Put Wildcard Certificates and SSL on EVERYTHING - Traefik + Portainer Tutorial
HTML-код
- Опубликовано: 15 июл 2024
- Today, we're going to use SSL for everything. No more self-sign certs. No more http. No more hosting things on odd ports. We're going all in with SSL for our internal services and our external services too. We going to set up a reverse proxy using Traefik, Portainer, and use that to get wildcard certificates from Let's Encrypt. Join me and let's secure all the things.
Video Notes: technotim.live/posts/traefik-...
Support me on Patreon: / technotim
Sponsor me on GitHub: github.com/sponsors/timothyst...
Subscribe on Twitch: / technotim
Become a RUclips member: / @technotim
Merch Shop 🛍️: l.technotim.live/shop
Gear Recommendations: l.technotim.live/gear
Get Help in Our Discord Community: l.technotim.live/discord
2nd channel: / @technotimtalks
(Affiliate links may be included in this description. I may receive a small commission at no cost to you.)
00:00 - What are we doing today?
01:03 - What do we need?
02:51 - What is Traefik?
03:51 - Setting up Traefik
04:27 - Traefik configuration
06:18 - Traefik with Docker Compose
07:00 - Traefik Docker Compose File with Wildcards
10:46 - Spinning Up Traefik
12:09 - Traefik Dashboard
12:34 - We have Wildcards!
13:01 - Portainer Docker Compose
15:19 - Spinning up Portainer
15:41 - Portainer in Traefik Dashboard
15:58 - Portainer now has SSL
16:39 - Proxy Through Traefik to External Services (Proxmox)'
17:34 - Traefik Routes Config
21:38 - Apply Traefik Route Config
22:26 - See Our New External Route
22:45 - SSL for Proxmox with Traefik Reverse proxy
23:41 - Hosting all of your Homelab Services with SSL
23:59 - Which Reverse Proxy Are You Running?
24:11 - Stream Highlight - "I built my server, not sure where to go from here..."
#Traefik #Portainer #Homelab
"Sun Run" is from Harris Heller's album Breaker.
l.technotim.live/sb-music-lic...
Thank you for watching! 
Наука
What are you using to get your certificates?
Internally Active Directory Certificate Services. Externally Let’s Encrypt.
Using Let's Encrpt via HAProxy on my PFSense machine.
Traefic exposed with lets encrypt direct.
In my setup traefic stays untouched and requests the certs based on the service labels from the other containers
LetsEncrypt and apache proxy... both esxi and proxmox works awesome this way.. also Jellyfin and more....
Haproxy runs on my pfsense box and gets let's encrypt certs to all my hostnames.
Half the views came from me watching it over and over.
😅
I was originally soooo frustrated following this tutorial. I went step by step, and took SEVEN hours just to figure out that I had some typos! Thanks @Techno Tim, amazing tutorial. I'm so glad I stuck it out! For anyone else struggling, highly recommend looking over your work even when you copy and paste!
Thank you!!! Nice work!
I got frustrated as well but then I realized that I mistakenly typed a - instead of an = on two lines…Thank you for the great tutorial @TechnoTim!
I know this is an older video, but I just wanted to drop in and say thank you. I really appreciate all you do for the community
The best video on SSL with Portainer and Træfik, period. Thank you so much for your slow and clear approach with excellent quality of video. Keep up the great work Tim! 🐧
This is literally my first ever comment in 8 years. I really enjoy your content. You keep it simple, relatable, and most importantly you tied different services together not just one by one in all different videos. You show the end game scenario. Patreon it is brother.
Thank you so much! Glad I helped break the seal! Welcome!
@Inu Yasha you can check on RUclips now. Homeboy only has one comment in 10 years.
@@TechnoTim
Tim, Is there a self hosted alternative for sel hosted tunnel to get rid of cloudflare services and do the cloudflare job like providing ssl certificates, hiding ip and protection from ddos attacks etc..?? All it done by myself?
I heard by something like RPoVP? Does it get the job done or there is another better solution replacing cloudflare and our entire network and ip from external world??
I just found your channel and have binged a few videos as I’m right in the process of upgrading my home Proxmox server and home network. I swear you somehow have a video for exactly each thing I was about to do, with detailed instructions and configs (NUT, Proxmox setup, SSL and FQDM for local services, etc etc). These are fantastic jumping off points for my own custom configs and I love that you go into such detail and explain WHY you do things not just a list of steps, as I usually will want a different configuration and am even more interested in the why than the how. Fantastic channel, I hope to see you continue to grow it!
