-
-
Save pyrou/4f555cd55677331c742742ee6007a73a to your computer and use it in GitHub Desktop.
| version: '3' | |
| services: | |
| traefik: | |
| restart: unless-stopped | |
| image: traefik:v2.0.2 | |
| ports: | |
| - "80:80" | |
| - "443:443" | |
| labels: | |
| - "traefik.http.services.traefik.loadbalancer.server.port=8080" | |
| volumes: | |
| - ./traefik.yml:/etc/traefik/traefik.yml | |
| - ./tls.yml:/etc/traefik/tls.yml | |
| - /var/run/docker.sock:/var/run/docker.sock | |
| - certs:/etc/ssl/traefik | |
| app1: | |
| image: containous/whoami | |
| labels: | |
| - "traefik.http.routers.app1.rule=Host(`app1.traefik.me`)" | |
| - "traefik.http.routers.app1-tls.tls.domains[0].main=app1.traefik.me" | |
| - "traefik.http.routers.app1-tls.tls.domains[0].sans=app1-*.traefik.me" | |
| app2: | |
| image: containous/whoami | |
| labels: | |
| - "traefik.http.routers.app2.rule=Host(`app2.traefik.me`)" | |
| - "traefik.http.routers.app2-tls.tls.domains[0].main=app2.traefik.me" | |
| - "traefik.http.routers.app2-tls.tls.domains[0].sans=app2-*.traefik.me" | |
| reverse-proxy-https-helper: | |
| image: alpine | |
| command: sh -c "cd /etc/ssl/traefik | |
| && wget traefik.me/cert.pem -O cert.pem | |
| && wget traefik.me/privkey.pem -O privkey.pem" | |
| volumes: | |
| - certs:/etc/ssl/traefik | |
| volumes: | |
| certs: |
| tls: | |
| stores: | |
| default: | |
| defaultCertificate: | |
| certFile: /etc/ssl/traefik/cert.pem | |
| keyFile: /etc/ssl/traefik/privkey.pem | |
| certificates: | |
| - certFile: /etc/ssl/traefik/cert.pem | |
| keyFile: /etc/ssl/traefik/privkey.pem |
| logLevel: INFO | |
| api: | |
| insecure: true | |
| dashboard: true | |
| entryPoints: | |
| http: | |
| address: ":80" | |
| https: | |
| address: ":443" | |
| providers: | |
| file: | |
| filename: /etc/traefik/tls.yml | |
| docker: | |
| endpoint: unix:///var/run/docker.sock | |
| watch: true | |
| exposedByDefault: true | |
| defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`,`{{ index .Labels \"com.docker.compose.service\"}}-{dashed-ip:.*}.traefik.me`)" |
couldn't generate tls :( i'm getting 403 when trying https..
This is working like a charm! I'm just curious how people handle renewal of the certs when doing ssl. Do you have a cron job and a way to reload traefik with the new files or what?
If cronjob, then how is it scheduled? I'm not sure I understand during what window the new certs are available and the old are still working.
Thanks this is super helpful.
Thanks for this work !
Today, the traefik.me/cert.pem is no more valide :
Validity
Not Before: Nov 25 09:43:40 2022 GMT
Not After : Feb 23 09:43:39 2023 GMT
Can it be renewed ?
Thanks for this work ! Today, the traefik.me/cert.pem is no more valide :
Validity Not Before: Nov 25 09:43:40 2022 GMT Not After : Feb 23 09:43:39 2023 GMTCan it be renewed ?
I talked to the author of traefik.me and he said he'll do it later today.
Thanks a lot for your project which saves much time. However, the certificates traefik.me is expired. Could you renew thess certificates ? Thanks again for you work.
How can I open traefik dashboard with traefik.me ?
How can I open traefik dashboard with traefik.me ?
Hi,
Ok, it was very simple !
Just add :
- "traefik.http.routers.traefik.rule=Host(traefik.traefik.me)"
- "traefik.http.routers.traefik-tls.tls.domains[0].main=traefik.traefik.me"
- "traefik.http.routers.traefik-tls.tls.domains[0].sans=traefik-*.traefik.me"
to label of traefik.
Your dashboard is at this url : traefik.traefik.me
Enjoy !
It's incredible, thank you so much for your work.
I have a SaaS service that accepts several DNS ex: www.traefik.me & instance.traefik.me.
Do you know if it's possible to enter several domains on a single container?
At the moment, I'm using three different containers for the front end :
https://github.com/TiBillet/Functional-testing/blob/main/docker-compose.yml
Despite all that, many thanks for this. How can we help you?
This morning :
Code d’erreur : SEC_ERROR_REVOKED_CERTIFICATE
I'm also seeing the issue presented by Nasjoe.
My workaround using the mkcert tool as described on the Arch wiki
$ mkcert -install
$ mkcert traefik.me \*.traefik.me
And pointing at the generated certs
Same error as Nasjoe on Windows hosts.
It seems that also https://traefik.me/ website is affected.
> curl https://traefik.me/
curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_REVOKED (0x80092010) - Le certificat est révoqué.
Qualys SSL labs reports with a F grade and also a REVOKED status (see https://www.ssllabs.com/ssltest/analyze.html?d=traefik.me&hideResults=on).
Maybe there was an issue when renewing certificates ?
@pyrou have you ever seen this behaviour ?
@pyrou I still have the "SEC_ERROR_REVOKED_CERTIFICATE" since august, do you know why it does that ?
Hi @pyrou, I just create a project from your code with some little mods: https://github.com/heralight/traefik-dyn-dev/
Best regards,
Thank you!
Alexandre
@pyrou - A couple weeks ago, I also created a project from this gist: https://github.com/edguy3/traefik.me
Minor tweaks to the original - a Makefile and a 'donotstart' profile for the wget helper.
Thanks!
Anyone had Traefik 3.0 version of config files ?
Anyone had Traefik 3.0 version of config files ?
it is working now with 3.0-RC3
Very convenient! It works perfectly !
I just have a problem with CURL inside a php container.
in app1 curl to app2
=> SSL certificate problem: unable to get local issuer certificate
adding curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
works but I would like to avoid having to modify the code inside my app.
I tried a lot of things without success. My knowledge of security certificates is poor...
Any ideas ?
Very convenient! It works perfectly !
I just have a problem with CURL inside a php container.
in app1 curl to app2 => SSL certificate problem: unable to get local issuer certificate
adding
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);works but I would like to avoid having to modify the code inside my app.I tried a lot of things without success. My knowledge of security certificates is poor... Any ideas ?
@scaudace download the fullchain.pem and use it as the certFile instead of the cert.pem
reverse-proxy-https-helper:
image: alpine
command: sh -c "cd /etc/ssl/traefik
&& wget traefik.me/fullchain.pem -O cert.pem
&& wget traefik.me/privkey.pem -O privkey.pem"
volumes:
- certs:/etc/ssl/traefik
For traefik v3.1.2:
- defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`,`{{ index .Labels \"com.docker.compose.service\"}}-{dashed-ip:.*}.traefik.me`)"
+ defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}-.+.traefik.me`) || HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`)"
does this need port 80 or 443 to be open on my box?
and traefik.me could be anything i name since its for local lan use?
my goal is to have a https on lan and also have dns names for my docker services that expose web ui. thanks.