A reverse proxy / load balancer that’s easy, dynamic, automatic, fast, full-featured, open source, production proven, provides metrics, and integrates with every major cluster technology.
DNS-01 challenge
It’s possible to enable SSL/TLS for a domain on your local network via a so-called DNS-01 challenge. DNS-01 proves control of the domain through a TXT record created via the DNS provider’s API, so the host itself never has to be reachable from the internet. For that you need a purchased domain. My domain is provided by Namecheap. In the domain settings, you need to add an A record that routes the domain or its subdomains to the IP of the Traefik host on your local subnet. In the example below, I’ll assume that Traefik is running on 192.168.1.1. With the asterisk (wildcard) record, you can serve any number of subdomains without having to manually add a record for each one.
DNS Record Type | Host | Address |
---|---|---|
A Record | @ | 192.168.1.1 |
A Record | some-subdomain | 192.168.1.1 |
A Record | * | 192.168.1.1 |
Example docker-compose.yml
```yaml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports:
      - "8080:8080"
      - "80:80"
      - "443:443"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-local.tls=true"
      - "traefik.http.routers.traefik-local.entrypoints=websecure"
      - "traefik.http.routers.traefik-local.tls.certresolver=namecheap"
      - "traefik.http.routers.traefik-local.tls.domains[0].main=DOMAIN"
      - "traefik.http.routers.traefik-local.tls.domains[0].sans=*.DOMAIN"
      - "traefik.http.services.traefik-local.loadbalancer.server.port=8080"
      # Auth
      # CREDENTIALS is a user:hash pair as produced by htpasswd;
      # in a compose file every "$" in the hash has to be written as "$$".
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=CREDENTIALS"
      - "traefik.http.routers.traefik-local.middlewares=dashboard-auth"
      # Dashboard
      - "traefik.http.routers.traefik-local.rule=Host(`DOMAIN`)"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yml:/etc/traefik/traefik.yml
      # acme.json has to exist before the first start with mode 600,
      # otherwise Traefik refuses to store certificates in it.
      - ./data/acme.json:/acme.json
    environment:
      # Credentials for the Namecheap DNS API used by the DNS-01 challenge.
      NAMECHEAP_API_USER: "USER"
      NAMECHEAP_API_KEY: "KEY"
    networks:
      - traefik

networks:
  traefik:
    external: true
```
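
The compose file mounts `./traefik.yml`, which the page does not show. A static configuration that would fit the labels above, as an added example and not the author's own file: the resolver name `namecheap`, the entry point `websecure`, the storage path `/acme.json` and the network `traefik` come from the compose file, while the e-mail address, the `web` entry point, the `api` settings and the DNS resolver addresses are assumptions.

```yaml
# traefik.yml (static configuration), constructed example
entryPoints:
  web:                          # assumption: port 80 only redirects to HTTPS
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:                    # name referenced by the router labels
    address: ":443"

api:
  dashboard: true
  # Assumption: the dashboard listens on :8080, because the compose labels
  # forward to loadbalancer.server.port=8080. This listener has no
  # authentication of its own; the dashboard-auth middleware only applies to
  # requests that arrive through the traefik-local router, not to the
  # published "8080:8080" port.
  insecure: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false     # route only containers with traefik.enable=true
    network: traefik            # network used to reach the backend containers

certificatesResolvers:
  namecheap:                    # matches tls.certresolver=namecheap
    acme:
      email: "admin@example.com"    # placeholder, use your own address
      storage: /acme.json           # mounted from ./data/acme.json
      # Uncomment while testing to avoid the production rate limits:
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: namecheap         # reads NAMECHEAP_API_USER / NAMECHEAP_API_KEY
        resolvers:                  # assumption: public resolvers for the TXT check
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```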
Services can connect with traefik via labels. Here’s an example of what those labels can look like for AdguardHome:
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.adguard.rule=Host(`DOMAIN`)"
  - "traefik.http.routers.adguard.entrypoints=websecure"
  - "traefik.http.routers.adguard.tls=true"
  - "traefik.http.services.adguard.loadbalancer.server.port=80"
```
The services also have to be on the same network as Traefik, so the following is required in each service's compose file for Traefik to correctly proxy requests to them:
```yaml
# in the service definition
networks:
  - traefik

# at the top level of the compose file
networks:
  traefik:
    external: true
```