as a reverse proxy for them. Additionally, we will use SSL.

Prerequisites

  • install Docker on your machine

Setup

  • create traefik config
    • the endpoint is our passed-through Docker socket
    • we are using nip.io in our default rule because it will resolve *.127.0.0.1.nip.io to 127.0.0.1
    • you may have to deactivate DNS rebind protection in your router, since it can block DNS answers that point to 127.0.0.1
    • only containers with a traefik.enable=true label will be exposed
---
entryPoints:
  web:
    address: ":80"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
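    # assumed template: the compose service name becomes the subdomain, e.g. whoami.127.0.0.1.nip.io
    defaultRule: 'Host(`{{ index .Labels "com.docker.compose.service" }}.127.0.0.1.nip.io`)'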
    exposedByDefault: false

api:
  dashboard: true
  insecure: true
  • create your docker-compose.yml file
---
version: '3'

services:
  traefik:
    container_name: traefik
    image: traefik:latest
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $PWD/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
    ports:
      - "80:80"
      - "8080:8080"
    
  whoami:
    container_name: whoami
    image: containous/whoami
    restart: always
    labels:
      - "traefik.enable=true"
  • start your containers with docker compose up -d
  • check out the traefik dashboard at http://127.0.0.1:8080/dashboard/
  • verify traefik routing
    • there should be an entry like this: Host: whoami.127.0.0.1.nip.io
curl --header 'Host:whoami.127.0.0.1.nip.io' http://localhost
  • generate a certificate and key with OpenSSL
    • answer the prompts
    • common name should be web.127.0.0.1.nip.io
mkdir certs
cd certs
openssl req -x509 -newkey rsa:4096 -keyout test.key -out test.crt -sha256 -days 365 -nodes
cd ..
  • rewrite your docker-compose.yml file
---
version: '3'

services:
  traefik:
    container_name: traefik
    image: traefik:latest
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $PWD/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - $PWD/traefik/traefik_dynamic.yml:/etc/traefik/conf.d/traefik_dynamic.yml:ro
      - $PWD/certs:/etc/traefik/certs:ro
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    
  whoami:
    container_name: whoami
    image: containous/whoami
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=web"
  
  test:
    container_name: test
    image: nginx:latest
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.test.entrypoints=websecure"
      - "traefik.http.routers.test.tls=true"
  • rewrite your traefik.yml file
---
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  file:
    directory: /etc/traefik/conf.d
  docker:
    endpoint: "unix:///var/run/docker.sock"
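    # assumed template: the compose service name becomes the subdomain, e.g. whoami.127.0.0.1.nip.io
    defaultRule: 'Host(`{{ index .Labels "com.docker.compose.service" }}.127.0.0.1.nip.io`)'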
    exposedByDefault: false

api:
  dashboard: true
  insecure: true
  • create a dynamic traefik configuration traefik_dynamic.yml
tls:
  certificates:
    - certFile: /etc/traefik/certs/test.crt
      keyFile: /etc/traefik/certs/test.key
  • restart your containers with docker compose down && docker compose up -d
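
A non-interactive variant of the certificate step above, added here as an example and not part of the original post: it also writes the host names into the subjectAltName extension, which browsers and Go-based clients check instead of the common name, and confirms the result with openssl's -checkhost. The function names, the script file name and the second host name in the usage line are assumptions; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# certificate step, with the host names also placed in subjectAltName.
# Function names and the second host name in the usage line are assumptions.

# make_cert DIR HOST [HOST...]: write DIR/test.key and DIR/test.crt.
# The first HOST becomes the common name; every HOST becomes a SAN entry.
make_cert() {
    dir=$1; shift
    [ "$#" -ge 1 ] || { echo "usage: make_cert DIR HOST [HOST...]" >&2; return 2; }
    cn=$1
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: the private key is never group/world readable.
    ( umask 077
      openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
          -keyout "$dir/test.key" -out "$dir/test.crt" \
          -subj "/CN=$cn" -addext "subjectAltName=$san" )
}

# cert_matches CRT HOST: succeed only if the certificate is valid for HOST.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Run as (file name assumed):
#   sh make-cert.sh certs web.127.0.0.1.nip.io test.127.0.0.1.nip.io
if [ "$#" -ge 2 ]; then
    make_cert "$@" && cert_matches "$1/test.crt" "$2" && echo "certificate OK for $2"
fi
```

Pass the generated certificate to curl with --cacert certs/test.crt to check the HTTPS route without disabling verification.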

Do not expose services to the internet unless you know what you are doing. This is just a local setup for testing purposes. The traefik dashboard is not secured (api.insecure: true serves it without authentication on port 8080), and the certificate is self-signed.

This post is licensed under CC BY 4.0 by the author.