The premise condition
- VPS environment: overseas 😂
- Docker
- There is a domain name
example.com
- use
cloudflare
Manage DNS for domain names 80/443
Has been opened
chapter
- Traefik routes to the Docker container
- Traefik Routes to local IP addresses
- Traefik middleware
- Let’s Encrypt certificate HTTP Challenge
- Let’s Encrypt certificate DNS Challenge
- Forward HTTP traffic to HTTPS
Traefik routes to the Docker container
Create a new Docker network
docker network create traefik_net
Traefik and containers need to be on the same network. Compose creates one automatically, but the fact is hidden and confusion can occur later. It is best to just create your own network and set it as the default network in each compose file.
Additional information: Use docker Network inspect traefik_net to see containers connected to the network
Create traefik. Yml
This file contains what is called a static Traefik configuration.
In this basic example, there is very little explanation of Settings.
Because exposedByDefault is set to false, the label “traefik.enable=true” will need to be used for containers that should be routed by Traefik.
This file will be passed to the Docker container via bind mount, which will be done when we use docker-comemage.yml for Traefik.
traefik.yml
## STATIC CONFIGURATION
log:
level: INFO
api:
insecure: true
dashboard: true
entryPoints:
web:
address: ": 80"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
Copy the code
Later, when the traefik container is running, use the command docker logs Traefik to check for “Configuration loaded from file: /traefik.yml”. You don’t want to be the moron that makes a change to Traefik.yml, and it doesn’t do anything because the file isn’t actually used.
create.env
It contains some environment variables.
Domain name, API key, IP address, password… Whether it’s a specific case of one case, or a different case of another, all of this is ideally placed here. These variables are available for docker-compose when the docker-compose up command is run.
This allows authoring files to move more freely from one system to another, and changes can be made to.env files, so there is less chance of an error forgetting to change domain names in some host rules in large authoring files or similar files.
.env
MY_DOMAIN=example.com
DEFAULT_NETWORK=traefik_net
Copy the code
Additional information:
The docker-compose config command shows the compose state after the variable is populated.
These variables are filled in only during the initial build of the container. If an env variable should also be available in the running container, declare it in the Environment section of the compose file.
Create traefik docker – compose. Yml
This is a simple typical compose file.
Port 80 is mapped because we want Traefik to take care of the content on the port – to use it as an entrypoint. Port 8080 is used as a dashboard for traefik to display information. Docker.sock needs to be mounted, so it can actually do the job of interacting with docker. The mount of traefik.yml is the reason given for the static Traefik configuration. The default network is set to the network created in the first step, as it will be set in all the other compose files.
traefik-docker-compose.yml
version: "3.7"
services:
traefik:
image: "Traefik: v2.1"
container_name: "traefik"
hostname: "traefik"
ports:
- "80:80"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./traefik.yml:/traefik.yml:ro"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
Run traefik docker – compose. Yml
Docker-compose -f traefik-docker-compose. Yml up -d will start the Traefik container.
Traefik is running and you can check it out at IP :8080, where you can get the dashboard.
You can also check the logs with Docker logs Traefik.
Additional information:
Usually you’ll see a guide with only one file called docker-comemage.yml. It contains multiple services/containers. Then just docker-compose up -D to get started. When everything is one compose, you don’t even need to bother to define the network. But this time, I prefer to take small, independent steps when learning something new. This is why the custom named Docker-compose file is used, as it allows for easier separation.
Additional information:
You can also see in the tutorial that traefik.yml is not mentioned and that things are simply passed from docker-compose using traefik commands or tags. Providers docker command: –api.insecure=true –providers.docker
But then the composite file looks even messier, you still can’t do anything from there, and sometimes you still need the damn traefik.yml.
So… Now, use the well-structured, readable traefik.yml
Add labels to containers that Traefik should route
Here are examples of whoami, Nginx, Apache, portainer.