Thank you so much!!! Welcome!!!
Came across this video just today, and I wanted to leave a comment for the algorithm, along with liking and subscribing. Really appreciate you giving away the hours of trial and error that it had to have taken to get these configs dialed in. I also appreciate your clear and straightforward delivery. Great job with this.
Thank you!
Just wanted to say thank you, Tim!!! I've been wanting to set up ssl for a few months now but have been intimidated by it all. After learning how to create a ansible playbook to update,upgrade-dist for my VMs last week . I was like I can do this ssl thing so I bought a domain and watched this video like 10 times but I now have my local services all running with ssl thanks to you. All your videos are great and very infomitve. You and the homelab RUclips community is amazing .. thank you again so much
After almost 3 years, this still works like a charm... Save my life... Kudos 👏😎
About to step through this procedure myself. Good to know it still works ha ha.
Just tried this today myself. When my Traefik site comes up its still using the default self-signed cert. Not sure why. I see a cert for my domain in the acme.json, it just doesn't seem to be using it. Not sure how to troubleshoot.
I've watched this video twice fully and a few times in part over a period of several months. You've been a teacher for me and I appreciate you.
I've been looking to do that for over a year and a half and scratching my head because it all seemed far too complicated a setup to bother with it all. Until I finally found your video... Damn, that one is very useful and simple to follow... as well as sufficiently detailed to really understand how it works under. Very well done and useful, thanks!
Nice! I've been running this setup for a few years as well. With one difference: I configured the file provider to watch a directory of .yml files. (see the watch option and the directory option). This allows me to create a .yml file PER site and the watch option makes it so I don't have to restart the container and take down the proxy.
Did not know about the watch option. Great tip and thanks for sharing.
Hi Tim, great tutorial! I've been running SSL on all my homelabs projects for couple months now without any issues. But recently I had some problems renewing certificate. I found that I had to add 'delayBeforeCheck: 5' in traefik.yml file under dnsChallenge section for cert to renew. I guess Cloudflare has changed something on their end and I needed this line to add a delay for a few seconds otherwise I would always get certificate null error. You may want to add this to your documentation to help others encountering this issue. Banged my head for days until I figure this out. Thanks again for all your great tutorials.
Holy Crap man! You've saved me hours of trial and error! I hope this gets the attention it deserves.
I use Nginx proxy manager, but this looks neat. I really need to move to wildcard, my let’s encrypt list is getting a little silly now.
Thanks, Tim for all you do!
Amazing tutorial. I can't tell you how long I've been annoyed with my homelab services not using SSL or just using the self signed stuff... it's so nice to have these being properly secured now.
Glad it helped!
I had spent two days trying to figure out how to do this, and I finally got it after carefully going through your video. Thank you so much for helping the community like this, I really appreciate it.
Glad it helped!
This seems to be a bit more complex then what I am doing directly with PFSense and its HA Proxy and ACME plugins, but I like the nice dashboard that Traefik provides! Thanks Tim for the nice walk through!
How is that setup going?
It does not go over how this intereact with the regular reverse proxy. I have been stucked for weeks. Since my pfsense forward everything to my main traefik.
Automation man!! automation....
Love using traefik! It was actually where I started my homelab. A friend showed me traefik and something about it just caught my interest. Started spinning up a bunch of different containers with configs just for the sake of it.
Great video!
Dude! Nice work! It's not about the complexity, it's about the way you describe and explain something...you nailed both.
Thank you!
I stumbled upon your channel today (started with high availability pihole), and I am amazed by the quality of your videos! It was insta subscribe, and I hope you will continue the excellent work Tim!
Thank you so much! Welcome!
I was struggling with setting up a reverse proxy yesterday, today this video pops up in my feed. Great timing! :D
yeah me too
problem?
Absolutely love this channel. Incredible editing and great documentation. Just what I need to rebuild my homelab. :)
Thank you so much!
@@TechnoTim :D I’ve got big plans to rebuild my truenas server into a virtualization host for my home services (including truenas itself) and i will continue to refer to your videos.
