Traefic exposed with lets encrypt direct. In my setup traefic stays untouched and requests the certs based on the service labels from the other containers
I was originally soooo frustrated following this tutorial. I went step by step, and took SEVEN hours just to figure out that I had some typos! Thanks @Techno Tim, amazing tutorial. I'm so glad I stuck it out! For anyone else struggling, highly recommend looking over your work even when you copy and paste!
Nice! I've been running this setup for a few years as well. With one difference: I configured the file provider to watch a directory of .yml files. (see the watch option and the directory option). This allows me to create a .yml file PER site and the watch option makes it so I don't have to restart the container and take down the proxy.
This is literally my first ever comment in 8 years. I really enjoy your content. You keep it simple, relatable, and most importantly you tied different services together not just one by one in all different videos. You show the end game scenario. Patreon it is brother.
@@TechnoTim Tim, Is there a self hosted alternative for sel hosted tunnel to get rid of cloudflare services and do the cloudflare job like providing ssl certificates, hiding ip and protection from ddos attacks etc..?? All it done by myself? I heard by something like RPoVP? Does it get the job done or there is another better solution replacing cloudflare and our entire network and ip from external world??
Just tried this today myself. When my Traefik site comes up its still using the default self-signed cert. Not sure why. I see a cert for my domain in the acme.json, it just doesn't seem to be using it. Not sure how to troubleshoot.
The best video on SSL with Portainer and Træfik, period. Thank you so much for your slow and clear approach with excellent quality of video. Keep up the great work Tim! 🐧
Just wanted to say thank you, Tim!!! I've been wanting to set up ssl for a few months now but have been intimidated by it all. After learning how to create a ansible playbook to update,upgrade-dist for my VMs last week . I was like I can do this ssl thing so I bought a domain and watched this video like 10 times but I now have my local services all running with ssl thanks to you. All your videos are great and very infomitve. You and the homelab RUclips community is amazing .. thank you again so much
I've been looking to do that for over a year and a half and scratching my head because it all seemed far too complicated a setup to bother with it all. Until I finally found your video... Damn, that one is very useful and simple to follow... as well as sufficiently detailed to really understand how it works under. Very well done and useful, thanks!
This seems to be a bit more complex then what I am doing directly with PFSense and its HA Proxy and ACME plugins, but I like the nice dashboard that Traefik provides! Thanks Tim for the nice walk through!
It does not go over how this intereact with the regular reverse proxy. I have been stucked for weeks. Since my pfsense forward everything to my main traefik.
I just found your channel and have binged a few videos as I’m right in the process of upgrading my home Proxmox server and home network. I swear you somehow have a video for exactly each thing I was about to do, with detailed instructions and configs (NUT, Proxmox setup, SSL and FQDM for local services, etc etc). These are fantastic jumping off points for my own custom configs and I love that you go into such detail and explain WHY you do things not just a list of steps, as I usually will want a different configuration and am even more interested in the why than the how. Fantastic channel, I hope to see you continue to grow it!
I use Nginx proxy manager, but this looks neat. I really need to move to wildcard, my let’s encrypt list is getting a little silly now. Thanks, Tim for all you do!
I had spent two days trying to figure out how to do this, and I finally got it after carefully going through your video. Thank you so much for helping the community like this, I really appreciate it.
Hey Tim, I'm having a hard time. I'm following this tutorial so that I can subsequently follow your pterodactyl tutorial and I think I may be in over my head. For example, @8.40 you say "just make sure you have a DNS entry pointing back to this portainer". Now, you said that so casually.. but how do I do that? Where do I find this portainers IP? Is it the IP of the server portainer is running on, or do I find that in portainers dashboard? Should I be going further back in your tutorials until I understand the things in this tutorial that do dont fully explain? and if so, where do I start? Thanks.
Love using traefik! It was actually where I started my homelab. A friend showed me traefik and something about it just caught my interest. Started spinning up a bunch of different containers with configs just for the sake of it. Great video!
Hi Tim, great tutorial! I've been running SSL on all my homelabs projects for couple months now without any issues. But recently I had some problems renewing certificate. I found that I had to add 'delayBeforeCheck: 5' in traefik.yml file under dnsChallenge section for cert to renew. I guess Cloudflare has changed something on their end and I needed this line to add a delay for a few seconds otherwise I would always get certificate null error. You may want to add this to your documentation to help others encountering this issue. Banged my head for days until I figure this out. Thanks again for all your great tutorials.
Came across this video just today, and I wanted to leave a comment for the algorithm, along with liking and subscribing. Really appreciate you giving away the hours of trial and error that it had to have taken to get these configs dialed in. I also appreciate your clear and straightforward delivery. Great job with this.
