
create a proxy network:

docker network create proxy

create a traefik folder to keep the configuration

mkdir -p traefik/configurations

create a docker compose file

vi traefik/compose.yml

replace YOUR_DOMAIN with the hostname the Traefik dashboard will be served on, e.g. traefik.openimis.org (it must already resolve to this host, otherwise Let's Encrypt cannot issue the certificate)

services:
  traefik:
    # pin a release instead of "latest": a silent major upgrade can change the accepted configuration keys
    image: "traefik:v3.1"
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      # even read-only, the Docker socket lets the container drive the daemon (root-equivalent on the host);
      # this is why the dashboard must stay behind authentication
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # paths are relative to this compose file, i.e. the traefik/ folder created above
      - "./traefik.yml:/traefik.yml:ro"
      - "./acme.json:/acme.json"
      - "./configurations:/configurations:ro"
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.traefik-secure.entrypoints=websecure
      - traefik.http.routers.traefik-secure.rule=Host(`YOUR_DOMAIN`)
      - traefik.http.routers.traefik-secure.service=api@internal
      - traefik.http.routers.traefik-secure.middlewares=user-auth@file

networks:
  proxy:
    external: true

create an empty acme.json and restrict its permissions: Traefik stores the ACME account key and the certificate private keys in it, and refuses to use the file unless it is mode 600

touch traefik/acme.json
chmod 600 traefik/acme.json

create traefik config file

vi traefik/traefik.yml

replace contact@YOURDOMAIN with the address Let's Encrypt should use for account and expiry notices

/!\ The ports configured here are 80 and 443; make sure they are free on the host. Port 80 must also be reachable from the internet, because the Let's Encrypt HTTP-01 challenge is answered on it.

api:
  dashboard: true   # only reachable through the authenticated traefik-secure router (api@internal); never enable api.insecure

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure

  websecure:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false   # containers are published only when they carry traefik.enable=true
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: contact@YOURDOMAIN
      storage: acme.json
      keyType: EC384            # ECDSA P-384 certificate keys
      httpChallenge:
        entryPoint: web

configure the dynamic configuration

To create the basic-authentication credentials that protect the dashboard, follow these steps:

  1. Install apache2-utils:

sudo apt install apache2-utils

  2. Generate the password hash with htpasswd (-B selects bcrypt, -C raises the cost factor above the default of 5):

htpasswd -nB -C 10 username

Replace "username" with your desired username. You'll be prompted to enter and confirm a password.

  3. The output will be in the format:

username:$2y$10$hashed_password

  4. Paste that line as printed, with single dollar signs, into dynamic.yml below: the file provider reads the hash verbatim. Doubling the dollar signs is only needed when the hash is placed in a compose.yml label, where Docker Compose would otherwise expand "$2y" as a variable:

username:$$2y$$10$$hashed_password    (compose labels only, not for dynamic.yml)

Put the hash line in the users list of the following file

vi traefik/configurations/dynamic.yml
# Dynamic configuration
http:
  middlewares:
    secureHeaders:
      headers:
        # HTTP -> HTTPS redirection is already done on the web entryPoint in traefik.yml;
        # the old sslRedirect option is redundant here and is no longer accepted by Traefik v3
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    user-auth:
      basicAuth:
        # htpasswd line as printed: single $ (doubling $ is only for compose labels)
        users:
          - "username:$2y$10$hashed_password"

#  routers:
#    example:
#      rule: "Host(`example.YOURDOMAIN`)"
#      service: example
#      entryPoints:
#        - websecure
#      tls:
#        certResolver: letsencrypt
#  services:
#    example:
#      loadBalancer:
#        servers:
#          - url: "http://YOURSTATIC_IP:YOURSTATIC_PORT"

tls:
  options:
    default:
      # this list only governs TLS 1.2; the TLS 1.3 suites are fixed by the Go TLS stack and cannot be configured
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12

Routes that Traefik cannot discover from Docker labels (for instance a service running directly on the host) can be declared by hand in this file, as in the commented-out example.YOURDOMAIN router. The router's service field must name a service defined in the same file, and the Host rule must be a name that resolves to this host, otherwise the certificate request for it will fail.

Start Traefik (the compose file lives in traefik/, and the relative volume paths are resolved from there):

docker compose -f traefik/compose.yml up -d
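The following script is an added example (not part of the openIMIS page or of the Traefik project) that checks the points this setup silently depends on: the `$` handling of the htpasswd hash, the 600 mode on acme.json, free ports before start-up, and after start-up the HTTP-to-HTTPS redirect, the HSTS header, the 401 on the dashboard and the refusal of TLS 1.1. It assumes the traefik/ layout above and a DOMAIN environment variable naming the dashboard host; the file name traefik/check.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the openIMIS page or the Traefik project).
# Assumes the layout above (traefik/acme.json, traefik/compose.yml) and
# DOMAIN set to the dashboard host, e.g. DOMAIN=traefik.openimis.org.
set -eu

# htpasswd output contains '$'. The file provider (dynamic.yml) reads it
# verbatim; only a hash placed in a compose.yml label needs every '$' doubled,
# because Compose would otherwise expand "$2y" as a variable reference.
escape_for_compose() {
  printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# acme.json holds the ACME account key and the certificate private keys;
# Traefik refuses to use it unless the file is mode 600.
acme_mode_ok() {
  [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Checks over the text of a `curl -sI` response (header lines, CRLF tolerated).
has_hsts() {
  printf '%s\n' "$1" | grep -qi '^strict-transport-security: *max-age=31536000'
}
redirects_to_https() {
  printf '%s\n' "$1" | grep -qi '^location: *https://'
}

# Before `docker compose up`: ports 80/443 free, acme.json present and 600.
preflight() {
  for p in 80 443; do
    if ss -ltn 2>/dev/null | grep -q ":$p "; then
      echo "FAIL: port $p is already in use on the host"
    fi
  done
  acme_mode_ok traefik/acme.json || echo "FAIL: traefik/acme.json missing or not mode 600"
}

# After the stack is up: does the running proxy behave as the configuration promises?
verify() {
  domain="${DOMAIN:?set DOMAIN to the dashboard host}"
  # entryPoint "web" must redirect every request to websecure
  redirects_to_https "$(curl -sI "http://$domain/")" || echo "FAIL: no HTTPS redirect on port 80"
  # secureHeaders@file must add HSTS to websecure responses
  has_hsts "$(curl -sI "https://$domain/dashboard/")" || echo "FAIL: HSTS header missing"
  # user-auth@file must reject unauthenticated dashboard access
  code=$(curl -s -o /dev/null -w '%{http_code}' "https://$domain/dashboard/" || true)
  [ "$code" = "401" ] || echo "FAIL: dashboard answered $code without credentials (expected 401)"
  # minVersion TLS 1.2: a TLS 1.1 handshake must be refused
  if openssl s_client -tls1_1 -connect "$domain:443" </dev/null >/dev/null 2>&1; then
    echo "FAIL: TLS 1.1 handshake accepted"
  fi
}

case "${1:-}" in
  preflight) preflight ;;
  verify) verify ;;
esac
```

Run `sh traefik/check.sh preflight` before starting the stack and `DOMAIN=traefik.openimis.org sh traefik/check.sh verify` once it is up; certificate issuance errors (unreachable port 80, wrong DNS, acme.json permissions) show up in `docker compose -f traefik/compose.yml logs traefik`.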