Put Wildcard Certificates and SSL on EVERYTHING - Traefik + Portainer Tutorial
Vložit
- čas přidán 20. 05. 2024
- Today, we're going to use SSL for everything. No more self-sign certs. No more http. No more hosting things on odd ports. We're going all in with SSL for our internal services and our external services too. We going to set up a reverse proxy using Traefik, Portainer, and use that to get wildcard certificates from Let's Encrypt. Join me and let's secure all the things.
Video Notes: technotim.live/posts/traefik-...
Support me on Patreon: / technotim
Sponsor me on GitHub: github.com/sponsors/timothyst...
Subscribe on Twitch: / technotim
Become a CZcams member: / @technotim
Merch Shop 🛍️: l.technotim.live/shop
Gear Recommendations: l.technotim.live/gear
Get Help in Our Discord Community: l.technotim.live/discord
2nd channel: / @technotimtalks
(Affiliate links may be included in this description. I may receive a small commission at no cost to you.)
00:00 - What are we doing today?
01:03 - What do we need?
02:51 - What is Traefik?
03:51 - Setting up Traefik
04:27 - Traefik configuration
06:18 - Traefik with Docker Compose
07:00 - Traefik Docker Compose File with Wildcards
10:46 - Spinning Up Traefik
12:09 - Traefik Dashboard
12:34 - We have Wildcards!
13:01 - Portainer Docker Compose
15:19 - Spinning up Portainer
15:41 - Portainer in Traefik Dashboard
15:58 - Portainer now has SSL
16:39 - Proxy Through Traefik to External Services (Proxmox)'
17:34 - Traefik Routes Config
21:38 - Apply Traefik Route Config
22:26 - See Our New External Route
22:45 - SSL for Proxmox with Traefik Reverse proxy
23:41 - Hosting all of your Homelab Services with SSL
23:59 - Which Reverse Proxy Are You Running?
24:11 - Stream Highlight - "I built my server, not sure where to go from here..."
#Traefik #Portainer #Homelab
"Sun Run" is from Harris Heller's album Breaker.
l.technotim.live/sb-music-lic...
Thank you for watching! - Věda a technologie
What are you using to get your certificates?
Internally Active Directory Certificate Services. Externally Let’s Encrypt.
Using Let's Encrpt via HAProxy on my PFSense machine.
Traefic exposed with lets encrypt direct.
In my setup traefic stays untouched and requests the certs based on the service labels from the other containers
LetsEncrypt and apache proxy... both esxi and proxmox works awesome this way.. also Jellyfin and more....
Haproxy runs on my pfsense box and gets let's encrypt certs to all my hostnames.
Half the views came from me watching it over and over.
😅
I know this is an older video, but I just wanted to drop in and say thank you. I really appreciate all you do for the community
The best video on SSL with Portainer and Træfik, period. Thank you so much for your slow and clear approach with excellent quality of video. Keep up the great work Tim! 🐧
This is literally my first ever comment in 8 years. I really enjoy your content. You keep it simple, relatable, and most importantly you tied different services together not just one by one in all different videos. You show the end game scenario. Patreon it is brother.
Thank you so much! Glad I helped break the seal! Welcome!
@Inu Yasha you can check on CZcams now. Homeboy only has one comment in 10 years.
@@TechnoTim
Tim, Is there a self hosted alternative for sel hosted tunnel to get rid of cloudflare services and do the cloudflare job like providing ssl certificates, hiding ip and protection from ddos attacks etc..?? All it done by myself?
I heard by something like RPoVP? Does it get the job done or there is another better solution replacing cloudflare and our entire network and ip from external world??
Just wanted to say thank you, Tim!!! I've been wanting to set up ssl for a few months now but have been intimidated by it all. After learning how to create a ansible playbook to update,upgrade-dist for my VMs last week . I was like I can do this ssl thing so I bought a domain and watched this video like 10 times but I now have my local services all running with ssl thanks to you. All your videos are great and very infomitve. You and the homelab CZcams community is amazing .. thank you again so much
I was originally soooo frustrated following this tutorial. I went step by step, and took SEVEN hours just to figure out that I had some typos! Thanks @Techno Tim, amazing tutorial. I'm so glad I stuck it out! For anyone else struggling, highly recommend looking over your work even when you copy and paste!
