====== Traefik + Docker + HTTPS with Let's Encrypt ======

===== Basic Bringup =====

These steps worked to bring up Traefik + Docker + HTTPS with Let's Encrypt: [[https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/|Docker-compose with Let's Encrypt: HTTP Challenge]]

===== HTTP to HTTPS Redirect =====

Add these to the ''services'' -> ''traefik'' -> ''command'' list:

  * ''%%--entrypoints.web.address=:80%%'' (may already be present if you used the Let's Encrypt HTTP challenge; if so, don't add it again)
  * ''%%--entrypoints.web.http.redirections.entrypoint.to=websecure%%''
  * ''%%--entrypoints.web.http.redirections.entrypoint.scheme=https%%''
  * ''%%--entrypoints.web.http.redirections.entrypoint.permanent=true%%'' (optional)

You **must** also include the following in ''services'' -> //''whoami''// -> ''labels'':

  - **Both** web and websecure entrypoints
    * **Either, define both entrypoints**: ''traefik.http.routers.//whoami//.entrypoints=web,websecure''
    * **Or, do not define any entrypoints** and Traefik will bind to all configured entrypoints - do this if you only have one HTTP and one HTTPS entrypoint and want a more concise Compose file
    * //If the service (and its host) is not bound to the plain HTTP entrypoint, Traefik will not be able to find a valid router for the hostname and will return an HTTP 404//
  - The certificate resolver, **even if it is already defined globally in the entrypoint**
    * ''traefik.http.routers.//whoami//.tls.certresolver=myresolver''

===== Pitfalls/Things that Did Not Work for Me =====

  * Traefik's Let's Encrypt TLS challenge
    * I got a persistent error 400 due to connection reset; perhaps it has something to do with Docker networking

===== Extras =====

  * Add port 8080 to Traefik's ports to make the Traefik web dashboard accessible
  * HTTP/3 (QUIC) support:
    * Add this to the ''services'' -> ''traefik'' -> ''command'' list:\\ ''%%--entrypoints.websecure.http3%%''
    * Add this to the ''services'' -> ''traefik'' -> ''ports'' list:\\ ''443:443/udp''
    * Add 443/udp to your firewall/NAT port forward if required
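
The redirect flags and router labels from the HTTP to HTTPS Redirect section, assembled into one Compose file modelled on the linked Traefik guide. This is an added example, not the author's own file; the image tag, the hostname ''whoami.example.com'' and the e-mail address are placeholders, and the dashboard and HTTP/3 extras are left out.

```yaml
# Constructed example: hostname, e-mail address and image tag are placeholders.
services:
  traefik:
    image: "traefik:v3.0"   # assumption: the page does not state a Traefik version
    command:
      - "--providers.docker=true"
      # Only containers labelled traefik.enable=true are published
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Let's Encrypt HTTP challenge, answered on the plain-HTTP entrypoint
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # HTTP -> HTTPS redirect: target entrypoint, target scheme, permanent redirect
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # acme.json holds the ACME account key and issued certificates; keep it persistent
      - "./letsencrypt:/letsencrypt"
      # Read-only mount of the Docker socket for the Docker provider
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "traefik/whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      # Router bound to both entrypoints, as the redirect section requires
      - "traefik.http.routers.whoami.entrypoints=web,websecure"
      # Certificate resolver set on the router itself
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
```

Once the stack is up, a plain-HTTP request to the hostname should come back as a permanent redirect whose ''Location'' header starts with ''%%https://%%''.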