– “traefik.enable=true”
Enable traefik
– “traefik.http.routers.whoami.entrypoints=web”
Define a route named whoami that listens at the entry point Web (port 80)
– “traefik.http.routers.whoami.rule=Host(
whoami.$MY_DOMAIN
)”
Defining this WHOAMI routing rule, especially when the URL is equal to whoami.example.com (the domain name is from the.env file), means that the route can do its job and route it to the service.
Nothing else is required, and Traefik can learn the rest from the context in which these tags come from the Docker container.
whoami-docker-compose.yml
version: "3.7"
services:
whoami:
image: "containous/whoami"
container_name: "whoami"
hostname: "whoami"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.routers.whoami.rule=Host(`whoami.$MY_DOMAIN`)"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
nginx-docker-compose.yml
version: "3.7"
services:
nginx:
image: nginx:latest
container_name: nginx
hostname: nginx
labels:
- "traefik.enable=true"
- "traefik.http.routers.nginx.entrypoints=web"
- "traefik.http.routers.nginx.rule=Host(`nginx.$MY_DOMAIN`)"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
apache-docker-compose.yml
version: "3.7"
services:
apache:
image: httpd:latest
container_name: apache
hostname: apache
labels:
- "traefik.enable=true"
- "traefik.http.routers.apache.entrypoints=web"
- "traefik.http.routers.apache.rule=Host(`apache.$MY_DOMAIN`)"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
portainer-docker-compose.yml
version: "3.7"
services:
portainer:
image: portainer/portainer
container_name: portainer
hostname: portainer
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- portainer_data:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.entrypoints=web"
- "traefik.http.routers.portainer.rule=Host(`portainer.$MY_DOMAIN`)"
networks:
default:
external:
name: $DEFAULT_NETWORK
volumes:
portainer_data:
Copy the code
Run the container
docker-compose -f whoami-docker-compose.yml up -d
docker-compose -f nginx-docker-compose.yml up -d
docker-compose -f apache-docker-compose.yml up -d
docker-compose -f portainer-docker-compose.yml up -d
Copy the code
Additional information:
Docker stop $(docker ps -q)
Traefik Routes to local IP addresses
When urls should be aimed at something other than the Docker container.
Define the file provider to add the required routes and services
All you need is a router that can capture certain urls and route them to certain IP addresses. The previous example showed how to capture any URL on port 80, but no one told it what to do if it followed the rules. Traefik just knows because it is done in the context of the container using tags, and because Docker is set up as a provider in Traefik.yml.
The traefik service is required for this “send traffic on some IP”, and to define the Traefik service, a new provider is required, namely file provider – just a (fucking stupid) file, Tell Traefik what to do.
A common practice is to set traefik.yml itself as a file provider for processing.
There is a new file section under the provider and the Traefik.yml itself is set.
Then add the dynamically configured stuff.
A router named Route-to-local-ip has a simple rule for subdomain host names. Content that meets this rule (in this case, the exact url test.example.com) is sent to the LoadBalancer service, which routes it to a specific IP address and a specific port.
traefik.yml
## STATIC CONFIGURATION log: level: INFO api: insecure: true dashboard: true entryPoints: web: address: ":80" providers: docker: endpoint: "unix:///var/run/docker.sock" exposedByDefault: false file: filename: "traefik.yml" ## DYNAMIC CONFIGURATION http: routers: route-to-local-ip: rule: "Host(`test.example.com`)" service: route-to-local-ip-service priority: 1000 entryPoints: - web services: route-to-local-ip-service: loadBalancer: servers: - the url: "http://10.0.19.5:80"Copy the code
The priority of the route is set to 1000, which is a very high value, surpassing any other possible route.
Additional information:
Unfortunately, the.env variable doesn’t work here, otherwise the domain name and IP will be arguments in the host rules. So, look up and you’re sure to forget to change these.
