Last active
May 21, 2024 04:37
-
-
Save natcl/ed8253a34e7b87d879baabeba82cb846 to your computer and use it in GitHub Desktop.
traefik: node-red + mosquitto using letsencrypt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
version: "3.3" | |
services: | |
traefik: | |
image: "traefik:v2.2" | |
container_name: "traefik" | |
command: | |
- "--api=true" | |
- "--api.dashboard=true" | |
- "--providers.docker=true" | |
- "--providers.docker.exposedbydefault=false" | |
# Entrypoints | |
- "--entrypoints.web.address=:80" | |
- "--entrypoints.websecure.address=:443" | |
- "--entrypoints.mqtt.address=:8883" | |
# Redirect http to https | |
- "--entrypoints.web.http.redirections.entrypoint.to=websecure" | |
- "--entrypoints.web.http.redirections.entrypoint.scheme=https" | |
# Let's encrypt configuration | |
- "--certificatesresolvers.myresolver.acme.tlschallenge=true" | |
- "[email protected]" | |
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json" | |
ports: | |
- "80:80" | |
- "443:443" | |
- "8883:8883" | |
volumes: | |
- "./letsencrypt:/letsencrypt" | |
- "/var/run/docker.sock:/var/run/docker.sock:ro" | |
labels: | |
- "traefik.enable=true" | |
- "traefik.http.routers.dashboard.rule=Host(`traefik.zoo.ocean.mofa.studio`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" | |
- "traefik.http.routers.dashboard.entrypoints=websecure" | |
- "traefik.http.routers.dashboard.service=api@internal" | |
- "traefik.http.routers.dashboard.tls.certresolver=myresolver" | |
- "traefik.http.routers.dashboard.middlewares=auth" | |
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0" | |
whoami: | |
image: "containous/whoami" | |
container_name: "simple-service" | |
labels: | |
- "traefik.enable=true" | |
- "traefik.http.routers.whoami.rule=Host(`whoami.zoo.ocean.mofa.studio`)" | |
- "traefik.http.routers.whoami.entrypoints=websecure" | |
- "traefik.http.routers.whoami.tls.certresolver=myresolver" | |
mqtt: | |
image: "eclipse-mosquitto" | |
container_name: "mosquitto" | |
expose: | |
- "8883" | |
- "9001" | |
volumes: | |
- "./mosquitto.conf:/mosquitto/config/mosquitto.conf" | |
labels: | |
- "traefik.enable=true" | |
- "traefik.http.routers.mqtt.rule=Host(`mqtt.zoo.ocean.mofa.studio`)" | |
- "traefik.http.routers.mqtt.entrypoints=websecure" | |
- "traefik.http.routers.mqtt.tls.certresolver=myresolver" | |
- "traefik.tcp.routers.mqtt.rule=HostSNI(`*`)" | |
- "traefik.tcp.routers.mqtt.tls.certresolver=myresolver" | |
- "traefik.tcp.services.mqtt.loadbalancer.server.port=8883" | |
- "traefik.tcp.routers.mqtt.entrypoints=mqtt" | |
- "traefik.http.services.mqtt.loadbalancer.server.port=9001" | |
nodered: | |
image: "nodered/node-red" | |
container_name: "nodered" | |
labels: | |
- "traefik.enable=true" | |
- "traefik.http.routers.nodered.rule=Host(`nodered.zoo.ocean.mofa.studio`)" | |
- "traefik.http.routers.nodered.entrypoints=websecure" | |
- "traefik.http.routers.nodered.tls.certresolver=myresolver" | |
- "traefik.http.services.nodered.loadbalancer.server.port=1880" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
port 8883 | |
listener 9001 | |
protocol websockets |
Yes, without reverse proxy, client cert authentication works perfect with own ca. but behind traefik it doesn’t work,,
Thank you
Hi, a doubt..in your docker-compose file why are you using the entrypoint for 8883 if you are using the websecure entrypoint in the mqtt section config?
@iboluda The 8883 entry point is for TCP connections while the 443 is for web sockets, does that answer your question ?
Thanks for clarify me that point. Yes that answer my question
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I believe this could work but I doubt you'll be able to make it work using let's encrypt, you'll probably need you own certificates.