This project serves as a template to run Træfik v3.2 in a docker container using docker compose.
The goal is to set up a TLS termination proxy for all Docker containers providing web services on a single host.
Features:
- Automatic creation/renewal of Let's Encrypt certificates (HTTP challenge).
- Provision of the following basic Middlewares:
  - RedirectScheme: Redirect from HTTP to HTTPS
  - RateLimit: Limit to a fair amount of requests
    - average: 100 requests per second
    - burst: 50 requests (per second)
  - Headers: HTTP Strict Transport Security with long duration
- Provision of three configurations (modern, intermediate [default], old) for TLS.
  → See Mozilla SSL Configuration Generator for more information.
- Use of an .env file for variable substitution in the Compose file.
About træfik:
- Homepage: https://traefik.io/traefik/
- Documentation: https://doc.traefik.io/traefik/
For the HTTP challenge you require:
- A publicly accessible host allowing connections on port 80 & 443.
- A DNS record for the domain you want to expose pointing to this host.
To install docker and docker compose, follow the instructions for your platform:
- Install Docker Engine | Docker Documentation > Supported platforms
  - Includes Docker Compose V2
- Post-installation steps for Linux
- Create an external docker network named "webproxy":
  `docker network create webproxy`
- Change file mode of `config/acme`:
  `chmod go+w config/acme`
- Make a copy of all `sample.` files:
  `for file in sample.*; do cp "$file" "${file#sample.}"; done;`
- Update environment variables `TF_ACME_EMAIL` and `TF_CERTRESOLVER_NAME1` in '.env':
  - Replace `postmaster@mydomain.com` with a valid email address of yours.
  - Replace `mydomain-com` with a suitable name to identify this certificate resolver's configuration.
    → Dots (`.`) in the name are not allowed!
- Start the container in detached mode:
  `docker compose up -d`

  `docker compose` commands must be run in the root directory of the project, i.e. where 'docker-compose.yml' is located!
- Uncomment lines 43 to 55 in 'docker-compose.yml' to enable service "whoami" and configure as follows:
  - Replace `whoami.mydomain.com` with the intended domain from Prerequisites.
  - Replace `mydomain-com` with the value set for `TF_CERTRESOLVER_NAME1` in '.env'.
- Start the container in detached mode:
  `docker compose up -d`
- Wait a bit and visit http://whoami.mydomain.com to confirm everything went fine.

Use docker logs to see the output of the container:
`docker logs webproxy-traefik-1`
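
To go beyond a browser visit when confirming the setup, the following script (an added example, not part of this project) checks from response headers that the RedirectScheme and HSTS middlewares are actually applied. The function names, the one-year `MIN_HSTS` threshold and the sample responses are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: checks the RedirectScheme and Headers (HSTS) middlewares from
# response headers. MIN_HSTS is an assumed threshold (one year); the README
# only says "long duration".
MIN_HSTS="${MIN_HSTS:-31536000}"

# Print the Location target if the headers on stdin are a redirect to HTTPS.
https_redirect_target() {
  tr -d '\r' | awk '
    NR == 1 { redirect = ($2 ~ /^30[1278]$/) }
    tolower($1) == "location:" { loc = $2 }
    END { if (redirect && loc ~ /^https:\/\//) print loc; else exit 1 }'
}

# Print the HSTS max-age in seconds from the headers on stdin; fail if absent.
hsts_max_age() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "strict-transport-security" {
      n = split($2, parts, /; */)
      for (i = 1; i <= n; i++)
        if (tolower(parts[i]) ~ /^max-age=[0-9]+$/) {
          sub(/^[^=]*=/, "", parts[i]); age = parts[i]
        }
    }
    END { if (age == "") exit 1; print age }'
}

# $1 = headers of the http:// response, $2 = headers of the https:// response.
audit_headers() {
  _target=$(printf '%s\n' "$1" | https_redirect_target) ||
    { echo "FAIL: no redirect to HTTPS"; return 1; }
  _age=$(printf '%s\n' "$2" | hsts_max_age) ||
    { echo "FAIL: no Strict-Transport-Security header"; return 1; }
  [ "$_age" -ge "$MIN_HSTS" ] ||
    { echo "FAIL: HSTS max-age $_age is below $MIN_HSTS"; return 1; }
  echo "OK: redirects to $_target, HSTS max-age=$_age"
}

# Constructed sample responses (not captured from a real deployment).
SAMPLE_HTTP=$(printf 'HTTP/1.1 308 Permanent Redirect\r\nLocation: https://whoami.mydomain.com/\r\n')
SAMPLE_HTTPS=$(printf 'HTTP/2 200\r\nstrict-transport-security: max-age=63072000; includeSubDomains\r\n')
audit_headers "$SAMPLE_HTTP" "$SAMPLE_HTTPS"

# Against a live deployment (needs network access):
#   audit_headers "$(curl -sI http://whoami.mydomain.com)" \
#                 "$(curl -sI https://whoami.mydomain.com)"
```

A missing redirect or a short `max-age` usually means the middleware is defined but not attached to the router serving that domain.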
PRs accepted. Please submit to the GitLab repository.
This project follows the Contributor Covenant Code of Conduct.
Community support: Open a new discussion here.
Commercial support: Contact b-data by email.
Copyright © 2019 b-data GmbH
Distributed under the terms of the MIT License.