Run traefik – docker – compose
Whether the test is valid
docker-compose -f traefik-docker-compose.yml up -d
Copy the code
Traefik middleware
An example of authentication middleware for any container.
Create a new file, users_credentials
Contains username: Passwords In the format of htpasswd
In the example below, the password Krakatoa is set to all three accounts below
users_credentials
Me: $$$Fr7c L0RIz/oA apr1. 2.6 R1JXIhCiUI1JF0 admin: $$$BFx7a9RIxh1Z0kiJG0juE ELgBQZx3 / apr1 bastard:$apr1$gvhkVK.x$5rxoW.wkw1inm9ZIfB0zs1Copy the code
Mount users_credentials
traefik-docker-compose.yml
version: "3.7"
services:
traefik:
image: "Traefik: v2.1"
container_name: "traefik"
hostname: "traefik"
ports:
- "80:80"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./traefik.yml:/traefik.yml:ro"
- "./users_credentials:/users_credentials:ro"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
Add two labels to any container that should be authenticated
- The first tag will be called
auth-middleware
New middleware attached to the existingwhoami
On the router. - The second tag provides the middleware with the Basicauth type and tells it where the file used to authenticate the user is.
There is no need to install users_credentials here; these are the files traefik requires, and these labels are a way of passing information to Traefik, which should operate in the context of the container.
whoami-docker-compose.yml
version: "3.7"
services:
whoami:
image: "containous/whoami"
container_name: "whoami"
hostname: "whoami"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.routers.whoami.rule=Host(`whoami.$MY_DOMAIN`)"
- "traefik.http.routers.whoami.middlewares=auth-middleware"
- "traefik.http.middlewares.auth-middleware.basicauth.usersfile=/users_credentials"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
nginx-docker-compose.yml
version: "3.7"
services:
nginx:
image: nginx:latest
container_name: nginx
hostname: nginx
labels:
- "traefik.enable=true"
- "traefik.http.routers.nginx.entrypoints=web"
- "traefik.http.routers.nginx.rule=Host(`nginx.$MY_DOMAIN`)"
- "traefik.http.routers.nginx.middlewares=auth-middleware"
- "traefik.http.middlewares.auth-middleware.basicauth.usersfile=/users_credentials"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
To run the container, you now need a login and password
docker-compose -f traefik-docker-compose.yml up -d
docker-compose -f whoami-docker-compose.yml up -d
docker-compose -f nginx-docker-compose.yml up -d
Copy the code
Let’s Encrypt certificate, HTTP Challenge
My understanding of the process has been simplified.
LE
– Let’s Encrypt. Provides the free certificate serviceCertificate
– An encryption key stored in a server file, allowing encrypted communication and identificationACME
– a protocol (precisely agreed communication mode) to negotiate certificates from LE. It is part of Traefik.DNS
– A server on the Internet that converts domain names to IP addresses
Traefik uses ACME to request domain-specific certificates from LE, such as example.com. LE responds with some randomly generated text, which Traefik then places in a specific location on the server. LE then asks the DNS Internet server for example.com, which points to an IP address. LE looks for the IP address through port 80/443 to find the file that contains the random text.
If present, then this proves that the person requesting the certificate is in control of both the server and the domain, because it shows control over the DNS records. A certificate has been issued and is valid for 3 months, traefik will automatically attempt renewal in less than 30 days.
Now let’s see what we can do.
Create an empty acme.json file with 600 permissions
This file stores the certificate and all information about the certificate.
touch acme.json && chmod 600 acme.json
Copy the code
Add 443 entry points and a certificate resolver to traefik.yml
In the EntryPoint section, the new EntryPoint is added as WebSecure, port 443
CertificatesResolvers is a configuration part that tells Traefik how to get certificates using Acme Resolver.
certificatesResolvers:
lets-encr:
acme:
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
storage: acme.json
email: [email protected]
httpChallenge:
entryPoint: web
Copy the code
- The name of the parser is
lets-encr
And use Acme - Commenting out the staging caServer causes LE to issue a staging certificate. This is an invalid certificate that doesn’t give a green lock, but has no restrictions, so it’s good for testing. If it’s working, it says, we encrypt.
