Traefik 3 and FREE Wildcard Certificates with Docker
- Published: 28 May 2024
- Save 20% on UptimeRobot today! l.technotim.live/uptime-robot...
In today's Traefik tutorial we'll get FREE Wildcard certificates to use in our HomeLab and with all of our internal self-hosted services. We're going to set up Traefik 3 in Docker and get Let's Encrypt certificates using Cloudflare as our DNS Provider (we'll cover how to set up others too). Then we'll configure local DNS using PiHole (or any other local DNS) to route to our services that are now protected with secure certificates!
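The two files that setup boils down to, as an added example (not the video's own notes or Traefik's shipped configuration): a Traefik 3 static configuration that requests one wildcard certificate through the Cloudflare DNS-01 challenge, and a compose file that passes the Cloudflare token and the dashboard password in as Docker secrets instead of environment variables. The domain `local.example.com`, the e-mail address, the `./secrets/` paths and the host name `traefik.local.example.com` are placeholders to replace with your own.

```yaml
# File 1: traefik.yml (static configuration, mounted read-only into the container)
api:
  dashboard: true            # reachable only through the basicauth router defined in compose labels
entryPoints:
  web:
    address: ":80"
    http:
      redirections:          # never serve plaintext; bounce every request to HTTPS
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false  # opt-in per container with traefik.enable=true
  file:
    filename: /config.yml    # routers/services for workloads running outside Docker
    watch: true              # edits are picked up without restarting the container
certificatesResolvers:
  cloudflare:
    acme:
      email: admin@example.com          # placeholder
      storage: /acme.json               # persisted on the host; keep it mode 600, it holds the private key
      # Staging CA while testing (high rate limits, untrusted chain). Remove this line for production certs.
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        resolvers:                      # nameservers Traefik polls to see the _acme-challenge TXT record
          - "1.1.1.1:53"
          - "1.0.0.1:53"
---
# File 2: compose.yml
secrets:
  cf_dns_api_token:
    file: ./secrets/cf_dns_api_token.txt        # token scoped to Zone:DNS:Edit on this one zone only
  traefik_dashboard_auth:
    file: ./secrets/traefik_dashboard_auth.txt  # one htpasswd line, e.g. output of: htpasswd -nB admin
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      # lego (Traefik's ACME client) accepts the _FILE variant, so the token never sits in `docker inspect`
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
    secrets:
      - cf_dns_api_token
      - traefik_dashboard_auth
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # read-only mount, but the socket is still root-equivalent on the host
      - ./traefik.yml:/traefik.yml:ro
      - ./config.yml:/config.yml:ro
      - ./acme.json:/acme.json:rw
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.local.example.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      # One wildcard certificate covering every internal host name under local.example.com
      - "traefik.http.routers.traefik.tls.domains[0].main=local.example.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.local.example.com"
      - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/run/secrets/traefik_dashboard_auth"
networks:
  proxy:
    external: true   # created once beforehand with: docker network create proxy
```

Two things to check before the first `docker compose up`: `acme.json` must already exist on the host as an empty file with mode 600 (if it does not exist, Docker creates a directory at that path and Traefik cannot store the certificate), and the Cloudflare token should be limited to DNS edit rights on the single zone, because whoever reads that secret can mint certificates for anything under the zone. The `resolvers` list only controls which nameservers Traefik queries to confirm the TXT record has propagated before telling the CA to validate; Let's Encrypt performs its own lookups from its own vantage points. Keep the staging `caServer` until the dashboard shows a certificate, then drop the line, delete `acme.json` (the staging cert is cached there) and recreate the container to obtain a production certificate.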
Thanks to UptimeRobot for sponsoring today's video!
Video Notes: technotim.live/posts/traefik-...
Support me on Patreon: / technotim
Sponsor me on GitHub: github.com/sponsors/timothyst...
Subscribe on Twitch: / technotim
Become a RUclips member: / @technotim
Merch Shop 🛍️: l.technotim.live/shop
Gear Recommendations: l.technotim.live/gear
Get Help in Our Discord Community: l.technotim.live/discord
Tinkers channel: / @technotimtinkers
(Affiliate links may be included in this description. I may receive a small commission at no cost to you.)
00:00 - Getting Wildcard Certificates with Traefik
00:54 - Monitoring with UptimeRobot (sponsor)
02:12 - Requirements
03:02 - Diagram for Visual Learners
04:11 - Traefik Docker Compose
06:12 - Docker Secrets Rant
07:30 - Explaining Traefik Compose
10:45 - Docker Container Tasks
14:59 - DNS Resolvers
16:07 - Creating Secrets
16:57 - Cloudflare API Token
19:21 - Docker Network
19:36 - Basic Auth Credentials for Traefik Dashboard
21:50 - Starting the Traefik Container
22:44 - Troubleshooting
25:17 - Traefik Dashboard Local DNS
27:03 - Viewing the Traefik Dashboard
27:57 - Getting Production Certificates from Let's Encrypt
31:08 - Creating a New Workload with Certificates
35:03 - Using Traefik for Workloads Running Outside of Docker
39:11 - Networking Considerations
Thank you for watching! - Science
Baby, wake up techno tim uploaded about traefik. It's time to update your homelab
I felt this so hard 🤣🤣🤣🤣
I am a simple man. I see Techno Tim , I watch , I like.
I share
I simp
HAHAHA you gotta be kidding me.
I spent the last 2 weeks with your previous video and other resources trying to set up Traefik and the rest of my homelab.
I literally closed the YT video minutes ago as I was finally able to make everything work.
Before going to bed, I decided to check a video from my feed to cool down and what do I see if it's not this taunting title XD.
Anyway, I'll watch it later as it may allow me to enhance my fresh configuration. Thanks for that 😊
Fantastic video. Love the section on verifying things were working.
Just finished your traefik series when I saw you posted this, thank you for answering my subconscious prayer 🙏🏼 Keep up the great work!
It's a shame that RUclips only allows for me to like this video once. This was a big upgrade from your last "SSL Everywhere" video. Thanks for taking us on your journey.
I can't fathom how easy you made this process, which I have been unable to do with other tutorials. You're doing great work Tim!
Greatly appreciate the little detail explanations. I’d done the wild card certs before on my home lab, but this is filling in several little knowledge holes in my mind.
Excellent content
This is perfect timing. I just rewatched your old Traefik video yesterday because I'm having some weird connection issues with my Traefik server that I set up last year and that has been working great for me. I might re-spin up my server with Traefik 3 this weekend to see if it resolves my issues. Thanks Tim!
Sweet, I used most of your last Traefik video (never got external access working, but internal worked just fine, and that's all I needed, really)
Everything worked and now I have TLS on all my connections to my services. Thank you Tim
Thanks Tim! finally managed to get Traefik fully working in my homelab, great tutorial as always
Thank you. I've been meaning to do this in my homelab for some time. Now I have everything I need.
Compared to the last Traefik video, I had 0 issues.
love how you explain things very easy and in simple way 😍
Had to say this... It's got to be absolutely one of the best well-rounded, well-thought-out, in-depth Traefik install walk-throughs I have come across thus far. Thanks and well done Tim.
Very comprehensive Tim, well done.
This was fantastic! I was literally looking at how to do this the other day and you've come up trumps yet again. Thank you 😊
Glad I could help!
Thanks for the demo and info, once again super helpful documentation. Have a great day Techno Tim
Anonymous window in browser is always the good way for testing changes.
Thank you so much for the updated tutorial. Not sure if you got my email about the last one not working but this one works now. Tip for anyone with the certs not loading: just force recreate the container and it should load. I think this happens because the first time the certs are getting created but not read, and the second time it can actually read them.
Tim, you make super great video's, in one word PERFECT!!
Have been running this setup for ages and can recommend it. You can add a star CNAME in your DNS server so you don't have to add entries every time.
Perfect timing! I've been interested in Traefik and leaving NPM. Thank you Tim!
Why may I ask? I use NPM and it's so seamless and easy
@SenorHamburgler I like to tinker and spin up new things quite often, NPM is great for ease of use. Traefik is just more powerful and diverse, especially with Docker, Kubernetes and Proxmox. Nothing wrong with NPM, just having the knowledge of how traffic works is good on the CV as well. :)
Great video, Tim!
Proxmox has its own ACME integration, so I personally prefer that way (because Traefik is running as a VM on my Proxmox, so I want to prevent a race condition when the VM is down and Proxmox is not available through Traefik).
But for anything else - Traefik is great
I had the same thought about Proxmox. Any TLS termination with the right certificates should be made directly on Proxmox anyway. If you want to be aggressive, this should be the same for most services as well (internal certificates with a local CA between internal containers and the reverse proxy // Let's Encrypt certificates on the reverse proxy to the rest of the world).
@xDrShadowx can you explain this solution for Proxmox a little more? If it uses its own ACME for talking to Let's Encrypt, then we need to create its CNAME on CF instead of Pihole. Right?
Thank you Tim, this is what I was looking for, this is the best guide.
Great video, thank you Tim! Would you recommend switching to Traefik v3 if I already have a v2 setup working?
wow....thx man!
I will set this up for sure
🔥🔥🔥
Very useful and nice video bro, THX.
New video about OpenSSL self-signed certificate? Hell yeah
Decided to do the video I heard the request from someone on your timtalks channel the other day 👍
**knows he can create/edit file in one step but prefers two steps** Bravo good sir! So satisfying...
Another great tutorial. You mention a difference in Docker Swarm. I am running a Docker Swarm in my homelab so I would love to be pointed to documentation for that config. Also, can I set up 2 certs in Traefik?
Great Video, any plans for a video on how to securely expose to the internet?
Just neat and on point! Congrats! Been following your videos for a while. A couple of questions:
1. How about exposing multiple ports on Traefik?
2. How about exposing multiple external services?
3. Can you do a more deep insight tutorial about internal DNS setup?
All the best!
Yes to #2! I was able to add Unifi local access, but can't add Home Assistant or other local services that don't run on HTTPS by default.
Thanks for the local only explanation. Every one of these I've seen before expects you to want to directly expose things externally. Yes I want to access from outside, but only after I've connected to WG/OVPN
One question, can this be done without the local subdomain? Would you just need to remove the .local subdomain from the examples provided?
I just updated to v3 config based on your v2 tutorial, Thank you. I also noticed one more change from traefik: IPWhiteList middleware to IPAllowList... maybe deprecate soon?
Great update. Keep them coming
Great Video, Is there a particular reason you deployed this in docker and not kubernetes?
Great video! But after watching it, I applied the ideas to configure Caddy. Traefik is excellent, but the configuration file is a bit complex and lengthy.
Just moved and am now motivated to unpack the homelab 😎
Hopefully you can do an updated video for this on Kubernetes as well
Thanks for the new v3 update of your guide. In my case I use DuckDNS and I have had no problems. I noticed that in your example with nginx you use fewer middlewares in the app labels (4) compared to the 12 in your previous Traefik 2 tutorial. Is that the new standard configuration for all the applications that I add to Traefik? Thank you very much for the time that you give to your guides.
Thank you for the update. Alongside yours, almost all others with Traefik are about the same age. Be a good idea to link to this new tutorial, on the old one from 2021.
Your previous video worked great for me, this looks pretty much identical apart from the format of some of the files. Is it worth switching to Traefik 3? Like, is it a big update?
Great setup to access it locally, but what if I wanted to access some of these services remotely as well? Can I use and modify the same setup or do I need to make an entirely different setup?
Tim, can you do an updated video on installing and setting up TrueNAS Scale 24.04? A lot of things have changed.
Amazing! Very good content.
Thanks for a great video. Any chance you can help those of us who use local CA certs and no lets-encrypt? Just a home lab no external services. I need to be able to run truly isolated with my cluster. Thanks again. Great content.
Awesome video! Actually, the first time that I was able to get Traefik working. Quick question though, I'm trying to do like you do in your video. I'm able to get the file provider to show on the Traefik dashboard but when I go to the Proxima site, it just downloads a file instead of going to the site. Any ideas?
Hi, first off, thank you so much for this tutorial. Nice and easy to follow! That said I am having an issue I hope you can help with.
I'm using a wildcard A record for my addresses through Cloudflare and I'm not using PiHole at all. When I try to configure Traefik for workloads outside Docker using your template with my own information I get "Internal Server Error" when trying to load the webpage. Is this because I'm not using PiHole? If so, what do I need to change to fix the error?
will there be a similar update for the Kubernetes version?
Hi, how do you use separate instances of Traefik to talk to one another like you had in your homelab? Could you do a tutorial on it? Like connecting Docker to Kubernetes to another Kubernetes cluster.
What's the biggest new thing here, compared to v2? How bad an idea would it be to just upgrade? At first glance I haven't noticed that at least the important settings changed that much.
Do you use traefik for externally accessible services? How do you typically separate those? Different docker hosts?
How do you do the networking since you don't need to modify the internal DNS?
I am so excited about this video ❤
Awesome video, tim
Do you think it's possible to use this stack together with Cloudflare tunnel?
Are you able to use this with two instances of Pi-hole running on separate machines? Thanks
By the way, you can use secrets for the traefik dashboard basic auth. Instead of .users tag, use the .usersFile tag.
Also, why do you CTRL+O, ENTER in nano instead of just CTRL+S?
I wanted to mess around with swarm a bit more could we get this in a swarm version?
after all we are homelabbing to simulate production environments?
Can you please give me the name or better yet a link to your cool white cabinet (on wheels, with drawers, etc.)?
Failed one more time :) , I can't understand what I am missing. Thank you for your efforts Tim :)
@Tim, I didn't catch why mix traefik and nginx(specific need, or just showing compatibility?), and also, why pihole instead of cnames on cloudflare(is it a cost thing, security thing? or just having pihole already in the mix?)
Is there a good solution for automatic Split-DNS if I don't want to use a "local"-subdomain?
How do you handle services that should be accessible publicly as well as locally?
I don't think the DNS part tells the CA to check those specific DNS servers. That would be a huge security risk. It simply tells traefik to use those DNS to verify that the TXT records are indeed visible globally before saying the CA to proceed with the next step (ACME protocol). What public DNS the CA queries from is not publicly documented
Hello can you pleas do explanation of how to put custom certificate.
I would love to see a video covering the pros and cons of Traefik 3 vs caddy-proxy-manager vs nginx proxy manager.
I thought Caddy was going to be the bees knees so I went that route for my homeserver.
Pros: the label sections in the docker-compose.yml is self contained and no need for open ports on the host, and you can use any caddy directives you want.
Cons: You have to have the the docker-compose.yml files have a default external network.
For work I have had to use nginx proxy manager (npm).
Pros: All done in a GUI, all the configs are centralized in NPM. It is easy to set up certs for containers available on the local network by using DuckDNS with an IP set to your private network and you do not have to have an external network set up.
Cons: You have to have open ports to all the services on the host.
Any reason to use this over nginx proxy manager?
Hi Tim, thanks for the update on Traefik. I followed your first tutorial on Traefik and based on that I set it up and it's worked great for over 2 years now. In that old configuration, you worked with a config.yml file and in that file, you can define all your services based on their IP address and port number. If I want to use this new Traefik 3.X configuration with labels but from what I understand, I can only do so if the services are on the same docker host as Traefik right? If they are on another docker host I must use the configuration file. Is that correct?
Hey! That's all in here too!
I followed your last video and it was awesome thank you for that! If i may ask how would you make this setup high available? One of the issues I found on my setup is in: imagine that you have this in 1 Node and it serves as a front end for 2 or 3 nodes in your proxmox infrastructure.. if Node 1 goes down then .. yeah. Any plans to make a follow up video with High availability?
Thank you! You would have to have HA vms with Proxmox or move to Kubernetes.
Any recommendations to troubleshoot when the cert is from traefik and not from let's encrypt.
Wow, great video. Followed the guide, I have Traefik set up and the certificate working great. But I can't get an external server outside Docker to get proxied. My config.yml file has the correct server IP, but when I wget from inside the Traefik container it resolves the Traefik host IP and not the external server IP. Seems it is not using the router's rule.
Hi Tim, the combination of a sub-domain with cloudflare doesn't work for me because cloudflare doesn't support sub-domain wildcard certificates. I have to use my domain directly. Thanks for the cool content. Would be interesting when you add authelia to this content for better privacy and security, too.
Thanks for this, very informative!
At 11:07 you say "we need to create a docker network called proxy", but I couldn't see where it's done... Anything special about it? Which driver does it use?
It’s in there!
@@TechnoTim ah, 19:24 - it was so short, just "docker network create proxy", so I totally missed it... Thank you!
Interesting tutorial! I think it'll really help some people in setting Traefik up, which at first use, can be a bit daunting.
However, Traefik now officially supports HTTP3, so I think you should open both ports 443 tcp as well as udp in your compose file.
Make sure to update your firewall settings / port forwards as well.
- 80:80
- 443:443/tcp
- 443:443/udp
Also, one of the strengths of Traefik is that after adding the "config" volume once, you shouldn't have to run "docker compose up" when changing config.yaml.
Lastly, I personally like to also use logs, so choose to add this volume as well: "- /opt/traefik/logs:/logs:rw" and try to name compose files "compose.yml", as it saves a few keystrokes.
Thanks for the great tips! I will also add this to the docs!
Whats a good alternative DNS server? Looking for something different then pi hole.
would this work if I am using tailscale internally so I can use cloudflare to point to my tailscale IP's then set local network DNS to use actual local IP's instead so I don't have to use remote services?
I'm confused, what is significantly different between 2.x and 3?
Awesome! Any recommended specs for the docker host (docker01)?
Honestly anything will do! Starting at 2 cores, 2GB RAM and 10 GB disk should be fine and then scale as you need.
So you added Pihole just for the GUI?
Why not use tags to pass info to Traefik from any running docker image and let it manage the DNS?
In the traefik.yml file can you point the resolver to unbound (recursive dns in a local docker container)?
Are the dashboard credential optional?
Uugh my traefik is causing so much problems when i try to deploy my react app.. so many different header settings that cause weird behavior with no freaking error output 😵
Great tutorial Tim, as always. I followed it to the letter but accessing the Traefik console I got the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. I tried several solutions, different browsers (I usually use Brave) but it only works with Safari. Any hint anyone?
What does Traefik bring for a long-time Nginx user? I want to try this but I'm not sure what I'm getting in return other than a pretty UI.
@TechnoTim What do you need to change about the config.yml file in order to add multiple sites? Thanks!
see the docs for examples
@TechnoTim I looked through them but I am not super familiar with YAML to know for sure where to add additional sites.
says video notes are unavailable, but love your work! Keep it up
Check again
Minor opportunity at 12:22- I always get bogged down setting permissions for family samba shares, docker user, etc. Take a minute to talk through the chmod operation
Made a record in config.yml for pihole itself, but on accessing it through domain name it gives "Bad Gateway" error. Is it possible to set up pihole for HTTPS?
As mentioned before, I followed this video and everything works fine! But I wanted to go further and installed Authentik to securely log in to Portainer with OAuth.
I'm not able to get this working, I've been trying for more than a week now, but I can't find what is going wrong.
On another VM I installed Portainer and Authentik and OAuth works fine.
Can you please make a video on how to do this with Traefik / Portainer / Authentik?
I was considering moving to Traefik for ages, but every time I look into it, it seems so overwhelming it's not worth the effort. SWAG works for me like a breeze, does everything I want from it and the setup is like 10% of this.
I keep getting a Let’s Encrypt error 400. Do I need to have any dns records on cloudflare resolved? They currently aren’t any associated with my domain name I’m using for traefik. Thx!
Would one need the .local. Subdomain added in there or would it also work without?
It should work fine without! I do that to distinguish between services that I host internally vs publicly hosted services
@TechnoTim thanks man! You've got the best explanation in video format I've come across so far 🤙🏻🙌🏻
@TechnoTim It's all working! I added
log:
filePath: "/logs/traefik.log"
level: DEBUG
to the traefik.yml to have some more insight in what it's doing though
What's different in this tutorial if I don't use Cloudflare, since I use DuckDNS?
Took me long nights to get traefik2 going how I wanted it - why change a running system
Hey Tim, there is an error on your blog in the Traefik config: you create a *.yml file but edit *.yaml. If someone copy-pasted it into the CLI they would have problems :D Anyway, working on setting it up right now.
Thanks for the heads up, just pushed up a fix!
@TechnoTim Also, if you create a folder in / and hold all the data there, you should use sudo to run docker compose, otherwise it won't start (or you need to permanently change permissions there).
Just a small info for others, if they have problems with it, which states "no file found".
Has someone else had the issue of not being able to log in to the Traefik dashboard? I get prompted but don't get through.
Should we use docker compose instead of docker-compose? The version at the beginning would be unnecessary then.
The version at the start of the docker-compose.yaml designates the spec you're using. This does matter, some properties may behave differently or not exist in older versions, I've run into this particularly with swarm related properties.
@nospamas8926 When I updated my system I had to install docker compose instead of docker-compose as I was getting errors. After I installed docker compose I got 'version is obsolete' errors so I removed it from all of my docker-compose.yamls.
@nospamas8926 On the newer versions of Docker Compose (2.25+) the version line has been deprecated and will generate a warning if it exists.
Because Swarm is the only thing that does not respect the Compose spec. And yes, the version should not be used anymore @nospamas8926
Legend
I have created some automation scripts based on your tutorial to make the entire process (almost) 1-step. Stupid RUclips keeps deleting my comments even though there's no links or no anything at all harmful, and it's 100% related to your video.