Traefik 3 and FREE Wildcard Certificates with Docker
- Published 12 Jun 2024
- Save 20% on UptimeRobot today! l.technotim.live/uptime-robot...
In today's Traefik tutorial we'll get FREE Wildcard certificates to use in our HomeLab and with all of our internal self-hosted services. We're going to set up Traefik 3 in Docker and get Let's Encrypt certificates using Cloudflare as our DNS Provider (we'll cover how to set up others too). Then we'll configure local DNS using PiHole (or any other local DNS) to route to our services that are now protected with secure certificates!
Thanks to UptimeRobot for sponsoring today's video!
Video Notes: technotim.live/posts/traefik-...
Support me on Patreon: / technotim
Sponsor me on GitHub: github.com/sponsors/timothyst...
Subscribe on Twitch: / technotim
Become a YouTube member: / @technotim
Merch Shop 🛍️: l.technotim.live/shop
Gear Recommendations: l.technotim.live/gear
Get Help in Our Discord Community: l.technotim.live/discord
Tinkers channel: / @technotimtinkers
(Affiliate links may be included in this description. I may receive a small commission at no cost to you.)
00:00 - Getting Wildcard Certificates with Traefik
00:54 - Monitoring with UptimeRobot (sponsor)
02:12 - Requirements
03:02 - Diagram for Visual Learners
04:11 - Traefik Docker Compose
06:12 - Docker Secrets Rant
07:30 - Explaining Traefik Compose
10:45 - Docker Container Tasks
14:59 - DNS Resolvers
16:07 - Creating Secrets
16:57 - Cloudflare API Token
19:21 - Docker Network
19:36 - Basic Auth Credentials for Traefik Dashboard
21:50 - Starting the Traefik Container
22:44 - Troubleshooting
25:17 - Traefik Dashboard Local DNS
27:03 - Viewing the Traefik Dashboard
27:57 - Getting Production Certificates from Let's Encrypt
31:08 - Creating a New Workload with Certificates
35:03 - Using Traefik for Workloads Running Outside of Docker
39:11 - Networking Considerations
Thank you for watching! - Science and Technology
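The setup the description outlines (Traefik 3 in Docker, a Let's Encrypt wildcard certificate obtained through the Cloudflare DNS challenge, secrets kept out of labels, and a file-provider router for a workload that is not a container) condensed into the three files it needs. This is an added example written for this page, not the video's own configuration files: the domain `local.example.com`, the email address, the LAN address `192.168.1.10` and the file names are placeholder values, and it assumes a Cloudflare API token scoped to a single zone.

```yaml
# docker-compose.yml  (placeholder values: zone local.example.com, Cloudflare as the DNS provider)
services:
  traefik:
    image: traefik:v3.0
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      # lego reads the token from this file, so it never shows up in `docker inspect` output
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
    secrets:
      - cf_dns_api_token
      - traefik_dashboard_users
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./config.yml:/config.yml:ro
      - ./acme.json:/acme.json        # create it empty and chmod 600 before the first start
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.local.example.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.tls.domains[0].main=local.example.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.local.example.com"
      - "traefik.http.routers.traefik.middlewares=dashboard-auth"
      # htpasswd file mounted as a secret instead of a hash pasted into a label
      - "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/run/secrets/traefik_dashboard_users"
secrets:
  cf_dns_api_token:
    file: ./cf_dns_api_token.txt          # token limited to Zone:Read + DNS:Edit on this zone only
  traefik_dashboard_users:
    file: ./traefik_dashboard_users.txt   # generated with: htpasswd -nB admin > traefik_dashboard_users.txt
networks:
  proxy:
    external: true                        # created once with: docker network create proxy
---
# traefik.yml  (static configuration)
api:
  dashboard: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false               # containers opt in with traefik.enable=true
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: admin@example.com            # placeholder
      storage: /acme.json
      # staging CA while testing: untrusted certs, but no production rate limits; remove for real certs
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        # used only by Traefik to confirm the _acme-challenge TXT record is visible before the CA validates
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
---
# config.yml  (dynamic configuration for a workload running outside Docker)
http:
  routers:
    proxmox:
      rule: "Host(`proxmox.local.example.com`)"
      entryPoints: [websecure]
      service: proxmox
      tls:
        certResolver: cloudflare
        domains:
          - main: local.example.com
            sans: ["*.local.example.com"]   # reuse the wildcard rather than request a second cert
  services:
    proxmox:
      loadBalancer:
        servers:
          - url: "https://192.168.1.10:8006"   # constructed LAN address of the backend
        serversTransport: proxmox-selfsigned
  serversTransports:
    proxmox-selfsigned:
      insecureSkipVerify: true   # backend presents a self-signed cert; this hop stays on the LAN
```

After `docker compose up -d`, confirm who issued the certificate the browser sees with `openssl s_client -connect traefik.local.example.com:443 -servername traefik.local.example.com </dev/null | openssl x509 -noout -issuer -dates`: an issuer of `TRAEFIK DEFAULT CERT` means the ACME request failed and Traefik fell back to its self-signed certificate, so check the container log and the token scope. Once the staging issuer appears, remove the `caServer` line, empty `acme.json` (keep the 600 permissions) and recreate the container to obtain the production certificate.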
Baby, wake up techno tim uploaded about traefik. It's time to update your homelab
I felt this so hard 🤣🤣🤣🤣
I am a simple man. I see Techno Tim , I watch , I like.
I share
I simp
HAHAHA you gotta be kidding me.
I spent the last 2 weeks with your previous video and other resources trying to set up Traefik and the rest of my homelab.
I literally closed the YT video minutes ago as I was finally able to make everything work.
Before going to bed, I decided to check a video from my feed to cool down and what do I see if it's not this taunting title XD.
Anyway, I'll watch it later as it may allow me to enhance my fresh configuration. Thanks for that 😊
Just finished your traefik series when I saw you posted this, thank you for answering my subconscious prayer 🙏🏼 Keep up the great work!
It's a shame that YouTube only allows for me to like this video once. This was a big upgrade from your last "SSL Everywhere" video. Thanks for taking us on your journey.
I can't fathom how easy you made this process, which I have been unable to do with other tutorials. You're doing great work Tim!
Greatly appreciate the little detail explanations. I’d done the wild card certs before on my home lab, but this is filling in several little knowledge holes in my mind.
Excellent content
This is perfect timing. I just rewatched your old Traefik video yesterday because I'm having some weird connection issues with my Traefik server that I set up last year, which has been working great for me. I might re-spin up my server with Traefik 3 this weekend to see if it resolves my issues. Thanks Tim!
I am finally tackling the project of my homelab again and I am so grateful to see a new video for Traefik. These types of videos are such a huge help.
One of the best tutorials I've followed on youtube, perfect pacing and everything worked first time. Thank you!
Had to say this... It's got to be absolutely one of the best well-rounded, well-thought-out, in-depth Traefik install walk-throughs I have come across thus far. Thanks and well done Tim.
Anonymous window in browser is always the good way for testing changes.
Sweet, I used most of your last Traefik video (never got external access working, but internal worked just fine, and that's all I needed, really)
Thanks Tim! finally managed to get Traefik fully working in my homelab, great tutorial as always
Thanks Tim! This video is really helpful, as I was looking for your previous video to troubleshoot a certificate error I encountered last week, then managed to replace it with this setup 👍
Compared to the last Traefik video, I had 0 issues.
love how you explain things very easy and in simple way 😍
Everything worked and now I have TLS on all my connections to my services. Thank you Tim
Thank you. I've been meaning to do this in my homelab for some time. Now I have everything I need.
Very comprehensive Tim, well done.
Fantastic video. Love the section on verifying things were working.
This was fantastic! I was literally looking at how to do this the other day and you've come up trumps yet again. Thank you 😊
Glad I could help!
Thanks for the demo and info, once again super helpful documentation. Have a great day Techno Tim
Another great tutorial, Techno Tim. I even got this to run on my Docker Swarm (once I had the correct DNS name).
Tim, you make super great videos, in one word PERFECT!!
Thank you so much for the updated tutorial. Not sure if you got my email about the last one not working but this one works now. Tip for anyone with the certs not loading: just force recreate the container and it should load. I think this happens because the first time the certs are getting created but not read, and the second time it can actually read them.
Thank you Tim, this is what I looking for this is best guide
Perfect timing! I've been interested in Traefik and leaving NPM. Thank you Tim!
Why may I ask? I use NPM and it's so seamless and easy
@SenorHamburgler I like to tinker and spin up new things quite often; NPM is great for ease of use. Traefik is just more powerful and diverse, especially with Docker, Kubernetes and Proxmox. Nothing wrong with NPM, just having the knowledge of how traffic works is good on the CV as well. :)
wow....thx man!
I will set this up for sure
🔥🔥🔥
A magnific tutorial, thanks!
Have been running this setup for ages and can recommend it. You can add a star CNAME in your DNS server so you don't have to add entries every time.
Great video, thank you Tim! Would you recommend switching to Traefik v3 if already have v2 setup working?
**knows he can create/edit file in one step but prefers two steps** Bravo good sir! So satisfying...
Great update. Keep them coming
Amazing! Very good content.
Very useful and nice video bro, THX.
New video about OpenSSL self-signed certificate? Hell yeah
Awesome video, tim
Another great tutorial. You mention a difference in Docker Swarm. I am running a Docker Swarm in my homelab so would love to be pointed to documentation for that config. Also, can I set up 2 certs in Traefik?
Great Video, any plans for a video on how to securely expose to the internet?
Just neat and on point! Congrats! Been following your videos for a while. A couple of questions:
1. How about exposing multiple ports on Traefik?
2. How about exposing multiple external services?
3. Can you do a more deep insight tutorial about internal DNS setup?
All the best!
Yes to #2! I was able to add Unifi local access, but can't add Home Assistant or other local services that don't run on HTTPS by default.
Decided to do the video I heard the request from someone on your timtalks channel the other day 👍
Thanks for the local only explanation. Every one of these I've seen before expects you to want to directly expose things externally. Yes I want to access from outside, but only after I've connected to WG/OVPN
One question, can this be done without the local subdomain? Would you just need to remove the .local subdomain from the examples provided?
I am so excited about this video ❤
Great Video, Is there a particular reason you deployed this in docker and not kubernetes?
Thank you for this video Tim. Quick question will this work with Nextcloud AiO installing locally?
Thanks for the new v3 update of your guide. In my case I use DuckDNS and I have had no problems. I noticed that in your example with nginx you use fewer middlewares in the app labels (4) compared to the 12 in your previous Traefik 2 tutorial. Is that the new standard configuration for all the applications that I add to Traefik? Thank you very much for the time that you give to your guides.
Your previous video worked great for me; this looks pretty much identical apart from the format of some of the files. Is it worth switching to Traefik 3? Like, is it a big update?
Hi Tim, thanks for sharing this amazing video. I only need more help setting up multiple routers in the config file you showed us.
can you explain how I can add more external servers outside docker to my config. like my firewall interface, other homeserver, printers etc
Thank you for the update. Alongside yours, almost all others with Traefik are about the same age. Be a good idea to link to this new tutorial, on the old one from 2021.
I just updated to v3 config based on your v2 tutorial, thank you. I also noticed one more change from Traefik: the IPWhiteList middleware to IPAllowList... maybe deprecated soon?
Great video, Tim!
Proxmox has its own ACME integration, so I personally prefer that way (because Traefik is running as a VM on my Proxmox, I want to prevent a race condition: when the VM is down, Proxmox is not available through Traefik).
But for anything else - Traefik is great
I had the same thought about Proxmox. Any TLS termination with the right certificates should be made directly on Proxmox anyway. If you want to be aggressive, this should be the same for most services as well (internal certificates with a local CA between internal containers and the reverse proxy // Let's Encrypt certificates on the reverse proxy to the rest of the world).
@xDrShadowx can you explain this solution for Proxmox a little more? If it uses its own ACME for talking to Let's Encrypt, then we need to create its CNAME on CF instead of Pi-hole. Right?
Great setup to locally access it, but what if I wanted to access some of these services remotely as well? Can I use and modify the same setup or do I need to make an entirely different setup?
Thanks for a great video. Any chance you can help those of us who use local CA certs and no lets-encrypt? Just a home lab no external services. I need to be able to run truly isolated with my cluster. Thanks again. Great content.
Hopefully you can do an updated video for this on Kubernetes as well
Great video! But after watching it, I applied the ideas to configure Caddy. Traefik is excellent, but the configuration file is a bit complex and lengthy.
Do you use traefik for externally accessible services? How do you typically separate those? Different docker hosts?
How do you do the networking since you don't need to modify the internal DNS?
Just moved and am now motivated to unpack the homelab 😎
will there be a similar update for the Kubernetes version?
What's the biggest new thing here, compared to v2? How bad of an idea would it be to just upgrade? At first glance I haven't noticed that at least the important settings changed that much.
Awesome video! Actually, the first time that I was able to get Traefik working. Quick question though: I'm trying to do like you do in your video. I'm able to get the file provider to show on the Traefik dashboard, but when I go to the Proxmox site, it just downloads a file instead of going to the site. Any ideas?
Hi, how do you use separate instances of Traefik to talk to one another like you had in your homelab? Could you do a tutorial on it? Like connecting Docker to Kubernetes to another Kubernetes cluster.
Tim, can you do an updated video on installing and setting up TrueNAS Scale 24.04? A lot of things have changed.
Thank you for your great content. I am trying to get Traefik and Cloudflare running in Proxmox LXC helper scripts. The challenge I am having is getting the Cloudflare API token running in the LXC because environment variables are a bit different than Docker secrets. Would you consider doing a video on getting this set up and running?
Can you please give me the name or better yet a link to your cool white cabinet (on wheels, with drawers, etc.)?
@Tim, I didn't catch why mix traefik and nginx(specific need, or just showing compatibility?), and also, why pihole instead of cnames on cloudflare(is it a cost thing, security thing? or just having pihole already in the mix?)
Hi Tim, the combination of a sub-domain with cloudflare doesn't work for me because cloudflare doesn't support sub-domain wildcard certificates. I have to use my domain directly. Thanks for the cool content. Would be interesting when you add authelia to this content for better privacy and security, too.
Do you think it's possible to use this stack together with Cloudflare tunnel?
30:00 you can just do >> filename to blank out a filename from the terminal.
Are you able to use this with two instances of Pi-hole running on separate machines? Thanks
I don't think the DNS part tells the CA to check those specific DNS servers. That would be a huge security risk. It simply tells Traefik to use those DNS servers to verify that the TXT records are indeed visible globally before telling the CA to proceed with the next step (ACME protocol). Which public DNS the CA queries is not publicly documented.
Hi Tim, thanks for the update on Traefik. I followed your first tutorial on Traefik and based on that I set it up and it's worked great for over 2 years now. In that old configuration, you worked with a config.yml file and in that file, you can define all your services based on their IP address and port number. If I want to use this new Traefik 3.X configuration with labels but from what I understand, I can only do so if the services are on the same docker host as Traefik right? If they are on another docker host I must use the configuration file. Is that correct?
Hey! That's all in here too!
I wanted to mess around with swarm a bit more could we get this in a swarm version?
after all we are homelabbing to simulate production environments?
By the way, you can use secrets for the traefik dashboard basic auth. Instead of .users tag, use the .usersFile tag.
Also, why do you CTRL+O, ENTER in nano instead of just CTRL+S?
So you added Pihole just for the GUI?
Why not use tags to pass info to Traefik from any running docker image and let it manage the DNS?
Is there a good solution for automatic Split-DNS if I don't want to use a "local"-subdomain?
How do you handle services that should be accessible publicly as well as locally?
Any reason to use this over nginx proxy manager?
Failed one more time :) , I can't understand what I am missing. Thank you for your efforts Tim :)
says video notes are unavailable, but love your work! Keep it up
Check again
Uugh my traefik is causing so much problems when i try to deploy my react app.. so many different header settings that cause weird behavior with no freaking error output 😵
would this work if I am using tailscale internally so I can use cloudflare to point to my tailscale IP's then set local network DNS to use actual local IP's instead so I don't have to use remote services?
I'm confused, what is significantly different between 2.x and 3?
Hello, can you please do an explanation of how to put in a custom certificate?
Why don't you let out the pihole part and create the DNS records within cloudflare?
Wow, great video. Followed the guide, I have Traefik set up and the certificate working great. But I can't get an external server outside Docker to get proxied. My config.yml file has the correct server IP, but when I wget from inside the Traefik container it resolves the Traefik host IP and not the external server IP. Seems it is not using the router's rule.
I would love to see a video covering the pros and cons of Traefik 3 vs caddy-proxy-manager vs nginx proxy manager.
I thought Caddy was going to be the bees knees so I went that route for my homeserver.
Pros: the label sections in the docker-compose.yml are self-contained and there is no need for open ports on the host, and you can use any Caddy directives you want.
Cons: You have to have the docker-compose.yml files use a default external network.
For work I have had to use nginx proxy manager (npm).
Pros: All done in a GUI, all the configs are centralized in NPM. It is easy to set up certs for containers available on the local network by using DuckDNS with an IP set to your private network and you do not have to have an external network set up.
Cons: You have to have open ports to all the services on the host.
Any recommendations to troubleshoot when the cert is from Traefik and not from Let's Encrypt?
I followed your last video and it was awesome thank you for that! If i may ask how would you make this setup high available? One of the issues I found on my setup is in: imagine that you have this in 1 Node and it serves as a front end for 2 or 3 nodes in your proxmox infrastructure.. if Node 1 goes down then .. yeah. Any plans to make a follow up video with High availability?
Thank you! You would have to have HA vms with Proxmox or move to Kubernetes.
Hi, first off, thank you so much for this tutorial. Nice and easy to follow! That said, I am having an issue I hope you can help with.
I'm using a wildcard A record for my addresses through Cloudflare and I'm not using Pi-hole at all. When I try to configure Traefik for workloads outside of Docker using your template with my own information I get "Internal Server Error" when trying to load the webpage. Is this because I'm not using Pi-hole? If so, what do I need to change to fix the error?
I have this same issue. Did you ever find a solution?
how would you add multiple proxmox or multiple services outside docker
Thank you, It worked very well 🙂. The Traefik dashboard will only open on PC. When I try my iPad or android phone it does not find the service. Anybody with similar problem?
In the traefik.yml file can you point the resolver to unbound (recursive dns in a local docker container)?
I use Duck DNS and NGINX proxy manager which makes doing all these not only easier but also faster. 😎👌
What does Traefik bring for a long-time nginx user? I want to try this but I'm not sure what I'm getting in return other than a pretty UI.
As mentioned before, I followed this video and everything works fine! But I wanted to go further and installed Authentik to securely log in to Portainer with OAuth.
I'm not able to get this working, been trying for more than a week now, but I can't find what is going wrong.
On another VM I installed Portainer and Authentik and OAuth works fine.
Can you please make a video on how to do this with Traefik / Portainer / Authentik?
What's a good alternative DNS server? Looking for something different than Pi-hole.
Thanks for this, very informative!
At 11:07 you say "we need to create a docker network called proxy", but I couldn't see where it's done... Anything special about it? Which driver does it use?
It’s in there!
@TechnoTim ah, 19:24 - it was so short, just "docker network create proxy", so I totally missed it... Thank you!
I was considering moving to Traefik for ages, but every time I look into it, it seems so overwhelming it's not worth the effort. SWAG works for me like a breeze, does everything I want from it and the setup is like 10% of this.
Great tutorial Tim, as always. I followed it to the letter but accessing the Traefik console I got the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. I tried several solutions, different browsers (I used to use Brave) but it only works with Safari. Any hint, anyone?
Made a record in config.yml for pihole itself, but on accessing it through domain name it gives "Bad Gateway" error. Is it possible to set up pihole for HTTPS?
Awesome! Any recommended specs for the docker host (docker01)?
Honestly anything will do! Starting at 2 cores, 2 GB RAM and 10 GB disk should be fine and then scale as you need.