CONFIGURING TRAEFIK 2 WITH LOCAL SSL CERTIFICATE

I recently upgraded our local Docker development stacks to use Traefik version 2. Traefik is an edge router application that makes configuring services and routes fairly simple.

I found the process of enforcing HTTPS traffic to be a bit challenging, and it required much more effort than with Traefik version 1. All of our projects use HTTPS only, with a self-signed certificate for local development, and no HTTP. I hope sharing this information will help some people.

First, in your docker-compose.yml file, update the Traefik service to use the v2.0 image and the new command-line options:

traefik:
    image: traefik:v2.0
    container_name: "${PROJECT_NAME}_traefik"
    command:
      # Named entry points for HTTP (80) and HTTPS (443)
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Discover services from Docker container labels
      - --providers.docker=true
      # Load dynamic configuration (the TLS certificate) from this directory
      - --providers.file.directory=/etc/traefik/dynamic_conf
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - ./tools/certs:/tools/certs
      - ./tools/traefik/config.yml:/etc/traefik/dynamic_conf/conf.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock

The command section passes configuration to Traefik when the container starts. Here, we define two named entry points: web on port 80 and websecure on port 443. We also enable the Docker provider and point the file provider at a directory in the container, where Traefik will look for its dynamic configuration.

Second, we expose ports 80 and 443. Nothing new here.

In the volumes section, I first mount a directory from the root of my project into the container. This directory contains the local certificate for the project. Second, I mount a YAML file into the container, in the directory we set as the file provider directory in the command section. The Docker socket is mounted so that the Docker provider can read the labels of the running containers.

Now, create the config.yml file. It contains the location of the certificate and the key for Traefik:

tls:
  certificates:
    - certFile: /tools/certs/cert.crt
      keyFile: /tools/certs/cert.key

These paths exist in the container as defined in the volumes section.

Now, we need to add Traefik labels to the Apache container (or Nginx, if that is what you use) to define a middleware and tell Traefik how to route the traffic:

apache:
    # ...other config truncated...
    labels:
      - traefik.http.middlewares.${PROJECT_NAME}_apache_https.redirectscheme.scheme=https
      - traefik.http.routers.${PROJECT_NAME}_apache.entrypoints=web
      - traefik.http.routers.${PROJECT_NAME}_apache.rule=Host(`${PROJECT_BASE_URL}`)
      - traefik.http.routers.${PROJECT_NAME}_apache.middlewares=${PROJECT_NAME}_apache_https@docker
      - traefik.http.routers.${PROJECT_NAME}_apache_https.rule=Host(`${PROJECT_BASE_URL}`)
      - traefik.http.routers.${PROJECT_NAME}_apache_https.tls=true
      - traefik.http.routers.${PROJECT_NAME}_apache_https.entrypoints=websecure

The first line creates a middleware that redirects to HTTPS. The next lines define a router on the web entry point with a rule that matches HTTP traffic for the project URL. We also attach our middleware to that router, which redirects all traffic to HTTPS. The remaining lines define a second router (note the slightly different router name, with _https appended) with the same rule, the websecure entry point (443) and TLS enabled. This configures that router to accept only HTTPS requests.

Now, any HTTP traffic will be redirected to HTTPS. You can then add your self-signed certificate to your browser so that it is recognized and trusted for your local development environment.
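To check that a label set really leaves no plaintext route, here is an added example (not part of the original post, and not Traefik's own code) that audits the router and middleware labels described above. The function names and the sample values demo and demo.localhost are assumptions. It also covers the case the article avoids by always setting entrypoints: a router without that option listens on every entry point.

```python
import re
from collections import defaultdict

LABEL = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.([^=]+)=(.*)$")

def parse_labels(labels):
    """Group Traefik v2 HTTP labels as {kind: {name: {option: value}}}."""
    conf = {"routers": defaultdict(dict), "middlewares": defaultdict(dict)}
    for label in labels:
        if m := LABEL.match(label.strip()):
            kind, name, option, value = m.groups()
            conf[kind][name][option.lower()] = value.strip()
    return conf

def audit_https(labels, http_ep="web", https_ep="websecure"):
    """Return findings for routers that could answer over plaintext."""
    conf = parse_labels(labels)
    redirects = {n for n, o in conf["middlewares"].items()
                 if o.get("redirectscheme.scheme", "").lower() == "https"}
    routers, findings = [], []
    for name, opts in sorted(conf["routers"].items()):
        eps = {e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()}
        tls = opts.get("tls", "").lower() == "true" or any(k.startswith("tls.") for k in opts)
        # A router with no entrypoints option listens on every entry point.
        routers.append((name, opts, eps or {http_ep, https_ep}, tls))
    tls_rules = {o.get("rule") for _, o, eps, tls in routers if tls and https_ep in eps}
    for name, opts, eps, tls in routers:
        if tls:
            continue  # a TLS router ignores non-TLS requests
        if https_ep in eps:
            findings.append(f"{name}: bound to {https_ep} without tls=true")
        if http_ep in eps:
            used = {m.strip().split("@")[0] for m in opts.get("middlewares", "").split(",")}
            if not used & redirects:
                findings.append(f"{name}: plaintext HTTP with no HTTPS redirect")
            elif opts.get("rule") not in tls_rules:
                findings.append(f"{name}: redirects, but no TLS router has the same rule")
    return findings

# Constructed sample: the article's labels with PROJECT_NAME=demo, PROJECT_BASE_URL=demo.localhost
ARTICLE_LABELS = [
    "traefik.http.middlewares.demo_apache_https.redirectscheme.scheme=https",
    "traefik.http.routers.demo_apache.entrypoints=web",
    "traefik.http.routers.demo_apache.rule=Host(`demo.localhost`)",
    "traefik.http.routers.demo_apache.middlewares=demo_apache_https@docker",
    "traefik.http.routers.demo_apache_https.rule=Host(`demo.localhost`)",
    "traefik.http.routers.demo_apache_https.tls=true",
    "traefik.http.routers.demo_apache_https.entrypoints=websecure",
]
```

Calling audit_https(ARTICLE_LABELS) returns an empty list; removing the middlewares or tls label from the list makes the corresponding finding appear.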
