Skip to content

Instantly share code, notes, and snippets.

@crazygit

crazygit/traefik-bare-secure-mode.yml

Last active May 8, 2022 14:38
Show Gist options
  • Save crazygit/3cc2ca496050e3005884218fee7f14b5 to your computer and use it in GitHub Desktop.
Save crazygit/3cc2ca496050e3005884218fee7f14b5 to your computer and use it in GitHub Desktop.
Download ZIP
Expose Traefik dashboard in secure mode
Raw
traefik-bare-secure-mode.yml
# bare secure mode: no https, no basic auth
version: '3.8'
services:
reverse_proxy:
image: traefik:v2.6
command:
# - "--log.level=DEBUG"
# Enable Docker in Traefik, so that it reads labels from Docker services
- "--providers.docker"
# Do not expose all Docker services, only the ones explicitly exposed
- "--providers.docker.exposedbydefault=false"
# Set default Docker network used
- "--providers.docker.network=traefik-public"
# Enable Docker Swarm mode
- "--providers.docker.swarmmode"
# Create an entrypoint "http" listening on port 80
- "--entrypoints.web.address=:80"
# Create an entrypoint "https" listening on port 443
- "--entrypoints.websecure.address=:443"
# Enable the access log, with HTTP requests
- "--accesslog"
# Enable the Traefik log, for configurations and errors
- "--log"
# Enable the Dashboard and API
- "--api.dashboard=true"
ports:
- "80:80"
- "443:443"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
# Since the Swarm API is only exposed on the manager nodes, these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role":
deploy:
placement:
constraints:
- node.role == manager
labels:
# Enable Traefik for this service, to make it available in the public network
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.entrypoints=web"
- "traefik.http.routers.dashboard.service=api@internal"
# Dummy service for Swarm port detection. The port can be any valid integer value.
- "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
networks:
# Use the public network created to be shared between Traefik and
# any other service that needs to be publicly available with HTTPS
- traefik-public
networks:
# services that need to be publicly available via this Traefik
traefik-public:
external: true
Raw
traefik-secure-mode-auth-https.yml
# secure mode with https and basic auth
version: '3.8'
services:
reverse_proxy:
image: traefik:v2.6
command:
# - "--log.level=DEBUG"
# Enable Docker in Traefik, so that it reads labels from Docker services
- "--providers.docker"
# Do not expose all Docker services, only the ones explicitly exposed
- "--providers.docker.exposedbydefault=false"
# Set default Docker network used
- "--providers.docker.network=traefik-public"
# Enable Docker Swarm mode
- "--providers.docker.swarmmode"
# Create an entrypoint "http" listening on port 80
- "--entrypoints.web.address=:80"
# Create an entrypoint "https" listening on port 443
- "--entrypoints.websecure.address=:443"
# Enable the access log, with HTTP requests
# - "--accesslog"
# Enable the Traefik log, for configurations and errors
- "--log"
# Enable the Dashboard and API
- "--api.dashboard=true"
# Use the Http Challenge for Let's Encrypt
- "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
# Use the HTTP Challenge
- "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
# Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
- "--certificatesresolvers.letsencryptresolver.acme.email=your_email@example.com"
# Store the Let's Encrypt certificates in the mounted volume
- "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
# If you uncommented the acme.caserver line, you will get an SSL error, but if you display the certificate and see it was emitted by Fake LE Intermediate X1 then it means all is good. (It is the staging environment intermediate certificate used by let's encrypt). You can now safely comment the acme.caserver line, remove the letsencrypt/acme.json file and restart Traefik to issue a valid certificate.
- "--certificatesresolvers.letsencryptresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
ports:
- "80:80"
- "443:443"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
- certificates:/letsencrypt
# Since the Swarm API is only exposed on the manager nodes, these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role":
deploy:
placement:
constraints:
- node.role == manager
labels:
# Enable Traefik for this service, to make it available in the public network
- "traefik.enable=true"
# Use the traefik-public network
- "traefik.docker.network=traefik-public"
# http
- "traefik.http.routers.dashboardhttp.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.dashboardhttp.entrypoints=web"
- "traefik.http.routers.dashboardhttp.service=api@internal"
# https
- "traefik.http.routers.dashboardhttps.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.dashboardhttps.entrypoints=websecure"
- "traefik.http.routers.dashboardhttps.service=api@internal"
- "traefik.http.routers.dashboardhttps.tls.certresolver=letsencryptresolver"
# Dummy service for Swarm port detection. The port can be any valid integer value.
- "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
# dashboard-auth middleware with HTTP Basic auth
- "traefik.http.middlewares.auth.basicauth.users=your_username:$$apr1$$MjQrynku$$iSdz67CS8wZvCaqm7qYBC/"
- "traefik.http.routers.dashboardhttp.middlewares=auth"
- "traefik.http.routers.dashboardhttps.middlewares=auth"
networks:
# Use the public network created to be shared between Traefik and
# any other service that needs to be publicly available with HTTPS
- traefik-public
volumes:
# Create a volume to store the certificates, there is a constraint to make sure
# Traefik is always deployed to the same Docker node with the same volume containing
# the HTTPS certificates
certificates:
networks:
# services that need to be publicly available via this Traefik
traefik-public:
external: true
@crazygit
Copy link
Author

crazygit commented May 7, 2022
edited
Loading

Expose Traefik dashboard in secure mode with https and basic auth

ssh into docker swarm master node first

Step 1, create traefik-public network

$ docker network create --driver=overlay traefik-public

Step 2, Create Http Basic Auth User

$ sudo apt install apache2-utils
$ export USERNAME="your_username"
$ export PASSWORD="your_password"
$ echo $(htpasswd -nb $USERNAME $PASSWORD) | sed -e s/\\$/\\$\\$/g
your_username:$$apr1$$MjQrynku$$iSdz67CS8wZvCaqm7qYBC/

Note

when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
To create user:password pair, it's possible to use this command:
echo $(htpasswd -nB user) | sed -e s/\$/\$\$/g
Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).

Update the user info in traefik-secure-mode-auth-https.yml file with yours

Step 3, deploy traefik stack with traefik-secure-mode-auth-https.yml

$ docker stack deploy -c traefik-secure-mode-auth-https.yml traefik

Step 4, Check access

Use browser to access below link

you will get an SSL error, if you display the certificate and see it was emitted by Fake LE Intermediate X1 then it means all is good.

Note: The trailing slash / in /dashboard/ is mandatory

Step 5

Comment below line in traefik-bare-secure-mode.yml file when deploy to production

   - "--certificatesresolvers.letsencryptresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

More reffer

https://doc.traefik.io/traefik/operations/dashboard/#secure-mode

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment