Custom endpoints with traefik

As I’m starting to play with Flask, I had to deal with several backend servers and decided to use traefik proxy for them.

I wanted to use two web servers, one for HTTP/HTTPS for the frontend, and another one on 8000 for some backend work. Everything is done in a Docker Compose YAML file, launched by:

docker stack deploy -c file.yml <stack-name>

Unfortunately, I couldn’t make it work by adding the entry point like this:

--entrypoints='Name:backend Address::8000'

The reason is simple: once an entry point is declared explicitly, the default entry points must be declared as well. As traefik can handle SSL certificates, I decided to let it handle the redirection too. So the definition also needed:

--entrypoints='Name:http Address::80 Redirect.EntryPoint:https' \
--entrypoints='Name:https Address::443 TLS' \

Now to the SSL configuration with Let’s Encrypt on traefik. I needed to configure the ACME records. The first part is the command line arguments (like for the entry points).

My servers are just test servers, inside a domain I use as a front for my official projects, but the servers are hosted on my box. I didn’t want to mess up my DNS records for this, except for the new subdomain. So I went for the HTTP challenge. This becomes very easy:

--acme=true \
--acme.ondemand=true \
--acme.onhostrule=true \
--acme.entrypoint=https \
--acme.httpchallenge \
--acme.httpchallenge.entrypoint=http \

One trick here: the storage location must exist or be available. In my case, I added a volume on the traefik container so that the storage location exists and so that I could reuse the certificate when restarting the server.

- /etc/traefik/acme:/etc/traefik/acme

And this is it.

This is what happens then in the logs:

2019-03-18T17:08:00.848130803Z time="2019-03-18T17:08:00Z" level=info msg="Testing certificate renew..."
2019-03-18T17:08:00.848210687Z time="2019-03-18T17:08:00Z" level=debug msg="Looking for provided certificate(s) to validate [\"\"]..."
2019-03-18T17:08:00.848221064Z time="2019-03-18T17:08:00Z" level=debug msg="Domains [\"\"] need ACME certificates generation for domains \"\"."
2019-03-18T17:08:00.848225816Z time="2019-03-18T17:08:00Z" level=debug msg="Loading ACME certificates []..."
2019-03-18T17:08:00.848230433Z time="2019-03-18T17:08:00Z" level=info msg="The key type is empty. Use default key type 4096."
2019-03-18T17:08:00.848399515Z time="2019-03-18T17:08:00Z" level=debug msg="Configuration received from provider ACME: {}"

Once this is done, you can point your browser to “” and see that it gets redirected to “”. The certificate there is now good. One point to note is that if you get to the server without this address, you get the default/invalid traefik certificate, as it would not have been configured in the ACME commands. And yes, I forgot that point for a while, testing only locally with a local address!
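The wiring between the entry points and the ACME flags can be checked before deploying. The following is an added example, not code from the original post or from traefik: the helper names `parse_flags` and `check` are hypothetical, the inputs are constructed from the flags shown above, and flag names are treated case-insensitively as an assumption.

```python
# Constructed inputs: the flag values are the ones shown in the post, written
# as items of a compose `command:` list (shell quotes already removed).
BROKEN = ["--entrypoints=Name:backend Address::8000", "--acme=true",
          "--acme.entrypoint=https", "--acme.httpchallenge.entrypoint=http"]
FIXED = ["--entrypoints=Name:http Address::80 Redirect.EntryPoint:https",
         "--entrypoints=Name:https Address::443 TLS"] + BROKEN

def parse_flags(args):
    """Split traefik v1 arguments into declared entry points and other flags."""
    entrypoints, flags = {}, {}
    for arg in args:
        key, _, value = arg.lstrip("-").partition("=")
        if key.lower() == "entrypoints":
            # v1 syntax: space-separated Key:Value pairs ("TLS" has no value)
            ep = {k.lower(): v for k, _, v in
                  (pair.partition(":") for pair in value.split())}
            entrypoints[ep.get("name", "")] = ep
        else:
            flags[key.lower()] = value or "true"
    return entrypoints, flags

def check(args):
    """Return the problems found in the entry point / ACME wiring."""
    eps, flags = parse_flags(args)
    problems = []
    for name, ep in eps.items():
        target = ep.get("redirect.entrypoint")
        if target and target not in eps:
            problems.append(f"{name} redirects to undeclared entry point {target}")
    if flags.get("acme") == "true":
        tls_ep = flags.get("acme.entrypoint")
        if tls_ep not in eps:
            problems.append(f"acme.entrypoint {tls_ep} is not declared")
        elif "tls" not in eps[tls_ep]:
            problems.append(f"acme.entrypoint {tls_ep} has no TLS")
        ch_ep = flags.get("acme.httpchallenge.entrypoint")
        if ch_ep not in eps:
            problems.append(f"HTTP challenge entry point {ch_ep} is not declared")
        # Assumes the container port is published one-to-one on the host.
        elif not eps[ch_ep].get("address", "").endswith(":80"):
            problems.append(f"HTTP challenge entry point {ch_ep} is not on port 80")
    return problems

if __name__ == "__main__":
    for label, args in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check(args) or "OK")
```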