I love the way this skips along the surface of the topic, allowing my brain to see the big picture with just enough anchor points to make it concrete and relatable. I know what a container and a reverse proxy and a DNS server are and how certificates work. I don’t need or want to be distracted by any explanations of those. We need to keep it moving or my buffer will overflow. I can explore sub-topics separately. You have a perfect style for a top-down learner. Thank you.
In a more recent video (I think it was the overview of your whole lab) you mentioned you now have two instances of Traefik, one for external traffic, and the one described in this video. I spent several days trying to set up a second instance to pass external traffic along, and was never able to get it to work. Would you be willing to do a more in depth tutorial about that setup?
I just use you Pihole DNS setting for local DNS (must use as your main DNS), external use Cloudflare, both of them use the same certificate with different subdomains, It's just that the internal subdomains name can only be used on the internal network because this domain name is not exist on public DNS.
Amazing tutorial. I can't tell you how long I've been annoyed with my homelab services not using SSL or just using the self signed stuff... it's so nice to have these being properly secured now.
Hey Tim, this is awesome, I have got everything internally and external, to docker, set up flawlessly. However, I think I might be missing something, as I am a little stuck on how to configure this to allow internet-facing external access. I have configured the Cloudflare DNS and port forwarded, but I think I am missing some key config on Traefik itself? I would absolutely love it if you could reply (or even make a video!) on how *you* would go about setting up internet facing services through Traefik!
Hi Tim, I'm having the same issues too. I've been able to get everything working while I'm on my local network. Once I'm outside, I get a "too many redirects" error. I'm using Cloudflare tunnels, and I've tried disabling any kind of redirect at the CF level with no luck. Each time I remove the redirect in Traefik I seem to break things. Any guidance will be greatly appreciated
I stumbled upon your channel today (started with high availability pihole), and I am amazed by the quality of your videos! It was insta subscribe, and I hope you will continue the excellent work Tim!
@@TechnoTim :D I’ve got big plans to rebuild my truenas server into a virtualization host for my home services (including truenas itself) and i will continue to refer to your videos.
Seriously the best traefik tutorial on all of youtube. Maybe its copy pasting but holy shit week of banging my head reading confusing documentation solved by this
@@TechnoTim Sorry Tim for this long reply , I just wanted to point out the importance of the topic to ensure privacy protection, so do not be tempted by the positives that they decorate for the public, because cloud servers, including cloudflare, can track all users of their platform! And many other negatives... That is why we had to find a private alternative that could not be tracked, even if it was difficult for us to protect it locally. With much thanks and appreciation
Heads up. It looks like in the video you create your traefik config.yml in the traefik directory (traefik/config.yml). But it's supposed to be at traefik/data/config.yml. I got hung up on this for a while. The documentation does show it in the right place, however.
Tim thank you so much for this video and tutorial. I got this up and running for my internal services, and it inspired me to also set up a separate process for the stuff I wanted to take external. Keep it up!
Oh heck yeah!! Thanks Tim! This was just what I needed, like I mentioned last time! The k8s focused rancher ones were great, but I have been running portainer with regular docker containers and hoping for inspiration to add traefik. Had been using Caddy for certs and it's really easy, but Traefik supports SSO with Authelia and Caddy doesn't. Any odds on setting up SSO with Authelia next? Thanks very much, you're the best!!
I think I found my tribe. People outside tech would have left once the CLI part started. Me as a swe would rather stay in cli all day long. Thanks for the vid.
Tim, i think there's a bit of a confusion in commands... there are a bit of "cd .." which you show in video but missing on docs page... also the config.yaml is done in the data folder, not in its parent one, as in video... please share full folders structure for both portainer and traefik, thanks :) oh, and again, you make a data folder inside portainer one, but you refer to the portainer one in docker-compose.yaml instead of data :) edit: adding that the user:password (encoded via htpasswd) generates other errors on the docker-compose up -d command, because some "$" in the password which triggers some variable substitution in while running docker-compose, that should be escaped some way... i fixed by removing the initial and final backtick and converting double back-slashes to single ones oh, and you need just the apache addon package, no need for the apache2 one to just generate password hashes
Nice! I just learn how to config Round Robin and Failover under services in dynamic config file, I will implement this later. With this feature, this thing is even more powerful for home LAB.
He did a video where he set up Let's Encrypt and Traefik on Rancher, about 8 months before this one... I think this is more of a "because we can" video instead of following along the vein of setting up one holistic infrastructure consistent with the other videos. I landed here first, and realized I probably want to follow along with that video instead. It would have been nice for Tim to call that out, though.
Absolutely Brilliant my man. I have containers and servers and more containers and more servers. This is going to help soooo much. I am a 15 year long IT professional and sometimes, just sometimes its nice when someone else does the work....makes a video....uploads config, and takes some of the guesswork out of deploying some stuff. I will be coming back to this video over and over, its the template for how to deploy docker..contaqiners...vm..certs...dns etc. Thank you very very much. Shane.
