Traefik 3 and FREE Wildcard Certificates with Docker

Baby, wake up techno tim uploaded about traefik. It's time to update your homelab

I am a simple man. I see Techno Tim , I watch , I like.

HAHAHA you gotta be kidding me.
I spent the 2 last weeks with your previous video and other resources trying to set up Traefik and the rest of my homelab.
I literally closed the YT video minutes ago as I was finally able to make everything work.
Before going to bed, I decided to check a video from my feed to cool down and what do I see if its not this taunting title XD.
Anyway, I'll watch it later as it may allow me to enhance my fresh configuration. Thanks for that 😊

Fantastic video. Love the section on verifying things were working.

Just finished your traefik series when I saw you posted this, thank you for answering my subconscious prayer 🙏🏼 Keep up the great work!

It's a shame that RUclips only allows for me to like this video once. This was a big upgrade from your last "SSL Everywhere" video. Thanks for taking us on your journey.

I can't fathom how easy you made this process, which I have been unable to do with other tutorials. You're doing great work Tim!

Greatly appreciate the little detail explanations. I’d done the wild card certs before on my home lab, but this is filling in several little knowledge holes in my mind.
Excellent content

this is perfect timing i just rewatched your old traefik video yesterday cuz i’m having some weird connection issues with my traefik server that i setup last year that has been working great for me. i might re-spin up my server with traefik 3 this weekend to see if resolves my issues. thanks tim!

Sweet, I used most of your last Traefik video (never got external access working, but internal worked just fine, and that's all I needed, really)

Everything worked and now I have TLS on all my connections to my services. Thank you Tim

Thanks Tim! finally managed to get Traefik fully working in my homelab, great tutorial as always

Thank you. I've been meaning to do this in my homelab for some time. Now I have everything I need.

compare to the last video of Traefik , i had 0 issue
love how you explain things very easy and in simple way 😍

Had to say this... It's got to be absolutely one the best well rounded , well thought, in depth traefik install walk-throughd I have come accross thus far,.., thanks and well done Tim..

Very comprehensive Tim, well done.

This was fantastic! I was literally looking at how to do this the other day and you've come up trumps yet again. Thank you 😊

Thanks for the demo and info, once again super helpful documentation. Have a great day Techno Tim

Anonymous window in browser is always the good way for testing changes.

Thank you so much for the updated tutorial. Not sure if you got my email about the last one not working but this one works now. Tip for anyone with the certs not loading: just force recreate the container and it should load. I think this happens because the first time the certs are getting created but not read, and the second time it can actually read them.

Tim, you make super great video's, in one word PERFECT!!

Have been running this setup for ages and can recommend it. you can add a star cname in your DNS server so you don't have to add entries every time

Perfect timing! I've been intersted in Traefik and leaving NPM. Thank you Tim!

Great video, Tim!
Proxmox has its own ACME integration, so I personally prefer that way (because traefik is running as a VM on my Proxmox, so I want to prevent a race condition when the VM is down, Proxmox is not available through Traefik
But for anything else - Traefik is great

Thank you Tim, this is what I looking for this is best guide

Great video, thank you Tim! Would you recommend switching to Traefik v3 if already have v2 setup working?

wow....thx man!
I will set this up for sure
🔥🔥🔥

Very useful and nice video bro, THX.

New video about OpenSSL self-signed certificate? Hell yeah

Decided to do the video I heard the request from someone on your timtalks channel the other day 👍

**knows he can create/edit file in one step but prefers two steps** Bravo good sir! So satisfying...

anotther great tutorial. you mention difference in Docker Swarm. I am running a docker swarm in my homelab so would love to be pointed to documentation for that config. Also can I setup 2 certs in Traefik?

Great Video, any plans for a video on how to securely expose to the internet?

Just neat and on point! Congrats! Been following your videos for a while. A couple of questions:
1. How about exposing multiple ports on Traefik?
2. How about exposing multiple external services?
3. Can you do a more deep insight tutorial about internal DNS setup?
All the best!

Thanks for the local only explanation. Every one of these I've seen before expects you to want to directly expose things externally. Yes I want to access from outside, but only after I've connected to WG/OVPN
One question, can this be done without the local subdomain? Would you just need to remove the . local subdomain from the examples provided?

I just updated to v3 config based on your v2 tutorial, Thank you. I also noticed one more change from traefik: IPWhiteList middleware to IPAllowList... maybe deprecate soon?

Great update. Keep them coming

Great Video, Is there a particular reason you deployed this in docker and not kubernetes?

Great video! But afer watching it, I applied the ideas to configure Caddy. Traefik is excellent, but the configuration file is a bit complex and lengthy.

