Это видео недоступно.
Сожалеем об этом.
SSL Certificates Made EASY With Traefik Proxy, Clouflare, and Let's Encrypt - Tutorial
HTML-код
- Опубликовано: 16 авг 2024
- Deploying SSL certificates to protect your services, both internally and externally, has never been simpler thanks to Traefik. I'll show you how to install Traefik to deploy SSL certificates with simple step-by-step instructions.
Config Files: github.com/Jam...
Discord: / discord
00:00 - Introduction to Traefik and SSL encryption
01:30 - Create a Cloudflare domain
04:24 - Docker Compose Configuration Walkthrough
12:00 - Creating Traefik Files for Deployment
17:00 - Running Your Traefik container and obtaining SSL certificates
21:38 - Traefik Dashboard
23:11 - Port Forwarding in Sophos XG
Hi Love your videos
Watched loads of traefik tutorials your tutorials are detailed and very well explained as always thank you.
Thanks 👍
Great video - running SSL certs on all my VM's now. Thanks Jim!
Glad it was useful
This was a great video. Simplified some stuff for me as I was trying to get local docker to honor public certs.. Thanks!
You're welcome 😁
Watched various traefik tutorials your tutorials are just perfect, thank you.
Great to hear! Thanks.
great tutorial. i'm using almost identical traefik config/docker compose file that i got from techno tim. another amazing youtuber in the homelab community
Yeah, Tim's great 👍 I think we've both stayed close to the official documentation. Are you going to install crowdsec?
@@Jims-Garage yes, i need to watch some tutorials on it including yours. you've got a new subscriber, btw. 🤝
Just stumbled upon your site. Looking forward to looking at more of your videos.
Thanks, Claire. Really appreciate the feedback, plenty more to come!
very cool😀 it should be nice undestanding use traefik for both external and internal (local) ssl certificates and name resolution.
Awesome, thanks! I've just uploaded the supporting pihole video for internal DNS.
17:27
After traefik docker compose up, I did not see the log message of loading the configuration file /traefik.yml in portainer.
What happened...but acme.json is not empty, and the private key and Certificate were successfully verified.
It's that right...
Thanks for sharing, boss. 🤣
@@randyyang5574 might have just missed the first part of the log. As long as you have the cert you should be good
At 3:41 in the video its the Traefik documentation you need to look for,
I followed this tutorial but I just keep on getting TRAEFIK DEFAULT CERT. I use adguard as dns and I have configure my domains in there. It resolve but does not get the lets encrypt cert
@@marinuspretorius8230 hey, you need to add your domain to a public domain registrar like Cloudflare, not adguard
Fantastic work mate! keep it up.
Thanks, will do!
Can you please show similar setup for Traefik with Cloudflare origin certificate instead of let's encrypt
Sorry Im at lost on this 18:14 I cannot access the Traefik dashboard
Do you have a DNS record?
@@void.3133 have you added a DNS record?
@@void.3133 I actually gave up on this reverse proxy as I cant make it work, I use CloudFlare Tunnel instead its easy to setup and will give you SSL as well. I move to proceed with other Home lab activity and maybe I'll get back on this in the future.
@@Jims-Garage For some reason my original reply was removed by YT, dunno why. Anyway YES, I did create a CNAME DNS record for this in CloudFlare.
@@JPEO for the dashboard you will need a local DNS record. Something like PiHole, adguard, your firewall or hosts file. E.g. traefik.yourdomain.com dockerHostIP:443
Hi, new sub here, thanks for the very detailed videos!
I just have two questions: 1) should I use the docker-compose from your Github page or the official "Docker-compose with Let's Encrypt: DNS Challenge" one?
2) if I don't specify my ip address on cloudflare (waiting to be able to follow your pihole guide), can I still run other containers through proxy and they will be encrypted?
Absolutely brilliant tutorial, thanks so much!
I currently use Nginx Proxy Manager. For this solution to cover all my needs and requirements, I would need to understand how traefik deals with external hosts not hosted on the local docker service?
Any chance you could cover that? I have tried various configs with config.yaml, and white traefik does not error, I always get a 404 error :(
Help :D
Glad it helped! You need to create an external service, it's pretty simple. I'll try to cover it in the near future.
Hey Jim. Awesome content! Question - how hard is it to apply this on a docker swarm environment?
