
Traefik 2 : Let's encrypt and HTTPS redirection

David YOTEAU (@jadekharats) ・ 3 min read


This article follows these articles:

The need

I need:

  • to publish an HTTPS site
  • to have a valid certificate
  • to redirect HTTP traffic to HTTPS.

Let's encrypt

So let's add Let's Encrypt as a certificatesResolvers entry of Traefik.
For this, we need:

  • a contact email address for Let's Encrypt
  • to choose the format and file of the certificate storage
  • to choose the challenge mode used by Let's Encrypt for creation and renewal.

In my case, I reuse the same acme.json file I had for Traefik v1. If you start from scratch, create an empty one.
For the challenge mode, I prefer HTTP because it lets me do everything from Traefik.

Now I can add this block to the traefik.yaml file:

certificatesResolvers:
  letsencrypt:
    acme:
      email: "jade.kharats@example.tld"
      storage: acme.json
      httpChallenge:
        entryPoint: http

And to share this file between my Traefik instances, I mount it as a volume in stack-traefik.yml:

services:
  traefik:
    volumes:
      - /swarm/traefik2/acme.json:/acme.json

From now on, Traefik will generate a certificate for the domains that are requested.
Let's get a certificate for our dashboard.

TLS

I will add a router on the https entryPoint. On this router, I enable TLS and tell it to use Let's Encrypt as the resolver.

This happens in stack-traefik.yml:

services:
  traefik:
    deploy:
      labels:
        - "traefik.http.routers.traefik-router.entrypoints=https"
        - "traefik.http.routers.traefik-router.rule=Host(`traefik.example.tld`)"
        - "traefik.http.routers.traefik-router.tls=true"
        - "traefik.http.routers.traefik-router.tls.certresolver=letsencrypt"

After deploying the new version, my domain is served over HTTPS with a valid certificate. Simple, isn't it?

HTTPS redirection

Why keep allowing access over HTTP when HTTPS is available? We want to redirect the traffic.
Traefik 2 provides a middleware for that.

Another label to put in our stack-traefik.yml:

services:
  traefik:
    deploy:
      labels:
        - "traefik.http.routers.traefik-router0.entrypoints=http"
        - "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)"
        - "traefik.http.routers.traefik-router0.middlewares=traefik-redirectscheme,auth"
        - "traefik.http.middlewares.traefik-redirectscheme.redirectscheme.scheme=https"

So we added "traefik.http.middlewares.traefik-redirectscheme.redirectscheme.scheme=https" to define the redirection.
I called this middleware traefik-redirectscheme, but I may well reuse it for routers other than Traefik's own; I would rename it in that case.
I then add this middleware to the list of middlewares of my router0.
And voilà.
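The three pieces above (the certificatesResolvers block, the TLS router labels and the redirect labels) only work when they agree with each other: the httpChallenge entryPoint must exist, the certresolver named in a label must exist in traefik.yaml, every middleware a router references must be declared, and the plain-HTTP router must actually carry a redirectscheme middleware. The following pre-flight checker is an added example, not code from the article or from the Traefik project; it embeds the article's own configuration as constructed sample data (as a Python dict rather than a YAML file, so it runs without PyYAML), parses the Docker labels into the same tree shape Traefik builds, reports inconsistencies, and also creates or checks the acme.json store with mode 0600, which is what Traefik expects for a file that holds the ACME account key and certificate private keys. The function and variable names are mine, not Traefik's.

```python
import os
import stat
import tempfile

# Constructed sample: the article's traefik.yaml as yaml.safe_load would return it.
TRAEFIK_YAML = {
    "entryPoints": {"http": {"address": ":80"}, "https": {"address": ":443"}},
    "certificatesResolvers": {"letsencrypt": {"acme": {
        "email": "jade.kharats@example.tld", "storage": "acme.json",
        "httpChallenge": {"entryPoint": "http"}}}},
}

# Constructed sample: the Docker labels from the article's stack-traefik.yml
# (the bcrypt hash is elided exactly as it is in the article).
LABELS = [
    "traefik.http.routers.traefik-router0.entrypoints=http",
    "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)",
    "traefik.http.routers.traefik-router0.middlewares=traefik-redirectscheme,auth",
    "traefik.http.routers.traefik-router.entrypoints=https",
    "traefik.http.routers.traefik-router.rule=Host(`traefik.example.tld`)",
    "traefik.http.routers.traefik-router.tls=true",
    "traefik.http.routers.traefik-router.tls.certresolver=letsencrypt",
    "traefik.http.routers.traefik-router.middlewares=auth",
    "traefik.http.middlewares.traefik-redirectscheme.redirectscheme.scheme=https",
    "traefik.http.middlewares.auth.basicauth.users=jade:$$2y$$...",
]


def parse_labels(labels):
    """Turn 'a.b.c=value' labels into nested dicts. Split on the first '=' only,
    because values such as Host(`...`) or password hashes may contain '='."""
    tree = {}
    for label in labels:
        key, _, value = label.partition("=")
        node, parts = tree, key.split(".")
        for part in parts[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                # 'tls=true' and 'tls.certresolver=...' coexist: keep the scalar under '_value'
                child = {} if child is None else {"_value": child}
                node[part] = child
            node = child
        if isinstance(node.get(parts[-1]), dict):
            node[parts[-1]]["_value"] = value
        else:
            node[parts[-1]] = value
    return tree


def check_config(config, labels):
    """Cross-check the static config against the labels; an empty list means consistent."""
    findings = []
    entrypoints = config.get("entryPoints", {})
    resolvers = config.get("certificatesResolvers", {})
    for name, resolver in resolvers.items():
        acme = resolver.get("acme", {})
        if not acme.get("email") or not acme.get("storage"):
            findings.append(f"resolver {name}: acme.email and acme.storage are both required")
        ep = acme.get("httpChallenge", {}).get("entryPoint")
        if ep and ep not in entrypoints:
            findings.append(f"resolver {name}: httpChallenge entryPoint '{ep}' is not defined")
    http = parse_labels(labels).get("traefik", {}).get("http", {})
    middlewares = http.get("middlewares", {})
    for rname, router in http.get("routers", {}).items():
        eps = [e for e in router.get("entrypoints", "").split(",") if e]
        mws = [m for m in router.get("middlewares", "").split(",") if m]
        for ep in eps:
            if ep not in entrypoints:
                findings.append(f"router {rname}: entrypoint '{ep}' is not defined")
        tls = router.get("tls")
        if isinstance(tls, dict) and "certresolver" in tls and tls["certresolver"] not in resolvers:
            findings.append(f"router {rname}: certresolver '{tls['certresolver']}' is not defined")
        for mw in mws:
            if mw not in middlewares:
                findings.append(f"router {rname}: middleware '{mw}' is not defined")
        # A router on the plain-HTTP entryPoint without TLS must redirect,
        # otherwise the site stays reachable in clear text.
        if tls is None and "http" in eps:
            if not any("redirectscheme" in middlewares.get(mw, {}) for mw in mws):
                findings.append(f"router {rname}: plain HTTP without a redirectscheme middleware")
    return findings


def check_acme_storage(path):
    """acme.json holds private keys, so Traefik expects mode 0600.
    Create it empty with that mode if missing; return (is_0600, octal_mode)."""
    if not os.path.exists(path):
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode == 0o600, oct(mode)


def demo_acme_storage():
    # Scratch directory: a fresh store, then the same file loosened to 0644.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "acme.json")
        fresh = check_acme_storage(path)
        os.chmod(path, 0o644)
        return fresh, check_acme_storage(path)


if __name__ == "__main__":
    for line in check_config(TRAEFIK_YAML, LABELS) or ["config and labels are consistent"]:
        print(line)
    print(demo_acme_storage())
```

Run it before `docker stack deploy`: with the article's configuration it reports nothing, and removing the redirectscheme label or the http entryPoint makes it name the router or resolver that is now dangling. The acme.json check is worth keeping in the habit, because a store copied over from a Traefik v1 host often arrives with the wrong mode.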

Conclusion

Managing the HTTPS and TLS part with Traefik 2 is easy.

One of the great assets of this second version is the addition of TCP routing.
In the next article, I will set up a Gitea server with an HTTPS router and a TCP router.

traefik.yaml

global:
  checkNewVersion: true
  sendAnonymousUsage: true
api:
  dashboard: true
  debug: true
entryPoints:
  ssh:
    address: ":22"
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    watch: true
    swarmMode: true
    useBindPortIP: true
    endpoint: "unix:///var/run/docker.sock"
certificatesResolvers:
  letsencrypt:
    acme:
      email: "jade.kharats@example.tld"
      storage: acme.json
      httpChallenge:
        entryPoint: http
log:
  filePath: "log/traefik.log"
  level: WARN
accessLog:
  filePath: "log/access.log"
  bufferingSize: 100

stack-traefik.yml

version: "3.3"

networks:
  traefik-net:
    external: true

configs:
  traefik.yaml:
    file: ./traefik.yaml


services:
  traefik:
    image: traefik:v2.0
    ports:
      - 80:80
      - 443:443
      - 22:22
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /swarm/traefik2/acme.json:/acme.json
      - /swarm/traefik2/log:/log
    configs:
      - source: traefik.yaml
        target: /etc/traefik/traefik.yaml

    networks:
      - traefik-net
    deploy:
      mode: global
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.docker.network=traefik-net"
        - "traefik.http.routers.traefik-router0.entrypoints=http"
        - "traefik.http.routers.traefik-router0.rule=Host(`traefik.example.tld`)"
        - "traefik.http.routers.traefik-router0.middlewares=traefik-redirectscheme,auth"
        - "traefik.http.routers.traefik-router.entrypoints=https"
        - "traefik.http.routers.traefik-router.rule=Host(`traefik.example.tld`)"
        - "traefik.http.routers.traefik-router.tls=true"
        - "traefik.http.routers.traefik-router.tls.certresolver=letsencrypt"
        - "traefik.http.routers.traefik-router.middlewares=auth"
        - "traefik.http.middlewares.traefik-redirectscheme.redirectscheme.scheme=https"
        - "traefik.http.middlewares.auth.basicauth.users=jade:$$2y$$..."
        - "traefik.http.services.traefik-service.loadbalancer.server.port=8080"


Discussion


LetsEncrypt has revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

DevTo
[+] dev.to/dineshrathee12/letsencrypt-...

GitHub
[+] github.com/dineshrathee12/Let-s-En...

LetsEncryptCommunity
[+] community.letsencrypt.org/t/letsen...