Created
October 30, 2016 20:15
-
-
Save nknapp/20c7cd89f1f128b8425dd89cbad0b802 to your computer and use it in GitHub Desktop.
Traefik setup as reverse-proxy with docker and letsencrypt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '2' | |
| services: | |
| traefik: | |
| build: . | |
| # command: --logLevel=DEBUG | |
| ports: | |
| - "80:80" | |
| - "443:443" | |
| - "127.0.0.1:8080:8080" | |
| restart: always | |
| volumes: | |
| - /var/run/docker.sock:/var/run/docker.sock | |
| networks: | |
| - default | |
| cap_drop: | |
| - all | |
| cap_add: | |
| - net_bind_service |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM traefik:camembert | |
| ADD traefik.toml . | |
| EXPOSE 80 | |
| EXPOSE 8080 | |
| EXPOSE 443 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # defaultEntryPoints must be at the top because it should not be in any table below | |
| defaultEntryPoints = ["http", "https"] | |
| [web] | |
| # Port for the status page | |
| address = ":8080" | |
| # Entrypoints, http and https | |
| [entryPoints] | |
| # http should be redirected to https | |
| [entryPoints.http] | |
| address = ":80" | |
| [entryPoints.http.redirect] | |
| entryPoint = "https" | |
| # https is the default | |
| [entryPoints.https] | |
| address = ":443" | |
| [entryPoints.https.tls] | |
| # Enable ACME (Let's Encrypt): automatic SSL | |
| [acme] | |
| # caServer = "https://acme-staging.api.letsencrypt.org/directory" | |
| email = "letsencrypt@example.com" | |
| storage = "acme.json" # or "traefik/acme/account" if using KV store | |
| entryPoint = "https" | |
| onDemand = false | |
| OnHostRule = true | |
| [docker] | |
| endpoint = "unix:///var/run/docker.sock" | |
| domain = "example.com" | |
| watch = true | |
| exposedbydefault = false | |
Author
Author
I have moved this example into a real repository
for some this is not working for me. I am using swarm mode (so i used swarm mode settings). It redirects from http to https but after that i get Secure Connection Failed. I think it does not generate any certificate (ACME certs == []). Note I have set onDemand = true.
root@swarm-02:/config# cat /config/acme/acme.json
{
"Email": "traefik@my-domain.pro",
"Registration": {
"body": {
"resource": "reg",
"id": 1788893,
"key": {
"kty": "RSA",
"n": "46uBWGY49i0ziDHLVdAWg1cDzdJlJADcjs9WH2Djo4kI4ZByJBZodj9Jc63rprm8jBhbryqOgnAi-XnOxE15uhyqOFCQIAcS8ikmZYZK5xM16m3WG6ZYTLsg6DagSSaI1R5fnP6I2kZoaDhyv46V3PNUmD4Ir3eVuiFQWpRFtEZRSyESQh-6V2Ki-1co-bgDylEO4rz6QRRHqlduiGfZ-CZG5TfcdivtOMBSjNyY4GcBnFyQH_qY09A49CDdyxweNT5QzTLo58aCvqCL2rbkP-VAub1MvZLRmqXhNbddgmEg0LZkCBE1qjViq8_siBpxCDj9l_qPEKIoiTnGZi20h_l6esIwFUHzJ-Wqlyx1OoNQ5dJFU9PDwsG4jBDdsdHI0p43FrqtWIBs5iBUjNttlOsNPS2RmGSSm9mvOgecPiiypUNJP6knwqHFAU97GUu_45y2ne8p7Sibxgwy_P3d98Bwv3AFdt2q5xYhdmUXH6ayfgr-GRvbAytG-nbSG33PZqmWk",
"e": "AQAB"
},
"contact": [
"mailto:traefik@my-domain.com"
],
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
},
"uri": "https://acme-staging.api.letsencrypt.org/acme/reg/1788893",
"new_authzr_uri": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
"terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
},