Thanks, should work fine. I don't have a config to hand but converting the compose to swarm format should be all you need (I run this in Kubernetes which is similar)
The problem with Let's Encrypt is that the certificates are only valid for 90 days so if you're device doesn't support one of their automated update services/methods, such as a Synology NAS for example, then it can become a headache to manage.
True, thankfully this has an automatic renewal.
Hi James, Thanks for the great videos. You have covered some very interesting topics. One observation regarding traefik. I have deployed traefik ingress routes for many services in my k3s cluster. All of them work fine and ssl is also working as expected. But strangely on the traefik pod logs, I can see all the services deployed show an error that the cert-tls secret is not found in the namespace of that application. I only deployed the secret in the traefik namespace. Bit confused at the moment. If the cert is needed in the individual namespaces, why would my tls work correctly at the moment? If it is not needed, why would the traefik logs be reporting these errors...
You only need it in the Traefik namespace from my experience. I'm not sure why it's in your logs. Can most likely be ignored.
@@Jims-Garage actually figured it out. The ingress route created for each individual app, doesn't need the tls-secret set. Once I removed and redeployed, logs are clean. :)
@@bharatveeranki5091 great, nice one
Hi Jim. Great work, as always. Is it possible to use cloudflare tunnel instead of ddns?
Yes, although be aware of the privacy concerns relating to tunnels
Hi, very helpful videos!! But I have a problem with the cloudflare workaround. Is ist possible to change this to another provider like netcup (in my case)? If I try, it doesn't work.
Check the Traefik website. It shows all of the supported registrars and their configuration steps
would you consider doing a video without having to purchase a domain, local.domain with Kubernetes, Traefik, DNS Server on local network, Let's Encrypt
That won't achieve what I'm trying to achieve, removing the security warning in the browser.
If I wanted to run this on Fedora, what would I use for the apache2-utils file? anyone
Thanks for your cool site. Unfortunately I'm having a problem. In the Portainer logs for traefik I see:
2023/06/05 11:54:14 command traefik error: yaml: line 32: found character that cannot start any token.
Any ideas?
Check line 32 of your traefik yaml. Make sure that you have " " either side, and check that it looks right. Let me know.
Hello! I wonder if you have solved issue because I ran into the same problem too!
Hey Jim, I'm getting -> Unable to locate package apache2-utils for generating username-password
@@user-yk1qu6iv2l which distro? You may need to install it first
@@Jims-Garage Ubuntu 24.04 LTS
@@user-yk1qu6iv2l sudo apt install apache2
@@Jims-Garage Done. But the echo command giving some issue -> sed: -e expression #1, char 9: unknown option to `s' (command I given: echo $(htpasswd -nb "myusername" "mypassword") | sed -e s/\\$/\\$/\\$/g )
Resolved by using this command -> echo $(htpasswd -nb "username" "password") | sed -e 's/\$/\\$/g'. Thanks
Sorry, i don't understand under what situation should one expose home servers to the internet? It feels very insecure. Why not protect all internal home servers with a VPN like Wireguard?
How about a public website? I agree a VPS is a better solution, but some don't want to use those.
How can i proxy non-docker based services? such as some docker containers on a synology nas, or even the nas's DSM home page itself?
Use an external service configuration.
Hi Jim, appreciate your video! So well put.
I followed your tutorial all the way, but like other comments here, could not access the traefik dashboard. Not under 8080 (http) or 443 (https). Do you happen to know if traefik changed something since then? Thanks.
So I did the htpasswd thing and did not save the string it spit out and can not find the file location. When I rerun the htpaswd command it just sits there thinking
Hello hello! You homelab series is the best series for homelab progresses making (while other youtubers don't even have a progress series)! But I ran into issues following this video, my container log is keep giving me "command traefik error: yaml: line 32: found unexpected end of stream"; I saw another guy having the same issue as I do in the comments and I checked my yml file as what you told him to do, yet I don't see an issue. Would you mind to help me out here?
For anyone else with this issue, check for quotes marks on your DNS entry. It needs them.
How did you managed to create an A record (or a CNAME) on cloudflare for your subdomain and point it to your home ip? And isn't your home ISP IP dynamic? Did I miss any step? Thank you.
Go to DNS settings on Cloudflare and create a cname. I do have a dynamic DNS. I use dynamic DNS on my firewall to automatically update my IP address.