You can do this if have a dynamic IP address from your ISP. I image most non business location are going to have a dynamic IP address from their ISP. There are several DDNS (Dynamic DNS) options, some free some a paid service. I use Cloudflare DNS, for this. In short you run/host a small utility that checks your current IP address at a set interval to your current DNS record. If it doesn't match then with an API key it updates the DNS record at Cloudflare. I use an inbound VPN, host a PBX, cloud storage, ect. and it just works despite having a dynamic IP address. I set it up in pfSense to handle the DDNS since it is at the head of the network. Not everyone is using pfSense, but there is also docker containers out there that do the same thing.
@Techno Tim Sorry Tim for this long reply , I just wanted to point out the importance of the topic to ensure privacy protection, so do not be tempted by the positives that they decorate for the public, because cloud servers, including cloudflare, can track all users of their platform! And many other negatives... That is why we had to find a private alternative that could not be tracked, even if it was difficult for us to protect it locally. With much thanks and appreciation
Very helpful, thank you! I did notice that it didn't cover sending traffic via docker (these templates do ip:port), so I am diving in to see if I can find anything!
Amazing video … as always! I wish that I had this in my hands before I created my internal network (windows 2022 based) and made it match my public domain
How specifically do you get the wildcard certs from Let's Encrypt as it says in the video description? Overall this tutorial is ok, but after countless hours I still don't have ssl on the local dns domains. I have cloudflare providing ssl for the domains and subdomains, but the local sub-sub-domains have to reasonable way to get dns. Is there more configuration required on the cloudflare side?
Great video, took a about 5 hours to trouble shoot some issues, and when I worked them out felt stupid. For those like me who take a little time (yes a silly pun) to catch on. The txt record error in my case was fixed with adding a 5 minute delay to the letsencrypt request, `delayBeforeCheck: 5` put it after the dnsChallenge provider. Not sure why but I had issues with putting quotes around the ports in the compose file you did not have them, but when looking at Christian Lempa's recent video and compose file he did, once I removed them it fixed one of my issues. :)
Hey Man thanks for all your great efforts in this wonderful channel , yet i would ask you if is it worth to use traeffik or nginix only with port forwarding, or using cloudflare zeroTrust without port forwarding, or use them both.. In order to get optimum security for local network ? Which is the best solution ? Also, im confused if we could trust cloudflare for securing our network?
One thing I've noticed is that the local domain is also exposed to the internet if ports 80 and 443 are forwarded to the traefik container. So even if I have a local DNS to route things locally, I can still access the service from the internet. Is there a to use a single Traefik instance to manage both local SSL and external routing, preventing the local domain from being exposed publically?
Enjoyed the concept of Wildcard Certs, but not Docker. Although I can do Docker on FreeBSD, I'd rather not switch to that now. Can you do a similar video on pfSense and HAproxy or something that runs under pfSense. I'm about half done configuring the HAproxy stuff but trying to work through a cutover plan where downtime is minimized. Since I have port 443 and 80 both in use presently. Tim, you seem like a savvy guy... come to my rescue !
I think I'm getting myself confused on what to put in on the host sections. Is it the domain that I set up internally via pihole or is it the domain through cloud fare? I'm still getting familiar with things to setup my pterodactyl server. 😅 Love your videos by the way!
Quick questions regarding the tutorial. When you mention that you need to create a DMS entry are you referring to local DNS entry in pihole? Also can you show what kind of entries I need to create in cloud flare?
What I don't quiet get - with this setup, I always would have to have at least port 443 exposed to the internet for the reverse proxy to function, correct? Since communication with Clouflare has to take place in order to reach the subdomains. I would be nice to use these subdomains only locally. The other thing I am wondering: I used to use nginx as a reverse proxy and configured ufw to only allow cloudflare IPs and block any other direct IP traffic to my proxy - setting up traefik via docker obviously bypasses ufw completely. How can I set up a similair functionality without using ufw?
Hi, Great content!, thanks!. I was following this and trying to figure this on my end, just starting with the homelab and others. For us the more on the noob side, I am trying to understand how to do this let's encrypt and get certs only for internal use (not exposing anything to the web) ... then perhaps as an addendum what to do to expose some service to the big bad inet.. hoping a good suggestion for a future video to play with this. thanks again for the content
Got everything up and working according to your info but other than Portainer traefik isn't picking up any other containers with the labels applied, I guess I could fall back to the config.yml but that seems unnecessary
I know this is an older video but still great content and I have watched the new version for Traefik 3 as well. But I was curious if you have any nuggets on how to proxy VMware vCenter and the VMRC remote control plugin?
What kinda puts me off about træfik is the way it requires all those labels in each and every containers compose file. Nginx Proxy Manager doesn't need that, which makes it much easier to work with. Unfortunately it's about as stable as a cardhouse so I guess I will have to look into træfik somtime.
I'd be curious to see how you configured your cloudflare DNS settings Edit: To elaborate, I'm slightly confused with how my DNS records should be configured if I want to use both private and public addresses. I currently have an A record pointing to my proxy and then a CNAME with a wildcard pointing to my A record. I can hit my A record fine through the proxy but my subdomains are not getting the SSL certificate.
this guy has made the ability to get multisite SSL certificates as difficult as possible. There are extremely easy ways to do this without this dudes external services that he has some investment in.
Umm, it’s as easy as a few lines of config. Also, if you’ve never heard of CloudFlare, it’s a thing, and powers a lot of the web, and I am not affiliated with them. My name is Tim BTW
Great and really detailed video. I am curious though why you use `docker-compose` on the command line to set up Traefik instead of using the Portainer UI to set it up as a Portainer Stack?
Also, I can't seem to find the repo where you said all your configurations were located. The "...more" link doesn't seem to have a bespoke URL for the repo mentioned in video. Would you mind sharing it?
@TechnoTim Thank you so much for this video and more. I Also tried used this concept after installing the k3s cluster, and traefik, but I cannot get my head around the external router config in k3s. Especially the config for external services not run by the cluster. I cannot get it work. Are you maybe please making a tutorial for these kind of configs as well? Because in the k3s vids, there are no explanations for this (or did I missed it?)
how do i setup the api token? just take the Global API Key or need to create new token, can u guide how to create a token and what to put at the cloudflare? im confuse.
Thanks for the detailed video and blog post. The thing I don't get is how do I need to set my Cloudflare dns entry that it points back to the Traefik. Does it just need to point to the internal ip or do I need to expose the traefik itself?
What are you using to get your certificates?
Internally Active Directory Certificate Services. Externally Let’s Encrypt.
Using Let's Encrpt via HAProxy on my PFSense machine.
Traefic exposed with lets encrypt direct.
In my setup traefic stays untouched and requests the certs based on the service labels from the other containers
LetsEncrypt and apache proxy... both esxi and proxmox works awesome this way.. also Jellyfin and more....
Haproxy runs on my pfsense box and gets let's encrypt certs to all my hostnames.
I was originally soooo frustrated following this tutorial. I went step by step, and took SEVEN hours just to figure out that I had some typos! Thanks @Techno Tim, amazing tutorial. I'm so glad I stuck it out! For anyone else struggling, highly recommend looking over your work even when you copy and paste!
Thank you!!! Nice work!
I got frustrated as well but then I realized that I mistakenly typed a - instead of an = on two lines…Thank you for the great tutorial @TechnoTim!
I know this is an older video, but I just wanted to drop in and say thank you. I really appreciate all you do for the community
Nice! I've been running this setup for a few years as well. With one difference: I configured the file provider to watch a directory of .yml files. (see the watch option and the directory option). This allows me to create a .yml file PER site and the watch option makes it so I don't have to restart the container and take down the proxy.
Did not know about the watch option. Great tip and thanks for sharing.
This is literally my first ever comment in 8 years. I really enjoy your content. You keep it simple, relatable, and most importantly you tied different services together not just one by one in all different videos. You show the end game scenario. Patreon it is brother.
Thank you so much! Glad I helped break the seal! Welcome!
@Inu Yasha you can check on RUclips now. Homeboy only has one comment in 10 years.
@@TechnoTim
Tim, Is there a self hosted alternative for sel hosted tunnel to get rid of cloudflare services and do the cloudflare job like providing ssl certificates, hiding ip and protection from ddos attacks etc..?? All it done by myself?
I heard by something like RPoVP? Does it get the job done or there is another better solution replacing cloudflare and our entire network and ip from external world??
After almost 3 years, this still works like a charm... Save my life... Kudos 👏😎
About to step through this procedure myself. Good to know it still works ha ha.
Just tried this today myself. When my Traefik site comes up its still using the default self-signed cert. Not sure why. I see a cert for my domain in the acme.json, it just doesn't seem to be using it. Not sure how to troubleshoot.
Tim, you are inspirational. I hope this small token of my appreciation keeps you inspired.
Wow!!!! Thank you!!!!!!
The best video on SSL with Portainer and Træfik, period. Thank you so much for your slow and clear approach with excellent quality of video. Keep up the great work Tim! 🐧
Thanks for the great tutorial. After fixing a few of my typos and scratching my head a bunch I got everything to work! Liked and subscribed!
Glad it helped! Thank you!
Just wanted to say thank you, Tim!!! I've been wanting to set up ssl for a few months now but have been intimidated by it all. After learning how to create a ansible playbook to update,upgrade-dist for my VMs last week . I was like I can do this ssl thing so I bought a domain and watched this video like 10 times but I now have my local services all running with ssl thanks to you. All your videos are great and very infomitve. You and the homelab RUclips community is amazing .. thank you again so much
Thanks a lot, you helped me to setup Traefik perfectly.
