Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Docker + Traefik v1.7 and 2.0 + Let's Encrypt + Github Repository
Docker + Traefik + Let's Encrypt + Github Repository
Using:
- Ubuntu 19.04
- Docker Engine 19.03
- Docker Compose 1.25.0-rc2
- Traefik v1.7.18 with dnsChallenge
- Traefik v2.0.1 with httpChallenge
--
- Github Registry
- Let's Encrypt
1. Create a Ubuntu Droplet
1.1. You can create a Docker pre-installed Ubuntu too
2. Add domain to the Droplet -> yourdomain.com
2.1 Create A record for the Droplet -> @ for Droplet IP OR Change DNS on your domain provider
3. Connect to Ubuntu CLI
4. Install Docker
4.1. curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
4.2. sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable edge"
4.3. sudo apt-get update
4.4 apt-cache policy docker-ce
4.5 sudo apt-get install -y docker-ce
4.6 sudo systemctl status docker
5. Run your first image -> docker run doxalabs/hello-world
6. Install docker-compose
6.1. sudo curl -L "https://github.com/docker/compose/releases/download/1.25.0-rc2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
6.2. sudo chmod +x /usr/local/bin/docker-compose
6.3. sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
6.3. docker-compose --version
7. Go to /etc Folder
8. Create a folder -> mkdir traefik && cd traefik
9. Create traefik files
9.1. sudo touch /opt/traefik/docker-compose.yml
9.2. sudo touch /opt/traefik/acme.json
9.3. sudo chmod 600 /opt/traefik/acme.json
9.4. sudo touch /opt/traefik/traefik.toml
10. Update your docker-compose.yml file
10.1. nano docker-compose.yml
10.2. I am using dnsChallenge to create SSL. My domain provider is GoDaddy. Create a production API KEY and update environment parameters.
10.3 Update yourdomain.com on labes.
[Traefik v1.7] - docker-compose.yml with dnsChallenge
version: '3.7'
services:
reverse-proxy:
image: traefik:v1.7
restart: always
container_name: traefik
ports:
- 80:80
- 443:443
expose:
- 8080
networks:
- external
- internal
environment:
- GODADDY_API_KEY=...
- GODADDY_API_SECRET=...
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/traefik/traefik.toml:/traefik.toml
- /opt/traefik/acme.json:/acme.json
labels:
- "traefik.backend=traefik"
- "traefik.docker.network=external"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:traefik.yourdomain.com"
- "traefik.port=8080"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
networks:
external:
external: true
internal:
11. Update traefik.toml file
11.1. Update users on entryPoints.traefik with -> echo $(htpasswd -nb username password) | sed -e s/\\$/\\$\\$/g
11.2. Update your-domain and your-email fields
11.3. Update your domain provider on acme.dnsChallenge
[Traefik v1.7] - traefik.toml with dnsChallenge
debug = false
loglevel = "ERROR"
defaultEntryPoints = ["https", "http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.traefik]
address = ":8080"
[entryPoints.traefik.auth.basic]
users = ["username:hashed-password"]
[api]
entryPoint = "traefik"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "your-domain.com"
watch = true
exposedByDefault = false
[acme]
email = "your-email.com"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
[acme.dnsChallenge]
provider = "godaddy"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.your-domain.com"
sans = ["your-domain.com"]
12. Create a network -> docker network create external
13. Run traefik
13.1. docker-compose up -d
13.2. docker ps
13.3. If you don't see traefik running then chek the logs -> docker logs containerId
13.4. If it's running then create a CNAME for traefik -> @ then visit traefik.your-domain.com
13.5. Enter your username and non-hashed password to see the dashboard
14. Run your own image from Github Registry / Others
14.1. Create a folder -> mkdir opt/my-container
14.2 Create docker-compose -> nano docker-compose.yml
[Traefik 1.7] - docker-compose.yml
version: "3.7"
services:
your-container-name:
image: docker.pkg.github.com/github-username/repo-name/tag-name:latest
restart: always
container_name: your-container-name
networks:
- web
labels:
- traefik.docker.network=external
- traefik.backend=your-container-name
- traefik.frontend.rule=Host:your-container-name.your-domain.com
- traefik.enable=true
- traefik.port=80
networks:
web:
name: external
15. Docker login.
15.1. If you are using Ubuntu 19 then run -> apt install pass
15.2. docker login docker.pkg.github.com --username "github-username"
15.3. Create a Github Access Token with repo, package write and read permission and enter this token as a password
16. Run your container
16.1. docker-compose up -d
16.2. docker ps
16.3. Create a CNAME for your-container-name -> @ then visit your-container-name.your-domain.com
These are for traefik v2.0
[Traefik v2.0] - docker-compose.yml with httpChallenge
version: '3.7'
services:
traefik:
image: traefik:v2.0.1
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/traefik.yml:ro
- ./acme.json:/acme.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.your-domain.com`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=username:hashed-password"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.your-domain.com`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=http"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
networks:
proxy:
external: true
[Traefik v2.0] - traefik.yml with httpChallenge
api:
dashboard: true
# Writing Logs to a File, in JSON
log:
level: DEBUG
filePath: "log-file.log"
format: json
# Configuring a buffer of 100 lines
accessLog:
filePath: "log-access.log"
bufferingSize: 100
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
certificatesResolvers:
http:
acme:
email: your-email.com
storage: acme.json
httpChallenge:
entryPoint: http
[Traefik v2.0] - your-container docker-compose.yml
version: '3.7'
services:
your-container-name:
image: docker.pkg.github.com/username/repo-name/image-name:latest
container_name: your-container-name
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.your-container-name.entrypoints=http"
- "traefik.http.routers.your-container-name.rule=Host(`your-container-name.your-domain.com`, `www.your-container-name.your-domain.com`)"
- "traefik.http.middlewares.your-container-name-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.your-container-name.middlewares=your-container-name-https-redirect"
- "traefik.http.routers.your-container-name-secure.entrypoints=https"
- "traefik.http.routers.your-container-name-secure.rule=Host(`your-container-name.your-domain.com`, `www.your-container-name.your-domain.com`)"
- "traefik.http.routers.your-container-name-secure.tls=true"
- "traefik.http.routers.your-container-name-secure.tls.certresolver=http"
- "traefik.http.routers.your-container-name-secure.service=your-container-name"
- "traefik.http.services.your-container-name.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
networks:
proxy:
external: true
@dmpe

This comment has been minimized.

Copy link

@dmpe dmpe commented Oct 3, 2019

Thank you @fatihyildizhan . it has helped me a lot with the traefik upgrade

@HristoA

This comment has been minimized.

Copy link

@HristoA HristoA commented Oct 4, 2019

Thanks man. This is so beautiful

@robobario

This comment has been minimized.

Copy link

@robobario robobario commented Nov 25, 2019

Thank you

@naugustijr

This comment has been minimized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.