Tim thank you so much for this video and tutorial. I got this up and running for my internal services, and it inspired me to also set up a separate process for the stuff I wanted to take external. Keep it up!
Awesome tutorial, been using traefik since 1.0 but this video helped me to understand a few things clearly, thanks for your work!
Oh heck yeah!! Thanks Tim! This was just what I needed, like I mentioned last time!
The k8s focused rancher ones were great, but I have been running portainer with regular docker containers and hoping for inspiration to add traefik. Had been using Caddy for certs and it's really easy, but Traefik supports SSO with Authelia and Caddy doesn't. Any odds on setting up SSO with Authelia next? Thanks very much, you're the best!!
I definitely prefer your more advanced videos will you show a whole solution like these. Keep it up!!
Exactly what I needed man, thank you so much! Really enjoy the videos! Super clear and fun to watch!
I struggled so much with Swag and getting anything running securely. This vid honestly saved my sanity, thank you so much Tim!
Glad it helped!
Techno Tim is legit the best. Really motivating and quality IT configuration content
Thank you so much!
Hey Tim, I'm having a hard time. I'm following this tutorial so that I can subsequently follow your pterodactyl tutorial and I think I may be in over my head. For example, @8.40 you say "just make sure you have a DNS entry pointing back to this portainer".
Now, you said that so casually.. but how do I do that? Where do I find this portainers IP? Is it the IP of the server portainer is running on, or do I find that in portainers dashboard? Should I be going further back in your tutorials until I understand the things in this tutorial that do dont fully explain? and if so, where do I start?
Thanks.
love that i found your channel, learning more here than i did at uni
How do you literally upload exactly what i've been looking for, one day after i began reading up on it?!?
As always, awesome video!
In a more recent video (I think it was the overview of your whole lab) you mentioned you now have two instances of Traefik, one for external traffic, and the one described in this video.
I spent several days trying to set up a second instance to pass external traffic along, and was never able to get it to work. Would you be willing to do a more in depth tutorial about that setup?
I just use you Pihole DNS setting for local DNS (must use as your main DNS), external use Cloudflare, both of them use the same certificate with different subdomains, It's just that the internal subdomains name can only be used on the internal network because this domain name is not exist on public DNS.
Thank's for the video !
What about doing the same thing within and for Rancher ?
Tim! You seem to know what I am working on every time a video comes out. Thank You!!!
Thank you very much. I am rebuilding my homelab and I was looking for instructions about certificates. Greatly explained, thanks again!
How do you decide whether to use Kubernetes or Docker?
Do you have network diagram, it helps some of us understand the flow and config easier.
Great vid as always, well explained. Thanks Tim
I do! ruclips.net/video/Cs8yOmTJNYQ/видео.html
Thanks for the great tutorial. After fixing a few of my typos and scratching my head a bunch I got everything to work! Liked and subscribed!
Glad it helped! Thank you!
Congrats for the tutorial! Very helpful. One of the best channels for the Home Lab enthusiasts.
Thanks for the video, can i add labels to a stack in another portainer environment (another proxmox host) ? how?
Hey Tim, this is awesome, I have got everything internally and external, to docker, set up flawlessly. However, I think I might be missing something, as I am a little stuck on how to configure this to allow internet-facing external access.
I have configured the Cloudflare DNS and port forwarded, but I think I am missing some key config on Traefik itself? I would absolutely love it if you could reply (or even make a video!) on how *you* would go about setting up internet facing services through Traefik!
Hi Tim, I'm having the same issues too. I've been able to get everything working while I'm on my local network. Once I'm outside, I get a "too many redirects" error. I'm using Cloudflare tunnels, and I've tried disabling any kind of redirect at the CF level with no luck. Each time I remove the redirect in Traefik I seem to break things. Any guidance will be greatly appreciated
Worked like a charm. Took me a while to figure out how to connect another DNS provider, but i got it up and running! Thank you very much
Nice work!
great job man.. you're videos are always solid !! Greetings from Denmark
If you had a network map or diagram of each step you were configuring; that would help a lot.
Great feedback!
I do now ruclips.net/video/Cs8yOmTJNYQ/видео.html
@@TechnoTim
Sorry Tim for this long reply , I just wanted to point out the importance of the topic to ensure privacy protection, so do not be tempted by the positives that they decorate for the public, because cloud servers, including cloudflare, can track all users of their platform! And many other negatives... That is why we had to find a private alternative that could not be tracked, even if it was difficult for us to protect it locally.