"PrivateKey": "MIIJKQIBAAKCAgEA46uBWGY49i0ziDHLVdAWg1cDzdJlJADcjs9WH2Djo4kI4ZByJBZodj9Jc63rprm8jBhbryqOgnAi+XnOxE15uhyqOFCQIAcS8ikmZYZK5xM16m3WG6ZYTlaBj6aEUP7IwORcUCq/xfrCEg0LZkCBE1qjViq8/siBpxCDj9l/qPEKIoiTnGZi20h/l6esIwFUHzJ+Wqlyx1OoNQ5dJFU9PDwsG4jBDdsdHI0p43FrqtWIBs5iBUjNttlOsNPS2RmGSSm9mvOgecPiiypUNJP6knwqHFAU97GUu/45y2ne8p7Sibxgwy/P3d98Bwv3AFdt2q5xYhdmUXH6ayfgr+GRvbAytG+nbSG33PZqmWkCAwEAAQKCAgEAvCPombKv88/au/vaOqnhUNxBin8Jkb0chu+UDg41T9lYe36wtF3IKZ+XBX9+M6Ndyq/+ZDzY07XzURJ16gbURxaVHECHOdBeubuDvXZCw74+WeI2g1bttUsWoI8z2f98KBIXlVdKpIZ2lVnAicg81ABJsh3hc49xLgWFr7TD/Xv2hg1oVzh89uXOJcIbXHHSwAhIMttUOx+VMZFbCGI54DVRdO66wvT97l4QWdOaiibVT++2MpcWYEO8LRJT9xrfY8SBZXFiwtZrCTkHGdD1wk+jM1rZ5fdEO3ZFK+zB25sHlU0zXcvFPqx4oGyEmAzXWGgnTz1rLobLKZnyF3JAgy80xM8MVP20O33h3k5oLfQ+fPoiQIiZw8/hQ9h1Q6JCHHJluDekVWNQfUEoYRRfz36AexJ/wdcfWaSGYYxfz3qMKN1NBTixdOsvzvjOxkgjrKl164DH5TexspVM3brI1cwc4Yodd4JFkrLi+CZHdN90fS/h6sVdznoC40SU+k97vXzAR6z1ckSFsCiGJEnLcRUFtCWtavY5whJpvkWIqBBoCJ7Iy0sajIwl+R1JPTKu7AKvzgxwSM08LUvgHPUqbudEb2gzorSPcUZmW+9BhRbRpnqc1g2WSz85kIihfP9dXdQPQESCufFa9RbDeZEWzgfBokSBXrfQo4fM++nhF+ECggEBAPaFzVkCCzeGnSJZJx4jYe6c2gbu0uY9Tmp8XpxSAHGzDnmRnmUxIf8LysFwVRnhfB2AipzEJermKS+/Rx4lc4X1CklljAKcKFyJMN7wzL/EC06cPyKDdqLEp6FJ00o8Nb7t1D/rd9MbFqFH4/ZEcQIPL9eTtZoFJrH6hNIxkg/3rJ08rHK9Z1xV11sDoBXgE5nOTv21zo9RrW5vVjJjriZ/bEWJqhhPbmkL79qITDUz4qiJKCGBT9VzK0O9etESZ0kl0qlmXaKAD6wFUQ90l6S5jxlkPh5CU42YejE2I9rID6UmPY1ICUDb6ajNjQSWcNGvsTU7t7CFsb6hE7G2qD0CggEBAOxsKR1fRSX8Ri3H48vDneg5aLjn5PKmO8U3FtAGBrbHsVl8GiE8hFnQ+1iknZg4iex8JEAyiHEkv7tAWIz3n6+5v2ta7tWmX2/SKcZOuw9RTxbgndKB7mqmnnaDssU8feZs4nFZKXRDURkQvLJGesQlqXQ5N+ilJlJks5DcASqA7NN8r+s5/ca1Uf82PhchMGGgtHx2WrjOKzBzC2FeXotLHjn+tinrpCmu8Hj+BsgHMnwDR62g55JIv6JZ+383jbxWNOy9IeBFuM9h0gJv1SUsqXzZmkClt18b++B7bRwgw2fmxG4hO8bQj2OjeUqRouRImB8+2+EouxxfO3Al3J0CggEAT2B55EUCM5jGk769F7kw2VHr6fuQMM5gp2zwUckdl36eFIrMw6x0U9kKKgrve+vcuOsgtqV5yA7gCB3A2nYYonNqIoPt9xEs9c6+y6ohY0XOljs9IPHPi01i5E4PGIIWlCmkBAjfhjvcp4WsYylacd1N/E31VWh/MyOFDOElNLr8+4wDwtY1p8eEFiwuqZyC8y04xfx6TC9ydnKnAIaUFpVE2YcgG7/Hv082pdjpIOBaBQZUw6UNfZ8duSwTlaolU6o4EI+DasVtRmhX13AlO8b7yqM6VSfqG1eTULEsDlAIqZaMjyc4w4eLzuyQkX+XSA0YNBnMZaxGtSjMXJaByQKCAQEAibUyeY5Ne6OmyPG+SKinaGVQDyvbWk7jT6sX2ZE5Bevo7ENyANv8B0jHrkksFkcQZzOj9dS5TpXmK85+BZYSaEucKI7twHpI6pwSgxTGtlRY6e1pXYZFdOE9KQn6jpbtWu0yyA4NaNm3+Rt+EjpU36ukk3AtocVLQHsv2rGMlK1e9vX6xnnKX27pBCSoW7t5Hpm399APJrQKCAQALwLCdZaUNNHCDfm6cvNgU+d+6uAvDgpJeQVvXlmpBgLruoO6zOUIgTAK84TPHE22W3ctDYsYJ69kWiNgp6F7c0YqcRMH1T+8m2xH86I0U8RhvZjKxLVn0uqq5/qkol/1piNs49U5zudGXC03D1A+m9GJBzIxTsoljBFigSEIbc9kD0SoRQEgUQJi55h2/JiXqSEj2f3TNQmDtB6YRE4HeuKDYYP25rf6qtNa65U7F5EHDSgc8yhhsQyXrNBJiU5gYbD5iUake3Jmk+VX0Ayrbw",
"DomainsCertificate": {
"Certs": []
},
"ChallengeCerts": {}
Any idea?
@dcrystalj, hope those are not your real PK's....
SUPER HELPFUL. Thank you!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Motivation
Docker-compose setup for starting Træfik as reverse-proxy, loadbalancer and SSL server with lets-encrypt certificates.
Usage
Put the files of this gist into a directory called
reverse-proxyand rundocker-compose -d upto startup the service.After that, you can "up"
docker-compose.yml-files like:and they will be served through the Træfik proxy.
https://microbot.example.comto the backend.additional instance created by
docker-compose scale microbot=3will automatically be used whenavailable.
http://microbot.example.comwill be redirected to httpsSome details
traefik.frontend.rule=Host:microbot.example.comis used by Træfik to determine which container to use for which domain.exposedbydefault = falsetells Træfik to only include containers with the labeltraefik.enable=true.reverse-proxy, docker-compose will create a networkreverseproxy_defaultfor the container. The partand
of the microbot-file make sure that microbot is in the same network as Træfik.
If microbot were present in two networks, the label
traefik.docker.network=reverseproxy_defaultwill tell Træfik which IP to use to connect to the service.