Thank you!!! Nice work!
I got frustrated as well but then I realized that I mistakenly typed a - instead of an = on two lines…Thank you for the great tutorial @TechnoTim!
I just found your channel and have binged a few videos as I’m right in the process of upgrading my home Proxmox server and home network. I swear you somehow have a video for exactly each thing I was about to do, with detailed instructions and configs (NUT, Proxmox setup, SSL and FQDM for local services, etc etc). These are fantastic jumping off points for my own custom configs and I love that you go into such detail and explain WHY you do things not just a list of steps, as I usually will want a different configuration and am even more interested in the why than the how. Fantastic channel, I hope to see you continue to grow it!
Thank you so much!!! Welcome!!!
Came across this video just today, and I wanted to leave a comment for the algorithm, along with liking and subscribing. Really appreciate you giving away the hours of trial and error that it had to have taken to get these configs dialed in. I also appreciate your clear and straightforward delivery. Great job with this.
Thank you!
After almost 3 years, this still works like a charm... Save my life... Kudos 👏😎
About to step through this procedure myself. Good to know it still works ha ha.
Just tried this today myself. When my Traefik site comes up its still using the default self-signed cert. Not sure why. I see a cert for my domain in the acme.json, it just doesn't seem to be using it. Not sure how to troubleshoot.
I've watched this video twice fully and a few times in part over a period of several months. You've been a teacher for me and I appreciate you.
I've been looking to do that for over a year and a half and scratching my head because it all seemed far too complicated a setup to bother with it all. Until I finally found your video... Damn, that one is very useful and simple to follow... as well as sufficiently detailed to really understand how it works under. Very well done and useful, thanks!
Love using traefik! It was actually where I started my homelab. A friend showed me traefik and something about it just caught my interest. Started spinning up a bunch of different containers with configs just for the sake of it.
Great video!
I use Nginx proxy manager, but this looks neat. I really need to move to wildcard, my let’s encrypt list is getting a little silly now.
Thanks, Tim for all you do!
Tim thank you so much for this video and tutorial. I got this up and running for my internal services, and it inspired me to also set up a separate process for the stuff I wanted to take external. Keep it up!
Exactly what I needed man, thank you so much! Really enjoy the videos! Super clear and fun to watch!
Nice! I've been running this setup for a few years as well. With one difference: I configured the file provider to watch a directory of .yml files. (see the watch option and the directory option). This allows me to create a .yml file PER site and the watch option makes it so I don't have to restart the container and take down the proxy.
Did not know about the watch option. Great tip and thanks for sharing.
Absolutely love this channel. Incredible editing and great documentation. Just what I need to rebuild my homelab. :)
Thank you so much!
@@TechnoTim :D I’ve got big plans to rebuild my truenas server into a virtualization host for my home services (including truenas itself) and i will continue to refer to your videos.
Awesome tutorial, been using traefik since 1.0 but this video helped me to understand a few things clearly, thanks for your work!
How do you literally upload exactly what i've been looking for, one day after i began reading up on it?!?
As always, awesome video!
I was struggling with setting up a reverse proxy yesterday, today this video pops up in my feed. Great timing! :D
yeah me too
problem?
Oh heck yeah!! Thanks Tim! This was just what I needed, like I mentioned last time!
The k8s focused rancher ones were great, but I have been running portainer with regular docker containers and hoping for inspiration to add traefik. Had been using Caddy for certs and it's really easy, but Traefik supports SSO with Authelia and Caddy doesn't. Any odds on setting up SSO with Authelia next? Thanks very much, you're the best!!
