Quick Start: Traefik with SSL

Preparation

```bash
# create dirs and empty files
mkdir -p traefik/dynamic-conf traefik/certs && cd traefik && touch compose.yml traefik.yml dynamic-conf/self.yml
```
compose.yml

```yaml
version: Compose specification

services:
  traefik:
    image: traefik:3.0
    ports:
      - "80:80"
      - "443:443"
    environment:
      - TZ=Asia/Shanghai
    volumes:
      - "./traefik.yml:/etc/traefik/traefik.yml"
      - "./dynamic-conf:/etc/traefik/dynamic-conf"
      - "./certs:/certs"
      # Docker API socket (used by Traefik's docker provider);
      # :ro does not restrict the API calls that can be made over it
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik-net

networks:
  traefik-net:
    name: traefik-net
    ipam:
      config:
        - subnet: 172.16.238.0/24
```
traefik.yml

```yaml
log:
  level: INFO

api:
  dashboard: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443

providers:
  file:
    directory: /etc/traefik/dynamic-conf
    watch: true
```
self.yml in the dynamic-conf directory

```yaml
tls:
  certificates:
    - certFile: /certs/cert.pem
      keyFile: /certs/key.pem

http:
  routers:
    # dashboard router: TLS only, no auth middleware is attached
    dashboard:
      rule: Host(`traefik.x.internal`)
      service: api@internal
      tls: {}
```
Configure DNS resolution

If you have a DNS server, refer to the DNS server guide to configure it.

If not, and you are using a Unix-like system, edit `/etc/hosts`.

If you are using Windows, edit `C:\Windows\System32\drivers\etc\hosts`.

```
127.0.0.1 traefik.x.internal
```
Generate Self-Signed Certificates

Option-1: Using mkcert

Installation instructions for mkcert are here: https://github.com/FiloSottile/mkcert

mkcert solves the problem of browsers distrusting the certificate. If you want to solve this problem, mkcert is the best choice.

```bash
# directly gen certs at the current dir
# mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

# specify the cert output dir
mkcert -key-file certs/key.pem -cert-file certs/cert.pem x.internal "*.x.internal"
mkcert -install
```
Option-2: Using openssl

option-a: configure on the command line

```bash
# note: -subj sets only the CN; with a stock openssl.cnf no subjectAltName is added
openssl req -new -x509 -nodes -newkey rsa:4096 -days 365 \
  -subj "/C=CN/ST=SH/L=Shanghai/CN=*.x.internal" \
  -keyout certs/key.pem \
  -out certs/cert.pem
```
option-b: configure with an ssl.cnf

```bash
# With -x509, default_days from the config is ignored (this is a bug);
# pass -days as a workaround
openssl req -x509 -new -nodes -days 365 \
  -config ssl.cnf \
  -keyout certs/key.pem \
  -out certs/cert.pem
```
The `ssl.cnf` looks like this:

Tips: in `DNS.1`, `DNS.2`, `IP.7`, `DNS.11`, the numbers only need to be unique; they do not have to be in order.

```ini
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_req

[ req_distinguished_name ]
C = CN
ST = SH
L = Shanghai
O = Individual
OU = MyStudio
CN = x.internal

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = x.internal
DNS.2 = *.x.internal
IP.7 = 127.0.0.1
DNS.11 = localhost
```
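Before starting Traefik, the files in `certs/` can be checked against the hostname the router serves. The following is an added example, not part of the original post: `check_cert` is a hypothetical helper name, and it assumes only that the `openssl` CLI is installed. It fails on a certificate that carries a CN but no subjectAltName, on a hostname the SAN entries do not cover, on a key that does not belong to the certificate, and on a certificate close to expiry.

```shell
# Added example: check_cert is a hypothetical helper, not from the original post.
# Usage (from the traefik/ directory):
#   check_cert certs/cert.pem certs/key.pem traefik.x.internal
# Return codes: 0 ok, 1 no subjectAltName, 2 host not covered,
#               3 key does not match certificate, 4 expires within DAYS days.
check_cert() {
  cert=$1 key=$2 host=$3 days=${4:-30}

  # Browsers match hostnames against subjectAltName only, never the CN.
  openssl x509 -in "$cert" -noout -text \
    | grep -q 'X509v3 Subject Alternative Name' || return 1

  # -checkhost applies wildcard rules: *.x.internal covers exactly one label.
  openssl x509 -in "$cert" -noout -checkhost "$host" \
    | grep -q 'does match certificate' || return 2

  # The certificate's public key must be the one derived from the private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 3
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  [ "$cert_pub" = "$key_pub" ] || return 3

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null \
    || return 4
  return 0
}
```

A non-zero return code tells you which check failed, so the function can gate `docker compose up -d` in a script.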
Run

```bash
docker compose up -d
# docker compose -p traefik up -d
# docker compose -f ./compose.yml -p traefik up -d
```
Access: https://traefik.x.internal