Wednesday, 14 October 2020

Configuring traefik with a self-signed certificate

Since I will initially run the whole collection of containers locally, including the traefik reverse proxy, everything will have to listen on a local IP address.

This means I cannot use a LetsEncrypt certificate, I think, or I may have misunderstood. Anyway, it might be a good exercise to configure traefik to use a self-signed certificate.

Generating a certificate

I could generate the certificate outside my docker environment, but to make the whole repository easier to clone (and not dependent on local tools, only on things we run inside an image while building) I opted to generate the certificate inside the traefik image as part of the build process.

This means that the steps to get the whole setup running are:

  • Create a local DNS entry for the server that resolves to a local IP address. I used server.michelanders.nl but you can use anything you like (it looks like a valid server name, and it is: it is hosted on an external DNS server, but it still resolves to an internal non-routable address. That saves me from changing /etc/hosts on every machine I want to play on).
  • Change the FQDN ARG in the Dockerfile or, better yet, override this build arg in the args: section for the reverse-proxy service in docker-compose.yml and point it to the exact same server name.
  • docker-compose up -d
  • Browse to https://server.michelanders.nl (or your server name of course) et voila.

Dockerfile

The comments in the Dockerfile should be clear enough to explain how we generate the certificate files, so I just reproduce it here.

ARG TRAEFIKVERSION=latest

FROM traefik:$TRAEFIKVERSION

# provide the servername as a configurable option
# note that this is self signed so you should still add it to your
# trusted certificates every time you rebuild this image.
# For Chrome: click on the lock icon and export it
# then browse to chrome://settings/certificates and add it. Then restart

ARG FQDN=server.michelanders.nl

# add a self signed certificate
# note: it might be a good thing to remove the openssl package again to
# reduce the attack surface.

RUN apk add --no-cache openssl

WORKDIR /opt/traefik/certs

RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -subj "/CN=$FQDN" -addext "subjectAltName = DNS:$FQDN"

RUN chmod 644 server.crt

RUN chmod 600 server.key

# add a tls certificate configuration that uses the self signed cert

COPY reverse-proxy/certs-traefik.yml .

docker-compose.yml

The relevant part of the docker-compose file is shown below. We basically tell traefik to accept only HTTPS (on port 443 with the websecure entrypoint) and tell it where it can find the certificate configuration.

services:

  reverse-proxy:
    # Based on the official v2 Traefik docker image
    image: reverse-proxy
    # Enables the web UI and tells Traefik to listen to docker
    command:
      - --api.insecure=true
      - --providers.docker
      - --log.level=INFO
      - --entryPoints.websecure.address=:443
      - --providers.file.directory=/opt/traefik/certs
    networks:
      - appnetwork
    ports:
      # The HTTPS port
      - "443:443"
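The dynamic configuration file that the file provider picks up from that directory (certs-traefik.yml, which the Dockerfile copies into /opt/traefik/certs) is not reproduced in the post. Here is an added example of what it needs to contain, written by me rather than taken from the post; it assumes the Traefik v2 file-provider format and that the paths match the WORKDIR used in the Dockerfile above.

```yaml
# certs-traefik.yml: Traefik v2 dynamic configuration, loaded by
# --providers.file.directory=/opt/traefik/certs
# Assumption: the .crt/.key paths match the WORKDIR in the Dockerfile.
tls:
  certificates:
    # The self-signed pair generated by the openssl command in the Dockerfile.
    - certFile: /opt/traefik/certs/server.crt
      keyFile: /opt/traefik/certs/server.key
  stores:
    default:
      # Also make it the default certificate, so traefik does not fall back
      # to its own auto-generated "TRAEFIK DEFAULT CERT" when a client sends
      # an SNI name it cannot match against the certificate's SAN.
      defaultCertificate:
        certFile: /opt/traefik/certs/server.crt
        keyFile: /opt/traefik/certs/server.key
  options:
    default:
      # Refuse TLS 1.0/1.1 handshakes even though this is a local setup.
      minVersion: VersionTLS12
```

Traefik only parses .yml/.yaml/.toml files in that directory, so the server.crt and server.key sitting beside it are ignored by the provider and only read through the paths above. After docker-compose up you can confirm the served certificate is the self-signed one with `openssl s_client -connect server.michelanders.nl:443 -servername server.michelanders.nl </dev/null | openssl x509 -noout -subject -ext subjectAltName`.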

With this information in place, all we have to do is add or change two traefik labels on every service that was exposed before. For example, for the objectstore service those labels are

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.objectstore.entrypoints=websecure"
      - "traefik.http.routers.objectstore.tls=true"

This means we change the entrypoint to websecure and set tls to true.