Just moved and am now motivated to unpack the homelab 😎

Hopefully you can do an updated video for this on Kubernetes as well

Thanks for the new v.3 update of your guide. In my case I use duckdns and I have had no problems. I noticed that in your example with ngix you use fewer Middlewares in the App Label (4) compared to the 12 in your previous Trafik 2 tutorial. Is that the new standard configuration for all the applications that I add to Trafik? Thank you very much for your time that you give to your guides

Thank you for the update. Alongside yours, almost all others with Traefik are about the same age. Be a good idea to link to this new tutorial, on the old one from 2021.

your previous video worked great for me, this looks pretty much identical apart from the format of some of files. is it worth switching to traefik 3? like is it a big update?

Great setup to locally access it, but what if I wanted to access some of these services remotely aswell. Can I use and modify the same setup or do I need to make an entire different setup?

Tim, can you do an updated video on installing and setting up TrueNAS Scale 24.04? A lot of things have changed.

Amazing! Very good content.

Thanks for a great video. Any chance you can help those of us who use local CA certs and no lets-encrypt? Just a home lab no external services. I need to be able to run truly isolated with my cluster. Thanks again. Great content.

Awesome video! Actually, the first time that I was able to get traefik working. Quick question though I’m trying to do like you do in your video. I’m able to get the file provider to show on the traffic dashboard but when I go to the Proxima site, it just downloads a file instead of going to the site. Any ideas?

Hi, first off, thank you so much for this tutorial. Nice and easy to follow! That said I am having an issue I hope you can help with.
I'm using a wildcard A record for my addresses through cloudflare and I'm not using PiHole at all. When I try to configure Traefik for workloads outside of docker using your template with my own information I get "Internal Server Error" when trying to load the webpage. Is this because i'm not using PiHole? If so, what do I need to change to fix the error?

will there be a similar update for the Kubernetes version?

Hi how do you use separate instances of traefik to talk to one another like how you had in your home lab? Could you do a tutorial on it? like connecting docker to kubernetest to another kubernetes cluster.

Whats the biggest new thing here, compared to v2? How bad of an idea would it be to just upgrade? At first glance i haven't noticed that at least the important settings changed that much

Do you use traefik for externally accessible services? How do you typically separate those? Different docker hosts?
How do you do the networking since you don't need to modify the internal DNS?

I am so excited about this video ❤

Awesome video, tim

Do you think it's possible to use this stack together with Cloudflare tunnel?

Are able to use this with two instances of pi-hole running on separate machines. Thanks

By the way, you can use secrets for the traefik dashboard basic auth. Instead of .users tag, use the .usersFile tag.
Also, why do you CTRL+O, ENTER in nano instead of just CTRL+S?

I wanted to mess around with swarm a bit more could we get this in a swarm version?
after all we are homelabbing to simulate production environments?

Can you please give me the name or better yet a link to your cool white cabinet (on wheels, with drawers, etc.)?

Failed one more time :) , I can't understand what I am missing. Thank you for your efforts Tim :)

@Tim, I didn't catch why mix traefik and nginx(specific need, or just showing compatibility?), and also, why pihole instead of cnames on cloudflare(is it a cost thing, security thing? or just having pihole already in the mix?)

Is there a good solution for automatic Split-DNS if I don't want to use a "local"-subdomain?
How do you handle services that should be accessible publicly as well as locally?

I don't think the DNS part tells the CA to check those specific DNS servers. That would be a huge security risk. It simply tells traefik to use those DNS to verify that the TXT records are indeed visible globally before saying the CA to proceed with the next step (ACME protocol). What public DNS the CA queries from is not publicly documented

Hello can you pleas do explanation of how to put custom certificate.

I would love to see a video covering the pros and cons of Traefik 3 vs caddy-proxy-manager vs nginx proxy manager.
I thought Caddy was going to be the bees knees so I went that route for my homeserver.
Pros: the label sections in the docker-compose.yml is self contained and no need for open ports on the host, and you can use any caddy directives you want.
Cons: You have to have the the docker-compose.yml files have a default external network.
For work I have had to use nginx proxy manager (npm).
Pros: All done in a gui, all the configs are centralized in npm. It is easy to setup certs for containers available on the local network by using a duckdns with an IP set to your private netowork and you do not have to have an external network setup.
Cons: You have to have open ports to all the services on the host.

Any reason to use this over nginx proxy manager?

Hi Tim, thanks for the update on Traefik. I followed your first tutorial on Traefik and based on that I set it up and it's worked great for over 2 years now. In that old configuration, you worked with a config.yml file and in that file, you can define all your services based on their IP address and port number. If I want to use this new Traefik 3.X configuration with labels but from what I understand, I can only do so if the services are on the same docker host as Traefik right? If they are on another docker host I must use the configuration file. Is that correct?

