@abenevaut
Last active February 12, 2025 20:53
use traefik as local load balancer with SSL

Root certificate generation

docker run --rm -it -w /app -v .:/app alpine/openssl genrsa -des3 -out rootCA.key 4096
docker run --rm -it -w /app -v .:/app alpine/openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Project directory

  • .env (edit and add the root certificate passphrase)
  • www/
  • traefik-local/
    • rootCA.key (do not commit)
    • rootCA.crt (do not commit)
    • Dockerfile (builds the image served as traefik.abenevaut.local: generates the SSL certificate for *.abenevaut.local that traefik uses)
    • traefik.yaml
    • traefik-dynamic.yaml
  • docker-compose.yml

Setup domain

  • edit /etc/hosts and add:
    127.0.0.1 traefik.abenevaut.local www.abenevaut.local

Run

docker-compose up -d www traefik

.env

ROOT_CA_PASSPHRASE=

docker-compose.yml

#
# docker-compose up -d
# docker-compose up -d www traefik
# docker-compose up -d --build
# docker-compose up -d --build www traefik
# docker-compose up -d --force-recreate --remove-orphans
#
services:
  www:
    image: ghcr.io/abenevaut/vapor-nginx:php83
    volumes:
      - ./www:/var/task
    labels:
      - traefik.enable=true
      - traefik.http.routers.www.entrypoints=websecure
      - traefik.http.routers.www.tls=true
      # no certResolver named "default" is declared in traefik.yaml, so this label
      # makes traefik log "the router www@docker uses a non-existent resolver: default"
      # (see the author's comment below); the certificate declared in
      # traefik-dynamic.yaml is served for the router without it
      # - traefik.http.routers.www.tls.certresolver=default
      - traefik.http.routers.www.rule=Host(`www.abenevaut.local`)
      - traefik.http.routers.www.service=www
      - traefik.http.services.www.loadbalancer.server.port=8080
  traefik:
    image: abenevaut/traefik-local:latest
    build:
      context: ./traefik-local
      args:
        # read from .env; only used in the certgen build stage
        - ROOT_CA_PASSPHRASE=${ROOT_CA_PASSPHRASE}
    environment:
      - TZ=Europe/Paris
    ports:
      - 80:80
      - 443:443
    volumes:
      # read-only docker socket for the docker provider
      - //var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.tls=true
      - traefik.http.routers.api.rule=Host(`traefik.abenevaut.local`)
      - traefik.http.routers.api.service=api@internal

traefik-local/Dockerfile

# Build stage: signs the traefik certificate with the local root CA.
# The root key and the passphrase only exist in this stage; the final image
# below copies just traefik.crt and traefik.key out of it.
FROM alpine/openssl:latest AS certgen
ARG ROOT_CA_PASSPHRASE=yourPassPhrase
RUN mkdir -p /etc/certs
WORKDIR /etc/certs
COPY rootCA.crt rootCA.key /etc/certs/
# heredoc COPY needs BuildKit (the default builder since Docker Engine 23)
COPY <<EOF /etc/certs/openssl.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = FR
ST = Ile-de-France
L = Paris
O = abenevaut.dev
OU = IT
CN = *.abenevaut.local
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.abenevaut.local
DNS.2 = abenevaut.local
EOF
COPY <<EOF /etc/certs/traefik.ext
[req]
prompt=no
distinguished_name=dn
req_extensions=req_ext
[dn]
CN=abenevaut.local
[email protected]
O=abenevaut.dev
OU=IT
L=Paris
ST=Ile-de-France
C=FR
[req_ext]
subjectAltName=DNS:traefik.abenevaut.local,DNS:www.abenevaut.local
EOF
# leaf key and CSR; the subject comes from openssl.cnf
RUN openssl genrsa -out traefik.key 2048 \
    && openssl req -new -key traefik.key -out traefik.csr -config openssl.cnf
# sign the CSR with the root CA; the SAN list clients actually check comes from
# the req_ext section of traefik.ext, the passphrase unlocks rootCA.key
RUN echo $ROOT_CA_PASSPHRASE | openssl x509 \
    -passin stdin \
    -req \
    -in /etc/certs/traefik.csr \
    -CA /etc/certs/rootCA.crt \
    -CAkey /etc/certs/rootCA.key \
    -CAcreateserial \
    -out /etc/certs/traefik.crt \
    -days 10000 \
    -sha256 \
    -extensions req_ext \
    -extfile /etc/certs/traefik.ext

# Final image: traefik plus its static config, dynamic config and the signed certificate.
FROM traefik:v3.3
LABEL maintainer="Antoine Benevaut <[email protected]>"
COPY traefik.yaml /etc/traefik/traefik.yml
COPY traefik-dynamic.yaml /etc/traefik/dynamic/traefik-dynamic.yaml
COPY --from=certgen /etc/certs/traefik.crt /etc/certs/traefik.key /etc/ssl/certs/
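To check what a certificate produced by this signing step is actually good for, the following added script (it is not part of the gist) rebuilds the same openssl workflow in a temporary directory, with a throwaway root CA and a leaf certificate whose SAN list is taken from an extension file like traefik.ext, and then asks openssl the questions a browser asks: does the leaf chain to the root, does the private key match, and which host names does the SAN list cover. The CA subject, the temporary file names and the unencrypted root key are assumptions made for the example; it generalises the gist's setup by testing a wildcard SAN, which shows that `*.abenevaut.local` covers `www.abenevaut.local` but neither the bare domain (hence the gist's `DNS.2`) nor a second level of sub-domains.

```shell
#!/bin/sh
# Added example, not the gist's code: build a test PKI the same way the
# Dockerfile does and verify the result with openssl. Everything lives in a
# temp dir; the root key is left unencrypted because it is thrown away.

PKI_DIR="$(mktemp -d)"
trap 'rm -rf "$PKI_DIR"' EXIT
ROOT_KEY="$PKI_DIR/rootCA.key"; ROOT_CRT="$PKI_DIR/rootCA.crt"
LEAF_KEY="$PKI_DIR/traefik.key"; LEAF_CSR="$PKI_DIR/traefik.csr"; LEAF_CRT="$PKI_DIR/traefik.crt"

# Root CA: self-signed and explicitly marked CA:TRUE. -config replaces the
# system openssl.cnf so the result does not depend on the host's defaults.
make_root_ca() {
    cat > "$PKI_DIR/root.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = abenevaut local root (test CA, assumed name)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$ROOT_KEY" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$ROOT_KEY" -sha256 -days 1 \
        -config "$PKI_DIR/root.cnf" -out "$ROOT_CRT" 2>/dev/null
}

# Leaf: CSR with a wildcard CN, signed by the root with the SAN list taken
# from an extension file, exactly the pattern the Dockerfile uses.
make_leaf_cert() {
    cat > "$PKI_DIR/leaf.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = *.abenevaut.local
EOF
    cat > "$PKI_DIR/leaf.ext" <<EOF
[ req_ext ]
subjectAltName = DNS:*.abenevaut.local, DNS:abenevaut.local
EOF
    openssl genrsa -out "$LEAF_KEY" 2048 2>/dev/null &&
    openssl req -new -key "$LEAF_KEY" -config "$PKI_DIR/leaf.cnf" -out "$LEAF_CSR" 2>/dev/null &&
    openssl x509 -req -in "$LEAF_CSR" -CA "$ROOT_CRT" -CAkey "$ROOT_KEY" -CAcreateserial \
        -days 1 -sha256 -extensions req_ext -extfile "$PKI_DIR/leaf.ext" \
        -out "$LEAF_CRT" 2>/dev/null
}

# Chain check: does the leaf validate against the root?
verify_chain() {
    openssl verify -CAfile "$ROOT_CRT" "$LEAF_CRT" >/dev/null 2>&1
}

# Host name check: is the leaf valid *for this name*? Like a browser, openssl
# only consults the SAN list here; the CN is ignored once a SAN is present.
verify_host() {
    openssl verify -CAfile "$ROOT_CRT" -verify_hostname "$1" "$LEAF_CRT" >/dev/null 2>&1
}

# Key/cert match: the public key inside the certificate must be the one
# derived from the private key traefik will load next to it.
key_matches_cert() {
    [ "$(openssl x509 -in "$LEAF_CRT" -noout -pubkey)" = \
      "$(openssl pkey -in "$LEAF_KEY" -pubout 2>/dev/null)" ]
}

make_root_ca && make_leaf_cert || { echo "PKI generation failed" >&2; exit 1; }

verify_chain && echo "chain: ok" || echo "chain: FAILED"
key_matches_cert && echo "key/cert: match" || echo "key/cert: MISMATCH"
for host in www.abenevaut.local abenevaut.local deep.sub.abenevaut.local other.local; do
    if verify_host "$host"; then echo "$host: covered"; else echo "$host: NOT covered"; fi
done
```

Run it as `sh check-pki.sh`; the same `verify_chain` and `verify_host` calls, pointed at the real `rootCA.crt` and `traefik.crt` produced by the Dockerfile, tell you before starting docker-compose whether the certificate will be accepted for `www.abenevaut.local` and `traefik.abenevaut.local`.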

traefik-local/traefik-dynamic.yaml

tls:
  certificates:
    - certFile: /etc/ssl/certs/traefik.crt
      keyFile: /etc/ssl/certs/traefik.key
      stores:
        - default
  stores:
    default:
      defaultCertificate:
        certFile: /etc/ssl/certs/traefik.crt
        keyFile: /etc/ssl/certs/traefik.key

traefik-local/traefik.yaml

log:
  level: INFO
api:
  dashboard: true
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true
  file:
    directory: /etc/traefik/dynamic
    watch: true
abenevaut commented Feb 11, 2025

An error on docker-compose.yml

services:

  www:
    ...
    labels:
      - ...
      - traefik.http.routers.www.tls.certresolver=default # <- traefik start with an error
time="2025-00-00T00:00:00+42:00" level=error msg="the router www@docker uses a non-existent resolver: default"
