Quick Start: Traefik with HTTPS

How to enable HTTPS for Traefik and make browsers trust the certificate.


Preparation

Create the necessary directories and files:

mkdir -p traefik/dynamic-conf traefik/certs && cd traefik && touch compose.yml traefik.yml dynamic-conf/self.yml

Configuration Files

compose.yml

services:
    traefik:
        image: traefik:3.1
        ports:
            - "80:80"
            - "443:443"
        environment:
            - TZ=Asia/Shanghai
        volumes:
            # Traefik looks for its static config at /etc/traefik/traefik.yml or /traefik.yml; either mount path works.
            - "./traefik.yml:/etc/traefik/traefik.yml"
            # The dynamic-conf directory name is our own choice; it must match providers.file.directory in traefik.yml.
            - "./dynamic-conf:/etc/traefik/dynamic-conf"
            - "./certs:/certs"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
        networks:
            - traefik-net

networks:
    traefik-net:
        name: traefik-net
        ipam:
            config:
                -   subnet: 172.16.238.0/24

Note: Mounting the Docker socket (/var/run/docker.sock) can pose security risks, because whoever controls the socket controls the host's Docker daemon. The traefik.yml below only enables the file provider, so this quick start does not need the socket at all and the mount can simply be dropped; in production, consider more secure alternatives before exposing it.

traefik.yml

### Static Configuration
log:
    level: INFO
api:
    dashboard: true
entryPoints:
    web:
        address: :80
        http:
            redirections:
                entryPoint:
                    to: websecure
                    scheme: https
                    permanent: true
    websecure:
        address: :443
providers:
    file:
        directory: /etc/traefik/dynamic-conf
        watch: true

self.yml (in the dynamic-conf directory)

### Dynamic Configuration
tls:
    certificates:
        -   certFile: /certs/cert.pem
            keyFile: /certs/key.pem
http:
    routers:
        dashboard:
            rule: Host(`traefik.x.internal`)
            service: api@internal
            tls: { }

DNS Configuration

Configure your DNS or modify your hosts file:

  • For Unix-like systems: Edit /etc/hosts
  • For Windows: Edit C:\Windows\System32\drivers\etc\hosts

Add the following line:

127.0.0.1 traefik.x.internal

Generate Self-Signed Certificates

Choose one of the following options:

Option 1: Using mkcert

mkcert can solve browser trust issues. Install mkcert, then run:

# generate the certs directly in the current directory
# mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

# specify the cert output directory (the certs/ dir mounted into the container)
mkcert -key-file certs/key.pem -cert-file certs/cert.pem x.internal "*.x.internal"
mkcert -install

Option 2: Using openssl

a. Command line configuration:

openssl req -new -x509 -nodes -newkey rsa:4096 -days 365 \
    -subj "/C=CN/ST=SH/L=Shanghai/CN=*.x.internal" \
    -keyout certs/key.pem \
    -out certs/cert.pem

b. Configuration file (ssl.cnf):

# With -x509, the default_days value from the config file is ignored (a bug),
# so pass -days on the command line as a workaround.
openssl req -x509 -new -nodes -days 365 \
    -config ssl.cnf \
    -keyout certs/key.pem \
    -out certs/cert.pem

ssl.cnf looks as follows:

Tip: in the [alt_names] section (DNS.1, DNS.2, IP.7, DNS.11 below), the numeric suffixes only have to be unique; they do not need to be consecutive or in order.

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
x509_extensions    = v3_req

[ req_distinguished_name ]
C  = CN
ST = SH
L  = Shanghai
O  = Individual
OU = MyStudio
CN = x.internal

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1  = x.internal
DNS.2  = *.x.internal
IP.7   = 127.0.0.1
DNS.11 = localhost
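Browsers check the requested host name against the certificate's subjectAltName entries rather than the CN, so it is worth confirming which names an [alt_names] section actually covers before running openssl. The following Python is an added example and not part of the tutorial: it parses a constructed [alt_names] section with the standard library (showing that the numbering gaps from the tip above are harmless) and applies the same wildcard rule browsers use, so *.x.internal is shown to cover traefik.x.internal but not x.internal itself.

```python
import configparser
import ipaddress

# Constructed sample: just the [alt_names] section of the ssl.cnf above.
# The suffixes 1, 2, 7, 11 only need to be unique; gaps and order do not matter.
SSL_CNF = """
[alt_names]
DNS.1  = x.internal
DNS.2  = *.x.internal
IP.7   = 127.0.0.1
DNS.11 = localhost
"""


def parse_alt_names(cnf_text):
    """Return (dns_names, ip_addresses) listed under [alt_names]."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep "DNS.1" / "IP.7" keys exactly as written
    cp.read_string(cnf_text)
    dns, ips = [], []
    if cp.has_section("alt_names"):
        for key, value in cp.items("alt_names"):
            kind = key.split(".", 1)[0].upper()  # the index after "." is ignored
            if kind == "DNS":
                dns.append(value.strip().lower())
            elif kind == "IP":
                ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips


def san_matches(host, dns_names, ips):
    """True if host is covered by a SAN entry; the CN is never consulted."""
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass  # not an IP literal, so compare against the DNS entries
    labels = host.lower().rstrip(".").split(".")
    for name in dns_names:
        pattern = name.split(".")
        if pattern == labels:
            return True
        # Wildcard rule: "*" stands for exactly one non-empty leftmost label, so
        # *.x.internal covers traefik.x.internal but not x.internal or a.b.x.internal.
        if pattern[0] == "*" and len(pattern) == len(labels) \
                and labels[0] and pattern[1:] == labels[1:]:
            return True
    return False


def covered_hosts(cnf_text, hosts):
    """Map each host name to whether the [alt_names] in cnf_text covers it."""
    dns, ips = parse_alt_names(cnf_text)
    return {h: san_matches(h, dns, ips) for h in hosts}
```

A config with no [alt_names] section (as in the command-line variant, which sets only the CN) yields no covered hosts at all.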

Run

docker compose up -d
# Alternative commands:
# docker compose -p traefik up -d
# docker compose -f ./compose.yml -p traefik up -d

Access: https://traefik.x.internal