I followed your last video and it was awesome thank you for that! If i may ask how would you make this setup high available? One of the issues I found on my setup is in: imagine that you have this in 1 Node and it serves as a front end for 2 or 3 nodes in your proxmox infrastructure.. if Node 1 goes down then .. yeah. Any plans to make a follow up video with High availability?

Any recommendations to troubleshoot when the cert is from traefik and not from let's encrypt.

wow great video, followed the guide I have treafik setup and certificate working great. But I cant get an external server outside docker to get proxied. My config.yml file has the correct server IP. but when I wget fom inside the Treakif container it resolved the traefik host IP and not the external server IP. Seems it is not using the routers rule.

Hi Tim, the combination of a sub-domain with cloudflare doesn't work for me because cloudflare doesn't support sub-domain wildcard certificates. I have to use my domain directly. Thanks for the cool content. Would be interesting when you add authelia to this content for better privacy and security, too.

Thanks for this, very informative!
At 11:07 you say "we need to create a docker network called proxy", but I couldn't see where it's done... Anything special about it? Which driver does it use?

Interesting tutorial! I think it'll really help some people in setting Traefik up, which at first use, can be a bit daunting.
However, Traefik now officially supports HTTP3, so I think you should open both ports 443 tcp as well as udp in your compose file.
Make sure to update your firewall settings / port forwards as well.
- 80:80
- 443:443/tcp
- 443:443/udp
Also, one of the strengths of Traefik is that after adding the "config" volume once, you shouldn't have to run "docker compose up" when changing config.yaml.
Lastly, I personally like to also use logs, so choose to add this volume as well: "- /opt/traefik/logs:/logs:rw" and try to name compose files "compose.yml", as it saves a few keystrokes.

Whats a good alternative DNS server? Looking for something different then pi hole.

would this work if I am using tailscale internally so I can use cloudflare to point to my tailscale IP's then set local network DNS to use actual local IP's instead so I don't have to use remote services?

I'm confused, what is significantly different between 2.x and 3?

Awesome! Any recommended specs for the docker host (docker01)?

So you added Pihole just for the GUI?
Why not use tags to pass info to Traefik from any running docker image and let it manage the DNS?

In the traefik.yml file can you point the resolver to unbound (recursive dns in a local docker container)?

Are the dashboard credential optional?

Uugh my traefik is causing so much problems when i try to deploy my react app.. so many different header settings that cause weird behavior with no freaking error output 😵

Great tutorial Tim, As Always. I follow it to the letter but access traefik console I got the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. I tried several solutions, different browsers (use to use brave) but it only work wit safari. Any hint anyone?

What does traefik bring for a long time Nginx user, i want to try this but i'm not sure what im getting in return other than a pretty UI.

@TechnoTim What do you need to change about the config.yml file inorder to add multiple sites? Thanks!

says video notes are unavailable, but love your work! Keep it up

Minor opportunity at 12:22- I always get bogged down setting permissions for family samba shares, docker user, etc. Take a minute to talk through the chmod operation

Made a record in config.yml for pihole itself, but on accessing it through domain name it gives "Bad Gateway" error. Is it possible to set up pihole for HTTPS?

As mentioned before, i followed this video and everything works fine! but i wanted to go further and installed Authentik to securely login on portainer with Oauth.
I'am not able to get this working, been trying for more than a week now, but i can't find what is going wrong.
On another VM i installed Portainer and Authenik and Oauth works fine.
Can you please make a video on how to to this with Traefik / Portainer / Authentik

i was considering moving to traefik for ages, but everytime I look into that it seems so overwhelming its not worth the effort. SWAG works for me like a breeze, does everything I want from it and the setup is like 10% of this.

I keep getting a Let’s Encrypt error 400. Do I need to have any dns records on cloudflare resolved? They currently aren’t any associated with my domain name I’m using for traefik. Thx!

Would one need the .local. Subdomain added in there or would it also work without?

whats different in this tutorial if i dont use cloudflare since I use DuckDNS?

Took me long nights to get traefik2 going how I wanted it - why change a running system

Hey Tim, there is error on your blog on traefik config - you create *.yml file but edit *.yaml - if someone would copy-pase it into CLI they would have problems :D Anyway, working on setting it up right now.

Someone else had the issue of not being able to log in to the traefik dash? i get prompted but dont get trough.

Should we you docker compose instead of docker-compose? The version at the beginning would be unnecesary then

Legend

I have created some automation scripts based on your tutorial to make the entire process (almost) 1-step. Stupid RUclips keeps deleting my comments even though there's no links or no anything at all harmful, and it's 100% related to your video.