Thank you so much!!!!
Thanks! Your videos are awesome and are extremely helpful as I start up my own home lab
Great to hear! Thank you so much!!!!!
Half the views came from me watching it over and over.
and me
Thanks, your content rocks!
Glad you like them! Thank you!
I was struggling with setting up a reverse proxy yesterday, today this video pops up in my feed. Great timing! :D
yeah me too
problem?
I've been looking to do that for over a year and a half and scratching my head because it all seemed far too complicated a setup to bother with it all. Until I finally found your video... Damn, that one is very useful and simple to follow... as well as sufficiently detailed to really understand how it works under. Very well done and useful, thanks!
This seems to be a bit more complex then what I am doing directly with PFSense and its HA Proxy and ACME plugins, but I like the nice dashboard that Traefik provides! Thanks Tim for the nice walk through!
How is that setup going?
It does not go over how this intereact with the regular reverse proxy. I have been stucked for weeks. Since my pfsense forward everything to my main traefik.
Automation man!! automation....
I just found your channel and have binged a few videos as I’m right in the process of upgrading my home Proxmox server and home network. I swear you somehow have a video for exactly each thing I was about to do, with detailed instructions and configs (NUT, Proxmox setup, SSL and FQDM for local services, etc etc). These are fantastic jumping off points for my own custom configs and I love that you go into such detail and explain WHY you do things not just a list of steps, as I usually will want a different configuration and am even more interested in the why than the how. Fantastic channel, I hope to see you continue to grow it!
Thank you so much!!! Welcome!!!
I use Nginx proxy manager, but this looks neat. I really need to move to wildcard, my let’s encrypt list is getting a little silly now.
Thanks, Tim for all you do!
I had spent two days trying to figure out how to do this, and I finally got it after carefully going through your video. Thank you so much for helping the community like this, I really appreciate it.
Glad it helped!
Hey Tim, I'm having a hard time. I'm following this tutorial so that I can subsequently follow your pterodactyl tutorial and I think I may be in over my head. For example, @8.40 you say "just make sure you have a DNS entry pointing back to this portainer".
Now, you said that so casually.. but how do I do that? Where do I find this portainers IP? Is it the IP of the server portainer is running on, or do I find that in portainers dashboard? Should I be going further back in your tutorials until I understand the things in this tutorial that do dont fully explain? and if so, where do I start?
Thanks.
I've watched this video twice fully and a few times in part over a period of several months. You've been a teacher for me and I appreciate you.
Love using traefik! It was actually where I started my homelab. A friend showed me traefik and something about it just caught my interest. Started spinning up a bunch of different containers with configs just for the sake of it.
Great video!
I struggled so much with Swag and getting anything running securely. This vid honestly saved my sanity, thank you so much Tim!
Glad it helped!
Hi Tim, great tutorial! I've been running SSL on all my homelabs projects for couple months now without any issues. But recently I had some problems renewing certificate. I found that I had to add 'delayBeforeCheck: 5' in traefik.yml file under dnsChallenge section for cert to renew. I guess Cloudflare has changed something on their end and I needed this line to add a delay for a few seconds otherwise I would always get certificate null error. You may want to add this to your documentation to help others encountering this issue. Banged my head for days until I figure this out. Thanks again for all your great tutorials.
Holy Crap man! You've saved me hours of trial and error! I hope this gets the attention it deserves.
Techno Tim is legit the best. Really motivating and quality IT configuration content
Thank you so much!
Came across this video just today, and I wanted to leave a comment for the algorithm, along with liking and subscribing. Really appreciate you giving away the hours of trial and error that it had to have taken to get these configs dialed in. I also appreciate your clear and straightforward delivery. Great job with this.
Thank you!
I definitely prefer your more advanced videos will you show a whole solution like these. Keep it up!!
Thanks for the video, can i add labels to a stack in another portainer environment (another proxmox host) ? how?
I love the way this skips along the surface of the topic, allowing my brain to see the big picture with just enough anchor points to make it concrete and relatable. I know what a container and a reverse proxy and a DNS server are and how certificates work. I don’t need or want to be distracted by any explanations of those. We need to keep it moving or my buffer will overflow. I can explore sub-topics separately.
You have a perfect style for a top-down learner. Thank you.
Thank you so much!
In a more recent video (I think it was the overview of your whole lab) you mentioned you now have two instances of Traefik, one for external traffic, and the one described in this video.
I spent several days trying to set up a second instance to pass external traffic along, and was never able to get it to work. Would you be willing to do a more in depth tutorial about that setup?