With much thanks and appreciation
Heads up. It looks like in the video you create your traefik config.yml in the traefik directory (traefik/config.yml). But it's supposed to be at traefik/data/config.yml. I got hung up on this for a while. The documentation does show it in the right place, however.
Thanks! Yeah, I noticed after the video. the docs should be right. Thank you and sorry!
You're a legend, this is a great match for my setup. Thanks for your research and hard work, saved me some time.
Tim, i think there's a bit of a confusion in commands... there are a bit of "cd .." which you show in video but missing on docs page... also the config.yaml is done in the data folder, not in its parent one, as in video... please share full folders structure for both portainer and traefik, thanks :)
oh, and again, you make a data folder inside portainer one, but you refer to the portainer one in docker-compose.yaml instead of data :)
edit: adding that the user:password (encoded via htpasswd) generates other errors on the docker-compose up -d command, because some "$" in the password which triggers some variable substitution in while running docker-compose, that should be escaped some way... i fixed by removing the initial and final backtick and converting double back-slashes to single ones
oh, and you need just the apache addon package, no need for the apache2 one to just generate password hashes
man, you rock! All working here, after addressed the few problems i reported, thanks a lot!
@@squalazzo Thanks! Docs are open source and have been fixed!
Hello Timothy, thanks for the tutorials. i've followed the documentation. finally it works
Man you are seriously awesome i am still trying to catch up to all the tutorials you post you are great
Great video thx 👍
One question - could this had been done in Rancher ? Why not Rancher if yes, why docker ?
He did a video where he set up Let's Encrypt and Traefik on Rancher, about 8 months before this one... I think this is more of a "because we can" video instead of following along the vein of setting up one holistic infrastructure consistent with the other videos. I landed here first, and realized I probably want to follow along with that video instead. It would have been nice for Tim to call that out, though.
brilliant, amazing work. affordable and very valuable. Tim, you are a great man.
It’s been a year but thank you for being an inspiration, you’re awesome 🎉
Took me a while to get this working, but now everything is up and running thanks to your guide! TYVM!
Thanks a ton for this godly work :) I have completed my setup using AWS Route 53 DNS Provider.
thank for this between you and Christian Lempa I was able to get traefik working the way I wanted.
Duuuuuuuuude, just got this working now! Thanks for the guide Tim!
NP! Nice work!
simple
straight to the point! i am subscribing!
Interesting approach. I was using a domain for my home network but had to issue Lets Encrypt certs for each service I wanted to host on the network. I will need to give this a go. Thanks for the great tutorial (once again!)
Thank you so much sir. I just have so many prerequisite skills that I need to learn to fully understand the concept.
Just watched it again a year later..... amazing material, thank you Tim.
This is an amazing video walkthrough. You are very good at educating and explaining things. Thank you.
Glad you enjoyed it!
You are awesome man!! TXH for sharing your nice stuff!
Tim, you are inspirational. I hope this small token of my appreciation keeps you inspired.
Wow!!!! Thank you!!!!!!
I literally need to rewatch this, thanks TT
This is gold! Thank you for sharing, Tim! 👍🏅
This is exactly what I needed! THANK YOU!!!!
We need more people you! Absolutely great explanations and content!
Thank you so much!
Best tutorial on this topic I have seen. Thank you!
You should check out my others 😅. Thank you!
Nice! I just learn how to config Round Robin and Failover under services in dynamic config file, I will implement this later. With this feature, this thing is even more powerful for home LAB.
Hi Tim,super useful as Always..thank you!!!greetings from Italy.
I patiently followed your guide, and now everything on my homelab is using wildcard certificate from my domain name
thank you, you are my inspiration for building self hosting app
Thanks! Your videos are awesome and are extremely helpful as I start up my own home lab
Great to hear! Thank you so much!!!!!
THANK YOU SO MUCH! it took so long to try to set it up but it worked. THANKS!
Congrats! It’s a great feeling isn’t it???
Congrats on almost 50k subscribers 👏🏼
Almost there!!!