Hi Tim, great tutorial! I've been running SSL on all my homelabs projects for couple months now without any issues. But recently I had some problems renewing certificate. I found that I had to add 'delayBeforeCheck: 5' in traefik.yml file under dnsChallenge section for cert to renew. I guess Cloudflare has changed something on their end and I needed this line to add a delay for a few seconds otherwise I would always get certificate null error. You may want to add this to your documentation to help others encountering this issue. Banged my head for days until I figure this out. Thanks again for all your great tutorials.
Holy Crap man! You've saved me hours of trial and error! I hope this gets the attention it deserves.
love that i found your channel, learning more here than i did at uni
Amazing tutorial. I can't tell you how long I've been annoyed with my homelab services not using SSL or just using the self signed stuff... it's so nice to have these being properly secured now.
Glad it helped!
This seems to be a bit more complex then what I am doing directly with PFSense and its HA Proxy and ACME plugins, but I like the nice dashboard that Traefik provides! Thanks Tim for the nice walk through!
How is that setup going?
It does not go over how this intereact with the regular reverse proxy. I have been stucked for weeks. Since my pfsense forward everything to my main traefik.
Automation man!! automation....
I definitely prefer your more advanced videos will you show a whole solution like these. Keep it up!!
I had spent two days trying to figure out how to do this, and I finally got it after carefully going through your video. Thank you so much for helping the community like this, I really appreciate it.
Glad it helped!
Dude! Nice work! It's not about the complexity, it's about the way you describe and explain something...you nailed both.
Thank you!
Techno Tim is legit the best. Really motivating and quality IT configuration content
Thank you so much!
Hey Tim, I'm having a hard time. I'm following this tutorial so that I can subsequently follow your pterodactyl tutorial and I think I may be in over my head. For example, @8.40 you say "just make sure you have a DNS entry pointing back to this portainer".
Now, you said that so casually.. but how do I do that? Where do I find this portainers IP? Is it the IP of the server portainer is running on, or do I find that in portainers dashboard? Should I be going further back in your tutorials until I understand the things in this tutorial that do dont fully explain? and if so, where do I start?
Thanks.
Tim! You seem to know what I am working on every time a video comes out. Thank You!!!
Big kudos to you Tim, a great guide and the only one I could find online that explains it so well! Keep on Rockin!!!!
In a more recent video (I think it was the overview of your whole lab) you mentioned you now have two instances of Traefik, one for external traffic, and the one described in this video.
I spent several days trying to set up a second instance to pass external traffic along, and was never able to get it to work. Would you be willing to do a more in depth tutorial about that setup?
I just use you Pihole DNS setting for local DNS (must use as your main DNS), external use Cloudflare, both of them use the same certificate with different subdomains, It's just that the internal subdomains name can only be used on the internal network because this domain name is not exist on public DNS.
Thank's for the video !
What about doing the same thing within and for Rancher ?
I stumbled upon your channel today (started with high availability pihole), and I am amazed by the quality of your videos! It was insta subscribe, and I hope you will continue the excellent work Tim!
Thank you so much! Welcome!
You're a legend, this is a great match for my setup. Thanks for your research and hard work, saved me some time.
How do you decide whether to use Kubernetes or Docker?
Thanks for the video, can i add labels to a stack in another portainer environment (another proxmox host) ? how?
Thank you very much. I am rebuilding my homelab and I was looking for instructions about certificates. Greatly explained, thanks again!
Congrats for the tutorial! Very helpful. One of the best channels for the Home Lab enthusiasts.
Do you have network diagram, it helps some of us understand the flow and config easier.
Great vid as always, well explained. Thanks Tim
I do! czcams.com/video/Cs8yOmTJNYQ/video.html
Hey Tim, this is awesome, I have got everything internally and external, to docker, set up flawlessly. However, I think I might be missing something, as I am a little stuck on how to configure this to allow internet-facing external access.
I have configured the Cloudflare DNS and port forwarded, but I think I am missing some key config on Traefik itself? I would absolutely love it if you could reply (or even make a video!) on how *you* would go about setting up internet facing services through Traefik!
