Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
docker compose with traefik and certs
#!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'
DOMAIN_NAME=$1
openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout "$DOMAIN_NAME.key" \
-new \
-out "$DOMAIN_NAME.crt" \
-subj "/CN=*.$DOMAIN_NAME" \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.%s, DNS:%s" "$DOMAIN_NAME" "$DOMAIN_NAME")) \
-sha256 \
-days 3650
cat "$DOMAIN_NAME.crt" "$DOMAIN_NAME.key" \
| tee "$DOMAIN_NAME.pem"
version: "2.4"
services:
nginx:
image: nginx
labels:
traefik.enable: true
traefik.http.routers.nginx.rule: Host(`nginx.bret.lol`)
traefik.http.routers.nginx.entrypoints: websecure
traefik.http.routers.nginx.tls: true
depends_on:
traefik:
condition: service_healthy
traefik:
image: "traefik:v2.2"
healthcheck:
test:
- CMD
- traefik
- healthcheck
interval: 10s
timeout: 5s
retries: 3
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- ./traefik.yaml:/etc/traefik/traefik.yaml
- ~/.certs/:/certs/
- /var/run/docker.sock:/var/run/docker.sock
## STATIC CONFIG (restart traefik to update)
# shows you a log msg if a newer image tag can be used
global:
checkNewVersion: true
# log default is ERROR, but WARN is more helpful
log:
level: WARN
# level: INFO
# enable dashboard on 8080 with auth
api:
insecure: true
dashboard: true
# enable ping so the `traefik healthcheck` works
ping: {}
# auto-proxy containers if they have proper labels
# and also use this file for dynamic config (tls)
providers:
docker:
exposedByDefault: false
watch: true
file:
fileName: /etc/traefik/traefik.yaml
watch: true
# listen on 80/443, and redirect all 80 to 443 via 301
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: :443
## DYNAMIC CONFIG
tls:
certificates:
- certFile: /certs/bret.lol.crt
keyFile: /certs/bret.lol.key
# when testing certs, enable this so traefik doesn't use
# it's own self signed. By default if it can't find a matching
# cert, it'll just create it's own which will cause cert warnings
# in browser
# options:
# default:
# sniStrict: true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment