- 🗺️ Traefik as ingestion for Docker containers with auto discovery.
- ➰ Public loopback hostname for easy development.
- 🔒 HTTPS with Let's Encrypt or self-signed certificates.
Important
You'll need at least Docker and Docker Compose installed.
Here's what we're going to do:
- Clone the repository.
- Create configuration file.
- Create a new bridged network in Docker.
- Start Traefik.
Start by cloning this repository somewhere on your machine.
git clone https://github.com/haggen/traefik.git
Now we'll need to decide on a hostname.
For testing or development you can use a loopback, like localhost, but I like to use sub-domains to route to my containers and localhost can't do that.
So I've created my own public domain that loops back — *.local.crz.li — and I encourage you to do the same. But if you don't, there are other options:
- *.vcap.me
- *.localho.st — Also works with IPv6.
- *.local.gd
- *.7f000001.nip.io
- *.localhost.direct — Already has the certificate files.
Important
You can, and should, verify that your selected hostname does indeed loop back and isn't just a proxy, which could be a security risk. For example, run host <hostname> and make sure 127.0.0.1 or ::1 (in case of IPv6) is printed on screen.
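The check from the note above, as an added example that is not part of this repository: it parses the output of host and succeeds only if every address returned is in 127.0.0.0/8 or is ::1. The function names and the script name check-loopback.sh are hypothetical; the hostname in the usage comment is the one used on this page.

```shell
#!/bin/sh
# Added example, not part of the repository: check that a "loopback" hostname
# resolves only to 127.0.0.0/8 or ::1 before routing traffic through it.

# is_loopback ADDRESS: succeed if ADDRESS is an IPv4 or IPv6 loopback address.
is_loopback() {
    case "$1" in
        ::1) return 0 ;;                             # IPv6 loopback
        *[!0-9.]*|*..*|*.|127.*.*.*.*) return 1 ;;   # not a dotted quad
        127.*.*.*) ;;                                # candidate in 127.0.0.0/8
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- ${1#127.}                                 # the remaining three octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# addresses_from_host_output: read host(1) output on stdin, print one address per line.
addresses_from_host_output() {
    awk '/ has (IPv6 )?address / { print $NF }'
}

# all_loopback: read addresses on stdin; succeed only if there is at least one
# and every one is loopback. The first offending address goes to stderr.
all_loopback() {
    seen=0
    while IFS= read -r addr; do
        is_loopback "$addr" || { echo "not loopback: $addr" >&2; return 1; }
        seen=1
    done
    [ "$seen" -eq 1 ]
}

# check_hostname NAME: resolve NAME with host(1) and apply the check.
check_hostname() {
    host "$1" | addresses_from_host_output | all_loopback
}

# Usage (hypothetical script name): sh check-loopback.sh traefik.local.crz.li
if [ "$#" -gt 0 ]; then
    check_hostname "$1" && echo "$1: loopback only"
fi
```

A pass reflects the DNS answer at the time of the check; whoever controls the domain can change the record later, so run it again whenever you start relying on the hostname.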
Once you've decided on the hostname, copy compose.override.yml.example to compose.override.yml.
cp compose.override.yml.example compose.override.yml
Open it in your editor and change the rule that matches Traefik's router.
- - "traefik.http.routers.traefik.rule=Host(`traefik.local.crz.li`)"
+ - "traefik.http.routers.traefik.rule=Host(`...`) || Path(`/traefik`)"
You must also copy ./config/traefik.yml.example to ./config/traefik.yml and, at least, change your Let's Encrypt email.
cp config/traefik.yml.example config/traefik.yml
Now we have to create a bridged network to connect the containers that are going to be routed by Traefik.
docker network create traefik
Finally, we start Traefik.
docker compose up -d
Tip
In the compose.yml — or docker-compose.yml — of your application you'll need to connect to the new network and add the required labels. See example/compose.yml for reference.
Traefik has a default certificate but you can provide your own, if you want.
If you don't want to bother, 📝 mkcert is a nice little tool that generates self-signed certificates with good defaults and automatically configures a CA on your system.
Tip
A CA is important so your browser trusts the certificate. See Trusting your own certificate for more information.
But you can also do it with OpenSSL, for example:
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout config/certs/key.pem -out config/certs/cert.pem -days 365 -addext "subjectAltName = DNS:*.local.crz.li"
Just remember to change the hostname to the one you chose.
If you didn't use mkcert or you're working in a foreign system, like WSL, your browser will show you the "Not secure" alert. That's because the certificate isn't signed by a CA.
You can sort this out by adding your custom certificate to your browser's trusted list. This comes with its own set of risks, so beware.
(🚧 Work in progress…)
Apache-2.0 © 2022 Arthur Corenzan