- Storage tells where to store a given certificate
acme.json
- Mail is where LE sends certificate expiration notifications
- HttpChallenge has an entry point, so ACme performs HTTP challenge on port 80
That’s all Acme needs
traefik.yml
## STATIC CONFIGURATION
log:
level: INFO
api:
insecure: true
dashboard: true
entryPoints:
web:
address: ": 80"
websecure:
address: ": 443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
certificatesResolvers:
lets-encr:
acme:
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
storage: acme.json
email: [email protected]
httpChallenge:
entryPoint: web
Copy the code
Expose/map port 443 and mount acme.json in traefik-docker-comedy.yml
Note: acme.json is not :ro – read only
traefik-docker-compose.yml
version: "3.7"
services:
traefik:
image: "Traefik: v2.1"
container_name: "traefik"
hostname: "traefik"
env_file:
- .env
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./traefik.yml:/traefik.yml:ro"
- "./acme.json:/acme.json"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
Add the required labels to the container
Compared to pure HTTP in Chapter 1, it simply changes the router’s entry point from Web to WebSecure and assigns a certificate parser called lets-encr to an existing router
whoami-docker-compose.yml
version: "3.7"
services:
whoami:
image: "containous/whoami"
container_name: "whoami"
hostname: "whoami"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.rule=Host(`whoami.$MY_DOMAIN`)"
- "traefik.http.routers.whoami.tls.certresolver=lets-encr"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
nginx-docker-compose.yml
version: "3.7"
services:
nginx:
image: nginx:latest
container_name: nginx
hostname: nginx
labels:
- "traefik.enable=true"
- "traefik.http.routers.nginx.entrypoints=websecure"
- "traefik.http.routers.nginx.rule=Host(`nginx.$MY_DOMAIN`)"
- "traefik.http.routers.nginx.tls.certresolver=lets-encr"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
Run the container
Wait a moment
Containers now work only over HTTPS and have greenlock
Additional information:
Check the contents of acme.json
If you want to start over, delete acme.json
Let’s Encrypt certificate DNS challenge on Cloudflare
My understanding of the process has been simplified.
LE
– Let’s Encrypt. Provides the free certificate serviceCertificate
– An encryption key stored in a server file, allowing encrypted communication and identificationACME
– a protocol (precisely agreed communication mode) to negotiate certificates from LE. It is part of Traefik.DNS
– A server on the Internet that converts domain names to IP addresses
Traefik uses ACME to request domain-specific certificates from LE, such as example.com. LE responds with some randomly generated text, which Traefik then places in a specific location on the server. LE then asks the DNS Internet server for example.com, which points to an IP address. LE looks for the IP address through port 80/443 to find the file that contains the random text.
If present, then this proves that the person requesting the certificate is in control of both the server and the domain, because it shows control over the DNS records. A certificate has been issued and is valid for 3 months, traefik will automatically attempt renewal in less than 30 days.
The advantage over httpChallenge is the ability to use wildcard certificates. These are the certificates that validate all subdomains *.example.com and there is no need to open any ports.
But Traefik needs to be able to make automatic changes to DNS records, so it needs the support of someone who manages your site’s DNS. That’s why CloudFlare was chosen.
Now let’s see what we can do.
Add type A DNS records for all planned subdomains
[whoami, nginx, *] is the example subdomain, and each subdomain should have an A record pointing to traefik IP.
