Since I will initially run the whole collection of containers locally, including the traefik reverse proxy, everything will have to listen on a local ip-address.
This means I cannot use a LetsEncrypt certificate I think or I may have misunderstood. Anyway it might be a good exercise to configure traefik to use a self signed certificate.
Generating a certificate
I could generate the certificate outside my docker environment but to make the whole repository easier to clone (and not dependent on local tools but only on stuff we run inside an image while building) I opted to generate a certificate inside the traefik image as part of the build process.
This means that the steps to get the whole setup running are
- Create a local dns entry for the server that resolves to a local ip-address
I used server.michelanders.nl but you can use anything you like (that looks like a valid servername and it is and it is hosted on an external dns server but it still resolves to an internal non-routable address. Saves me from changing /etc/hosts on every machine i want to play).
- Change the dockerfile FQDN ARG or better yet, override this build arg in the args: section for the reverse-proxy in the docker-compose.yml and point it to the exact same servername.
- docker-compose up -d
- Browse to https://server.michelanders.nl (or your servername of course) et voila.
Dockerfile
The comments in the Dockerfile should be clear enough to explain how we generate the certificate files so i just reproduce it here
ARG TRAEFIKVERSION=latest
FROM traefik:$TRAEFIKVERSION
# provide the servername as a configurable option
# note that this is self signed so you should still add it to your
# trusted certificates every time you rebuild this images.
# For Chrome: click on the lock icon and export it
# then browse to chrome://settings/certificates and add it. Then restart
ARG FQDN=server.michelanders.nl
# add a self signed certificate
# note: it might be a good thing to remove the openssl package again to
# reduce the attack surface.
RUN apk add --no-cache openssl
WORKDIR /opt/traefik/certs
RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -subj "/CN=$FQDN" -addext "subjectAltName = DNS:$FQDN"
RUN chmod 644 server.crt
RUN chmod 600 server.key
# add a tls certificate configuration that uses the self signed cert
COPY reverse-proxy/certs-traefik.yml .
Docker-compose.yml
The relevant part of the docker compose file is show below. we basicaly tell traefik to accept only https (on port 443 with the websecure entrypoint) and we tell it where it can find the certificate configuration.
services:
reverse-proxy:
# Based on the official v2 Traefik docker image
image: reverse-proxy
# Enables the web UI and tells Traefik to listen to docker
command:
- --api.insecure=true
- --providers.docker
- --log.level=INFO
- --entryPoints.websecure.address=:443
- --providers.file.directory=/opt/traefik/certs
networks:
- appnetwork
ports:
# The HTTP port
- "443:443"
labels:
- "traefik.enable=true"
- "traefik.http.routers.objectstore.entrypoints=websecure"
- "traefik.http.routers.objectstore.tls=true"
No comments:
Post a Comment