I just use you Pihole DNS setting for local DNS (must use as your main DNS), external use Cloudflare, both of them use the same certificate with different subdomains, It's just that the internal subdomains name can only be used on the internal network because this domain name is not exist on public DNS.
Amazing tutorial. I can't tell you how long I've been annoyed with my homelab services not using SSL or just using the self signed stuff... it's so nice to have these being properly secured now.
Glad it helped!
Hey Tim, this is awesome, I have got everything internally and external, to docker, set up flawlessly. However, I think I might be missing something, as I am a little stuck on how to configure this to allow internet-facing external access.
I have configured the Cloudflare DNS and port forwarded, but I think I am missing some key config on Traefik itself? I would absolutely love it if you could reply (or even make a video!) on how *you* would go about setting up internet facing services through Traefik!
Hi Tim, I'm having the same issues too. I've been able to get everything working while I'm on my local network. Once I'm outside, I get a "too many redirects" error. I'm using Cloudflare tunnels, and I've tried disabling any kind of redirect at the CF level with no luck. Each time I remove the redirect in Traefik I seem to break things. Any guidance will be greatly appreciated
Dude! Nice work! It's not about the complexity, it's about the way you describe and explain something...you nailed both.
Thank you!
thank for this between you and Christian Lempa I was able to get traefik working the way I wanted.
How do you decide whether to use Kubernetes or Docker?
I stumbled upon your channel today (started with high availability pihole), and I am amazed by the quality of your videos! It was insta subscribe, and I hope you will continue the excellent work Tim!
Thank you so much! Welcome!
Absolutely love this channel. Incredible editing and great documentation. Just what I need to rebuild my homelab. :)
Thank you so much!
@@TechnoTim :D I’ve got big plans to rebuild my truenas server into a virtualization host for my home services (including truenas itself) and i will continue to refer to your videos.
Seriously the best traefik tutorial on all of youtube. Maybe its copy pasting but holy shit week of banging my head reading confusing documentation solved by this
Do you have network diagram, it helps some of us understand the flow and config easier.
Great vid as always, well explained. Thanks Tim
I do! ruclips.net/video/Cs8yOmTJNYQ/видео.html
Took me a while to get this working, but now everything is up and running thanks to your guide! TYVM!
Thank's for the video !
What about doing the same thing within and for Rancher ?
If you had a network map or diagram of each step you were configuring; that would help a lot.
Great feedback!
I do now ruclips.net/video/Cs8yOmTJNYQ/видео.html
@@TechnoTim
Sorry Tim for this long reply , I just wanted to point out the importance of the topic to ensure privacy protection, so do not be tempted by the positives that they decorate for the public, because cloud servers, including cloudflare, can track all users of their platform! And many other negatives... That is why we had to find a private alternative that could not be tracked, even if it was difficult for us to protect it locally.
With much thanks and appreciation
Tim! You seem to know what I am working on every time a video comes out. Thank You!!!
Heads up. It looks like in the video you create your traefik config.yml in the traefik directory (traefik/config.yml). But it's supposed to be at traefik/data/config.yml. I got hung up on this for a while. The documentation does show it in the right place, however.
Thanks! Yeah, I noticed after the video. the docs should be right. Thank you and sorry!
Tim thank you so much for this video and tutorial. I got this up and running for my internal services, and it inspired me to also set up a separate process for the stuff I wanted to take external. Keep it up!
Oh heck yeah!! Thanks Tim! This was just what I needed, like I mentioned last time!
The k8s focused rancher ones were great, but I have been running portainer with regular docker containers and hoping for inspiration to add traefik. Had been using Caddy for certs and it's really easy, but Traefik supports SSO with Authelia and Caddy doesn't. Any odds on setting up SSO with Authelia next? Thanks very much, you're the best!!
I think I found my tribe. People outside tech would have left once the CLI part started. Me as a swe would rather stay in cli all day long. Thanks for the vid.
Welcome home
Tim, i think there's a bit of a confusion in commands... there are a bit of "cd .." which you show in video but missing on docs page... also the config.yaml is done in the data folder, not in its parent one, as in video... please share full folders structure for both portainer and traefik, thanks :)
oh, and again, you make a data folder inside portainer one, but you refer to the portainer one in docker-compose.yaml instead of data :)
edit: adding that the user:password (encoded via htpasswd) generates other errors on the docker-compose up -d command, because some "$" in the password which triggers some variable substitution in while running docker-compose, that should be escaped some way... i fixed by removing the initial and final backtick and converting double back-slashes to single ones
oh, and you need just the apache addon package, no need for the apache2 one to just generate password hashes
man, you rock! All working here, after addressed the few problems i reported, thanks a lot!
@@squalazzo Thanks! Docs are open source and have been fixed!
Nice! I just learn how to config Round Robin and Failover under services in dynamic config file, I will implement this later. With this feature, this thing is even more powerful for home LAB.