@@Jims-Garage in my current setup I use duckdns on a docker. I'll check your suggestion. Thank you for your support and please keep posting new videos 💪💪
@@FilipeNeto616 thanks. Will do, tons more planned.
Hey Jim, forst off tha ks for your videos, and the explanations. Have two questions: 1 when trying to run the traffic docker compose file got an error where it basically said the proxy network already exists and advised to change the network to external (like on the nginx compose file) changing this worked and the container was created. Just confirming this is correct as it was not the case in the video. 2 in the nginx compose file there is reference to a router middleware with jellyfin. I was seeing an error in tue traef8k dashboard and it only went away when this line was changed to nginx confirming I an correct with this.
1) That looks fine. You only need to create the network once, then specify it afterwards for subsequent containers.
2) That's an error in the video (shh! 🤫). Please always refer to the GitHub for the latest files where it has been rectified.
Please let me know if you have any further questions.
I was also tricked by jellyfin, haha
Hey, will this configuration create a unique certificate for each server? I plan on setting up multiple servers , each with its own traefik proxy and subset of websites in my domain.
server 1 - sites a, b, c
server 2 - sites d, e, f
Will traefik on server one request the certs a.mydomain , b.mydomain , and c.mydomain ?
A wildcard won’t work since I’d need 2 active wildcard certs.
@@majorgear1021 you could use the same wildcard certificate on both.
@@Jims-Garage Oh sweet! Well, I’d rather have unique certs for each host, but if LE will
issue multiple wildcard certs for the same
domain, then that will work, too.
@@majorgear1021 it will only work if they share the same public IP. Otherwise it's discreet subdomains.
@@Jims-Garage good point. I may eventually host services on VPS , so using a different domain ( I have a few) or using subdomains may be in my future.
@@majorgear1021 I use subdomains for pretty much everything
can you do a mailcow with this add on?
I would need to check but I suspect so.
1. Can you re do this video, but using NPM so that we can see the different?
2. Why are youtubers showing/teaching Traefik instead of Nginx Proxy Manager, which is much easier to used?
Perhaps, I might. The reason is because Traefik is more secure, and more container orientated. Nginx Proxy Manager has been riddled with security vulnerabilities for years, I cannot recommend that people use it.
Hi Jim, thank you for your work. quick question, how did you set up your local dns entry in pihole for your containers that are using traefik? I dont want to expose my containers outside my network.
Go to local DNS in PiHole and add your subdomains. Set the IP to your proxy IP (likely your docker VM IP). Make sure your PC then has the PiHole set as its DNS resolver (windows network settings).
Strongly recommend using Cloudflare proxy for any external domains/subdomains on the same IP as it will hide it. Otherwise people could manually assign the IP and try to guess internal subdomains.
A more thorough measure would be to use IP whitelisting in Traefik to limit access to containers using network blocks (I'll get onto this in a later video). You could also setup separate entrypoints for different services. E.g., secure on port 443 for internal, and web-secure on port 444 for external. You'd then portforward 444 to 443 and thus no internal services are accessible externally.
@@Jims-Garage Thank you for your response. I have my Pihole set up for network-wide dns resolver using my unifi udm-pro router. I was confused as to what ip address to use for A record entry. I will play around with it.
I look forward to your upcoming content. I appreciate it.
Firstly this was a great video to follow. I have 2 questions:
1) I do not understand the need for the nginx container. Is the nginx container used to simplify importing the CA certificates?
2) For the password hash, I have used argon2id to hash a password when setting up the admin portal for vaultwarden. Is it possible to get that to work so that you can run a temp docker container to hash the password and not require the install of apache2-utils?
To expand on the first question:
When I was first learning I started with NPM and then tried Traefik but it was too complicated while I was just learning. I am now trying to get back to learning Traefik but I do not remember needed an nginx container when I set up Traefik in the past. I remember being confused importing the certs into Traefik. Is the nginx container used to simplify importing the CA certificates?
Hey, thanks for the feedback. The nginx is merely a lightweight example of using the cert. You can ignore it if you want. I'm not sure about using the container for password generation. Anything could do it in theory that supports base64 encodings.
@@Jims-Garage I was under the impression Traefik had that functionality built in. I will end up circling back once I finalize the plans for my home-lab and will think more on how it will all come together.
