In this episode, we’re deploying Traefik proxy with a Let’s Encrypt wildcard SSL certificate. We’re using DNS validation, so Traefik doesn’t need to be externally accessible either! Check out the video, and below is example code as well! Don’t forget to use your DNS provider (my example code is geared towards AWS Route53), and your actual domain. Enjoy!
First, we need that “proxy” attachable overlay network deployed to our swarm, so run this first:
UPDATE! I learned we can define the attachable overlay network within our docker-compose.yml now, which is the more correct way to do this!
```sh
docker network create -d overlay --attachable proxy
```
Then just populate your docker-compose.yml with the example code below, and edit to fit your environment.
```yaml
version: '3.6'
networks:
  proxy:
    driver: overlay
    attachable: true
    name: proxy
services:
  traefik:
    image: traefik:v2.4
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock   # gives Traefik full control of the Docker daemon, so run it only on a trusted manager
      - ./letsencrypt:/letsencrypt                  # acme.json (account key + certificates) lands here; Traefik refuses it unless it is mode 600
    command:
      - --api.insecure=true                        # serves the API/dashboard unauthenticated on port 8080 inside the proxy network
      - --api.dashboard=true
      - --serversTransport.insecureSkipVerify=true  # Traefik will not verify TLS certificates of backend services
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=true    # every swarm service gets a router unless it sets traefik.enable=false
      - "--providers.docker.defaultRule=Host(`{{ normalize .Name }}.dmz.yourdomain.com`)"
      - --entrypoints.web.address=:80
      - --entrypoints.websecured.address=:443
      - --entrypoints.web.http.redirections.entryPoint.to=websecured
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.httpChallenge=false"
      - "--certificatesresolvers.le.acme.tlsChallenge=false"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=route53"
      - "--certificatesresolvers.le.acme.email=info@yourdomain.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.httpChallenge.entryPoint=web"
    environment:
      # Route53 credentials used by the DNS challenge; plaintext here means they show up in `docker service inspect`
      - "AWS_ACCESS_KEY_ID=yourKeyGoesHere"
      - "AWS_SECRET_ACCESS_KEY=yourSecretGoesHere"
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager          # the swarm provider needs the manager's Docker API
      restart_policy:
        condition: on-failure
        delay: 5s
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.traefik.rule=Host(`traefik.dmz.yourdomain.com`)'
        - 'traefik.http.routers.traefik.tls=true'
        - 'traefik.http.routers.traefik.tls.certresolver=le'
        - 'traefik.http.routers.traefik.service=api@internal'   # dashboard router; no auth middleware is attached
        - 'traefik.http.services.api.loadbalancer.server.port=8080'
        # Request one wildcard certificate covering dmz.yourdomain.com and everything under it
        - 'traefik.http.routers.traefik.tls.domains[0].main=dmz.yourdomain.com'
        - 'traefik.http.routers.traefik.tls.domains[0].sans=*.dmz.yourdomain.com'
```
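Here is a hardened variant of the same traefik service, added as an example rather than taken from the video: the dashboard stays at traefik.dmz.yourdomain.com but sits behind a basicauth middleware instead of --api.insecure, services opt in with traefik.enable=true, insecureSkipVerify is gone, and the Route53 keys come from a Docker secret read through the AWS SDK's shared credentials file instead of plaintext environment variables. The secret name, the htpasswd placeholder hash, and the route53 provider honouring AWS_SHARED_CREDENTIALS_FILE are assumptions; the version and networks blocks stay as in the compose file above.

```yaml
secrets:
  aws_credentials:
    external: true   # INI file with [default] aws_access_key_id/aws_secret_access_key, created via: docker secret create aws_credentials ./credentials
services:
  traefik:
    image: traefik:v2.4
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./letsencrypt:/letsencrypt
    secrets:
      - aws_credentials
    environment:
      - AWS_SHARED_CREDENTIALS_FILE=/run/secrets/aws_credentials   # standard AWS SDK variable (assumed honoured by the route53 provider); keeps keys out of `docker service inspect`
    command:
      - --api.dashboard=true                        # no --api.insecure, so nothing listens unauthenticated on 8080
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false   # services must opt in with traefik.enable=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecured.address=:443
      - --entrypoints.web.http.redirections.entryPoint.to=websecured
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=route53
      - --certificatesresolvers.le.acme.email=info@yourdomain.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.http.routers.traefik.rule=Host(`traefik.dmz.yourdomain.com`)
        - traefik.http.routers.traefik.entrypoints=websecured
        - traefik.http.routers.traefik.tls.certresolver=le
        - traefik.http.routers.traefik.tls.domains[0].main=dmz.yourdomain.com
        - traefik.http.routers.traefik.tls.domains[0].sans=*.dmz.yourdomain.com
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.routers.traefik.middlewares=dashboard-auth
        # Placeholder hash from `htpasswd -nB admin`; every `$` is doubled because compose interpolates it
        - traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$05$$REPLACE_WITH_HTPASSWD_HASH
```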
You said in the video that in Part two we would spin up a service with this set up. Did you ever get to part 2? I can’t find it.
Hi there, I do offer support via private access to my Discord Server. Check my Patreon site for details on how to gain access. Thanks!
https://www.patreon.com/omgthecloud
Thanks for your really great guides. I am learning a lot from this.
A question: I have a DNS server which is called zxcs. How do I set up this docker compose script with that DNS provider? And where do I get the access key ID and secret access key from?
Thanks!
Unfortunately, you may not be able to use the automated SSL issuing mechanism with DNS Challenge, as the DNS provider zxcs is not on the supported list: https://doc.traefik.io/traefik/https/acme/#providers Usually this just means they do not have an API they allow access to. However! You may be able to do it if your Traefik server is public-facing to the Internet, by using HTTP Challenge: https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/
We need to talk in Discord as it’s a little confusing. Could you kindly email me your contact details so we can communicate?
Hi, I would be happy to help! Give me 1 week to get back to you, I am very busy with work!