Docker image for running Traefik as an HTTPS proxy for up to three other containers by just providing a few environment variables for configuration
Sometimes you need HTTPS for local development, for example when implementing FIDO U2F 2-Step Verification / Two-Factor Authentication. The FIDO U2F spec strictly requires HTTPS in the browser.
This container runs Traefik using a local configuration file. The entrypoint script updates the configuration based on environment variables to keep it as simple as possible to use.
Let's Encrypt can either verify your SSL certificate request by making an HTTP call to your server or verifying a DNS record. Since we're talking about local development the HTTP challenge will not work, but DNS can so long as your DNS is managed by a compatible provider. A list of compatible providers is available at https://docs.traefik.io/https/acme/#providers.
Create A records in your DNS provider for the local development domains you want, something like dev1.domain.com or app1.domain.com and have them point to 127.0.0.1
so that when requested in your browser you'll just be directed to your own machine. When Traefik calls Let's Encrypt to provision certificates it will receive a challenge and create
a TXT record on your DNS provider for Let's Encrypt to verify before it receives your certificate.
In your docker-compose.yml
, include a service like:
proxy:
image: silintl/traefik-https-proxy
ports:
- "80:80"
- "443:443"
volumes:
#- ./traefik.toml:/etc/traefik/traefik.toml
- ./cert/:/cert/
env_file:
- ./local.env
Copy the local.env.example
file to local.env
and update it with appropriate values. Using a separate file
for environment configuration helps prevent commiting it to version control with credentials in it.
Required env vars:
DNS_PROVIDER
- A valid value from https://docs.traefik.io/https/acme/#providers. Each provider will also required additional env vars for authentication. For examplecloudflare
requiresCLOUDFLARE_EMAIL
andCLOUDFLARE_API_KEY
.LETS_ENCRYPT_EMAIL
- An email address to use with Lets Encrypt, does not need to be previously "registered"LETS_ENCRYPT_CA
- Eitherstaging
orproduction
. Traefik does not appear to respect the staging caServer at the moment though.TLD
- Used as the main domain on Lets Encrypt certificate, something likedomain.com
SANS
- Comma separated list of domains to include on cert, something likeapp1.domain.com,app2.domain.com
BACKEND1_URL
- Url to backend #1, usually the name of the docker service in url form, example:http://app1:80
FRONTEND1_DOMAIN
- The domain name that should be routed toBACKEND1_URL
, example:app1.domain.com
Optional env vars:
BACKEND2_URL
- If you need to route a second domain to a different container, define backend url here, example:http://app2:80
FRONTEND2_DOMAIN
- The domain name that should be routed toBACKEND2_URL
, example:app2.domain.com
BACKEND3_URL
- If you need to route a third domain to a different container, define backend url here, example:http://app3:80
FRONTEND3_DOMAIN
- The domain name that should be routed toBACKEND3_URL
, example:app3.domain.com
You'll notice in the docker-compose.yml
example above a commented out volume for traefik.toml
. If you
don't want to use the simplified template that comes with this container and want to customize it, just provide
your own config file and volume it in. The entrypoing script looks for specific placeholders and should not
modify your own provided config.
MIT License
Copyright (c) 2021 SIL International
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.