Seriously the best traefik tutorial on all of youtube. Maybe its copy pasting but holy shit week of banging my head reading confusing documentation solved by this
Very informative video. Thanks to you I finally got this working!
you are a star ! only for the config file you came up with .. I mean it took me 1 whole afternoon to set this up but I finally got the certs and all the subdomains i point to are TLS !
Nice work! Thanks for letting me know!!
Great video! Reverse proxy has always been a pain for me. Would love to see your take on scripting things like toolset installs or container initializations.
thanks for the great content man! you really know your stuff!
Thanks a lot, you helped me to setup Traefik perfectly.
Thank you so much!!!!
Very straightforward and helpful, +1 for this video
i love how you explain things, thank you for that
My pleasure!
I've been using NGINX for about 2 years to setup reverse proxy at home. This method seems ALOT easier in comparison to managing a long .conf file or multiple .conf files for subdomains. I'm gonna have to look into setting this up when I have a long weekend free
Great video, took a about 5 hours to trouble shoot some issues, and when I worked them out felt stupid. For those like me who take a little time (yes a silly pun) to catch on. The txt record error in my case was fixed with adding a 5 minute delay to the letsencrypt request, `delayBeforeCheck: 5` put it after the dnsChallenge provider. Not sure why but I had issues with putting quotes around the ports in the compose file you did not have them, but when looking at Christian Lempa's recent video and compose file he did, once I removed them it fixed one of my issues. :)
WHERE WAS THIS VIDEO TEN YEARS AGO?!?!?!!???! Thanks for publishing it, I did more than like and subscribe. I sent links to several friends.
Thank you so much! Referrals from friends helps more than you know! Commenting and liking does too so thank you!
Thank you for your videos. I use videos like this to learn and I appreciate it so much.
Happy to hear that!
Thanks for great tutorial. Today i finished this and get ssl every container.
What an amazing video. Thank you!
You can do this if have a dynamic IP address from your ISP. I image most non business location are going to have a dynamic IP address from their ISP. There are several DDNS (Dynamic DNS) options, some free some a paid service. I use Cloudflare DNS, for this. In short you run/host a small utility that checks your current IP address at a set interval to your current DNS record. If it doesn't match then with an API key it updates the DNS record at Cloudflare. I use an inbound VPN, host a PBX, cloud storage, ect. and it just works despite having a dynamic IP address. I set it up in pfSense to handle the DDNS since it is at the head of the network. Not everyone is using pfSense, but there is also docker containers out there that do the same thing.
Very helpful, thank you! I did notice that it didn't cover sending traffic via docker (these templates do ip:port), so I am diving in to see if I can find anything!
coming back to this now for the third time, always a pleasure. the traefik documentation for the traefik.yml is really hard to read. implementing on my homelab this week (y)
Tim, I've followed your guides to setup Traefik and love it! I had an issue today where my server stopped and so I couldn't access some of the internally hosted vm's by their fqdn. Can you please do a video on setting up Traefik in HA?
I've been watching your older videos because they seem to always be relevant LMAO, but really good stuff
Recently been testing out on containerizing/dockerizing my home lab/server utilities that were originally installed on host system
What are your thoughts, do you think it's better to install on host system? Or to install via docker(-compose)?
Love these videos on ensuring that SSL is used ubiquitously across services. Is there any chance you can create the same but with NPM as Traefik is a bit of a pain to manage if there's a large count of dunning containers.
Absolutely Brilliant my man. I have containers and servers and more containers and more servers. This is going to help soooo much. I am a 15 year long IT professional and sometimes, just sometimes its nice when someone else does the work....makes a video....uploads config, and takes some of the guesswork out of deploying some stuff. I will be coming back to this video over and over, its the template for how to deploy docker..contaqiners...vm..certs...dns etc. Thank you very very much. Shane.
Awesome tutorial. You can also get a home firewall like Sophos home which is free and it will act like a proxy and keep your network secure. I trust this much more as it is a security appliance and keeps your data safe.
Thanks for the tip!
Thanks so much for the walkthrough, really straightforwards to follow, even for someone newer to self-hosting and linux.
I noticed at 5:17 you suggest binding to the docker socket; I've read on various other Traefik/docker guides that this can be a security liability. Have you ever tried addressing this? I noticed that /var/run/docker.sock was set as read-only in the docker-compose, but I heard this doesn't really get around the security issues.
This is literally what I am struggling with right now. I am glad Google tracks my calls for proper advertisement.