An opinionated Traefik configuration with automatic Let's Encrypt certificate management and password protected dashboard.

conscribtor/docker-traefik-letsencrypt

Docker + Traefik + Let’s Encrypt

Requirements

Configuration

Traefik has a static configuration (provided by us) and a dynamic configuration (provided by Docker).

In this project, the static configuration is supplied through environment variables set in the environment section of the traefik service. The dynamic configuration is set in the labels section of each service that uses the reverse proxy.

Setup

Staging

If DOMAIN and ACME_MAIL are set in the .env file, simply run:

docker-compose up -d

If you prefer to pass these values explicitly to the docker-compose command:

DOMAIN=<your_domain> ACME_MAIL=<admin_email> docker-compose up -d

The Traefik Dashboard can be accessed on its subdomain (e.g.: https://traefik.example.com). In staging, username and password are both set to "traefik".

Production

For production you must override docker-compose.yml with docker-compose.prod.yml in order to use production-ready configurations.

When using docker-compose.prod.yml, credentials for the Traefik Dashboard must be set explicitly. The traefik service is configured with the DigestAuth middleware for authentication. The digest token can be generated with htdigest using the realm traefik, and must be passed to docker-compose via the DASHBOARD_DIGESTAUTH_TOKEN environment variable:

DASHBOARD_DIGESTAUTH_TOKEN=<digest_token> \
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d

If DOMAIN and ACME_MAIL are not set in the .env file:

DOMAIN=<your_domain> ACME_MAIL=<admin_email> DASHBOARD_DIGESTAUTH_TOKEN=<digest_token> \
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
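
The following is an added example, not part of this repository: a pre-deployment check that builds a digest token in the htdigest line format (user:realm:MD5(user:realm:password)) and rejects a token that still matches the staging default credentials. It assumes DASHBOARD_DIGESTAUTH_TOKEN holds the full htdigest line; the function names are hypothetical and the sample password in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). The realm comes from the README.
REALM="traefik"

# md5_hex: print the MD5 hex digest of stdin with whichever tool is installed.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        openssl dgst -md5 | sed 's/^.*= *//'
    fi
}

# make_digest_token USER PASSWORD
# Prints "user:realm:MD5(user:realm:password)", the line format htdigest writes.
make_digest_token() {
    case "$1" in
        ''|*:*) echo "username must be non-empty and contain no ':'" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "empty password" >&2; return 1; }
    printf '%s:%s:%s\n' "$1" "$REALM" \
        "$(printf '%s:%s:%s' "$1" "$REALM" "$2" | md5_hex)"
}

# check_digest_token TOKEN
# Succeeds only if the token has three well-formed fields, uses the expected
# realm, and is not the staging default (username and password both "traefik").
check_digest_token() {
    token=$1
    user=${token%%:*}
    rest=${token#*:}
    realm=${rest%%:*}
    hash=${rest#*:}
    [ -n "$user" ] || { echo "missing username" >&2; return 1; }
    [ "$realm" = "$REALM" ] || { echo "realm must be '$REALM'" >&2; return 1; }
    printf '%s' "$hash" | grep -Eq '^[0-9a-f]{32}$' ||
        { echo "hash field is not 32 hex characters" >&2; return 1; }
    [ "$token" != "$(make_digest_token traefik traefik)" ] ||
        { echo "token matches the staging default credentials" >&2; return 1; }
}

# Usage with a constructed password:
#   token=$(make_digest_token admin 'constructed-sample-pw') &&
#   check_digest_token "$token" && export DASHBOARD_DIGESTAUTH_TOKEN="$token"
```

When generating a real token, read the password from a silent prompt instead of typing it as a literal argument, so it does not end up in shell history.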

Connect services

By default, containers running on the same Docker Engine are not connected to the same Docker network as the traefik service, and even when they are, they are not discovered automatically. Containers must be connected to the reverse_proxy network and be labeled with traefik.enable=true and traefik.http.routers.<routername>.tls.certresolver=letsencrypt in order to be served through the traefik service with a Let's Encrypt certificate.

Here is an example of docker-compose.yml for a very simple webserver being served through traefik using the aforementioned labels and networks configuration:

services:
  static-webserver:
    image: python
    volumes:
      - ./static-webserver:/static-webserver:ro
    working_dir: /static-webserver
    command: python -m http.server 443
    expose: [443]
    labels:
      - traefik.enable=true
      - traefik.http.routers.static-webserver.tls.certresolver=letsencrypt
networks:
  default:
    external: true
    name: reverse_proxy

Traefik is preconfigured with a default rule that uses the application's service name to route the matching subdomain to the application (e.g. static-webserver is available at https://static-webserver.example.com). This behaviour can be changed by setting a custom rule in the application's labels.
