KB Let's Encrypt on Traefik with docker-compose
I had to dockerize an application so that it is very easy to deploy, and for the ingress I used Traefik with Let's Encrypt. Below are the parts you need in order to add Traefik to your app and let it request and renew the Let's Encrypt certificate automatically. If you expose a monitoring or admin dashboard, you can add an extra protection layer with basic authentication; to generate the password hash for the admin user, read the Traefik BasicAuth doc.
docker-compose.yml
version: '3.8'
services:
  # ... your other dockerized services go here; the app that Traefik fronts
  # must be on the same compose network and is reached by its service name ...
  traefik:
    # pinned to the v2 line: the option names used in the TOML files
    # (for example ipWhiteList) are Traefik v2 names
    image: traefik:v2
    restart: always
    #env_file: .env
    ports:
      # publish fixed host ports so Traefik is the ingress on 80/443
      # (a bare "- 80" would be mapped to a random host port)
      - "80:80"
      - "443:443"
    volumes:
      # read-only socket: Traefik only needs to watch container events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.toml:/traefik.toml
      - ./traefik_dynamic.toml:/traefik_dynamic.toml
      # persistent storage for acme.json (issued certificates and account key)
      - traefik-data:/traefik-data
    container_name: traefik
volumes:
  traefik-data:
traefik.toml
[entryPoints]
  [entryPoints.web]
    address = ":80"
    # redirect every plain-HTTP request to the HTTPS entry point
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]
      certResolver = "lets-encrypt"

[api]
  dashboard = true

[certificatesResolvers.lets-encrypt.acme]
  email = "<your email address>"
  # kept on the traefik-data volume so certificates survive container restarts
  storage = "/traefik-data/acme.json"
  # TLS-ALPN-01 challenge: needs port 443 reachable from the internet
  [certificatesResolvers.lets-encrypt.acme.tlsChallenge]

[providers.docker]
  watch = true
  endpoint = "unix:///var/run/docker.sock"
  # only containers explicitly labelled traefik.enable=true are exposed
  exposedByDefault = false
[providers.file]
  # path inside the container, as mounted in docker-compose.yml
  filename = "/traefik_dynamic.toml"

[retry]
traefik_dynamic.toml
[http.middlewares]
  # basic auth: the value after "admin:" is the password hash generated as
  # described in the Traefik BasicAuth doc, never the clear-text password
  [http.middlewares.simpleAuth.basicAuth]
    users = [
      "admin:<generated password>"
    ]
  # chain: the IP allow-list is evaluated first, then basic auth
  [http.middlewares.dashboard-secured.chain]
    middlewares = ["admin-ipwhitelist", "simpleAuth"]
  [http.middlewares.admin-ipwhitelist.ipWhiteList]
    sourceRange = ["127.0.0.1/32", "10.147.17.0/24"] # limit ip access

[http.routers]
  [http.routers.mainapp]
    entryPoints = ["websecure"]
    rule = "Host(`www.yourwebsite.com`)"
    service = "app"
    # lowest priority, so that a more specific router (for example one
    # guarding /admin) takes precedence over the catch-all host rule
    priority = 1
    [http.routers.mainapp.tls]
      certResolver = "lets-encrypt"

[http.services]
  # app service: the URL is only reachable on the compose network;
  # use the compose service name of your app container
  [http.services.app.loadBalancer]
    [[http.services.app.loadBalancer.servers]]
      url = "http://<your app service name>:8000"
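A mistake that is easy to make in a dynamic file like the one above is to define a protective middleware (the dashboard-secured chain) without attaching it to any router, or to paste a clear-text password where a hash belongs: Traefik will happily load such a file and the route simply stays unprotected. The following lint script is an added example, not part of the original page or of Traefik itself; it parses a Traefik v2 dynamic TOML file with Python's tomllib and reports references to undefined middlewares or services, middlewares that nothing uses, invalid CIDRs in an ipWhiteList, and basicAuth entries whose password field is not an htpasswd-style hash. The embedded sample mirrors the traefik_dynamic.toml above (with the placeholder credential left in), so the script assumes the v2 option names used there.

```python
"""Lint a Traefik v2 dynamic TOML file for wiring mistakes that leave a
route unprotected. Added example, not Traefik's own code."""
import ipaddress

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed sample mirroring the page's traefik_dynamic.toml.
SAMPLE = """
[http.middlewares.simpleAuth.basicAuth]
users = ["admin:<generated password>"]

[http.middlewares.dashboard-secured.chain]
middlewares = ["admin-ipwhitelist", "simpleAuth"]

[http.middlewares.admin-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "10.147.17.0/24"]

[http.routers.mainapp]
entryPoints = ["websecure"]
rule = "Host(`www.yourwebsite.com`)"
service = "app"
priority = 1
[http.routers.mainapp.tls]
certResolver = "lets-encrypt"

[[http.services.app.loadBalancer.servers]]
url = "http://app:8000"
"""

# Hash formats Traefik's basicAuth accepts: MD5 (apr1), SHA1, bcrypt.
HASH_PREFIXES = ("$apr1$", "{SHA}", "$2a$", "$2b$", "$2y$")


def lint_dynamic_config(toml_text: str) -> list[str]:
    """Return a list of human-readable findings (empty list means clean)."""
    http = tomllib.loads(toml_text).get("http", {})
    routers = http.get("routers", {})
    middlewares = http.get("middlewares", {})
    services = http.get("services", {})
    findings: list[str] = []
    used_middlewares: set[str] = set()

    for name, mw in middlewares.items():
        # chain members count as used, but must themselves exist
        for ref in mw.get("chain", {}).get("middlewares", []):
            used_middlewares.add(ref)
            if ref not in middlewares:
                findings.append(f"middleware {name}: chain references undefined middleware {ref!r}")
        # every allow-list entry must parse as a network
        for cidr in mw.get("ipWhiteList", {}).get("sourceRange", []):
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"middleware {name}: invalid CIDR {cidr!r} in sourceRange")
        # basicAuth users must be "user:<hash>", never a clear-text password
        for entry in mw.get("basicAuth", {}).get("users", []):
            user, sep, secret = entry.partition(":")
            if not sep or not secret.startswith(HASH_PREFIXES):
                findings.append(f"middleware {name}: user {user!r} credential is not an htpasswd hash")

    for name, router in routers.items():
        for ref in router.get("middlewares", []):
            used_middlewares.add(ref)
            if ref not in middlewares:
                findings.append(f"router {name}: references undefined middleware {ref!r}")
        svc = router.get("service")
        # services from other providers (e.g. api@internal) are referenced with '@'
        if not svc or ("@" not in svc and svc not in services):
            findings.append(f"router {name}: service {svc!r} is not defined in this file")

    # a middleware nobody references protects nothing
    for name in middlewares:
        if name not in used_middlewares:
            findings.append(f"middleware {name}: defined but attached to no router or chain")
    return findings


if __name__ == "__main__":
    for finding in lint_dynamic_config(SAMPLE) or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports two findings: the simpleAuth credential is not a hash (the placeholder is still in place), and dashboard-secured is defined but attached to no router, which is exactly the state of the page's configuration until a router for the dashboard (service api@internal) with `middlewares = ["dashboard-secured"]` is added. The hash itself is produced with the htpasswd tool referenced by the Traefik BasicAuth doc, for example `htpasswd -nB admin` for a bcrypt entry.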