Hi Tim, I'm having the same issues too. I've been able to get everything working while I'm on my local network. Once I'm outside, I get a "too many redirects" error. I'm using Cloudflare tunnels, and I've tried disabling any kind of redirect at the CF level with no luck. Each time I remove the redirect in Traefik I seem to break things. Any guidance will be greatly appreciated
brilliant, amazing work. affordable and very valuable. Tim, you are a great man.
great job man.. you're videos are always solid !! Greetings from Denmark
Tim, i think there's a bit of a confusion in commands... there are a bit of "cd .." which you show in video but missing on docs page... also the config.yaml is done in the data folder, not in its parent one, as in video... please share full folders structure for both portainer and traefik, thanks :)
oh, and again, you make a data folder inside portainer one, but you refer to the portainer one in docker-compose.yaml instead of data :)
edit: adding that the user:password (encoded via htpasswd) generates other errors on the docker-compose up -d command, because some "$" in the password which triggers some variable substitution in while running docker-compose, that should be escaped some way... i fixed by removing the initial and final backtick and converting double back-slashes to single ones
oh, and you need just the apache addon package, no need for the apache2 one to just generate password hashes
man, you rock! All working here, after addressed the few problems i reported, thanks a lot!
@@squalazzo Thanks! Docs are open source and have been fixed!
Heads up. It looks like in the video you create your traefik config.yml in the traefik directory (traefik/config.yml). But it's supposed to be at traefik/data/config.yml. I got hung up on this for a while. The documentation does show it in the right place, however.
Thanks! Yeah, I noticed after the video. the docs should be right. Thank you and sorry!
I struggled so much with Swag and getting anything running securely. This vid honestly saved my sanity, thank you so much Tim!
Glad it helped!
It’s been a year but thank you for being an inspiration, you’re awesome 🎉
If you had a network map or diagram of each step you were configuring; that would help a lot.
Great feedback!
I do now czcams.com/video/Cs8yOmTJNYQ/video.html
@@TechnoTim
Sorry Tim for this long reply , I just wanted to point out the importance of the topic to ensure privacy protection, so do not be tempted by the positives that they decorate for the public, because cloud servers, including cloudflare, can track all users of their platform! And many other negatives... That is why we had to find a private alternative that could not be tracked, even if it was difficult for us to protect it locally.
With much thanks and appreciation
Great video thx 👍
One question - could this had been done in Rancher ? Why not Rancher if yes, why docker ?
He did a video where he set up Let's Encrypt and Traefik on Rancher, about 8 months before this one... I think this is more of a "because we can" video instead of following along the vein of setting up one holistic infrastructure consistent with the other videos. I landed here first, and realized I probably want to follow along with that video instead. It would have been nice for Tim to call that out, though.
Hello Timothy, thanks for the tutorials. i've followed the documentation. finally it works
Thank you so much sir. I just have so many prerequisite skills that I need to learn to fully understand the concept.
Took me a while to get this working, but now everything is up and running thanks to your guide! TYVM!
thank for this between you and Christian Lempa I was able to get traefik working the way I wanted.
Interesting approach. I was using a domain for my home network but had to issue Lets Encrypt certs for each service I wanted to host on the network. I will need to give this a go. Thanks for the great tutorial (once again!)
Worked like a charm. Took me a while to figure out how to connect another DNS provider, but i got it up and running! Thank you very much
Nice work!
Man you are seriously awesome i am still trying to catch up to all the tutorials you post you are great
Just watched it again a year later..... amazing material, thank you Tim.
Thanks for the great tutorial. After fixing a few of my typos and scratching my head a bunch I got everything to work! Liked and subscribed!
Glad it helped! Thank you!
simple
straight to the point! i am subscribing!
This is gold! Thank you for sharing, Tim! 👍🏅
Thanks a ton for this godly work :) I have completed my setup using AWS Route 53 DNS Provider.
I literally need to rewatch this, thanks TT
This is exactly what I needed! THANK YOU!!!!
We need more people you! Absolutely great explanations and content!
Thank you so much!
Duuuuuuuuude, just got this working now! Thanks for the guide Tim!
