create a proxy network:
docker network create proxy
create a traefik folder to keep the configuration
mkdir -p traefik/configurations
create a docker compose file
vi traefik/compose.yml
Replace YOUR_DOMAIN
with the actual domain you want to use for Traefik, for example traefik.openimis.org
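# Compose file for the Traefik reverse proxy (traefik/compose.yml).
# The host paths below are absolute and assume the traefik folder lives in
# /home/ubuntu; adjust them if it was created somewhere else.
services:
  traefik:
    # `latest` follows every upstream release, including new major versions.
    # Pin a tag or digest you have tested so that pulling the image cannot
    # change the proxy's behaviour unnoticed.
    image: "traefik:latest"
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      # `:ro` only protects the socket file. A process that can connect to it
      # can still use the whole Docker API, which amounts to root on the host.
      # A filtering socket proxy in front of it narrows that exposure.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/ubuntu/traefik/traefik.yml:/traefik.yml:ro"
      # Must stay writable: Traefik stores the ACME account key and the
      # certificates' private keys here. Keep the host file at mode 600.
      - "/home/ubuntu/traefik/acme.json:/acme.json"
      # Traefik only reads the dynamic configuration, so it is mounted
      # read-only like the other configuration file.
      - "/home/ubuntu/traefik/configurations:/configurations:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # Dashboard router: HTTPS entry point only, behind the basic-auth
      # middleware `user-auth` defined in configurations/dynamic.yml.
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`YOUR_DOMAIN`)"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"

networks:
  # Created beforehand with `docker network create proxy`.
  proxy:
    external: true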
create an empty acme.json
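# Create the file inside the traefik folder: the compose file bind-mounts
# traefik/acme.json, and Docker creates a directory in its place if the file
# does not exist when the container starts.
touch traefik/acme.json
# The file will hold the ACME account key and the certificates' private keys.
# Traefik refuses to use it when the permissions are wider than 600.
chmod 600 traefik/acme.json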
create traefik config file
vi traefik/traefik.yml
Replace contact@YOURDOMAIN
with your admin contact address
/!\ The ports configured here are 80 and 443; make sure they are free. Port 80 is mandatory for the ACME HTTP challenge (Let’s Encrypt).
# Traefik static configuration (traefik/traefik.yml), mounted read-only at
# /traefik.yml by the compose file.

api:
  # Turns on the dashboard. `insecure` is not set here, so the dashboard is
  # reached only through the router declared in the compose labels, which sits
  # behind the `user-auth` middleware.
  dashboard: true

entryPoints:
  # Port 80 stays open for the ACME HTTP challenge; all other requests are
  # redirected to the `websecure` entry point.
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
  # Every router on this entry point gets the `secureHeaders` middleware and a
  # certificate from the `letsencrypt` resolver.
  websecure:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers are published only when they carry `traefik.enable=true`.
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: contact@YOURDOMAIN
      # Relative path; presumably resolved against the container's working
      # directory, matching the /acme.json bind mount. Confirm at first start.
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web
configure the dynamic configuration
To create a basic authentication key for Traefik, you can follow these steps:
Install apache2-utils:
sudo apt install apache2-utils
Generate the password hash using htpasswd:
htpasswd -nB username
Replace "username" with your desired username. You'll be prompted to enter and confirm a password.
The output will be in the format:
username:$2y$05$hashed_password
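When the hash goes into Traefik labels in a Docker Compose file, replace each single $ with a double $$ to escape it, because Compose treats a single $ as variable interpolation:
username:$$2y$$05$$hashed_password
The following file is read by Traefik's file provider rather than by Compose, so put the hash in it exactly as htpasswd printed it, with single $ (not the doubled form):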
vi traefik/configurations/dynamic.yml
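# Dynamic configuration (traefik/configurations/dynamic.yml), loaded by
# Traefik's file provider.
http:
  middlewares:
    # Applied to every router on the `websecure` entry point (see traefik.yml).
    # The `sslRedirect` option that used to be set here is dropped: HTTP is
    # already redirected at the `web` entry point, and Traefik v3 (which
    # `traefik:latest` can resolve to) no longer accepts that option.
    secureHeaders:
      headers:
        forceSTSHeader: true
        # HSTS for one year, including subdomains and the preload flag.
        # Browsers cache this and preload listing is slow to undo, so make
        # sure every subdomain can serve HTTPS before going live.
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    user-auth:
      basicAuth:
        users:
          # Paste the line exactly as htpasswd printed it. Doubling `$` is
          # only for Docker Compose files, where Compose interprets `$`; this
          # file is not processed by Compose, so a doubled hash would be
          # taken literally and the login would not verify.
          # The `05` is htpasswd's default bcrypt cost; `htpasswd -C` raises
          # it, at the price of slower checks on each authenticated request.
          - 'username:$2y$05$hashed_password'
  # Example of a manually declared route. Before enabling it, make the
  # router's `service` and the key under `services` the same name; they
  # differ in this template.
  # routers:
  #   example:
  #     rule: "Host(`example.YOURDOMAIN`)"
  #     service: example-secured
  #     entryPoints: websecure
  #     tls:
  #       certResolver: letsencrypt
  # services:
  #   nazkaban-example:
  #     loadBalancer:
  #       servers:
  #         - url: "http://YOURSTATIC_IP:YOURSTATIC_PORT"

tls:
  options:
    default:
      # ECDHE key exchange with AEAD ciphers only. This list governs
      # TLS 1.2; TLS 1.3 cipher suites are not selected from it.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12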
In that file you can manually create routes, as shown by the commented-out example.YOURDOMAIN entry (be careful that the router points to the associated service).