Quick Start: Traefik with HTTP/3

Quick Start: Traefik with HTTP/3

Preparation

Create the necessary directories and files:

1
mkdir -p traefik/dynamic-conf traefik/certs && cd traefik && touch compose.yml traefik.yml dynamic-conf/self.yml

Configuration Files

compose.yml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
services:
traefik:
image: traefik:3.1
ports:
- "80:80"
- "443:443/tcp"
- "443:443/udp" # Required for HTTP/3
environment:
- TZ=Asia/Shanghai
volumes:
- "./traefik.yml:/etc/traefik/traefik.yml"
- "./dynamic-conf:/etc/traefik/dynamic-conf"
- "./certs:/certs"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
- traefik-net

networks:
traefik-net:
name: traefik-net
ipam:
config:
- subnet: 172.16.238.0/24

Security Note: Mounting the Docker socket (/var/run/docker.sock) can pose security risks. Consider using more secure alternatives in production environments.

traefik.yml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Static Configuration
log:
level: INFO
api:
dashboard: true
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: :443
http3: {} # Enables HTTP/3 support
providers:
file:
directory: /etc/traefik/dynamic-conf
watch: true

self.yml in dir dynamic-conf

1
2
3
4
5
6
7
8
9
10
11
# Dynamic Configuration
tls:
certificates:
- certFile: /certs/cert.pem
keyFile: /certs/key.pem
http:
routers:
dashboard:
rule: Host(`traefik.x.internal`)
service: api@internal
tls: {}

DNS Configuration

Configure your DNS or modify your hosts file:

  • For Unix-like systems: Edit /etc/hosts
  • For Windows: Edit C:\Windows\System32\drivers\etc\hosts

Add the following line:

1
127.0.0.1 traefik.x.internal

Generate Self-Signed Certificates

Choose one of the following options:

mkcert can solve browser trust issues. Install mkcert, then run:

1
2
3
4
5
6
# directly gen certs at the current dir
# mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

# specify the cert output dir
mkcert -key-file certs/key.pem -cert-file certs/cert.pem x.internal "*.x.internal"
mkcert -install

Option 2: Using openssl

a. Command line configuration:

1
2
3
4
openssl req -new -x509 -nodes -newkey rsa:4096 -days 365 \
-subj "/C=CN/ST=SH/L=Shanghai/CN=*.x.internal" \
-keyout certs/key.pem \
-out certs/cert.pem

b. Configuration file (ssl.cnf):

1
2
3
4
5
6
# When using -x509, default_days in config will be ignored, it is a bug
# using -days to workaround
openssl req -x509 -new -nodes -days 365 \
-config ssl.cnf \
-keyout certs/key.pem \
-out certs/cert.pem

ssl.cnf like as follows:

Tips: DNS.1, DNS.2, IP.7, DNS.11, the numbers are only required to be unique, and can also be unordered.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_req

[ req_distinguished_name ]
C = CN
ST = SH
L = Shanghai
O = Individual
OU = MyStudio
CN = x.internal

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = x.internal
DNS.2 = *.x.internal
IP.7 = 127.0.0.1
DNS.11 = localhost

Run

1
2
3
4
docker compose up -d
# Alternative commands:
# docker compose -p traefik up -d
# docker compose -f ./compose.yml -p traefik up -d

Access: https://traefik.x.internal