Quick Start: Traefik with HTTP/3
Preparation
Create the necessary directories and files:
1
| mkdir -p traefik/dynamic-conf traefik/certs && cd traefik && touch compose.yml traefik.yml dynamic-conf/self.yml
|
Configuration Files
compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| services:
traefik:
image: traefik:3.1
ports:
- "80:80"
- "443:443/tcp"
- "443:443/udp" # Required for HTTP/3
environment:
- TZ=Asia/Shanghai
volumes:
- "./traefik.yml:/etc/traefik/traefik.yml"
- "./dynamic-conf:/etc/traefik/dynamic-conf"
- "./certs:/certs"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
- traefik-net
networks:
traefik-net:
name: traefik-net
ipam:
config:
- subnet: 172.16.238.0/24
|
Security Note: Mounting the Docker socket (/var/run/docker.sock
) can pose security risks. Consider using more secure alternatives in production environments.
traefik.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| # Static Configuration
log:
level: INFO
api:
dashboard: true
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: :443
http3: {} # Enables HTTP/3 support
providers:
file:
directory: /etc/traefik/dynamic-conf
watch: true
|
self.yml in dir dynamic-conf
1
2
3
4
5
6
7
8
9
10
11
| # Dynamic Configuration
tls:
certificates:
- certFile: /certs/cert.pem
keyFile: /certs/key.pem
http:
routers:
dashboard:
rule: Host(`traefik.x.internal`)
service: api@internal
tls: {}
|
DNS Configuration
Configure your DNS or modify your hosts file:
- For Unix-like systems: Edit
/etc/hosts
- For Windows: Edit
C:\Windows\System32\drivers\etc\hosts
Add the following line:
1
| 127.0.0.1 traefik.x.internal
|
Generate Self-Signed Certificates
Choose one of the following options:
Option 1: Using mkcert (Recommended for Development)
mkcert
can solve browser trust issues. Install mkcert, then run:
1
2
3
4
5
6
| # directly gen certs at the current dir
# mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1
# specify the cert output dir
mkcert -key-file certs/key.pem -cert-file certs/cert.pem x.internal "*.x.internal"
mkcert -install
|
Option 2: Using openssl
a. Command line configuration:
1
2
3
4
| openssl req -new -x509 -nodes -newkey rsa:4096 -days 365 \
-subj "/C=CN/ST=SH/L=Shanghai/CN=*.x.internal" \
-keyout certs/key.pem \
-out certs/cert.pem
|
b. Configuration file (ssl.cnf):
1
2
3
4
5
6
| # When using -x509, default_days in config will be ignored, it is a bug
# using -days to workaround
openssl req -x509 -new -nodes -days 365 \
-config ssl.cnf \
-keyout certs/key.pem \
-out certs/cert.pem
|
ssl.cnf
like as follows:
Tips: DNS.1
, DNS.2
, IP.7
, DNS.11
, the numbers are only required to be unique, and can also be unordered.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| [ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_req
[ req_distinguished_name ]
C = CN
ST = SH
L = Shanghai
O = Individual
OU = MyStudio
CN = x.internal
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = x.internal
DNS.2 = *.x.internal
IP.7 = 127.0.0.1
DNS.11 = localhost
|
Run
1
2
3
4
| docker compose up -d
# Alternative commands:
# docker compose -p traefik up -d
# docker compose -f ./compose.yml -p traefik up -d
|
Access: https://traefik.x.internal