Traefik 2: Let's encrypt and redirect HTTPS
This article follows these articles:
The need
I need:
- to publish an HTTPS site
- to have a valid certificate
- to redirect HTTP traffic to HTTPS.
Let's encrypt
So let's add Let's Encrypt as a certificatesResolver in Traefik.
For this, we need:
- a contact email address for Let's Encrypt
- the format and file used for certificate storage
- the challenge mode Let's Encrypt will use for creation and renewal.
In my case, I reuse the same acme.json file that I had for Traefik v1. You can create an empty one if you start from scratch.
For the challenge mode, I prefer HTTP because it lets me do everything from Traefik.
Now I can add my block to the traefik.yaml file:
certificatesResolvers:
  letsencrypt:
    acme:
      email: "jade.kharats@example.tld"
      storage: acme.json
      httpChallenge:
        entryPoint: http
And to share this file between my Traefik instances, I need to mount it as a volume in stack-traefik.yml:
services:
  traefik:
    volumes:
      - /swarm/traefik2/acme.json:/acme.json
From now on, Traefik will generate a certificate for the domains that request one.
Let's get a certificate for our dashboard.
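To see what actually lands in acme.json and to catch a renewal that fails silently, here is an added example in Go (Traefik's own language); it is mine for this edit, not code from the article or from Traefik. It parses the store's "Certificates" list, decodes the base64 PEM chain and reports the days left on each leaf certificate. So that it runs offline, it builds a constructed acme.json containing a self-signed certificate for the article's traefik.example.tld; a real store holds Let's Encrypt chains with the same layout. One caveat the article skips: if you create the file from scratch, give it mode 0600, because it stores the private keys and Traefik refuses to use a store that is readable by others.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// acmeStore mirrors the part of Traefik v2's acme.json that matters here: one object per
// resolver ("letsencrypt" on this page) with a "Certificates" list whose "certificate"
// field is the base64 of the PEM chain; encoding/json decodes that straight into []byte.
type acmeStore map[string]struct {
	Certificates []struct {
		Domain      struct{ Main string `json:"main"` } `json:"domain"`
		Certificate []byte `json:"certificate"`
	} `json:"Certificates"`
}

type certStatus struct {
	Resolver, Domain string
	NotAfter         time.Time
	DaysLeft         int // whole days until the leaf certificate expires
}

// auditStore parses the store and reports the remaining lifetime of every leaf certificate.
func auditStore(data []byte, now time.Time) ([]certStatus, error) {
	var store acmeStore
	if err := json.Unmarshal(data, &store); err != nil {
		return nil, fmt.Errorf("acme.json: %w", err)
	}
	var report []certStatus
	for resolver, r := range store {
		for _, c := range r.Certificates {
			block, _ := pem.Decode(c.Certificate) // the first PEM block is the leaf
			if block == nil {
				return nil, fmt.Errorf("%s/%s: no PEM certificate", resolver, c.Domain.Main)
			}
			leaf, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("%s/%s: %w", resolver, c.Domain.Main, err)
			}
			days := int(leaf.NotAfter.Sub(now).Hours() / 24)
			report = append(report, certStatus{resolver, c.Domain.Main, leaf.NotAfter, days})
		}
	}
	return report, nil
}

// sampleStore builds a constructed acme.json (not a real Let's Encrypt store) holding one
// self-signed certificate for domain that expires validDays after now.
func sampleStore(domain string, validDays int, now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{domain},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Duration(validDays) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	chain := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return json.Marshal(map[string]interface{}{"letsencrypt": map[string]interface{}{
		"Certificates": []map[string]interface{}{{
			"domain":      map[string]string{"main": domain},
			"certificate": base64.StdEncoding.EncodeToString(chain),
			"Store":       "default",
		}},
	}})
}

func main() {
	now := time.Now()
	data, err := sampleStore("traefik.example.tld", 20, now)
	if err != nil {
		panic(err)
	}
	report, err := auditStore(data, now)
	if err != nil {
		panic(err)
	}
	for _, s := range report {
		// Traefik renews 30 days before expiry; fewer days left means renewal is failing
		// and log/traefik.log (the path used on this page) deserves a look.
		fmt.Printf("%s %s: expires %s, %d days left, due for renewal: %v\n",
			s.Resolver, s.Domain, s.NotAfter.Format("2006-01-02"), s.DaysLeft, s.DaysLeft < 30)
	}
}
```

Point auditStore at the bytes of a real /swarm/traefik2/acme.json and the same loop becomes a cron or monitoring check: a leaf with fewer than 30 days left while Traefik is running means the HTTP challenge is no longer succeeding.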
TLS
I will add a router on the https entryPoint. On this router, I will enable TLS and tell it to use Let's Encrypt as the resolver.
This happens in stack-traefik.yml:
services:
  traefik:
    deploy:
      labels:
        - "traefik.http.routers.traefik-router.entrypoints=https"
        - "traefik.http.routers.traefik-router.rule=Host(`traefik.example.tld`)"
        - "traefik.http.routers.traefik-router.tls=true"
        - "traefik.http.routers.traefik-router.tls.certresolver=letsencrypt"
After deploying the new version, my domain is served over HTTPS with a valid certificate. Simple, isn't it?
HTTPS redirection
Why keep allowing access over HTTP when HTTPS is available? We want to redirect the traffic.
Traefik 2 provides a middleware for that.
Another label to put in our stack-traefik.yml:
services:
  traefik:
    deploy:
      labels:
        - "traefik.http.routers.traefik-router0.entrypoints=http"
        - "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)"
        - "traefik.http.routers.traefik-router0.middlewares=traefik-redirectscheme,auth"
        - "traefik.http.middlewares.traefik-redirectscheme.redirectscheme.scheme=https"
So we added "traefik.http.middlewares.traefik-redirectscheme.redirectscheme.scheme=https" to define the redirection.
I called this middleware traefik-redirectscheme, but I may well reuse it for routers other than Traefik's own. I would rename it then.
I then add this middleware to the middleware list of my router0.
And voilà.
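The labels above encode two invariants worth checking mechanically before each deploy: every router on the http entrypoint carries the redirect middleware, and every router on the https entrypoint names a certificate resolver (with tls=true and no resolver, Traefik serves its default self-signed certificate). The Go example below is added for this edit, not taken from the article or from Traefik: it parses label strings of the shapes used on this page and reports violations. The input is the article's own stack-traefik.yml labels plus a constructed, hypothetical whoami service that forgets both.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// router keeps the label values this lint needs from traefik.http.routers.<name>.*.
type router struct {
	EntryPoints, Middlewares []string
	CertResolver             string
}

// parseLabels folds key=value Docker labels into routers and the set of middleware
// names that redirect to https. Only the label shapes used on this page are parsed.
func parseLabels(labels []string) (map[string]*router, map[string]bool) {
	routers, redirects := map[string]*router{}, map[string]bool{}
	for _, l := range labels {
		kv := strings.SplitN(l, "=", 2)
		p := strings.Split(kv[0], ".")
		if len(kv) != 2 || len(p) < 5 || p[0] != "traefik" || p[1] != "http" {
			continue
		}
		name, key := p[3], strings.Join(p[4:], ".")
		if p[2] == "middlewares" && key == "redirectscheme.scheme" && kv[1] == "https" {
			redirects[name] = true
		}
		if p[2] != "routers" {
			continue
		}
		if routers[name] == nil {
			routers[name] = &router{}
		}
		switch key {
		case "entrypoints":
			routers[name].EntryPoints = strings.Split(kv[1], ",")
		case "middlewares":
			routers[name].Middlewares = strings.Split(kv[1], ",")
		case "tls.certresolver":
			routers[name].CertResolver = kv[1]
		}
	}
	return routers, redirects
}

// lint checks two invariants: every router on the plain-HTTP entrypoint carries a
// redirect-to-https middleware, and every router on the TLS entrypoint names a
// certificate resolver. It returns one finding per violation.
func lint(labels []string, httpEP, httpsEP string) []string {
	routers, redirects := parseLabels(labels)
	var findings []string
	for name, r := range routers {
		for _, ep := range r.EntryPoints {
			if ep == httpEP {
				redirected := false
				for _, m := range r.Middlewares {
					redirected = redirected || redirects[m]
				}
				if !redirected {
					findings = append(findings, fmt.Sprintf("router %s on %s has no redirectscheme middleware", name, ep))
				}
			}
			if ep == httpsEP && r.CertResolver == "" {
				findings = append(findings, fmt.Sprintf("router %s on %s has no tls.certresolver", name, ep))
			}
		}
	}
	sort.Strings(findings) // map order is random; keep the report stable
	return findings
}

// pageLabels are the dashboard labels from stack-traefik.yml on this page.
var pageLabels = []string{
	"traefik.http.routers.traefik-router0.entrypoints=http",
	"traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)",
	"traefik.http.routers.traefik-router0.middlewares=traefik-redirectscheme,auth",
	"traefik.http.routers.traefik-router.entrypoints=https",
	"traefik.http.routers.traefik-router.rule=Host(`traefik.example.tld`)",
	"traefik.http.routers.traefik-router.tls=true",
	"traefik.http.routers.traefik-router.tls.certresolver=letsencrypt",
	"traefik.http.routers.traefik-router.middlewares=auth",
	"traefik.http.middlewares.traefik-redirectscheme.redirectscheme.scheme=https",
}

// badLabels is a constructed, hypothetical second service that forgets the redirect
// on http and the certificate resolver on https.
var badLabels = []string{
	"traefik.http.routers.whoami.entrypoints=http,https",
	"traefik.http.routers.whoami.rule=Host(`whoami.example.tld`)",
	"traefik.http.routers.whoami.tls=true",
}

func main() {
	for _, f := range lint(append(append([]string{}, pageLabels...), badLabels...), "http", "https") {
		fmt.Println(f)
	}
}
```

Middleware order matters as well: on router0 the redirect is listed before auth, so the redirect answers first and basic-auth credentials are never requested over plain HTTP; listing auth first would reverse that.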
Conclusion
It's easy to manage the HTTPS and TLS part with Traefik 2.
One of the great assets of this second version is the addition of TCP management.
In the next article, I will set up a Gitea server with an HTTPS router and a TCP router.
traefik.yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: true
api:
  dashboard: true
  debug: true
entryPoints:
  ssh:
    address: ":22"
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    watch: true
    swarmMode: true
    useBindPortIP: true
    endpoint: "unix:///var/run/docker.sock"
certificatesResolvers:
  letsencrypt:
    acme:
      email: "jade.kharats@example.tld"
      storage: acme.json
      httpChallenge:
        entryPoint: http
log:
  filePath: "log/traefik.log"
  level: WARN
accessLog:
  filePath: "log/access.log"
  bufferingSize: 100
stack-traefik.yml
version: "3.3"
networks:
  traefik-net:
    external: true
configs:
  traefik.yaml:
    file: ./traefik.yaml
services:
  traefik:
    image: traefik:v2.0
    ports:
      - 80:80
      - 443:443
      - 22:22
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /swarm/traefik2/acme.json:/acme.json
      - /swarm/traefik2/log:/log
    configs:
      - source: traefik.yaml
        target: /etc/traefik/traefik.yaml
    networks:
      - traefik-net
    deploy:
      mode: global
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.docker.network=traefik-net"
        - "traefik.http.routers.traefik-router0.entrypoints=http"
        - "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)"
        - "traefik.http.routers.traefik-router0.middlewares=traefik-redirectscheme,auth"
        - "traefik.http.routers.traefik-router.entrypoints=https"
        - "traefik.http.routers.traefik-router.rule=Host(`traefik.example.tld`)"
        - "traefik.http.routers.traefik-router.tls=true"
        - "traefik.http.routers.traefik-router.tls.certresolver=letsencrypt"
        - "traefik.http.routers.traefik-router.middlewares=auth"
        - "traefik.http.middlewares.traefik-redirectscheme.redirectscheme.scheme=https"
        - "traefik.http.middlewares.auth.basicauth.users=jade:$$2y$$..."
        - "traefik.http.services.traefik-service.loadbalancer.server.port=8080"
Top comments (1)
LetsEncrypt revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:
- dev.to/dineshrathee12/letsencrypt-...
- github.com/dineshrathee12/Let-s-En...
- community.letsencrypt.org/t/letsen...