This repository was archived by the owner on Mar 6, 2026. It is now read-only.

Docker + Traefik + Let’s Encrypt

Requirements

Configuration

Traefik has a static configuration (provided by us) and a dynamic configuration (provided by Docker).

In this project the environment variable based static configuration is set within the environment section of the traefik service. The dynamic configuration is set within the labels section of services using the reverse proxy.

Setup

Staging

If DOMAIN and ACME_MAIL are set in the .env file, simply run:

docker-compose up -d

If you prefer to pass these values explicitly to the docker-compose command:

DOMAIN=<your_domain> ACME_MAIL=<admin_email> docker-compose up -d

The Traefik Dashboard can be accessed on its subdomain (e.g.: https://traefik.example.com). In staging, username and password are both set to "traefik".

Production

For production you must override docker-compose.yml with docker-compose.prod.yml in order to use production-ready configurations.

When using docker-compose.prod.yml, credentials for the Traefik Dashboard must be set explicitly. The traefik service is configured with the DigestAuth middleware for authentication. The digest token can be generated with htdigest using the realm traefik, and must be passed to docker-compose via the DASHBOARD_DIGESTAUTH_TOKEN environment variable:

DASHBOARD_DIGESTAUTH_TOKEN=<digest_token> \
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d

If DOMAIN and ACME_MAIL are not set in the .env file:

DOMAIN=<your_domain> ACME_MAIL=<admin_email> DASHBOARD_DIGESTAUTH_TOKEN=<digest_token> \
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
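
A line written by htdigest has the form user:realm:MD5(user:realm:password). The shell functions below are an added example, not part of this repository: they build that line for the realm traefik and reject a token whose password equals its user name, which covers the staging default traefik/traefik. The function names and the user name admin are assumptions, and md5sum is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the repository. Builds and checks a DigestAuth
# entry in the htdigest format: user:realm:MD5(user:realm:password).
#
# Usage (password is read from the terminal, so it stays out of shell history;
# "admin" is a constructed user name):
#   stty -echo; read -r pw; stty echo
#   DASHBOARD_DIGESTAUTH_TOKEN=$(digest_token admin "$pw")

REALM="traefik"   # realm named in the README

# digest_token USER PASSWORD -> prints "USER:traefik:<32 hex chars>"
digest_token() {
    dt_user=$1
    dt_pass=$2
    case $dt_user in
        ""|*:*) echo "user must be non-empty and contain no ':'" >&2; return 1 ;;
    esac
    dt_hash=$(printf '%s:%s:%s' "$dt_user" "$REALM" "$dt_pass" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$dt_user" "$REALM" "$dt_hash"
}

# check_token TOKEN -> returns 0 only if TOKEN is well-formed for the realm
# and its password is not identical to its user name (the staging default
# traefik/traefik is the case this README mentions).
check_token() {
    ct_token=$1
    printf '%s\n' "$ct_token" | grep -Eq "^[^:]+:${REALM}:[0-9a-f]{32}\$" || {
        echo "malformed token or wrong realm" >&2; return 1; }
    ct_user=${ct_token%%:*}
    if [ "$ct_token" = "$(digest_token "$ct_user" "$ct_user")" ]; then
        echo "password equals user name; choose a different password" >&2
        return 1
    fi
    return 0
}
```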

Connect services

By default, containers running on the same Docker Engine are not connected to the same Docker network as the traefik service, and they are not discovered even if they are. To be served through the traefik service with a Let's Encrypt certificate, a container must be connected to the reverse_proxy network and be labeled with traefik.enable=true and traefik.http.routers.<routername>.tls.certresolver=letsencrypt.

Here is an example of docker-compose.yml for a very simple webserver being served through traefik using the aforementioned labels and networks configuration:

services:
  static-webserver:
    image: python
    volumes:
      - ./static-webserver:/static-webserver:ro
    working_dir: /static-webserver
    command: python -m http.server 443
    expose: [443]
    labels:
      - traefik.enable=true
      - traefik.http.routers.static-webserver.tls.certresolver=letsencrypt
networks:
  default:
    external: true
    name: reverse_proxy

Traefik is preconfigured with a default rule that uses the application's service name to route the matching subdomain to the application (e.g.: static-webserver is available at https://static-webserver.example.com). This behaviour can be changed by setting a custom rule in the application's labels.