As for the password hash I used argon2id and I just had to double the “$” for escaping. Argon2 is supposed to be more resilient than BCrypt or MD5.
echo -n "YourSuperSecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
are there any plans to ever make a video on hosting your own Matrix server and making it publically available?
You probably want to check this one out 😜ruclips.net/video/SVMHsoWMKI4/видео.html
I also have follow up videos on a discord bridge
@Jims-Garage oh wow I should really search before I ask 🤣
Traefik log is giving me these errors: level=error msg="Error while starting server: accept tcp [::]:80: use of closed network connection" entryPointName=http and time="2023-06-01T01:00:04Z" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=https. I did the port forward but notice the wan port on sopho has a default IP that is different than my ISP dynamic public IP, also using pihle DNS i can't get any site to resolve i'm getting error 404 page not found.
Check if nginx is already using port 80, if so you have a clash. Either change the port of nginx in the docker compose, or just remove it as it'll be routed through traefik once you update the labels.
@@Jims-Garage I'm doing a brand new setup following your series from the Promox install video, only thing i have install on this VM is docker, portainer, traefik and pihole i haven't gotten to the part to install nginx
@@user-js2dz5oy1s just checked, I believe it's caused by the wrong IP on your wan. You'll want to update that to your actual IP. (You can setup dynamic DNS with Sophos and Cloudflare so it checks and updates if necessary every 5 mins).
@@user-js2dz5oy1s i now it should be and old issue for you, but how you fixed it? Im going mad here with the sample problem of closed network connection. Thanks!
I get a "404 page not found" when I try and pull up the Traefik dashboard. Any idea what to check?
Did you create a domain record for traefik-dashboard.yourdomain.com ?
@@Jims-Garage Thanks Jim for replying. I got it sorted out and ya, I think it had to do with not having a domain record. I did a lot of troubleshooting, so I'm not exactly sure what solved it, but I am good now. I was able to replicate this setup twice, so now I think I have it all figured out (famous last words). Thanks again. You have some great content. Keep up to the good work.
@@i.s.statesteel8316 great, good job. Thanks for letting me know
@@Jims-GarageHi Jim, I also met some trouble and be confused while trying to use traefik reverse proxy along side with headscale😢
Seems like you have updated the compose file for traefik, while the label used in headscale with traefik is still based on the old one. It would be good if there is also a updated version of headscale compose file as well… 🙏
Can’t really figure out the correct set up, the gui is working just fine, but the machine/register is not… seems like some of the traffic has not passed through the proxy?
I thought you had to add port 8080:8080 to enable the dashboard since the dashboard is on ip:8080/dashboard/#/ instead of 80.
This video is great but too high level for me. I feel lot of abstractions there. I am not very much confident over docker compose, so I want you to do a video which deploys multiple apps (maybe frontend and backend) with docker, docker-compose, traefik, some IaaS like linode etc.
Can you do that video please? Considering those who know just docker (not even docker compose) you will explain every line of config and then deploy (add) one more app after everything is working.
@jims-garage thanks for putting this together! Been following along and am having issues executing sudo docker compose up -d @21:10 (nginx container creation). My first error was: yaml: line 5: could not find expected ':'. My code is: container_name:homelab. After putting space after : I received services.web Additional property secuity_opt is not allowed and have had other errors that seem to point to my yaml formatting. Any ideas what this might be?
Almost certainly a formatting issue with your compose file. Double check what I have on my GitHub. Be sure to only use spaces, not tab.
@@Jims-Garage I could not find an nginx compose file on GH. Could you point me to it?
hi. I get ERR_TOO_MANY_REDIRECTS when trying to access dashboard. How can it be worked out?
Have you added a DNS entry pointing to your proxy? Did you add /dashboard?
@@Jims-Garage I.ve added a public hostname (subdomain) inside a tunnel in Cloudflare pointing at the server's IP. Is that correct?
@@GrooveNook no, don't think so. I don't use Cloudflare Tunnels for privacy reasons. AFAIK the tunnel negates the need for a proxy. Use this video without a Cloudflare Tunnel.
@@Jims-Garage so I just need to create a DNS entry A name like entry?
@@GrooveNook Yes, pointed to your IP. DNS challenge means you don't even need a port forward. Use an internal tool like PiHole.
how to expose service with port 8003:3000 for example
Why would you want to change the internal port for Traefik?
