Quick Start: Traefik with HTTP/3

How to enable HTTP/3 for Traefik

Preparation

Create the necessary directories and files:

mkdir -p traefik/dynamic-conf traefik/certs && cd traefik && touch compose.yml traefik.yml dynamic-conf/self.yml

Configuration Files

compose.yml

services:
  traefik:
    image: traefik:3.1
    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"  # Required for HTTP/3
    environment:
      - TZ=Asia/Shanghai
    volumes:
      - "./traefik.yml:/etc/traefik/traefik.yml"
      - "./dynamic-conf:/etc/traefik/dynamic-conf"
      - "./certs:/certs"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik-net

networks:
  traefik-net:
    name: traefik-net
    ipam:
      config:
        - subnet: 172.16.238.0/24

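Security Note: Mounting the Docker socket (/var/run/docker.sock) gives the container access to the Docker API, which is effectively root-equivalent on the host; the :ro flag only protects the socket file and does not restrict API calls. The traefik.yml below enables only the file provider, so this quick start does not need the socket. Consider using more secure alternatives in production environments.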

traefik.yml

# Static Configuration
log:
  level: INFO
api:
  dashboard: true
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
    http3: {}  # Enables HTTP/3 support
providers:
  file:
    directory: /etc/traefik/dynamic-conf
    watch: true

dynamic-conf/self.yml

# Dynamic Configuration
tls:
  certificates:
    - certFile: /certs/cert.pem
      keyFile: /certs/key.pem
http:
  routers:
    dashboard:
      rule: Host(`traefik.x.internal`)
      service: api@internal
      tls: {}

DNS Configuration

Configure your DNS or modify your hosts file:

  • For Unix-like systems: Edit /etc/hosts
  • For Windows: Edit C:\Windows\System32\drivers\etc\hosts

Add the following line:

127.0.0.1 traefik.x.internal

Generate Self-Signed Certificates

Choose one of the following options:

Option 1: Using mkcert

mkcert can solve browser trust issues. Install mkcert, then run:

# Generate the certificates directly in the current directory
# mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

# Specify the key and certificate output paths
mkcert -key-file certs/key.pem -cert-file certs/cert.pem x.internal "*.x.internal"
mkcert -install

Option 2: Using openssl

a. Command line configuration:

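# -addext (OpenSSL 1.1.1+) adds the subjectAltName that browsers match on; CN alone is ignored
openssl req -new -x509 -nodes -newkey rsa:4096 -days 365 \
    -subj "/C=CN/ST=SH/L=Shanghai/CN=*.x.internal" \
    -addext "subjectAltName=DNS:x.internal,DNS:*.x.internal" \
    -keyout certs/key.pem \
    -out certs/cert.pem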

b. Configuration file (ssl.cnf):

# With -x509, default_days in the config file is ignored (a bug);
# pass -days explicitly as a workaround
openssl req -x509 -new -nodes -days 365 \
    -config ssl.cnf \
    -keyout certs/key.pem \
    -out certs/cert.pem

ssl.cnf looks like this:

Tip: In keys such as DNS.1, DNS.2, IP.7 and DNS.11, the numbers only need to be unique; they do not have to be consecutive or in order.

[ req ]
default_bits       = 4096
# Use the DN values below as-is instead of prompting for them
prompt             = no
distinguished_name = req_distinguished_name
x509_extensions    = v3_req

[ req_distinguished_name ]
C  = CN
ST = SH
L  = Shanghai
O  = Individual
OU = MyStudio
CN = x.internal

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1  = x.internal
DNS.2  = *.x.internal
IP.7   = 127.0.0.1
DNS.11 = localhost
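
The following check is an added example, not part of the original page: it parses the [alt_names] section of ssl.cnf, rejects repeated keys (the reason the numbers must be unique), and tests whether a hostname such as traefik.x.internal is covered. The function names are hypothetical, and the wildcard rule assumed is the one browsers apply: "*" matches exactly one left-most label.

```python
import ipaddress
import re

# Constructed sample: the SAN part of the ssl.cnf shown above.
SSL_CNF = """\
[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1  = x.internal
DNS.2  = *.x.internal
IP.7   = 127.0.0.1
DNS.11 = localhost
"""

def parse_alt_names(cnf_text):
    """Return (type, value) pairs from [alt_names]; reject duplicate keys."""
    entries, seen, in_section = [], set(), False
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            in_section = header.group(1) == "alt_names"
            continue
        if in_section:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in seen:  # OpenSSL keeps only the last value of a repeated key
                raise ValueError(f"duplicate key {key}")
            seen.add(key)
            entries.append((key.split(".", 1)[0], value))
    return entries

def covers(entries, host):
    """True if host matches a SAN; '*' stands for exactly one left-most label."""
    try:
        ip = ipaddress.ip_address(host)
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in entries)
    except ValueError:
        pass  # not an IP literal: fall through to DNS matching
    labels = host.lower().split(".")
    for t, v in entries:
        pattern = v.lower().split(".")
        if (t == "DNS" and len(pattern) == len(labels)
                and pattern[1:] == labels[1:] and pattern[0] in ("*", labels[0])):
            return True
    return False
```

With the entries above, traefik.x.internal and x.internal are covered, while a name two levels down such as a.b.x.internal is not.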

Run

docker compose up -d
# Alternative commands:
# docker compose -p traefik up -d
# docker compose -f ./compose.yml -p traefik up -d

Access: https://traefik.x.internal