Introduction

In this guide, we will walk through the steps to deploy Traefik, a popular open-source reverse proxy and load balancer, locally using mkcert to generate SSL certificates for secure HTTPS connections.

Mkcert:

mkcert is a simple tool that makes it easy to create locally-trusted development certificates. It automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates. This is particularly useful for local development environments where you want to test HTTPS without dealing with self-signed certificates that browsers typically distrust.

Prerequisites

Before we begin, ensure you have the following prerequisites in place:
  • A local machine with Docker installed.
  • mkcert installed for generating local SSL certificates.
  • Basic knowledge of Docker and Traefik.

Logical Diagram

+-------------------+          +------------------+
|                   |          |                  |
|   Client Browser  +--------->|   Traefik        |
|                   |          |   Reverse Proxy  |
+-------------------+          +--------+---------+     
                                        |
                                        |
                                +--------v---------+
                                |                  |
                                |   Backend Apps   |
                                |                  |
                                +------------------+            

Step 1: Generate Local SSL Certificates with mkcert

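a. Install mkcert if you haven’t already. Follow the instructions on the mkcert GitHub page.
b. Generate a local CA (Certificate Authority). This creates the CA and installs it in the system trust store; keep the generated rootCA-key.pem private, since anyone holding it can issue certificates that your machine trusts: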
mkcert -install
c. Create SSL certificates for your local domain (e.g., traefik.local):
mkcert traefik.local
d. This will generate two files: traefik.local.pem (certificate) and traefik.local-key.pem (private key).

Step 2: Deploy Traefik with Docker

a. Create a docker-compose.yml file to define the Traefik service:
# Define the services to be run by Docker Compose
services:
  traefik:
    image: traefik:v3.4
    container_name: traefik # Name the container "traefik"
    restart: unless-stopped # Always restart unless explicitly stopped
    security_opt:
      - no-new-privileges:true # Prevent container from gaining new privileges
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web
    volumes:
      # Docker socket for Traefik to monitor containers. ":ro" protects the socket file only;
      # a process that can open the socket still has full access to the Docker API.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Paths match the traefik-data directory created in the steps below.
      - ./traefik-data/traefik.yml:/etc/traefik/traefik.yml:ro # Traefik static configuration file
      - ./traefik-data/certs:/etc/traefik/certs:ro # Directory for SSL certificates
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.local`)" # Replace with your local domain
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure" # Use the "websecure" entrypoint (usually port 443)
      - "traefik.http.routers.traefik-dashboard.tls=true" # Enable TLS for the dashboard
      # The next label is cut off in the source page, so it is left commented out:
      # - "traefik.http.routers.traefik-dashboard.tls
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
      # Placeholder hash: use a bcrypt entry from "htpasswd -nB admin" and double every $ for Compose.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$XXXXXXXX"
      - "traefik.http.routers.traefik-dashboard.middlewares=dashboard-auth@docker"

networks:
  web:
    external: true # Must already exist: docker network create web

b. Now, create a traefik.yml file in a traefik-data directory next to docker-compose.yml. This file will contain the static configuration for Traefik:
sudo mkdir -p traefik-data
sudo touch traefik-data/traefik.yml
c. Add the following configuration to the traefik.yml file:
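entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

api:
  dashboard: true
  insecure: false

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # TLS certificates are dynamic configuration and are loaded only through the
  # file provider; here it reads the tls: section of this same file.
  file:
    filename: /etc/traefik/traefik.yml

tls:
  certificates:
    - certFile: "/etc/traefik/certs/cert.pem"
      keyFile: "/etc/traefik/certs/key.pem"

log:
  level: DEBUG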
d. Place the generated SSL certificate and key files into the certs directory:
sudo mkdir -p traefik-data/certs
sudo mv traefik.local.pem traefik-data/certs/cert.pem
sudo mv traefik.local-key.pem traefik-data/certs/key.pem
e. Start the Traefik container using Docker Compose:
docker-compose -f docker-compose.yml up -d
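
Once the container is up, it is worth confirming that Traefik presents the mkcert certificate and has not fallen back to its self-signed default. The script below is an added example, not part of the original guide; it assumes the openssl CLI is installed, the traefik-data/certs paths used above, and Traefik reachable at 127.0.0.1:443.

```sh
#!/bin/sh
# Added example: checks for the mkcert certificate that Traefik should serve.
# Assumed: the openssl CLI is installed; paths and host name follow this guide.
CERT="${CERT:-traefik-data/certs/cert.pem}"
KEY="${KEY:-traefik-data/certs/key.pem}"
HOST="${HOST:-traefik.local}"
ADDR="${ADDR:-127.0.0.1:443}"   # assumed: Traefik published on the local machine

# SHA-256 fingerprint of a certificate file (empty output if unreadable).
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Fingerprint of the certificate the server presents for SNI name $1 at $2.
served_fingerprint() {
  openssl s_client -connect "$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# True when the private key $2 belongs to certificate $1 (same public key).
cert_matches_key() (
  pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
)

# True when certificate $1 is valid for host name $2 (wildcards honoured).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

check_deployment() (
  cert_matches_key "$CERT" "$KEY" || { echo "FAIL: key does not match $CERT"; exit 1; }
  cert_covers_host "$CERT" "$HOST" || { echo "FAIL: $CERT not valid for $HOST"; exit 1; }
  want="$(file_fingerprint "$CERT")"
  # A different fingerprint means Traefik is presenting another certificate,
  # typically its self-signed default because tls.certificates was not loaded.
  [ -n "$want" ] && [ "$want" = "$(served_fingerprint "$HOST" "$ADDR")" ] ||
    { echo "FAIL: Traefik is not serving $CERT"; exit 1; }
  echo "OK: Traefik serves the mkcert certificate for $HOST"
)

# Run the checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then check_deployment; fi
```

Run it with --check from the directory that contains traefik-data; the SNI name is sent explicitly, so the check works even before traefik.local resolves on the machine.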

Automatic Renewal of mkcert Certificates

mkcert certificates do not have an automatic renewal mechanism like Let’s Encrypt. However, you can set up a cron job to regenerate the certificates periodically. Here’s how you can do it:
a. Open the crontab file for editing:
crontab -e
b. Add the following line to regenerate the certificates about every 90 days (adjust the path and domain as needed). Cron cannot express a 90-day interval in the day-of-month field, so the schedule runs at midnight on the 1st of every third month:
0 0 1 */3 * /usr/local/bin/mkcert -cert-file /path/to/traefik-data/certs/cert.pem -key-file /path/to/traefik-data/certs/key.pem traefik.local
c. Save and exit the crontab editor. This will ensure that your mkcert certificates are regenerated roughly every 90 days.
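
A fixed schedule rewrites the certificate whether or not it is due and leaves Traefik holding the old one in memory. The wrapper below is an added example, not part of the original guide: it renews only when the certificate is close to expiry, validates the new files before installing them, and restarts the container. It assumes openssl, mkcert and docker are on PATH, that the cron user can write to the certs directory, and a 30-day threshold; CERT_DIR is a placeholder.

```sh
#!/bin/sh
# Added example: renew the mkcert certificate only when it is close to expiry.
# Assumed: openssl, mkcert and docker are on PATH; CERT_DIR is a placeholder.
CERT_DIR="${CERT_DIR:-/path/to/traefik-data/certs}"
DOMAIN="${DOMAIN:-traefik.local}"
RENEW_DAYS="${RENEW_DAYS:-30}"   # assumed threshold: renew below 30 days left

# True when certificate $1 is missing, unreadable or expires within $2 days.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

renew_if_needed() (
  if ! expires_within "$CERT_DIR/cert.pem" "$RENEW_DAYS"; then
    echo "certificate still valid for more than $RENEW_DAYS days"; exit 0
  fi
  # Issue into a private temp directory so a failed run never touches live files.
  tmp="$(mktemp -d)" || exit 1
  trap 'rm -rf "$tmp"' EXIT
  mkcert -cert-file "$tmp/cert.pem" -key-file "$tmp/key.pem" "$DOMAIN" || exit 1
  # Refuse to install something unparsable or already inside the renewal window.
  if expires_within "$tmp/cert.pem" "$RENEW_DAYS"; then
    echo "new certificate rejected"; exit 1
  fi
  # Key first, readable by its owner only; then the certificate.
  install -m 600 "$tmp/key.pem" "$CERT_DIR/key.pem" || exit 1
  install -m 644 "$tmp/cert.pem" "$CERT_DIR/cert.pem" || exit 1
  # Restart so Traefik re-reads the files ("traefik" is the container_name above).
  docker restart traefik
)

# Cron calls the script with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then renew_if_needed; fi
```

Because the script exits early while the certificate is still valid, it can be scheduled daily, for example `0 3 * * * /path/to/renew-traefik-cert.sh --run` (the script path is a placeholder).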

Step 3: Access the Traefik Dashboard

a. Open your web browser and navigate to https://traefik.local (or your chosen local domain).
b. You should see the Traefik dashboard login prompt. Enter the username and password you configured in the docker-compose.yml file.
c. Once logged in, you can monitor and manage your Traefik instance.

Conclusion

You have successfully deployed Traefik locally using mkcert for SSL certificates. You can now take advantage of Traefik’s powerful features for managing your local development environment securely over HTTPS.