@nknapp
Created October 30, 2016 20:15
Traefik setup as reverse-proxy with docker and letsencrypt
```yaml
version: '2'
services:
  traefik:
    build: .
    # command: --logLevel=DEBUG
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:8080:8080"   # status page reachable only from the host itself
    restart: always
    volumes:
      # Traefik watches containers via the Docker API; this mount grants it control over the daemon
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - default
    cap_drop:
      - all                     # drop every capability ...
    cap_add:
      - net_bind_service        # ... except binding to ports below 1024
```
```dockerfile
FROM traefik:camembert
ADD traefik.toml .
EXPOSE 80
EXPOSE 8080
EXPOSE 443
```
```toml
# defaultEntryPoints must be at the top because it should not be in any table below
defaultEntryPoints = ["http", "https"]

[web]
# Port for the status page
address = ":8080"

# Entrypoints, http and https
[entryPoints]
  # http should be redirected to https
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  # https is the default
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

# Enable ACME (Let's Encrypt): automatic SSL
[acme]
# caServer = "https://acme-staging.api.letsencrypt.org/directory"
email = "letsencrypt@example.com"
storage = "acme.json" # or "traefik/acme/account" if using KV store
entryPoint = "https"
onDemand = false
OnHostRule = true

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.com"
watch = true
exposedbydefault = false
```
nknapp commented Oct 30, 2016

Motivation

Docker-compose setup for starting Træfik as reverse proxy, load balancer and SSL server with Let's Encrypt certificates.

Usage

Put the files of this gist into a directory called reverse-proxy and run docker-compose up -d to start up the service.
After that, you can "up" docker-compose.yml-files like:

```yaml
version: '2'

services:
  microbot:
    image: dontrebootme/microbot
    labels:
      - "traefik.enable=true"
      - "traefik.backend=microbot"
      - "traefik.frontend.rule=Host:microbot.example.com"
      - "traefik.docker.network=reverseproxy_default"
    networks:
      - "reverseproxy_default"
    restart: always

networks:
  reverseproxy_default:
    external:
      name: reverseproxy_default
```

and they will be served through the Træfik proxy.

  • Træfik will forward requests to https://microbot.example.com to the backend.
  • Træfik will order SSL certificates through letsencrypt.org
  • Træfik will balance the requests between multiple backends with the same name, which means additional instances created by docker-compose scale microbot=3 will automatically be used when available.
  • Requests to http://microbot.example.com will be redirected to https

Some details

  • The label traefik.frontend.rule=Host:microbot.example.com is used by Træfik to determine which container to use for which domain.
  • The option exposedbydefault = false tells Træfik to only include containers with the label traefik.enable=true.
  • Since the gist-files are inside the directory reverse-proxy, docker-compose will create a network reverseproxy_default for the container. The part

    ```yaml
    networks:
      - "reverseproxy_default"
    ```

    and

    ```yaml
    networks:
      reverseproxy_default:
        external:
          name: reverseproxy_default
    ```

    of the microbot-file make sure that microbot is in the same network as Træfik.

If microbot were present in two networks, the label traefik.docker.network=reverseproxy_default will tell Træfik which IP to use to connect to the service.
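As an added example (not part of the gist and not Traefik's own code), the following Python models the selection rules this comment describes: exposedbydefault, the traefik.enable, traefik.backend and traefik.frontend.rule labels, several scaled containers under one backend, and traefik.docker.network choosing the IP when a container sits on two networks. The container inventory and IPs are constructed.

```python
# Added example, not part of the gist: a model of how Traefik 1.x's Docker
# provider, configured as in traefik.toml above, turns container labels into
# routes. The container inventory below is constructed for the demo.
from collections import defaultdict

EXPOSED_BY_DEFAULT = False      # exposedbydefault = false
DEFAULT_DOMAIN = "example.com"  # domain = "example.com"

MICROBOT_LABELS = {"traefik.enable": "true", "traefik.backend": "microbot",
                   "traefik.frontend.rule": "Host:microbot.example.com",
                   "traefik.docker.network": "reverseproxy_default"}
CONTAINERS = [  # two scaled replicas, an unlabelled db, a two-network service
    {"name": "microbot_1", "labels": MICROBOT_LABELS,
     "networks": {"reverseproxy_default": "172.18.0.3", "app_default": "172.19.0.2"}},
    {"name": "microbot_2", "labels": MICROBOT_LABELS,
     "networks": {"reverseproxy_default": "172.18.0.4"}},
    {"name": "db", "labels": {}, "networks": {"app_default": "172.19.0.5"}},
    {"name": "shop", "labels": {"traefik.enable": "true"},
     "networks": {"reverseproxy_default": "172.18.0.6", "app_default": "172.19.0.6"}},
]

def is_exposed(labels):
    """exposedbydefault=false: only traefik.enable=true containers are routed."""
    flag = labels.get("traefik.enable")
    return EXPOSED_BY_DEFAULT if flag is None else flag.lower() == "true"

def host_for(name, labels):
    """Hostname from traefik.frontend.rule=Host:..., else <name>.<domain>."""
    rule = labels.get("traefik.frontend.rule", "")
    return rule[5:].strip() if rule.startswith("Host:") else f"{name}.{DEFAULT_DOMAIN}"

def backend_ip(container):
    """IP on the traefik.docker.network network; the only network otherwise; None if ambiguous."""
    nets = container["networks"]
    wanted = container["labels"].get("traefik.docker.network")
    if wanted:
        return nets.get(wanted)
    return next(iter(nets.values())) if len(nets) == 1 else None

def build_routes(containers=CONTAINERS):
    """Return {hostname: {backend: [ips]}}; IPs under one backend are load-balanced."""
    routes = defaultdict(lambda: defaultdict(list))
    for c in containers:
        if not is_exposed(c["labels"]) or backend_ip(c) is None:
            continue  # db has no enable label; shop is on two networks with no hint
        backend = c["labels"].get("traefik.backend", c["name"])
        routes[host_for(c["name"], c["labels"])][backend].append(backend_ip(c))
    return {h: dict(b) for h, b in routes.items()}
```

Running build_routes() on the constructed inventory publishes only microbot.example.com, balanced over the two replica IPs taken from reverseproxy_default.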

nknapp commented Oct 31, 2016

I have moved this example into a real repository

dcrystalj commented Apr 6, 2017

For some reason this is not working for me. I am using swarm mode (so I used swarm mode settings). It redirects from http to https but after that I get "Secure Connection Failed". I think it does not generate any certificate (ACME certs == []). Note I have set onDemand = true.

```console
root@swarm-02:/config# cat /config/acme/acme.json
{
  "Email": "traefik@my-domain.pro",
  "Registration": {
    "body": {
      "resource": "reg",
      "id": 1788893,
      "key": {
        "kty": "RSA",
        "n": "46uBWGY49i0ziDHLVdAWg1cDzdJlJADcjs9WH2Djo4kI4ZByJBZodj9Jc63rprm8jBhbryqOgnAi-XnOxE15uhyqOFCQIAcS8ikmZYZK5xM16m3WG6ZYTLsg6DagSSaI1R5fnP6I2kZoaDhyv46V3PNUmD4Ir3eVuiFQWpRFtEZRSyESQh-6V2Ki-1co-bgDylEO4rz6QRRHqlduiGfZ-CZG5TfcdivtOMBSjNyY4GcBnFyQH_qY09A49CDdyxweNT5QzTLo58aCvqCL2rbkP-VAub1MvZLRmqXhNbddgmEg0LZkCBE1qjViq8_siBpxCDj9l_qPEKIoiTnGZi20h_l6esIwFUHzJ-Wqlyx1OoNQ5dJFU9PDwsG4jBDdsdHI0p43FrqtWIBs5iBUjNttlOsNPS2RmGSSm9mvOgecPiiypUNJP6knwqHFAU97GUu_45y2ne8p7Sibxgwy_P3d98Bwv3AFdt2q5xYhdmUXH6ayfgr-GRvbAytG-nbSG33PZqmWk",
        "e": "AQAB"
      },
      "contact": [
        "mailto:traefik@my-domain.com"
      ],
      "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
    },
    "uri": "https://acme-staging.api.letsencrypt.org/acme/reg/1788893",
    "new_authzr_uri": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
    "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  },
  "PrivateKey": "<private key removed>",
  "DomainsCertificate": {
    "Certs": []
  },
  "ChallengeCerts": {}
}
```
Any idea?
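As an added example (not part of this thread or of Traefik), the following Python reads an acme.json laid out like the dump above and reports the two things visible in it that a practitioner would check first: the account is registered at the Let's Encrypt staging directory (the commented caServer line in traefik.toml), whose certificates browsers do not trust, and Certs is empty. It also flags that the file carries the account private key. The sample document is constructed and its key is a placeholder.

```python
# Added example, not part of the thread or of Traefik: read a Traefik 1.x
# acme.json laid out like the dump above and report why HTTPS may be failing.
# The sample document is constructed; the private key is a placeholder.
import json

STAGING_HOST = "acme-staging.api.letsencrypt.org"  # the commented caServer in traefik.toml

SAMPLE_ACME_JSON = json.dumps({
    "Email": "traefik@my-domain.pro",
    "Registration": {
        "uri": "https://acme-staging.api.letsencrypt.org/acme/reg/1788893",
        "body": {"contact": ["mailto:traefik@my-domain.com"]},
    },
    "PrivateKey": "<constructed placeholder, not a real key>",
    "DomainsCertificate": {"Certs": []},
    "ChallengeCerts": {},
})

def diagnose(acme_json_text):
    """Return findings as 'code: explanation' strings; [] means nothing obvious."""
    doc = json.loads(acme_json_text)
    findings = []
    reg_uri = doc.get("Registration", {}).get("uri", "")
    if STAGING_HOST in reg_uri:
        findings.append("staging: account registered at the Let's Encrypt staging CA, "
                        "so any certificate it issues is rejected by browsers")
    certs = doc.get("DomainsCertificate", {}).get("Certs") or []
    if not certs:
        findings.append("no-certs: Certs is empty, no certificate has been issued yet; "
                        "the hostname must resolve to this proxy on ports 80/443")
    if doc.get("PrivateKey"):
        findings.append("secret: the file holds the ACME account private key; "
                        "keep it mode 0600 and redact it before sharing")
    return findings

def finding_codes(acme_json_text=SAMPLE_ACME_JSON):
    """Just the short codes, e.g. ['staging', 'no-certs', 'secret'] for the sample."""
    return [f.split(":", 1)[0] for f in diagnose(acme_json_text)]
```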

snapo commented Aug 24, 2017

@dcrystalj, hope those are not your real PK's....

kgodard commented Aug 31, 2017

SUPER HELPFUL. Thank you!
