Custom endpoints with traefik

As I’m starting to play with Flask, I had to deal with several backend servers and decided to use traefik proxy for them.

I wanted to use two web servers: one on HTTP/HTTPS for the frontend, and another on port 8000 for some backend work. Everything is done in a Docker Compose YAML file, launched by:

docker stack deploy -c file.yml <stack-name>

Unfortunately, I couldn’t make it work by adding the entry point like this:

--entrypoints='Name:backend Address::8000'

The reason is simple: once an entry point is defined explicitly, the default entry points must be declared explicitly as well. As traefik can handle SSL certificates, I decided to let it handle the redirection too. So the definition needed these additions:

--entrypoints='Name:http Address::80 Redirect.EntryPoint:https' \
--entrypoints='Name:https Address::443 TLS' \

Now to the SSL configuration with Let’s Encrypt on traefik. I needed to configure the ACME settings. The first part is the command line arguments (as for the entry points).

My servers are just test servers, inside a domain I use as a front for my official projects, but the servers are hosted on my box. I didn’t want to mess up my DNS records for this, except for the new subdomain. So I went for the HTTP challenge. This becomes very easy:

--acme=true \
--acme.storage=/etc/traefik/acme/acme.json \
--acme.ondemand=true \
--acme.onhostrule=true \
--acme.entrypoint=https \
--acme.httpchallenge \
--acme.httpchallenge.entrypoint=http \
--acme.domains="subdomain.domain.com" \
--acme.email="myemailaddress@server.com"

One catch here: the storage location must exist and be available to traefik. In my case, I added a volume on the traefik container so that the storage location exists and so that I could reuse the certificate when restarting the server.

- /etc/traefik/acme:/etc/traefik/acme

And this is it.
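The pitfalls above (missing default entry points, the ACME entry points, unmounted storage) can be checked before deploying. This is an added example, not code from the post or from traefik: `parse_entrypoint` and `check` are hypothetical helpers, the sample flags are constructed from the ones shown above, and it assumes container ports are published unchanged.

```python
def parse_entrypoint(value):
    """Parse 'Name:https Address::443 TLS' (Traefik v1 CLI syntax) into a dict."""
    tokens = value.strip("'\"").split()
    fields = {k.lower(): v for k, _, v in (t.partition(":") for t in tokens)}
    addr = fields.get("address")  # ':8000' or '0.0.0.0:8000'
    return {
        "name": fields.get("name"),
        "port": int(addr.rsplit(":", 1)[-1]) if addr else None,
        "tls": "tls" in fields,
        "redirect": fields.get("redirect.entrypoint"),
    }

def check(args, volumes):
    """Return a list of problems in Traefik v1 flags and 'host:container' mounts."""
    eps, opts = {}, {}
    for arg in args:
        key, _, val = arg.lstrip("-").partition("=")
        if key.lower() == "entrypoints":
            ep = parse_entrypoint(val)
            eps[ep["name"]] = ep
        else:
            opts[key.lower()] = val.strip("'\"")
    problems = [f"{n}: redirect target {e['redirect']!r} is not defined"
                for n, e in eps.items() if e["redirect"] and e["redirect"] not in eps]
    if opts.get("acme") != "true":
        return problems
    tls_ep = eps.get(opts.get("acme.entrypoint"))
    if tls_ep is None or not tls_ep["tls"]:
        problems.append("acme.entrypoint must name a defined TLS entry point")
    if "acme.httpchallenge" in opts:
        ch = eps.get(opts.get("acme.httpchallenge.entrypoint"))
        if ch is None or ch["port"] != 80:  # HTTP-01 validation arrives on port 80
            problems.append("acme.httpchallenge.entrypoint must be on port 80")
    storage = opts.get("acme.storage", "")
    mounts = [v.split(":")[1].rstrip("/") + "/" for v in volumes]
    if not any(storage.startswith(m) for m in mounts):
        problems.append("acme.storage is not on a mounted volume")
    return problems

# Constructed sample input, built from the flags shown in the post.
ACME = ["--acme=true", "--acme.storage=/etc/traefik/acme/acme.json",
        "--acme.entrypoint=https", "--acme.httpchallenge",
        "--acme.httpchallenge.entrypoint=http"]
BROKEN = ["--entrypoints='Name:backend Address::8000'"] + ACME
FIXED = ["--entrypoints='Name:http Address::80 Redirect.EntryPoint:https'",
         "--entrypoints='Name:https Address::443 TLS'",
         "--entrypoints='Name:backend Address::8000'"] + ACME
VOLUMES = ["/etc/traefik/acme:/etc/traefik/acme"]
```

`check(BROKEN, VOLUMES)` reports the two ACME entry point problems, and `check(FIXED, VOLUMES)` returns an empty list. The mounted acme.json holds the ACME account key and the certificate private keys, so keep the host directory readable only by the user running traefik.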

This is what happens then in the logs:

2019-03-18T17:08:00.848130803Z time="2019-03-18T17:08:00Z" level=info msg="Testing certificate renew..."
2019-03-18T17:08:00.848210687Z time="2019-03-18T17:08:00Z" level=debug msg="Looking for provided certificate(s) to validate [\"subdomain.domain.com\"]..."
2019-03-18T17:08:00.848221064Z time="2019-03-18T17:08:00Z" level=debug msg="Domains [\"subdomain.domain.com\"] need ACME certificates generation for domains \"subdomain.domain.com\"."
2019-03-18T17:08:00.848225816Z time="2019-03-18T17:08:00Z" level=debug msg="Loading ACME certificates [subdomain.domain.com]..."
2019-03-18T17:08:00.848230433Z time="2019-03-18T17:08:00Z" level=info msg="The key type is empty. Use default key type 4096."
2019-03-18T17:08:00.848399515Z time="2019-03-18T17:08:00Z" level=debug msg="Configuration received from provider ACME: {}"

Once this is done, you can point your browser to “http://subdomain.domain.com” and see that it gets redirected to “https://subdomain.domain.com”. The certificate there is now good. One point to note: if you reach the server by anything other than this address, you get the default, invalid traefik certificate, because that name was not configured in the ACME options. And yes, I forgot that point for a while, testing only locally with a local address!
