traefik-proxy-boilerplate
No more messing around with nginx or Apache config, certbot, etc. This repository contains code to quickly set up Traefik as a reverse proxy, using Docker Compose or a Kubernetes cluster, to host a website with Let's Encrypt SSL certificates that renew automatically. If you hit the Let's Encrypt API limits, no problem: this also works with ZeroSSL.
Traefik + Docker compose

Directory structure
The project is divided into two main sections: the first contains the Docker Compose config, the second contains the Kubernetes YAML config files.
.
├── LICENSE
├── README.md
├── docker                              # Docker Compose config
│   ├── docker-compose.yml
│   └── traefik.yml
└── kubernetes                          # Kubernetes config
    ├── kind
    │   └── kind.config.yaml            # Kind cluster config
    ├── metal-lb
    │   └── metallb-configmap.yaml      # metallb config (optional)
    ├── traefik
    │   ├── helm
    │   │   └── traefik.values.yaml     # Values to initialise helm chart
    │   ├── TLSoptions.yaml             # Traefik CRD TLSoptions config
    │   ├── middleware.yaml             # Traefik CRD middleware config
    │   └── traefik
    └── web-deployment
        ├── nginx-deployment.yaml       # Sample web deployment
        ├── nginx-service.yaml          # Sample web service
        └── traefik-ingress-route.yaml  # Traefik ingress route to webservice
Steps to get Started
It is assumed that you have created a cloud instance and installed docker and docker compose.
Installation instructions for Docker and Docker compose can be found here:
Next you will need to set DNS A records that point to the Public IP of your instance that you will be using to host the website.
Assuming that you have a working docker image for the website, update the docker compose file.
- Update the image in the website section
website:
  image: example-image
- Update the domain name at traefik.http.routers.blog.rule=Host(`example.com`)
labels:
  - traefik.enable=true
  - traefik.http.routers.blog.rule=Host(`example.com`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
Now it is time to update the traefik.yml:
- Update the certificatesResolvers section with a valid email address
certificatesResolvers:
  myresolver:
    acme:
      email: email@example.com
      storage: acme.json
      # Uncomment the caServer to use the staging server to avoid hitting letsencrypt api limits
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web
- Update the rule in router section with the correct domain name.
http:
  routers:
    Router-1:
      service: "service-1"
      middlewares:
        - "secure-headers"
      rule: "Host(`example.com`)"
      tls:
        options: foo
Start the containers using the below command.
docker-compose up -d
Change acme to zero ssl
Sign up for the free plan and generate the kid and hmacEncoded values in the developer section at https://app.zerossl.com/developer
certificatesResolvers:
  myresolver:
    acme:
      email: email@example.com
      storage: acme.json
      caServer: "https://acme.zerossl.com/v2/DV90"
      eab:
        kid: jerlkqwejrlkjoij
        hmacEncoded: hqwkjeqkwejr
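A preflight check for the two resolver variants above (Let's Encrypt and ZeroSSL), to run before `docker-compose up -d`. This is an added example, not part of this repository; the function names are made up for illustration, and it assumes traefik.yml and acme.json sit in the same directory, passed as the first argument.

```shell
#!/bin/sh
# Added example: preflight checks for the ACME resolver config shown above.
# Assumption: acme.json is a host file next to traefik.yml (bind-mounted into Traefik).

# Traefik refuses an ACME storage file with permissions wider than 600,
# because it holds the account key and certificate private keys.
check_acme_storage() {
    f="$1"
    [ -e "$f" ] || ( umask 077 && : > "$f" )     # create owner-only if missing
    mode=$(ls -l "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "FAIL: $f is $mode, run: chmod 600 $f" >&2
        return 1
    fi
}

# Print the value of the first "key: value" line; commented-out lines do not match.
yaml_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d "\"'"
}

# Flag the placeholder email, a staging CA, and a ZeroSSL CA without EAB values.
check_resolver() {
    cfg="$1"; rc=0
    email=$(yaml_value email "$cfg")
    ca=$(yaml_value caServer "$cfg")
    case "$email" in
        ""|*@example.com) echo "FAIL: set a real ACME email (found '$email')" >&2; rc=1 ;;
    esac
    case "$ca" in
        *staging*) echo "WARN: staging caServer issues untrusted certificates" >&2 ;;
        *zerossl*)
            # ZeroSSL requires External Account Binding (kid + hmacEncoded).
            if [ -z "$(yaml_value kid "$cfg")" ] || [ -z "$(yaml_value hmacEncoded "$cfg")" ]; then
                echo "FAIL: ZeroSSL caServer needs eab.kid and eab.hmacEncoded" >&2; rc=1
            fi ;;
    esac
    return $rc
}

# Usage: sh preflight.sh docker
[ "$#" -eq 0 ] || { check_acme_storage "$1/acme.json" && check_resolver "$1/traefik.yml"; }
```

Since `kid` and `hmacEncoded` are account credentials, keep the real values out of any traefik.yml that gets committed.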
Traefik + kind Kubernetes cluster

This guide assumes that you have limited computing resources and therefore we use kind to deploy a kubernetes cluster. If you have access to a fully functional kubernetes cluster, skip the kind installation and bootstrapping steps.
Helm installation
The installation instructions can be found at https://helm.sh/docs/intro/install/ — below is a handy script from the helm official docs:
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
Now let’s install traefik using helm:
helm install traefik traefik/traefik -n traefik --create-namespace -f kubernetes/traefik/helm/traefik.values.yaml
Next step is to configure traefik TLS Options and middleware:
kubectl apply -f kubernetes/traefik/
Now let’s create a sample kubernetes deployment and create an ingress route for it:
kubectl apply -f kubernetes/web-deployment/