Hey Jim, I'm a bit confused. I've set everything in my homelab just like in your video, but i cannot access my domain name from the internet. I'm connected to a lan zone vlan while my docker vm is on a separated dmz vlan. I can access the urls i've set in traefik and pihole only from the host vm they are running on. What did I miss in my configuration that prevents me from accessing the docker services by the urls?
Btw I've set a dns a record in my cloudflare accout to direct my root domain to my public ip, and configured dnat as shown.
Thank you for your awesome content
Have you made sure the right zones are specified in the firewall rules? Are you sure that your ISP allows port forwarding?
@@Jims-Garage I'm pretty sure my ISP doesn't block any port forwarding since the only hardware I use that's provided by the ISP is a simple modem with a single fiber to eth port.
Just to clarify the structure of my network: internet -> ISP modem -> proxmox server running sophos (vlan 10) and docker vm (vlan 80 - DMZ). The docker vm is configured in proxmox to be on the DMZ vlan that is managed by the sophps vm.
All my vlans have a firewall rule that allows WAN connection but no interVlan connections.
I've added the DNAT rule for the static ip address I've set for the docker vm in sophos.
Should there be any routing rules set in sophos? Should I set a domain for the DMZ vlan that matches my cloudflare domain name in sophos? Should there be any additional configuration set in the hosting proxmox server?
I tried to stick to your instructions as much as possible, but I cannot access the docker vm by either domain name nor its ip address from my other machines.
Your help is very much appreciated, thanks again :)
@@oramsalem if you're on Discord send me some screenshots. It's going to be difficult to diagnose on yt comments.
Quick question:
Cloudflare is the certificatesResolvers but Certificate is issued by Let's Encrypt (time stamp: 27:40), do we know why?
Thank you.
I think I found the answer:
(1) Traefik leverages Let's Encrypt for certificate issuance: It uses the ACME protocol to automatically request and renew certificates from Let's Encrypt, a widely trusted certificate authority.
(2) Cloudflare is not a certificate authority: It doesn't issue certificates directly.
Correct. Cloudflare is used to check domain ownership. If the domain record points to my IP I own it. Then letsencrypt issues it.
Hello, I have a question about Sophos. After installing nginx and Trafik, my site displays fine, is it necessary to configure Sophos or in what cases would it be? I used the Cloudflare api to generate the ssl...
Do you mean to access from external networks? That would require a port forward.
any chance you can upload the files for us to modify?
Yes, I will be creating a GitHub page to share later today.
Added to the description
@@Jims-Garage awesome ty!
Cloudflate as a domain registrar is a very bad solution their api for domain management is inferior to most of other professional solution.
Interesting, I haven't heard that before. Who do you recommend?
Traefik is NOT EASY, nginx proxy manager is easy .. hell even editing nginx conf with vim is easier than traefik
Nginx proxy manager is easy but it has a rocky history with security vulnerabilities. I prefer Traefik for this reason as well as it's dynamic nature. Nginx is a solid choice, although it isn't dynamic.
@@Jims-Garage yea, but its very simple ... even my grandma can set it up
And nginx is faster for high load.
Faster but not as secure.
your audio level is very low
Appreciate your feedback, that's fixed in later videos (upgraded my kit). Sorry about that!
ruclips.net/video/XH9XgiVM_z4/видео.htmlsi=QVkyZRW_rDXdsRFQ&t=1258 this is not in the github
It's in the Jellyfin folder :) it was simply an example of how to make use of it
@@Jims-Garage i found it, thank you
Hi Jim... very detailed and I love that. I have one question, you ran your Traefik from Ubuntu, so obviously some of the commands wont work in Debian. How do I get to echo the password from Debian? echo $(htpasswd -nb "admin" "admin" | sed -e s/\\$/\\$\\$/g
Ubuntu is Debian based, did that command not work?
Unfortunately 😔 not. Everything worked up to that point.
@@kslim34 it's not installed by default. Did you install it?
@@Jims-Garage so your tutorial was installed on Ubuntu... I was trying to run it on Debian 12. So some of the commands will work but this one will not execute 😞.
You are missing a ")" ... the correect command is echo $(htpasswd -nb "admin" "admin") | sed -e s/\\$/\\$\\$/g