Create an empty acme.json file with 600 permissions
touch acme.json && chmod 600 acme.json
Copy the code
Add 443 entry points and a certificate resolver to Traefik.yml
In the EntryPoint section, the new EntryPoint is added as WebSecure, port 443
CertificatesResolvers is a configuration part that tells Traefik how to get certificates using Acme Resolver.
certificatesResolvers:
lets-encr:
acme:
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
email: [email protected]
storage: acme.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
Copy the code
- The name of the parser is
lets-encr
And use Acme - Commenting out the staging caServer causes LE to issue a staging certificate. This is an invalid certificate that doesn’t give a green lock, but has no restrictions, so it’s good for testing. If it’s working, it says, we encrypt.
- Storage tells where to store a given certificate
acme.json
- Mail is where LE sends certificate expiration notifications
- DnsChallenge is specified by a provider,
In this case, Cloudflare. Each provider needs an environment variable with a different name in the.env file, but that comes later; only the provider name is needed here
- The resolver is the IP of the well-known DNS server used during the challenge
traefik.yml
## STATIC CONFIGURATION
log:
level: INFO
api:
insecure: true
dashboard: true
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
certificatesResolvers:
lets-encr:
acme:
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
email: [email protected]
storage: acme.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
Copy the code
in.env
Add the required variables to the file
We know which variables to add based on the list of supported providers
For cloudflare variables are
CF_API_EMAIL
– cloudflare loginCF_API_KEY
– global api key
.env
MY_DOMAIN=example.com
DEFAULT_NETWORK=traefik_net
[email protected]
CF_API_KEY=8d08c87dadb0f8f0e63efe84fb115b62e1abc
Copy the code
Expose/map port 443 and mount acme.json in traefik-docker-comedy.yml
Note: acme.json is not :ro – read only
traefik-docker-compose.yml
version: "3.7"
services:
traefik:
image: "Traefik: v2.1"
container_name: "traefik"
hostname: "traefik"
env_file:
- .env
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./traefik.yml:/traefik.yml:ro"
- "./acme.json:/acme.json"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
Add the desired labels to the container
Compare this to the simple HTTP in Chapter 1
- Router entry point from
web
Switch to thewebsecure
- The name assigned to the router
lets-encr
Certificate resolver - The label that defines the primary domain from which the certificate will be obtained, in this case whoami.example.com, the domain name is from
.env
Extracted from the file
whoami-docker-compose.yml
version: "3.7"
services:
whoami:
image: "containous/whoami"
container_name: "whoami"
hostname: "whoami"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.rule=Host(`whoami.$MY_DOMAIN`)"
- "traefik.http.routers.whoami.tls.certresolver=lets-encr"
- "traefik.http.routers.whoami.tls.domains[0].main=whoami.$MY_DOMAIN"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
nginx-docker-compose.yml
version: "3.7"
services:
nginx:
image: nginx:latest
container_name: nginx
hostname: nginx
labels:
- "traefik.enable=true"
- "traefik.http.routers.nginx.entrypoints=websecure"
- "traefik.http.routers.nginx.rule=Host(`nginx.$MY_DOMAIN`)"
- "traefik.http.routers.nginx.tls.certresolver=lets-encr"
- "traefik.http.routers.nginx.tls.domains[0].main=nginx.$MY_DOMAIN"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
Run the container
docker-compose -f traefik-docker-compose.yml up -d
docker-compose -f whoami-docker-compose.yml up -d
docker-compose -f nginx-docker-compose.yml up -d
Copy the code
The whole point of the DNS challenge is to get wildcards!
Very fair
Therefore, for wildcards, these tags will be added to traefik compose.
