- 🗺️ Traefik as ingress for Docker containers with auto discovery.
- ➰ Public loopback hostname for easy development.
- 🔒 HTTPS with Let's Encrypt or self-signed certificates.
Important
You'll need Docker and Docker Compose installed.
Here's what we'll do:
- Clone the repository.
- Create the configuration file.
- Create a new bridged network in Docker.
- Start Traefik.
Start by cloning this repository somewhere on your machine:
git clone https://github.com/haggen/traefik.git
Next, choose a hostname.
For testing or development, you can use a loopback hostname like localhost, but I prefer using subdomains to route to my containers, which localhost can't do.
I've created my own public hostname that resolves to 127.0.0.1 or ::1 (for IPv6): *.local.crz.li. You can use it, but creating your own is the safest option. Alternatively, here are some public loopback hostnames you can use:
- *.vcap.me
- *.localho.st — Also works with IPv6.
- *.local.gd
- *.7f000001.nip.io
- *.localhost.direct — They provide certificate files.
Important
You should always verify that your chosen hostname actually resolves to your local machine and isn't just a proxy, which could be a security risk. For example, run host <hostname> and make sure it resolves to 127.0.0.1 and/or ::1 (for IPv6).
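The check described above can be scripted. This is an added example, not part of this repository; the script name check-loopback.sh and the sample labels traefik and app are assumptions. It resolves names under the wildcard with host and fails unless every returned address is loopback.

```shell
#!/bin/sh
# Added example: confirm a wildcard development domain resolves only to loopback.

# Succeed only for ::1 or a dotted quad in 127.0.0.0/8.
is_loopback() {
  case "$1" in
    ::1) return 0 ;;
    *[!0-9.]*) return 1 ;;   # other IPv6 forms or stray text: reject
    127.*.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read addresses (one per line) on stdin; fail on any non-loopback
# address, and also when there are no addresses at all.
all_loopback() {
  name=$1
  seen=0
  while read -r addr; do
    [ -n "$addr" ] || continue
    seen=1
    if ! is_loopback "$addr"; then
      echo "FAIL: $name resolves to $addr" >&2
      return 1
    fi
  done
  if [ "$seen" -eq 0 ]; then
    echo "FAIL: $name did not resolve" >&2
    return 1
  fi
}

# Check sample subdomains under the wildcard with host(1).
# The labels "traefik" and "app" are assumptions; use the ones you route.
check_domain() {
  for label in traefik app; do
    fqdn="$label.$1"
    host "$fqdn" | awk '/has (IPv6 )?address/ { print $NF }' |
      all_loopback "$fqdn" || return 1
    echo "OK: $fqdn is loopback-only"
  done
}

# Usage: sh check-loopback.sh local.crz.li
if [ "$#" -gt 0 ]; then
  check_domain "$1"
fi
```

A passing result only describes the DNS answer at the time of the check, so rerun it whenever you rely on a hostname you don't control.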
Once you've decided on the hostname, copy compose.override.yml.example to compose.override.yml:
cp compose.override.yml.example compose.override.yml
Open it in your editor and update the rule that matches Traefik's router:
- - "traefik.http.routers.traefik.rule=Host(`traefik.local.crz.li`)"
+ - "traefik.http.routers.traefik.rule=Host(`...`) || Path(`/traefik`)"
You must also copy ./config/traefik.yml.example to ./config/traefik.yml and change your Let's Encrypt email address:
sed 's/me@example.com/.../' config/traefik.yml.example >config/traefik.yml
Now, create a bridged network to connect the containers that Traefik will route:
docker network create traefik
Finally, start Traefik:
docker compose up -d
Tip
In your application's compose.yml (or docker-compose.yml), you'll need to connect to the new Traefik network and add the required labels. See example/compose.yml for reference.
Traefik comes with a default certificate, but you can provide your own if you prefer.
If you don't want to deal with the details, 📝 mkcert is a handy tool that generates self-signed certificates with good defaults and automatically configures a CA on your system.
Tip
A CA is important so your browser trusts the certificate. See Trusting your own certificate for more information.
You can also use OpenSSL. For example:
mkdir -p config/certs
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout config/certs/key.pem -out config/certs/cert.pem -days 365 -addext "subjectAltName = DNS:*.local.crz.li"
Just remember to change the hostname to match the one you configured Traefik with.
If you didn't use mkcert or you're working on a different system, like WSL, your browser will show a "Not secure" warning. That's because the certificate isn't signed by a trusted CA.
You can fix this by adding your custom certificate to your browser's trusted list. Be aware that this comes with its own risks.
(🚧 Work in progress…)
Apache-2.0 © 2022 Arthur Corenzan