Great video thx 👍
One question - could this had been done in Rancher ? Why not Rancher if yes, why docker ?
He did a video where he set up Let's Encrypt and Traefik on Rancher, about 8 months before this one... I think this is more of a "because we can" video instead of following along the vein of setting up one holistic infrastructure consistent with the other videos. I landed here first, and realized I probably want to follow along with that video instead. It would have been nice for Tim to call that out, though.
This is literally what I am struggling with right now. I am glad Google tracks my calls for proper advertisement.
first ever RUclipsr to convince me to become a patreon supporter
Thank you so much!
literally the best IT youtuber these days.
Thank you so much!
Absolutely Brilliant my man. I have containers and servers and more containers and more servers. This is going to help soooo much. I am a 15 year long IT professional and sometimes, just sometimes its nice when someone else does the work....makes a video....uploads config, and takes some of the guesswork out of deploying some stuff. I will be coming back to this video over and over, its the template for how to deploy docker..contaqiners...vm..certs...dns etc. Thank you very very much. Shane.
Thanks!
Thank you!!!
You can do this if have a dynamic IP address from your ISP. I image most non business location are going to have a dynamic IP address from their ISP. There are several DDNS (Dynamic DNS) options, some free some a paid service. I use Cloudflare DNS, for this. In short you run/host a small utility that checks your current IP address at a set interval to your current DNS record. If it doesn't match then with an API key it updates the DNS record at Cloudflare. I use an inbound VPN, host a PBX, cloud storage, ect. and it just works despite having a dynamic IP address. I set it up in pfSense to handle the DDNS since it is at the head of the network. Not everyone is using pfSense, but there is also docker containers out there that do the same thing.
How do you literally upload exactly what i've been looking for, one day after i began reading up on it?!?
As always, awesome video!
WHERE WAS THIS VIDEO TEN YEARS AGO?!?!?!!???! Thanks for publishing it, I did more than like and subscribe. I sent links to several friends.
Thank you so much! Referrals from friends helps more than you know! Commenting and liking does too so thank you!
@Techno Tim
Sorry Tim for this long reply , I just wanted to point out the importance of the topic to ensure privacy protection, so do not be tempted by the positives that they decorate for the public, because cloud servers, including cloudflare, can track all users of their platform! And many other negatives... That is why we had to find a private alternative that could not be tracked, even if it was difficult for us to protect it locally.
With much thanks and appreciation
love that i found your channel, learning more here than i did at uni
Very helpful, thank you! I did notice that it didn't cover sending traffic via docker (these templates do ip:port), so I am diving in to see if I can find anything!
Just watched it again a year later..... amazing material, thank you Tim.
Awesome tutorial, been using traefik since 1.0 but this video helped me to understand a few things clearly, thanks for your work!
Thank you very much. I am rebuilding my homelab and I was looking for instructions about certificates. Greatly explained, thanks again!
Amazing video … as always! I wish that I had this in my hands before I created my internal network (windows 2022 based) and made it match my public domain
Worked like a charm. Took me a while to figure out how to connect another DNS provider, but i got it up and running! Thank you very much
Nice work!
Danke!
Thank you!
Congrats for the tutorial! Very helpful. One of the best channels for the Home Lab enthusiasts.
Hello Timothy, thanks for the tutorials. i've followed the documentation. finally it works
How specifically do you get the wildcard certs from Let's Encrypt as it says in the video description? Overall this tutorial is ok, but after countless hours I still don't have ssl on the local dns domains. I have cloudflare providing ssl for the domains and subdomains, but the local sub-sub-domains have to reasonable way to get dns. Is there more configuration required on the cloudflare side?
Huh, RUclips hasn't recommended your last 3 or 4 videos. I had thought "oh he's back" only to find out Ive got some videos to go back and check out.
Subscribe to his channel. You'll see them all ;)
@@yanosjr truth
Great video, took a about 5 hours to trouble shoot some issues, and when I worked them out felt stupid. For those like me who take a little time (yes a silly pun) to catch on. The txt record error in my case was fixed with adding a 5 minute delay to the letsencrypt request, `delayBeforeCheck: 5` put it after the dnsChallenge provider. Not sure why but I had issues with putting quotes around the ports in the compose file you did not have them, but when looking at Christian Lempa's recent video and compose file he did, once I removed them it fixed one of my issues. :)
Thanks
Thank you!
Hey Man thanks for all your great efforts in this wonderful channel , yet i would ask you if is it worth to use traeffik or nginix only with port forwarding, or using cloudflare zeroTrust without port forwarding, or use them both.. In order to get optimum security for local network ?
Which is the best solution ?
Also, im confused if we could trust cloudflare for securing our network?
I didn't knew Jack Sparrow was so technologically savvy.
