> ## Documentation Index
> Fetch the complete documentation index at: https://testdocs.riad.com.bd/llms.txt
> Use this file to discover all available pages before exploring further.

# Deploy Traefik locally with mkcert

> A step-by-step guide to deploying Traefik as a reverse proxy locally using mkcert for SSL certificates.

## Introduction

In this guide, we will walk through the steps to deploy Traefik, a popular open-source reverse proxy and load balancer, locally using mkcert to generate SSL certificates for secure HTTPS connections.

## <Icon icon="https://mintcdn.com/thedailyprothomalo/BHFxhJnL0YxSMxN8/icons/mkcert.svg?fit=max&auto=format&n=BHFxhJnL0YxSMxN8&q=85&s=6e738461cf75161655ce260ed2d4bf2a" iconType="solid" width="512" height="512" data-path="icons/mkcert.svg" /> Mkcert:

mkcert is a simple tool that makes it easy to create locally-trusted development certificates. It automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates. This is particularly useful for local development environments where you want to test HTTPS without dealing with self-signed certificates that browsers typically distrust.

<Info>
  ## Prerequisites

  Before we begin, ensure you have the following prerequisites in place:

  * A local machine with Docker installed.
  * mkcert installed for generating local SSL certificates.
  * Basic knowledge of Docker and Traefik.
</Info>

## Logical Diagram

```plaintext theme={null}
+-------------------+          +------------------+
|                   |          |                  |
|   Client Browser  +--------->|   Traefik        |
|                   |          |   Reverse Proxy  |
+-------------------+          +--------+---------+     
                                        |
                                        |
                                +--------v---------+
                                |                  |
                                |   Backend Apps   |
                                |                  |
                                +------------------+            
```

## Step 1: Generate Local SSL Certificates with mkcert

a. Install mkcert if you haven't already. Follow the instructions on the [mkcert GitHub page](https://github.com/FiloSottile/mkcert).
b. Generate a local CA (Certificate Authority):

```bash theme={null}
mkcert -install
```

c. Create SSL certificates for your local domain (e.g., `traefik.local`):

```bash theme={null}
mkcert traefik.local
```

d. This will generate two files: `traefik.local.pem` (certificate) and      `traefik.local-key.pem` (private key).

## Step 2: Deploy Traefik with Docker

a. Create a `docker-compose.yml` file to define the Traefik service:

```yaml theme={null}
# Define the services to be run by Docker Compose
services:
traefik:
    image: traefik:v3.4
    container_name: traefik # Name the container "traefik"
    restart: unless-stopped # Always restart unless explicitly stopped
    security_opt:
    - no-new-privileges:true # Prevent container from gaining new privileges
    ports:
    - "80:80"
    - "443:443"
    networks:
    - web
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro # Docker socket for Traefik to monitor containers
    - /opt/traefik/traefik.yml:/etc/traefik/traefik.yml # Traefik static configuration file
    - /opt/traefik/certs:/etc/traefik/certs # Directory for SSL certificates
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.traefik-dashboard.rule=Host('local domain name/localhost`)" # Replace with your local domain
    - "traefik.http.routers.traefik-dashboard.entrypoints=websecure" # Use the "websecure" entrypoint (usually port 443)
    - "traefik.http.routers.traefik-dashboard.tls=true" # Enable TLS for the dashboard
    - "traefik.http.routers.traefik-dashboard.tls
    - "traefik.http.routers.traefik-dashboard.service=api@internal"
    - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$XXXXXXXX"
    - "traefik.http.routers.traefik-dashboard.middlewares=dashboard-auth@docker"


networks:
web:
    external: true

```

b. Now, create a `traefik.yml` file in that `traefik-data` directory. This file will contain the static configuration for Traefik:

```bash theme={null}
sudo touch traefik-data/traefik.yml
```

c. Add the following configuration to the `traefik.yml` file:

```yaml theme={null}
entryPoints:
web:
    address: ":80"
    http:
    redirections:
        entryPoint:
        to: websecure
        scheme: https
websecure:
    address: ":443"

api:
dashboard: true
insecure: false

providers:
docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

tls:
certificates:
    - certFile: "/etc/traefik/certs/cert.pem"
    keyFile: "/etc/traefik/certs/key.pem"

log:
level: DEBUG
```

d. Place the generated SSL certificate and key files into the `certs` directory:

```bash theme={null}
sudo mkdir -p traefik-data/certs
sudo mv traefik.local.pem traefik-data/certs/cert.pem
sudo mv traefik.local-key.pem traefik-data/certs/key.pem
```

e. Start the Traefik container using Docker Compose:

```bash theme={null}
docker-compose -f docker-compose.yml up -d
```

## 3. Autometic Renewal of mkcert Certificates

mkcert certificates do not have an automatic renewal mechanism like Let's Encrypt. However, you can set up a cron job to regenerate the certificates periodically. Here's how you can do it:
a. Open the crontab file for editing:

```bash theme={null}
crontab -e
```

b. Add the following line to regenerate the certificates every 90 days (adjust the path and domain as needed):

```bash theme={null}
0 0 */90 * * /usr/local/bin/mkcert -cert-file /path/to/traefik-data/certs/cert.pem -key-file /path/to/traefik-data/certs/key.pem traefik.local
```

c. Save and exit the crontab editor. This will ensure that your mkcert certificates are regenerated every 90 days.

## Step 3: Access the Traefik Dashboard

a. Open your web browser and navigate to `https://traefik.local` (or your chosen local domain).
b. You should see the Traefik dashboard login prompt. Enter the username and password you configured in the `docker-compose.yml` file.
c. Once logged in, you can monitor and manage your Traefik instance.

## Conclusion

You have successfully deployed Traefik locally using mkcert for SSL certificates. You can now take advantage of Traefik's powerful features for managing your local development environment securely over HTTPS.
