Configuring Traefik with Let's Encrypt on Docker
Traefik isn't just a reverse proxy; it's a powerful, dynamic edge router that makes managing your container-based infrastructure easier and more efficient. In this guide, we're going to install Traefik as a reverse proxy on a host running Docker, configure Let's Encrypt for automatic SSL certificates using DNS-01 validation with Transip, and configure Traefik in such a way that Prometheus can scrape the metrics.
Why Traefik?
Traefik is particularly great if you want simplicity and dynamic configuration. It works seamlessly with Docker, Kubernetes, Nomad, and many other orchestration tools, automatically detecting and routing to containers as they come online. With Let's Encrypt support built-in, Traefik takes the headache out of managing SSL certificates.
Prerequisites
- A server or VM running Docker and Docker Compose
- A domain registered through Transip
- Access to Transip API credentials
1. Directory Structure
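mkdir traefik-docker && cd traefik-docker
mkdir config
touch config/acme.json && chmod 600 config/acme.json  # must exist as a 0600 file before the first start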
2. Docker Compose File
Create docker-compose.yml:
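version: '3.7'
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "443:443"
    environment:
      # The transip DNS provider reads the account name and the path to the API private key
      - TRANSIP_ACCOUNT_NAME=your_transip_account_name
      - TRANSIP_PRIVATE_KEY_PATH=/transip.key
    volumes:
      # A read-only mount does not restrict Docker API calls; treat this container as privileged
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./config/traefik.yml:/traefik.yml:ro"
      - "./config/acme.json:/acme.json"
      # Example location for the Transip API private key file
      - "./config/transip.key:/transip.key:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$...$$...P/"
      - "traefik.http.routers.dashboard.tls=true"
      # Without a certresolver the router serves Traefik's default self-signed certificate
      - "traefik.http.routers.dashboard.tls.certresolver=transip"
    networks:
      - traefik-network
networks:
  traefik-network:
    name: traefik-network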
3. Traefik Configuration
Create config/traefik.yml:
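api:
  dashboard: true
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  transip:
    acme:
      email: "your_email@example.com"
      # Absolute path matching the acme.json volume mount in docker-compose.yml
      storage: "/acme.json"
      dnsChallenge:
        provider: "transip"
        delayBeforeCheck: 0
log:
  # DEBUG is verbose; lower the level once certificate issuance works
  level: DEBUG
  # With filePath set, Traefik writes its log to this file inside the container
  # instead of stdout, so `docker logs traefik` will not show it
  filePath: "/var/log/traefik/traefik.log"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
metrics:
  prometheus:
    # Metrics are served at /metrics on the web entry point (port 80),
    # which docker-compose.yml publishes on the host; restrict who can reach it
    entryPoint: web
    addEntryPointsLabels: true
    addServicesLabels: true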
4. Securing the Dashboard with Basic Authentication
Generate a username and password hash:
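# Compose treats $ as variable interpolation, so every $ in the hash is doubled for the label
htpasswd -nb admin securepassword | sed -e 's/\$/\$\$/g'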
Replace securepassword with a strong password. Place the generated hash in the Docker Compose label.
5. Starting Traefik
docker-compose up -d
6. Verify Your Setup
- Access the Dashboard: Navigate to https://traefik.yourdomain.com
- Verify SSL: Check the logs to confirm certificate issuance:
docker logs traefik
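As an added check that is not part of the original guide, the script below inspects the ACME storage file directly to confirm that a certificate covering the dashboard host was issued and that the file holding the private keys is not readable by other users. It assumes the Traefik v2 acme.json layout (resolver name, then Certificates, then domain.main and domain.sans) and the paths and names used in this guide; the function names are hypothetical.

```python
import json
import os
import stat

def covers(name, host):
    """True if a certificate name (exact or single-label wildcard) covers host."""
    name, host = name.lower(), host.lower()
    if name.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == name[2:]
    return name == host

def check_acme_store(path, resolver, host):
    """Return a list of problems found in Traefik's ACME storage file."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing (create it before the first start)"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file (Docker creates a directory "
                "when the bind-mount source does not exist)"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other permission bit exposes the private keys
        problems.append(f"{path}: mode {mode:04o} exposes private keys, use 0600")
    if st.st_size == 0:
        return problems + [f"{path}: empty, no certificate issued yet"]
    with open(path) as fh:
        store = json.load(fh)
    certs = (store.get(resolver) or {}).get("Certificates") or []
    # Collect the main name and every SAN of each stored certificate
    names = [n for c in certs
             for n in [c.get("domain", {}).get("main", "")]
             + (c.get("domain", {}).get("sans") or [])]
    if not any(covers(n, host) for n in names):
        problems.append(f"resolver {resolver!r}: no certificate covers {host}")
    return problems

if __name__ == "__main__":
    # Paths and names as used in this guide; run from the traefik-docker directory
    found = check_acme_store("config/acme.json", "transip", "traefik.yourdomain.com")
    for p in found:
        print("FAIL", p)
    if not found:
        print("OK: certificate present and storage file is private")
```
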
Conclusion
You've successfully set up Traefik as a reverse proxy for Docker services with DNS-validated SSL certificates from Let's Encrypt, secure access to the Traefik dashboard, and monitoring via Prometheus. This setup is both powerful and flexible, designed to grow as your needs evolve.
Start deploying your Docker containers, and watch as Traefik picks them up and routes traffic automatically!