One thing I've noticed is that the local domain is also exposed to the internet if ports 80 and 443 are forwarded to the traefik container. So even if I have a local DNS to route things locally, I can still access the service from the internet. Is there a to use a single Traefik instance to manage both local SSL and external routing, preventing the local domain from being exposed publically?
Enjoyed the concept of Wildcard Certs, but not Docker. Although I can do Docker on FreeBSD, I'd rather not switch to that now. Can you do a similar video on pfSense and HAproxy or something that runs under pfSense. I'm about half done configuring the HAproxy stuff but trying to work through a cutover plan where downtime is minimized. Since I have port 443 and 80 both in use presently. Tim, you seem like a savvy guy... come to my rescue !
I think I'm getting myself confused on what to put in on the host sections. Is it the domain that I set up internally via pihole or is it the domain through cloud fare? I'm still getting familiar with things to setup my pterodactyl server. 😅 Love your videos by the way!
Quick questions regarding the tutorial. When you mention that you need to create a DMS entry are you referring to local DNS entry in pihole? Also can you show what kind of entries I need to create in cloud flare?
Thanks a ton for this godly work :) I have completed my setup using AWS Route 53 DNS Provider.
It’s been a year but thank you for being an inspiration, you’re awesome 🎉
great job man.. you're videos are always solid !! Greetings from Denmark
Duuuuuuuuude, just got this working now! Thanks for the guide Tim!
NP! Nice work!
Very straightforward and helpful, +1 for this video
What I don't quiet get - with this setup, I always would have to have at least port 443 exposed to the internet for the reverse proxy to function, correct? Since communication with Clouflare has to take place in order to reach the subdomains. I would be nice to use these subdomains only locally.
The other thing I am wondering: I used to use nginx as a reverse proxy and configured ufw to only allow cloudflare IPs and block any other direct IP traffic to my proxy - setting up traefik via docker obviously bypasses ufw completely. How can I set up a similair functionality without using ufw?
Best tutorial on this topic I have seen. Thank you!
You should check out my others 😅. Thank you!
Exactly what I needed man, thank you so much! Really enjoy the videos! Super clear and fun to watch!
Hi, Great content!, thanks!. I was following this and trying to figure this on my end, just starting with the homelab and others. For us the more on the noob side, I am trying to understand how to do this let's encrypt and get certs only for internal use (not exposing anything to the web) ... then perhaps as an addendum what to do to expose some service to the big bad inet.. hoping a good suggestion for a future video to play with this.
thanks again for the content
Got everything up and working according to your info but other than Portainer traefik isn't picking up any other containers with the labels applied, I guess I could fall back to the config.yml but that seems unnecessary
Man you are seriously awesome i am still trying to catch up to all the tutorials you post you are great
I know this is an older video but still great content and I have watched the new version for Traefik 3 as well. But I was curious if you have any nuggets on how to proxy VMware vCenter and the VMRC remote control plugin?
What kinda puts me off about træfik is the way it requires all those labels in each and every containers compose file. Nginx Proxy Manager doesn't need that, which makes it much easier to work with. Unfortunately it's about as stable as a cardhouse so I guess I will have to look into træfik somtime.
I'd be curious to see how you configured your cloudflare DNS settings
Edit: To elaborate, I'm slightly confused with how my DNS records should be configured if I want to use both private and public addresses.
I currently have an A record pointing to my proxy and then a CNAME with a wildcard pointing to my A record. I can hit my A record fine through the proxy but my subdomains are not getting the SSL certificate.
this guy has made the ability to get multisite SSL certificates as difficult as possible. There are extremely easy ways to do this without this dudes external services that he has some investment in.
Umm, it’s as easy as a few lines of config. Also, if you’ve never heard of CloudFlare, it’s a thing, and powers a lot of the web, and I am not affiliated with them. My name is Tim BTW
Great and really detailed video.
I am curious though why you use `docker-compose` on the command line to set up Traefik instead of using the Portainer UI to set it up as a Portainer Stack?
Also, I can't seem to find the repo where you said all your configurations were located. The "...more" link doesn't seem to have a bespoke URL for the repo mentioned in video. Would you mind sharing it?
@TechnoTim Thank you so much for this video and more. I Also tried used this concept after installing the k3s cluster, and traefik, but I cannot get my head around the external router config in k3s. Especially the config for external services not run by the cluster. I cannot get it work. Are you maybe please making a tutorial for these kind of configs as well? Because in the k3s vids, there are no explanations for this (or did I missed it?)
how do i setup the api token? just take the Global API Key or need to create new token, can u guide how to create a token and what to put at the cloudflare? im confuse.
Thanks for the detailed video and blog post. The thing I don't get is how do I need to set my Cloudflare dns entry that it points back to the Traefik. Does it just need to point to the internal ip or do I need to expose the traefik itself?
best tech channel on youtube