Quick Start: Traefik with HTTPS

Posted on Edited on In Views: Word count in article: 2.8k Reading time ≈ 3 mins.
how to enable https for traefik and make browsers trust HTTPS

Quick Start: Traefik with SSL

Preparation

1
2
# create dirs and empty files
mkdir -p traefik/dynamic-conf traefik/certs && cd traefik && touch compose.yml traefik.yml dynamic-conf/self.yml

compose.yml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
version: Compose specification

services:
    traefik:
        image: traefik:3.0
        ports:
            - "80:80"
            - "443:443"
        environment:
            - TZ=Asia/Shanghai
        volumes:
            # /traefik.yml and /etc/traefik/traefik.yml are both available.
            - "./traefik.yml:/etc/traefik/traefik.yml"
            # dynamic-conf dir is self-defined
            - "./dynamic-conf:/etc/traefik/dynamic-conf"
            - "./certs:/certs"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
        networks:
            - traefik-net

networks:
    traefik-net:
        name: traefik-net
        ipam:
            config:
                -   subnet: 172.16.238.0/24

traefik.yml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
### Static Configuration
log:
    level: INFO
api:
    dashboard: true
entryPoints:
    web:
        address: :80
        http:
            redirections:
                entryPoint:
                    to: websecure
                    scheme: https
                    permanent: true
    websecure:
        address: :443
providers:
    file:
        directory: /etc/traefik/dynamic-conf
        watch: true

self.yml in dir dynamic-conf

1
2
3
4
5
6
7
8
9
10
11
12
### Dynamic Configuration
tls:
    certificates:
        -   certFile: /certs/cert.pem
            keyFile: /certs/key.pem
http:
    routers:
        dashboard:
            rule: Host(`traefik.x.internal`)
            service: api@internal
            tls: { }

Config DNS domain parse

If you have DNS server, please reference the DNS server guide to config it

If not and using unix-like system, edit the /etc/hosts

if using windows, edit the C:\Windows\System32\drivers\etc\hosts

1
127.0.0.1 traefik.x.internal

Generate Self-Signed Certificates

Option-1: Using mkcert

mkcert installation is here: https://github.com/FiloSottile/mkcert

mkcert can solve the problem of browser distrust
If you want to solve this problem, then mkcert is the best choice.

1
2
3
4
5
6
# directly gen certs at the current dir
# mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

# specify the cert output dir
mkcert -key-file certs/key.pem -cert-file certs/cert.pem x.internal "*.x.internal"
mkcert -install

Option-2: Using openssl

  • option-a: configure with command line
1
2
3
4
openssl req -new -x509 -nodes -newkey rsa:4096 -days 365 \
    -subj "/C=CN/ST=SH/L=Shanghai/CN=*.x.internal" \
    -keyout certs/key.pem \
    -out certs/cert.pem
  • option-b: configure with a ssl.cnf
1
2
3
4
5
6
# When using -x509, default_days in config will be ignored, it is a bug
# using -days to workaround
openssl req -x509 -new -nodes -days 365 \
    -config ssl.cnf \
    -keyout certs/key.pem \
    -out certs/cert.pem

ssl.cnf like as follows:

Tips: DNS.1, DNS.2, IP.7, DNS.11, the numbers are only required to be unique, and can also be unordered.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
x509_extensions    = v3_req

[ req_distinguished_name ]
C  = CN
ST = SH
L  = Shanghai
O  = Individual
OU = MyStudio
CN = x.internal

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1  = x.internal
DNS.2  = *.x.internal
IP.7   = 127.0.0.1
DNS.11 = localhost

Run

1
2
3
docker compose up -d
# docker compose -p traefik up -d
# docker compose -f ./compose.yml -p traefik up -d

Access: https://traefik.x.internal