Docker · April 5, 2021

Traefik v2 with Let's Encrypt SSL

In this episode, we’re deploying Traefik proxy with a Let’s Encrypt wildcard SSL certificate. We’re using DNS validation, so Traefik doesn’t need to be externally accessible either! Check out the video, and below is example code as well! Don’t forget to use your DNS provider (my example code is geared towards AWS Route53), and your actual domain. Enjoy!


First, we need that “proxy” attachable overlay network deployed to our swarm, so run this first:

UPDATE! I learned we can define the attachable overlay network within our docker-compose.yml now, which is the more correct way to do this!

docker network create -d overlay --attachable proxy

Then just populate your docker-compose.yml with the example code below, and edit to fit your environment.

version: '3.6'

networks:
  proxy:
    driver: overlay
    attachable: true
    name: proxy

services:
  traefik:
    image: traefik:v2.4
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      # Mounting the Docker socket gives Traefik full Docker API access on the manager node
      - /var/run/docker.sock:/var/run/docker.sock
      - ./letsencrypt:/letsencrypt
    command:
      # api.insecure serves the dashboard/API without authentication on port 8080; it is not
      # published below, but any container attached to the proxy network can reach it
      - --api.insecure=true
      - --api.dashboard=true
      # Skips TLS certificate verification when Traefik talks to HTTPS backends
      - --serversTransport.insecureSkipVerify=true
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.network=proxy
      # Every swarm service on the proxy network gets a route unless it sets traefik.enable=false
      - --providers.docker.exposedByDefault=true
      - "--providers.docker.defaultRule=Host(`{{ normalize .Name }}.dmz.yourdomain.com`)"
      - --entrypoints.web.address=:80
      - --entrypoints.websecured.address=:443
      - --entrypoints.web.http.redirections.entryPoint.to=websecured
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.httpChallenge=false"
      - "--certificatesresolvers.le.acme.tlsChallenge=false"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=route53"
      - "--certificatesresolvers.le.acme.email=info@yourdomain.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.httpChallenge.entryPoint=web"

    environment:
      # Route53 credentials used for the DNS-01 challenge; scope this key to the hosted zone
      - "AWS_ACCESS_KEY_ID=yourKeyGoesHere"
      - "AWS_SECRET_ACCESS_KEY=yourSecretGoesHere"

    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      restart_policy:
        condition: on-failure
        delay: 5s
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.traefik.rule=Host(`traefik.dmz.yourdomain.com`)'
        - 'traefik.http.routers.traefik.tls=true'
        - 'traefik.http.routers.traefik.tls.certresolver=le'
        - 'traefik.http.routers.traefik.service=api@internal'
        - 'traefik.http.services.api.loadbalancer.server.port=8080'
        - 'traefik.http.routers.traefik.tls.domains[0].main=dmz.yourdomain.com'
        - 'traefik.http.routers.traefik.tls.domains[0].sans=*.dmz.yourdomain.com'
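Once the stack is up, the Route53 challenge leaves the issued certificate in ./letsencrypt/acme.json. The script below is an added example, not code from the original post or from Traefik: it audits that store by checking the file mode (Traefik refuses a store readable by group or others), listing the names each certificate carries, and reporting which hostnames the defaultRule will generate are not covered (a wildcard matches exactly one label, so app.dmz.yourdomain.com is covered but a.b.dmz.yourdomain.com is not). It assumes the Traefik v2 acme.json layout (resolver name at the top level, Account.Email, Certificates[].domain.main/sans, base64-encoded PEM in certificate) and writes a constructed sample store with a placeholder certificate for the demonstration.

```python
import base64
import json
import os
import stat
import tempfile

def wildcard_matches(name: str, hostname: str) -> bool:
    """True if a certificate name covers hostname. A leading '*' matches exactly
    one DNS label, so '*.dmz.yourdomain.com' covers 'app.dmz.yourdomain.com'
    but neither 'dmz.yourdomain.com' nor 'a.b.dmz.yourdomain.com'."""
    name, hostname = name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not name.startswith("*."):
        return name == hostname
    labels = hostname.split(".")
    return len(labels) >= 2 and bool(labels[0]) and ".".join(labels[1:]) == name[2:]

def audit_acme_store(path: str, wanted_hosts) -> dict:
    """Read a Traefik v2 acme.json (resolver -> Account/Certificates) and report the
    file mode (no group/other bits allowed), the names on each certificate, and which
    wanted hosts no stored certificate covers."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        store = json.load(fh)
    result = {"mode_ok": mode & 0o077 == 0, "mode": oct(mode), "resolvers": {}, "uncovered": []}
    issued = []
    for resolver, data in store.items():
        certs = []
        for cert in data.get("Certificates") or []:
            names = [cert["domain"]["main"]] + list(cert["domain"].get("sans") or [])
            # Traefik stores the PEM chain base64-encoded; decode just enough to sanity-check it
            pem = base64.b64decode(cert.get("certificate", "")).decode(errors="replace")
            certs.append({"names": names, "is_pem": pem.startswith("-----BEGIN CERTIFICATE-----")})
            issued.extend(names)
        account = (data.get("Account") or {}).get("Email")
        result["resolvers"][resolver] = {"account": account, "certificates": certs}
    result["uncovered"] = [h for h in wanted_hosts if not any(wildcard_matches(n, h) for n in issued)]
    return result

def write_sample_store(mode: int) -> str:
    """Write a constructed acme.json (placeholder PEM, no real key material) with the given mode."""
    pem = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    store = {"le": {"Account": {"Email": "info@yourdomain.com"},
                    "Certificates": [{"domain": {"main": "dmz.yourdomain.com", "sans": ["*.dmz.yourdomain.com"]},
                                      "certificate": base64.b64encode(pem.encode()).decode(),
                                      "key": "", "Store": "default"}]}}
    path = os.path.join(tempfile.mkdtemp(), "acme.json")
    with open(path, "w") as fh:
        json.dump(store, fh)
    os.chmod(path, mode)
    return path
```

Point `audit_acme_store` at the real ./letsencrypt/acme.json and pass the hostnames your services will get from the defaultRule; an empty `uncovered` list and `mode_ok` true means the wildcard is doing its job.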