Basic configuration
While I had a hard time setting up traefik for the first time, once you get the hang of it, it really does a nice job.
To save you some time, I recommend understanding the difference between the traefik.yml and config.yml files. As I found out (too) late, this is described here:
Configuration in Traefik can refer to two different things:
The install (startup) configuration (formerly known as the static configuration)
The routing configuration (formerly known as the dynamic configuration)
So “install (startup) configuration / static configuration” will go to traefik.yml, while “routing configuration / dynamic configuration” will go to config.yml.
Preparations
For the coming templates I assume that traefik is configured and up and running.
Templates
HTTP
ACME – SSL certificates
One of the main selling points of traefik is its built-in ACME support.
My setup, however, does not use the HTTP-01 challenge but DNS-based validation (DNS-01) with RFC 2136 dynamic updates, which requires some extra setup. Setting up your DNS server accordingly is out of scope for this article, so I'll assume you already have this up and running for your former ACME service like letsencrypt. If that's the case, you should also know about TSIG keys, algorithms and secrets (or should be able to copy them from your former setup).
Here's the certificate resolver from my traefik.conf, i.e. the startup (static) configuration:
    # See https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
    certificatesResolvers:
      letsEncrypt:
        acme:
          # Default letsencrypt servers:
          caServer: "https://acme-v02.api.letsencrypt.org/directory"
          # Staging servers:
          #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
          email: "letsEncrypt@mydomain.de"
          storage: "/etc/traefik/acme/acme.json"
          dnsChallenge:
            provider: rfc2136
            resolvers:
              # use external authoritative name servers (ANS) / IPs
              - ext-ns.mydomain.de
            propagation:
              delayBeforeChecks: 10
              disableANSChecks: true
              requireAllRNS: true
However, that's not all: for RFC 2136 based validation traefik uses lego, which requires some more settings passed as environment variables (see the lego documentation). As I am running traefik with docker compose, those settings go into my .env file:
    # Letsencrypt - RFC 2136
    RFC2136_NAMESERVER=192.168.1.2
    RFC2136_TSIG_SECRET=xYzMySuPeRsEcRetTs1GSeCretAndSomeMoreCharacters==
    # algorithm needs to be lower case!
    RFC2136_TSIG_ALGORITHM=hmac-sha512
    RFC2136_TSIG_KEY=certbot-update-key.
    RFC2136_PROPAGATION_TIMEOUT=10
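Because a wrong value here only shows up as a failed certificate order minutes later, a pre-flight check of the .env file saves a lot of log reading. The following script is an added example and not part of the original post or of traefik/lego: it parses a .env file the way docker compose does and checks the RFC2136_* settings for the pitfalls above (upper-case algorithm name, secret that is not base64, malformed nameserver, non-numeric timeout). The sample file and the dummy secret are constructed here; the list of TSIG algorithm names is an assumption, not taken from lego's source.

```python
import base64
import binascii
import re

# Constructed sample modelled on the .env block above; the secret is a dummy
# base64 string, not a real TSIG key.
SAMPLE_ENV = """\
# Letsencrypt - RFC 2136
RFC2136_NAMESERVER=192.168.1.2
RFC2136_TSIG_SECRET=dGhpcyBpcyBub3QgYSByZWFsIGtleQ==
# algorithm needs to be lower case!
RFC2136_TSIG_ALGORITHM=hmac-sha512
RFC2136_TSIG_KEY=certbot-update-key.
RFC2136_PROPAGATION_TIMEOUT=10
"""

# The same file with the mistake the post warns about (upper-case algorithm)
# and a secret that is not base64 at all.
BROKEN_ENV = SAMPLE_ENV.replace("hmac-sha512", "HMAC-SHA512").replace(
    "dGhpcyBpcyBub3QgYSByZWFsIGtleQ==", "not base64!")

# TSIG algorithm names we accept (assumed list, lower case as the post requires).
KNOWN_ALGORITHMS = {"hmac-md5", "hmac-sha1", "hmac-sha224",
                    "hmac-sha256", "hmac-sha384", "hmac-sha512"}
REQUIRED = ("RFC2136_NAMESERVER", "RFC2136_TSIG_KEY",
            "RFC2136_TSIG_SECRET", "RFC2136_TSIG_ALGORITHM")


def parse_env(text):
    """Parse KEY=VALUE lines like docker compose reads .env (comments and blanks skipped)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip().strip("'\"")
    return env


def check_rfc2136_env(env):
    """Return a list of problems with the RFC2136_* settings; empty means they look usable."""
    problems = []
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is missing or empty")
    alg = env.get("RFC2136_TSIG_ALGORITHM", "")
    if alg != alg.lower():
        problems.append(f"RFC2136_TSIG_ALGORITHM must be lower case, got {alg!r}")
    elif alg and alg not in KNOWN_ALGORITHMS:
        problems.append(f"RFC2136_TSIG_ALGORITHM {alg!r} is not a known TSIG algorithm")
    secret = env.get("RFC2136_TSIG_SECRET", "")
    if secret:
        try:
            # TSIG secrets are base64; validate=True rejects stray characters.
            base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            problems.append("RFC2136_TSIG_SECRET is not valid base64")
    ns = env.get("RFC2136_NAMESERVER", "")
    if ns and not re.fullmatch(r"[A-Za-z0-9.\-]+(:[0-9]{1,5})?", ns):
        problems.append(f"RFC2136_NAMESERVER {ns!r} should be a host name or IPv4 address, optionally with :port")
    timeout = env.get("RFC2136_PROPAGATION_TIMEOUT")
    if timeout is not None and not timeout.isdigit():
        problems.append(f"RFC2136_PROPAGATION_TIMEOUT {timeout!r} must be a whole number of seconds")
    return problems


def validate_env_text(text):
    """Convenience wrapper: parse a .env text and check it in one go."""
    return check_rfc2136_env(parse_env(text))


if __name__ == "__main__":
    for name, text in (("SAMPLE_ENV", SAMPLE_ENV), ("BROKEN_ENV", BROKEN_ENV)):
        problems = validate_env_text(text)
        print(f"{name}: {'OK' if not problems else 'problems found'}")
        for problem in problems:
            print("  -", problem)
```

To check a real file, read it with open(".env").read() and pass the text to validate_env_text; an empty list means traefik at least gets syntactically usable values, it does not prove the key is authorised on your DNS server.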
Note that the .env file now carries your TSIG secret, so restrict its permissions like you do for acme.json. With that in place, traefik requests a certificate automatically when a container with the matching labels starts up:
    services:
      traefik:
        image: traefik:v3
        labels:
          - "traefik.enable=true"
          - "traefik.docker.network=t3_proxy"
          - "traefik.http.routers.traefik.entrypoints=https"
          - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.de`)"
          - "traefik.http.routers.traefik.tls=true"
          - "traefik.http.routers.traefik.tls.options=modern@file"
          - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
And just to save you some time: I just spent an hour trying to figure out why traefik refused to create a certificate for a new service (configured like 50 others). In the end the cause turned out to be the “unhealthy” state of that container: traefik's Docker provider ignores containers whose healthcheck is not passing, so no router and no certificate get created for them. So just in case you hit this: either disable the healthcheck (or fix it).
Authentication – OpenID
While traefik supports OpenID Connect, this feature is only available in the paid version. However, there are community plugins that do a very good job of replacing the built-in middleware.
For OpenID Connect (OIDC) I went for traefikoidc (its GitHub page lists even more config options). Like every traefik plugin it has to be declared under experimental.plugins in the startup (static) configuration before the middleware labels below resolve. Also keep in mind that label values, including the clientSecret, are readable by anyone who can run docker inspect on the host.
So in order to protect my traefik dashboard itself, I added these labels to my docker-compose.yml:
    services:
      traefik:
        image: traefik:v3
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.traefik.middlewares=traefik-oidc@docker"
          - "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.clientID=my-oidc-clientid"
          - "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.clientSecret=my-oidc-clientsecret"
          - "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.providerURL=https://keycloak.mydomain.de/realms/MYDOMAIN"
          - "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.callbackURL=/oauth2/callback"
          - "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.sessionEncryptionKey=32-byte-encryption-key"
          # Optional: limit access to certain users. The middleware name must match
          # the one attached to the router above, otherwise the restriction never applies.
          - "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.allowedUsers=superadmin@mydomain.de,traefik-admin@mydomain.de"
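With label-based configuration, the middleware name is repeated in every label, so a copy-paste slip (defining the allowedUsers option under one middleware name while the router is wired to another) silently leaves the dashboard open to every authenticated user, and traefik only logs a warning at best. The following script is an added example, not code from the post or from traefik/traefikoidc: it parses a list of compose labels, cross-checks which middlewares routers reference against which middlewares are actually defined, and reports both directions of mismatch. The label set is constructed here with placeholder values, and the 32-byte length check for sessionEncryptionKey is an assumption derived from the post's placeholder, not a documented plugin requirement.

```python
import re

# Constructed label set modelled on the docker-compose.yml above (placeholder values).
# The last label deliberately uses a different middleware name to show the slip.
LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.de`)",
    "traefik.http.routers.traefik.middlewares=traefik-oidc@docker",
    "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.clientID=my-oidc-clientid",
    "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.clientSecret=my-oidc-clientsecret",
    "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.providerURL=https://keycloak.mydomain.de/realms/MYDOMAIN",
    "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.callbackURL=/oauth2/callback",
    "traefik.http.middlewares.traefik-oidc.plugin.traefikoidc.sessionEncryptionKey=32-byte-encryption-key",
    "traefik.http.middlewares.rspamd-oidc.plugin.traefikoidc.allowedUsers=superadmin@mydomain.de",
]

ROUTER_MW = re.compile(r"^traefik\.http\.routers\.([^.]+)\.middlewares$")
MW_OPT = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.(.+)$")


def parse_labels(labels):
    """Split 'key=value' labels into router -> [middleware names] and middleware -> {option: value}."""
    routers, middlewares = {}, {}
    for label in labels:
        key, _, value = label.partition("=")
        m = ROUTER_MW.match(key)
        if m:
            # Drop the '@docker' provider suffix so names compare with the definitions.
            routers[m.group(1)] = [mw.split("@")[0].strip() for mw in value.split(",")]
            continue
        m = MW_OPT.match(key)
        if m:
            middlewares.setdefault(m.group(1), {})[m.group(2)] = value
    return routers, middlewares


def audit_labels(labels):
    """Return human-readable findings about dangling or unattached middleware definitions."""
    routers, middlewares = parse_labels(labels)
    findings = []
    referenced = {mw for mws in routers.values() for mw in mws}
    for router, mws in routers.items():
        for mw in mws:
            if mw not in middlewares:
                findings.append(f"router {router!r} references undefined middleware {mw!r}")
    for mw, opts in middlewares.items():
        if mw not in referenced:
            findings.append(f"middleware {mw!r} is defined but attached to no router (options: {sorted(opts)})")
        # Assumed requirement: a 32-byte key, as the post's placeholder name suggests.
        key = opts.get("plugin.traefikoidc.sessionEncryptionKey")
        if key is not None and len(key.encode()) != 32:
            findings.append(f"middleware {mw!r}: sessionEncryptionKey is {len(key.encode())} bytes, expected 32")
    return findings


if __name__ == "__main__":
    for finding in audit_labels(LABELS):
        print("-", finding)
```

Run against the constructed labels it flags the rspamd-oidc definition that no router uses and the too-short placeholder key; renaming rspamd-oidc to traefik-oidc makes the first finding disappear. For a real deployment, feed it the labels from docker inspect or from the compose file.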
