In September 2019 Containous launched Traefik 2.0. It is radically different from version 1, so existing configuration really has to be rewritten. This is my configuration and how I set up Traefik 2.0. It combines Let's Encrypt with the TransIP DNS challenge and wildcard certificates. It also makes Home Assistant available through a file provider instead of Docker labels, because Home Assistant usually runs in the host network, where a file provider is easier to use. The Docker provider is still available for the other containers.
First, let's run the Docker container:
traefik2.0:
  container_name: traefik2.0
  image: traefik
  restart: always
  ports:
    - "80:80"
    - "443:443"
    - "8181:8181"
  networks:
    - websites-backend
  environment:
    - TRANSIP_ACCOUNT_NAME=youraccountname
    - TRANSIP_PRIVATE_KEY_PATH=transip.key
  volumes:
    - /home/docker/traefik2.0/traefik.yml:/etc/traefik/traefik.yaml:ro
    - /home/docker/traefik2.0/acme/acme.json:/acme.json
    - /home/docker/traefik2.0/rules:/rules:ro
    - /home/docker/traefik2.0/transip.key:/transip.key:ro
    - /var/run/docker.sock:/var/run/docker.sock
With the above compose file we set the environment variables for the TransIP API; the API key itself is in the transip.key file, which you have to save in the directory that we mount as a volume.
Secondly we mount volumes for traefik.yaml (the static configuration) and acme.json. I migrated my acme.json from Traefik 1.x with the Traefik Migration Tool, but otherwise the file is generated automatically.
Lastly there is a volume for the rules folder.
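A pre-flight check for the two secret files the compose file bind-mounts, added here as an example (it is not part of Traefik or of the original setup). It assumes the host directory /home/docker/traefik2.0 from the compose file above.

```python
"""Pre-flight check, run on the host before `docker-compose up`, for the two
secret files the compose file above bind-mounts: acme/acme.json (the
certificate store) and transip.key (the TransIP API private key).

Traefik refuses an acme.json whose mode is wider than 0600, and Docker turns
a bind mount whose host path does not exist into an empty directory, which
Traefik then cannot write to, so both files must exist and be private first.
"""
import os
import stat
from pathlib import Path

# Host directory from the compose file above (assumed; adjust to your layout)
TRAEFIK_DIR = Path("/home/docker/traefik2.0")


def ensure_private_file(path: Path, create: bool) -> list:
    """Return findings for `path`, fixing what can safely be fixed.

    create=True creates an empty file when it is missing (acme.json);
    create=False only reports a missing file (transip.key comes from TransIP).
    """
    if not path.exists():
        if not create:
            return [f"{path}: missing"]
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch(mode=0o600)
    if path.is_dir():
        return [f"{path}: is a directory (bind-mounted before the file existed?)"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        # group/other bits set: Traefik rejects this for acme.json and the
        # API key should be just as private, so tighten it and report it
        os.chmod(path, 0o600)
        return [f"{path}: mode {mode:04o} too open, tightened to 0600"]
    return []


def preflight(base: Path = TRAEFIK_DIR) -> list:
    """Check both files; an empty list means the container can be started."""
    return (ensure_private_file(base / "acme" / "acme.json", create=True)
            + ensure_private_file(base / "transip.key", create=False))


if __name__ == "__main__":
    for finding in preflight():
        print(finding)
```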
Now the traefik.yaml in the root, which in my case looks like this:
log:
  level: error
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  traefik:
    address: ":8181"
api:
  insecure: true
  dashboard: true
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxynetwork
  file:
    directory: /rules
    watch: true
certificatesResolvers:
  letsencrypt:
    acme:
      email: your@emailaddress.com
      storage: ./acme.json
      dnsChallenge:
        provider: transip
        delayBeforeCheck: 0
As you can see above, we define entrypoints for 443, 80 and the Traefik web interface (8181); you can pick another port yourself (then update the port in docker-compose as well). We enable the API and make it available over plain HTTP (I only use it internally). We create a Docker provider attached to proxynetwork. Because Home Assistant is not in that proxynetwork (its container is created with the 'network_mode: host' option), we also create a file provider. Finally, under certificatesResolvers, we define the TransIP DNS challenge.
Within the rules folder I prefer to separate the settings per YAML file, so I created cert.yaml, middlewares.yaml, tls.yaml and hass.yaml.
cert.yaml:
http:
  routers:
    certs:
      entryPoints:
        - http
        - https
      service: service-blank
      rule: Host("about:blank")
      tls:
        certResolver: letsencrypt
        domains:
          - main: "*.yoursite.com"
            sans:
              - yoursite.com
  services:
    service-blank:
      loadBalancer:
        servers:
          - url: "https://about.blank"
Make sure your domain is correct.
middlewares.yaml:
http:
  middlewares:
    redirect:
      redirectScheme:
        scheme: https
    ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "192.168.1.0/24"
        ipStrategy:
          depth: 0
    hsts:
      headers:
        sslRedirect: true
        stsPreload: true
        stsSeconds: 315360000
        stsIncludeSubdomains: true
We create three middlewares in this file: one for a redirect to HTTPS, one for an IP whitelist (make sure your local network is in there) and one for HSTS.
tls.yaml:
tls:
  options:
    TLSv13:
      minVersion: VersionTLS13
      # Note: Go (and therefore Traefik) does not let an application choose
      # TLS 1.3 cipher suites, so this list has no effect on TLS 1.3 connections
      cipherSuites:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      sniStrict: true
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      sniStrict: true
In tls.yaml I made the entries for TLS 1.3 and TLS 1.2 with the most secure cipher suites and enabled strict SNI checking.
Last there is hass.yaml, specifically for Home Assistant, which is not in a Docker network but in the host network.
hass.yaml:
http:
  routers:
    hass:
      entryPoints:
        - https
      service: service-hass
      rule: Host("homeassistant.yoursite.com")
      middlewares:
        - "hsts"
      tls: {}
  services:
    service-hass:
      loadBalancer:
        servers:
          - url: http://192.168.1.2:8123
        passHostHeader: true
        # passTLSCert was a Traefik 1.x option; v2 rejects unknown fields in
        # the file provider, so it is left out here
Make sure the URL is correct. In this file we add the hsts middleware manually and point the service at the backend IP address of Home Assistant.
All done. Start the container and everything should work. You can open the dashboard at http://yourip:yourport, in my case over HTTP on port 8181.
If you want other containers to be proxied by Traefik, you do not need the file provider for them; just label the container in docker-compose as follows:
networks:
  - websites-backend
labels:
  - traefik.enable=true
  - traefik.docker.network=proxynetwork
  - traefik.http.routers.yourwebsite.rule=Host(`www.yourwebsite.com`, `yourwebsite.com`)
  - traefik.http.routers.yourwebsite.entrypoints=http
  - traefik.http.routers.yourwebsite.middlewares=redirect@file
  - traefik.http.routers.yourwebsite-secured.rule=Host(`www.yourwebsite.com`, `yourwebsite.com`)
  - traefik.http.routers.yourwebsite-secured.entrypoints=https
  - traefik.http.routers.yourwebsite-secured.middlewares=hsts@file
  - traefik.http.routers.yourwebsite-secured.tls=true
Remember, after changing labels you have to recreate the specific Docker container.
If you would like to open your Traefik dashboard publicly and make it available on a hostname, add the following to the Traefik container in docker-compose:
labels:
  - traefik.enable=true
  - traefik.http.routers.traefik-api.rule=Host("traefik.yoursite.com")
  - traefik.http.routers.traefik-api.entrypoints=http
  - traefik.http.routers.traefik-api.middlewares=redirect@file
  - traefik.http.routers.traefik-api-s.rule=Host("traefik.yoursite.com")
  - traefik.http.routers.traefik-api-s.entrypoints=https
  - traefik.http.routers.traefik-api-s.tls=true
  - traefik.http.services.traefik-api.loadbalancer.server.port=8181
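A small linter for label blocks like the two above, added here as an example (not Traefik code and not part of the original setup). It assumes the three middlewares defined in middlewares.yaml and this setup's convention that http routers carry redirect@file and https routers set tls=true; run it over a container's labels before recreating it.

```python
"""Lint a container's Traefik v2 labels: the traefik.http.routers.<name>.<key>=<value>
labels are parsed into routers and checked against this setup's conventions (http
routers redirect, https routers enable tls, middleware refs name a known provider)."""
import re

FILE_MIDDLEWARES = {"redirect", "ipwhitelist", "hsts"}  # defined in middlewares.yaml
ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.([^=]+)=(.*)$")

# Constructed copy of the website labels from the compose snippet above
SITE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.yourwebsite.rule=Host(`www.yourwebsite.com`, `yourwebsite.com`)",
    "traefik.http.routers.yourwebsite.entrypoints=http",
    "traefik.http.routers.yourwebsite.middlewares=redirect@file",
    "traefik.http.routers.yourwebsite-secured.rule=Host(`www.yourwebsite.com`, `yourwebsite.com`)",
    "traefik.http.routers.yourwebsite-secured.entrypoints=https",
    "traefik.http.routers.yourwebsite-secured.middlewares=hsts@file",
    "traefik.http.routers.yourwebsite-secured.tls=true",
]


def parse_routers(labels):
    """Group router labels as {name: {key: value}}; other labels are ignored."""
    routers = {}
    for label in labels:
        m = ROUTER_RE.match(label)
        if m:
            name, key, value = m.groups()
            routers.setdefault(name, {})[key] = value
    return routers


def lint_labels(labels):
    """Return a list of findings; an empty list means the labels are consistent."""
    findings = []
    if "traefik.enable=true" not in labels:
        findings.append("traefik.enable=true missing: exposedByDefault is false, nothing is routed")
    for name, router in parse_routers(labels).items():
        entrypoints = router.get("entrypoints", "").split(",")
        middlewares = [m for m in router.get("middlewares", "").split(",") if m]
        if "https" in entrypoints and router.get("tls") != "true":
            findings.append(f"router {name}: on https entrypoint but tls=true not set")
        if "http" in entrypoints and "redirect@file" not in middlewares:
            findings.append(f"router {name}: on http entrypoint without redirect@file")
        for mw in middlewares:
            if "@" not in mw:
                findings.append(f"router {name}: middleware {mw} has no @provider suffix")
            elif mw.endswith("@file") and mw[:-5] not in FILE_MIDDLEWARES:
                findings.append(f"router {name}: middleware {mw} not defined in middlewares.yaml")
    return findings
```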