jmc

Reputation: 183

Is there a way to let some traefik services manage their tls certificates themselves?

I'm trying to configure traefik for something like this:

1) server.example.com --> traefik --> httpChallengeToLetsEncrypt

2) client --> traefik (TLS passthrough) --> server.example.com (with Let's Encrypt)

N.B.: traefik receives its requests at the example.com level

What is happening:

1) Works correctly only if traefik does not manage Let's Encrypt certificates itself (otherwise it does not forward any request whose path prefix begins with ".well-known/acme-challenge" :-\ )

2) Does not work with a TCP router config like this:

tcp:
  routers:
    example:
      entryPoints:
        - web-secure
      rule: "HostSNI(`server.example.com`)"
      service: example
      tls:
        passthrough: true

  services:
    example:
      loadBalancer:
        servers:
          - url: "https://192.168.0.1:443/"

How would you let one or more services manage their Let's Encrypt certificates themselves? And is it possible to do that while traefik also manages Let's Encrypt certificates, or is the problem mentioned in point 1 prohibitive?

Best regards,

jmc

Upvotes: 2

Views: 2579
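The two-hop layout the question describes, written out as one Traefik v2 dynamic configuration for the file provider. This is an added example, not configuration from the question or from the Traefik project; it assumes entrypoints named `web` (port 80) and `web-secure` (port 443) are declared in the static configuration, and a backend at 192.168.0.1 that serves plain HTTP on port 80 (where its own ACME client answers the HTTP-01 challenge) and its own Let's Encrypt certificate on port 443. Note that a Traefik v2 TCP service takes `address` (host:port), not the `url` key used by HTTP services.

```yaml
# Added example: Traefik v2 dynamic configuration (file provider). Not from the original post.
# Assumptions: entrypoints `web` (:80) and `web-secure` (:443) exist in the static config;
# the backend 192.168.0.1 serves plain HTTP on :80 and its own TLS certificate on :443.
http:
  routers:
    # Port 80: only the ACME challenge path is forwarded to the backend in clear text,
    # so the backend's own ACME client can answer the HTTP-01 challenge.
    # Without an explicit priority Traefik v2 ranks routers by rule length, so this
    # longer rule wins over the plain Host() rule below for challenge requests.
    example-acme:
      entryPoints:
        - web
      rule: "Host(`server.example.com`) && PathPrefix(`/.well-known/acme-challenge/`)"
      service: example-http
    # Everything else on port 80 for this host is redirected to HTTPS.
    example-redirect:
      entryPoints:
        - web
      rule: "Host(`server.example.com`)"
      middlewares:
        - to-https
      # A router must name a service; the redirect middleware answers before it is used.
      service: example-http
  middlewares:
    to-https:
      redirectScheme:
        scheme: https
        permanent: true
  services:
    example-http:
      loadBalancer:
        servers:
          - url: "http://192.168.0.1:80/"

tcp:
  routers:
    # Port 443: route on the SNI of the ClientHello and pass the TLS stream through
    # untouched, so the backend terminates TLS with its own certificate.
    example-tls:
      entryPoints:
        - web-secure
      rule: "HostSNI(`server.example.com`)"
      service: example-tls
      tls:
        passthrough: true
  services:
    example-tls:
      loadBalancer:
        servers:
          # TCP services use `address` (host:port); `url` is the HTTP service key.
          - address: "192.168.0.1:443"
```

Two caveats a practitioner should keep in mind. First, if the certificate resolver Traefik uses for its own certificates is configured with `httpChallenge` on the `web` entrypoint, Traefik v2 registers an internal router for `/.well-known/acme-challenge/` at maximum priority on that entrypoint and answers unknown tokens itself, which is exactly the behaviour reported in point 1; switching Traefik's own resolver to `tlsChallenge` or `dnsChallenge` leaves the path free for the `example-acme` router. Second, with passthrough Traefik sees nothing but the SNI: no HTTP middlewares, access logging or rate limiting apply to that host, and SNI is unauthenticated client input, so the backend must still validate the Host header itself; clients that send no SNI only ever match `HostSNI(`*`)`.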

Answers (1)

yodog

Reputation: 6242

Use tls.passthrough=true and a TCP router instead of an HTTP one.

Below is a fully working example where Apache is responsible for its own certificates.

Traefik never touches them.

version: "3"

services:
    traefik:
        image: traefik
        command:
            # dashboard on :8080 without authentication: acceptable on a lab box, not on the internet
            - --api.insecure=true
            - --providers.docker=true
            # the routers below reference entrypoints named "http" and "https",
            # so they must be declared here
            - --entrypoints.http.address=:80
            - --entrypoints.https.address=:443
        ports:
            - "80:80"
            - "443:443"
            - "8080:8080"
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
        labels:
            - traefik.http.routers.api.rule=Host(`traefik.docker.local`)
            - traefik.http.routers.api.service=api@internal

    whoami:
        image: containous/whoami
        labels:
            - traefik.http.routers.whoami.rule=Host(`whoami.docker.local`)
            - traefik.http.routers.whoami.service=whoami@docker
            - traefik.http.services.whoami.loadbalancer.server.port=80

    apache:
        build: php-apache
        depends_on: [traefik]
        env_file: ./php-apache/env
        volumes:
            - "./php-apache/cert/haproxy/:/etc/ssl/haproxy/"
            - "./php-apache/cert/private/:/etc/ssl/private/"
            - "./php-apache/cert/trusted/:/usr/local/share/ca-certificates/"
            - "./php-apache/conf/:/etc/apache2/conf-enabled/"
            - "./php-apache/log/:/var/log/apache2/"
            - "./php-apache/sites/available/:/etc/apache2/sites-available/"
            - "./php-apache/sites/enabled/:/etc/apache2/sites-enabled/"
            - "./php-apache/www/:/var/www/"
        labels:
            # port 80: plain-HTTP catch-all with the lowest priority, so the
            # ACME HTTP-01 challenge for apache's own certificate reaches apache
            - "traefik.http.routers.apache.entrypoints=http"
            - "traefik.http.routers.apache.priority=1"
            - "traefik.http.routers.apache.rule=HostRegexp(`{catchall:.*}`)"
            - "traefik.http.routers.apache.service=apache@docker"
            - "traefik.http.services.apache.loadbalancer.server.port=80"

            # port 443: TCP router matching any SNI, TLS passed through untouched,
            # so apache terminates TLS with its own certificate
            - "traefik.tcp.routers.apache.entrypoints=https"
            - "traefik.tcp.routers.apache.rule=HostSNI(`*`)"
            - "traefik.tcp.routers.apache.service=apache@docker"
            - "traefik.tcp.routers.apache.tls.passthrough=true"
            - "traefik.tcp.services.apache.loadbalancer.server.port=443"

Upvotes: 0
