Simple Traefik docker-compose setup with Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 challenges
This is my setup using docker-compose
to start Traefik, supporting all major encryption providers. I recommend to create the /opt/traefik
directory and save the following file as /opt/traefik/docker-compose.yml
. This config has the file
and docker
providers enabled by default.
services:
traefik:
image: "traefik:v3.2"
network_mode: "host"
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--providers.file.directory=/etc/traefik/conf"
- "--providers.file.watch=true"
- "--entrypoints.web.address=:80"
- "--entryPoints.web.http.redirections.entryPoint.to=websecure"
- "--entryPoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.websecure.address=:443"
- "--entryPoints.websecure.http3"
- "--entryPoints.websecure.http3.advertisedport=443"
- "--log.level=info"
- "--serversTransport.insecureSkipVerify=true"
#
- "--certificatesresolvers.cloudflare-ec384.acme.dnschallenge=true"
- "--certificatesresolvers.cloudflare-ec384.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.cloudflare-ec384.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
- "--certificatesresolvers.cloudflare-ec384.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.cloudflare-ec384.acme.email=letsencrypt@mydomain.com"
- "--certificatesresolvers.cloudflare-ec384.acme.KeyType=EC384"
- "--certificatesresolvers.cloudflare-ec384.acme.storage=/letsencrypt/acme.json"
#
- "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
- "--certificatesresolvers.cloudflare.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.cloudflare.acme.email=letsencrypt@mydomain.com"
- "--certificatesresolvers.cloudflare.acme.KeyType=EC256"
- "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
#
- "--certificatesresolvers.cloudflare-staging.acme.dnschallenge=true"
- "--certificatesresolvers.cloudflare-staging.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.cloudflare-staging.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
- "--certificatesresolvers.cloudflare-staging.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.cloudflare-staging.acme.email=letsencrypt@mydomain.com"
- "--certificatesresolvers.cloudflare-staging.acme.KeyType=EC256"
- "--certificatesresolvers.cloudflare-staging.acme.storage=/letsencrypt/acme.json"
#
- "--certificatesresolvers.alpn-ec384.acme.tlsChallenge=true"
- "--certificatesresolvers.alpn-ec384.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.alpn-ec384.acme.email=letsencrypt@mydomain.com"
- "--certificatesresolvers.alpn-ec384.acme.KeyType=EC384"
- "--certificatesresolvers.alpn-ec384.acme.storage=/letsencrypt/acme.json"
#
- "--certificatesresolvers.alpn.acme.tlsChallenge=true"
- "--certificatesresolvers.alpn.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "[email protected]"
- "--certificatesresolvers.alpn.acme.KeyType=EC256"
- "--certificatesresolvers.alpn.acme.storage=/letsencrypt/acme.json"
#
- "--certificatesresolvers.alpn-staging.acme.tlsChallenge=true"
- "--certificatesresolvers.alpn-staging.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.alpn-staging.acme.email=letsencrypt@mydomain.com"
- "--certificatesresolvers.alpn-staging.acme.KeyType=EC256"
- "--certificatesresolvers.alpn-staging.acme.storage=/letsencrypt/acme.json"
environment:
- [email protected]
- CLOUDFLARE_API_KEY=XYZABC123
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./conf:/etc/traefik/conf:ro"
Replace [email protected]
by the Email address to register certificates to. Also ensure to change
- [email protected]
- CLOUDFLARE_API_KEY=XYZABC123
Optionally, create a Pilot token and set it (don’t forget to un-comment the line) using
# - "--pilot.token=PILOT_TOKEN_HERE"
Now let’s make the service autostart on boot (and start it right now) using the method detailed in docker-compose systemd .service generator: Run the following in /opt/traefik
curl -fsSL https://techoverflow.net/scripts/create-docker-compose-service.sh | sudo bash /dev/stdin
We will detail how to get access to the Traefik API in followup posts.