Overview
This is a note on how to operate multiple HTTPS-enabled containers with Traefik.
https://github.com/traefik/traefik
Background
Previously, I was using jwilder/nginx-proxy and jrcs/letsencrypt-nginx-proxy-companion with the following configuration.
Proxy
version: '3'
# proxy
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - html:/usr/share/nginx/html
      - dhparam:/etc/nginx/dhparam
      - vhost:/etc/nginx/vhost.d
      - certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /srv/docker/nginx-proxy-with-encrypt/log:/var/log/nginx
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"
    restart: always
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-proxy-lets-encrypt
    depends_on:
      - "nginx-proxy"
    volumes:
      - certs:/etc/nginx/certs:rw
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
  certs:
  html:
  vhost:
  dhparam:
networks:
  default:
    external:
      name: common_link
Container
Below is a Django example.
version: "3"
services:
  nginx:
    image: nginx:latest
    ports:
      - "18001:80"
    volumes:
      - ./default.conf:/etc/nginx/conf.d/default.conf
      - ./.htpasswd:/etc/nginx/.htpasswd
    depends_on:
      - dns
    environment:
      VIRTUAL_HOST: django.yyy.zzz
      LETSENCRYPT_HOST: django.yyy.zzz
      LETSENCRYPT_EMAIL: xxx
  dns:
    build:
      context: ../
      dockerfile: ./docker/Dockerfile
    volumes:
      - "../web:/mysite"
    container_name: dns
    tty: true
    working_dir: "/mysite"
networks:
  default:
    external:
      name: common_link
For adding Basic Authentication, I was using nginx:latest in addition to Django.
The following library might have been an easier approach.
https://pypi.org/project/wsgi-basic-auth/
Using Traefik
With Traefik, the configuration changed to the following.
Proxy
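services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    ports:
      - "443:443"
      - "80:80"
    networks:
      - traefik-network
    environment:
      TZ: Asia/Tokyo
    labels:
      # Label values must be strings, so the boolean is quoted.
      traefik.enable: "true"
      traefik.http.routers.dashboard.rule: Host(`proxy.yyy.zzz`)
      traefik.http.routers.dashboard.entrypoints: websecure
      traefik.http.routers.dashboard.tls.certresolver: myresolver
      # Point the dashboard router at Traefik's internal API service.
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.middlewares: auth
      # user:hash as generated by htpasswd; write every $ in the hash as $$ in a compose file.
      traefik.http.middlewares.auth.basicauth.users: xxxxxxxxx
    volumes:
      # :ro only protects the socket file; Traefik still has full access to the Docker API through it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
networks:
  traefik-network:
    external: true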

# traefik.yml (mounted at /etc/traefik/traefik.yml)
log:
  # level: DEBUG
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
api:
  dashboard: true
providers:
  docker:
    # Only containers labeled traefik.enable=true are routed.
    exposedByDefault: false
certificatesResolvers:
  myresolver:
    acme:
      email: aaa@bbb
      # Kept under the mounted ./letsencrypt volume so certificates survive container recreation.
      storage: /letsencrypt/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      httpChallenge:
        entryPoint: web
Container
Traefik middleware is used to implement Basic Authentication.
services:
  dns:
    build:
      context: ../
      dockerfile: ./docker/Dockerfile
    volumes:
      - "../web:/mysite"
    ports:
      # This also publishes the app on host port 18001, where requests skip Traefik's TLS and Basic Authentication.
      - "18001:8000"
    container_name: dns
    tty: true
    working_dir: "/mysite"
    networks:
      - traefik-network
    restart: always
    labels:
      # Label values must be strings, so the boolean is quoted.
      traefik.enable: "true"
      traefik.http.routers.dns.rule: Host(`django.yyy.zzz`)
      traefik.http.routers.dns.entrypoints: websecure
      traefik.http.routers.dns.tls.certresolver: myresolver
      traefik.http.routers.dns.middlewares: dns
      # user:hash as generated by htpasswd; write every $ in the hash as $$ in a compose file.
      traefik.http.middlewares.dns.basicauth.users: xxxxxxxxx
networks:
  traefik-network:
    external: true
By creating this configuration for each container, you can operate multiple containers in a similar environment.
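Since the same labels are repeated for every container, a small check helps catch a service that ends up without TLS or Basic Authentication, or that publishes a port which bypasses Traefik. The following is an added example, not code from the original post. It assumes the compose services are already parsed into a dict, that ports use the short syntax, and that the proxy service is named `traefik`; the `audit` function and `SAMPLE` data are hypothetical.

```python
import re
ROUTER = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
AUTH_MW = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.basicauth\.users$")

def _labels(svc):
    """Normalize compose labels (map or 'key=value' list) to a dict of strings."""
    raw = svc.get("labels") or {}
    if isinstance(raw, list):
        raw = dict(item.split("=", 1) for item in raw)
    return {k: str(v) for k, v in raw.items()}

def audit(services, proxy="traefik"):
    """Return findings for compose services (name -> service dict, short port syntax)."""
    labels = {name: _labels(svc) for name, svc in services.items()}
    # Docker-provider middlewares share one namespace, so collect them across services.
    auth = {m.group(1) for ls in labels.values() for k in ls if (m := AUTH_MW.match(k))}
    findings = []
    for name, ls in labels.items():
        if ls.get("traefik.enable", "").lower() != "true":
            continue
        routers = {}
        for key, value in ls.items():
            if (m := ROUTER.match(key)):
                routers.setdefault(m.group(1), {})[m.group(2)] = value
        for rname, opts in sorted(routers.items()):
            if "tls.certresolver" not in opts and opts.get("tls") != "true":
                findings.append(f"{name}: router {rname} has no TLS option")
            used = {mw.strip().split("@")[0] for mw in opts.get("middlewares", "").split(",")}
            if not used & auth:
                findings.append(f"{name}: router {rname} has no basicauth middleware")
        if name == proxy:
            continue  # the proxy itself has to publish 80/443
        for port in services[name].get("ports", []):
            if not str(port).startswith("127.0.0.1:"):
                findings.append(f"{name}: port {port} is reachable without the proxy")
    return findings

# Constructed sample mirroring the page's two services (user hashes are placeholders).
SAMPLE = {
    "traefik": {"ports": ["443:443", "80:80"], "labels": {
        "traefik.enable": "true",
        "traefik.http.routers.dashboard.tls.certresolver": "myresolver",
        "traefik.http.routers.dashboard.middlewares": "auth",
        "traefik.http.middlewares.auth.basicauth.users": "xxxxxxxxx"}},
    "dns": {"ports": ["18001:8000"], "labels": {
        "traefik.enable": True,
        "traefik.http.routers.dns.tls.certresolver": "myresolver",
        "traefik.http.routers.dns.middlewares": "dns",
        "traefik.http.middlewares.dns.basicauth.users": "xxxxxxxxx"}},
}
```

Calling `audit(SAMPLE)` reports only the `18001:8000` mapping of the `dns` service; binding it as `127.0.0.1:18001:8000` clears the finding.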
Summary
There may be misunderstandings or insufficient considerations, but I hope this is helpful as a method for operating multiple HTTPS-enabled containers (with Basic Authentication).