- Use the same as before
lets-encr
Certificate resolver, which is defined in traefik.yml - The wildcard for the subdomain (*.example.com) is set to the primary domain from which the certificate is to be obtained
- The bare field (simply example.com) is set to SANS (subject alternate name)
Again, you do need *.example.com and example.com
Set it to A record in DNS Control panel, pointing to Traefik’s IP
traefik-docker-compose.yml
Version: "3.7" services: traefik: image: "traefik:v2.1" container_name: "traefik" hostname: "traefik" env_file: - .env ports: - "80:80" - "443:443" - "8080:8080" volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" - "./traefik.yml:/traefik.yml:ro" - "./acme.json:/acme.json" labels: - "traefik.enable=true" - "traefik.http.routers.traefik.tls.certresolver=lets-encr" - "traefik.http.routers.traefik.tls.domains[0].main=*.$MY_DOMAIN" - "traefik.http.routers.traefik.tls.domains[0].sans=$MY_DOMAIN" networks: default: external: name: $DEFAULT_NETWORKCopy the code
Now, if the container wants access as a subdomain, all you need is a regular router with URL rules at the port 443 entry point and the same lets-encr certificate parser
whoami-docker-compose.yml
version: "3.7"
services:
whoami:
image: "containous/whoami"
container_name: "whoami"
hostname: "whoami"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.rule=Host(`whoami.$MY_DOMAIN`)"
- "traefik.http.routers.whoami.tls.certresolver=lets-encr"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
nginx-docker-compose.yml
version: "3.7"
services:
nginx:
image: nginx:latest
container_name: nginx
hostname: nginx
labels:
- "traefik.enable=true"
- "traefik.http.routers.nginx.entrypoints=websecure"
- "traefik.http.routers.nginx.rule=Host(`nginx.$MY_DOMAIN`)"
- "traefik.http.routers.nginx.tls.certresolver=lets-encr"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
This is Apache, but this time running on the bare domain example.com
apache-docker-compose.yml
Version: "3.7" services: apache: image: latest container_name: apache hostname: Apache Labels: - "traefik.enable=true" - "traefik.http.routers.apache.entrypoints=websecure" - "traefik.http.routers.apache.rule=Host(`$MY_DOMAIN`)" - "traefik.http.routers.apache.tls.certresolver=lets-encr" networks: default: external: name: $DEFAULT_NETWORKCopy the code
Forward HTTP traffic to HTTPS
HTTP Stops using HTTPS Settings, and it is best to redirect HTTP (80) to HTTPS (443).
Traefik has a special middleware – RedirectScheme.
When traefik.yml itself is set as a file provider, this redirection can be declared at multiple locations in traefik.yml in the dynamic part.
Or use tags in any running container, as this example operates in Traefik Compose.
Add new routing and redirection schemes using tags in Traefik
– “traefik.enable=true”
Enabling Traefik on the Traefik container does not mean that a typical route to the service is required, but that the other tags will not work without it
– “traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https”
Create a new middleware called redirect-to-https, enter “redirectScheme” and assign scheme HTTPS to it.
– “traefik.http.routers.redirect-https.rule=hostregexp(`{host:.+}`)”
Create a new route called redirect-https and use a regular expression rule to catch all incoming requests
– “traefik.http.routers.redirect-https.entrypoints=web”
State at which entry point this router listens – Web (port 80)
– “traefik.http.routers.redirect-https.middlewares=redirect-to-https”
Assign the newly created RedirectScheme middleware to this newly created route.
traefik-docker-compose.yml
version: "3.7"
services:
traefik:
image: "Traefik: v2.1"
container_name: "traefik"
hostname: "traefik"
env_file:
- .env
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./traefik.yml:/traefik.yml:ro"
- "./acme.json:/acme.json"
labels:
- "traefik.enable=true"
## DNS CHALLENGE
- "traefik.http.routers.traefik.tls.certresolver=lets-encr"
- "traefik.http.routers.traefik.tls.domains[0].main=*.$MY_DOMAIN"
- "traefik.http.routers.traefik.tls.domains[0].sans=$MY_DOMAIN"
## HTTP REDIRECT
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.routers.redirect-https.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.redirect-https.entrypoints=web"
- "traefik.http.routers.redirect-https.middlewares=redirect-to-https"
networks:
default:
external:
name: $DEFAULT_NETWORK
Copy the code
I am for less.
Wechat: uuhells123.
Public account: Hacker afternoon tea.
Thank you for your support 👍👍👍!