NP! Nice work!
Congrats on almost 50k subscribers 👏🏼
Almost there!!!
This is an amazing video walkthrough. You are very good at educating and explaining things. Thank you.
Glad you enjoyed it!
Nice! I just learn how to config Round Robin and Failover under services in dynamic config file, I will implement this later. With this feature, this thing is even more powerful for home LAB.
You are awesome man!! TXH for sharing your nice stuff!
thanks for the great content man! you really know your stuff!
I've been watching your older videos because they seem to always be relevant LMAO, but really good stuff
Recently been testing out on containerizing/dockerizing my home lab/server utilities that were originally installed on host system
What are your thoughts, do you think it's better to install on host system? Or to install via docker(-compose)?
Very informative video. Thanks to you I finally got this working!
Best tutorial on this topic I have seen. Thank you!
You should check out my others 😅. Thank you!
Great video! Reverse proxy has always been a pain for me. Would love to see your take on scripting things like toolset installs or container initializations.
I patiently followed your guide, and now everything on my homelab is using wildcard certificate from my domain name
thank you, you are my inspiration for building self hosting app
I've been using NGINX for about 2 years to setup reverse proxy at home. This method seems ALOT easier in comparison to managing a long .conf file or multiple .conf files for subdomains. I'm gonna have to look into setting this up when I have a long weekend free
i love how you explain things, thank you for that
My pleasure!
Hi Tim,super useful as Always..thank you!!!greetings from Italy.
@Techno Tim
Sorry Tim for this long reply , I just wanted to point out the importance of the topic to ensure privacy protection, so do not be tempted by the positives that they decorate for the public, because cloud servers, including cloudflare, can track all users of their platform! And many other negatives... That is why we had to find a private alternative that could not be tracked, even if it was difficult for us to protect it locally.
With much thanks and appreciation
When you mean everything, Probably can share more on integration of ssh, ldaps, smtps, and etc.
Thanks and appreciated for the knowledge sharing.
Tim, you are inspirational. I hope this small token of my appreciation keeps you inspired.
Wow!!!! Thank you!!!!!!
Thanks! Your videos are awesome and are extremely helpful as I start up my own home lab
Great to hear! Thank you so much!!!!!
Very straightforward and helpful, +1 for this video
I love the way this skips along the surface of the topic, allowing my brain to see the big picture with just enough anchor points to make it concrete and relatable. I know what a container and a reverse proxy and a DNS server are and how certificates work. I don’t need or want to be distracted by any explanations of those. We need to keep it moving or my buffer will overflow. I can explore sub-topics separately.
You have a perfect style for a top-down learner. Thank you.
Thank you so much!
THANK YOU SO MUCH! it took so long to try to set it up but it worked. THANKS!
Congrats! It’s a great feeling isn’t it???
Great video, took a about 5 hours to trouble shoot some issues, and when I worked them out felt stupid. For those like me who take a little time (yes a silly pun) to catch on. The txt record error in my case was fixed with adding a 5 minute delay to the letsencrypt request, `delayBeforeCheck: 5` put it after the dnsChallenge provider. Not sure why but I had issues with putting quotes around the ports in the compose file you did not have them, but when looking at Christian Lempa's recent video and compose file he did, once I removed them it fixed one of my issues. :)
Hey Man thanks for all your great efforts in this wonderful channel , yet i would ask you if is it worth to use traeffik or nginix only with port forwarding, or using cloudflare zeroTrust without port forwarding, or use them both.. In order to get optimum security for local network ?
Which is the best solution ?
Also, im confused if we could trust cloudflare for securing our network?
Thanks a lot, you helped me to setup Traefik perfectly.
Thank you so much!!!!
You can do this if have a dynamic IP address from your ISP. I image most non business location are going to have a dynamic IP address from their ISP. There are several DDNS (Dynamic DNS) options, some free some a paid service. I use Cloudflare DNS, for this. In short you run/host a small utility that checks your current IP address at a set interval to your current DNS record. If it doesn't match then with an API key it updates the DNS record at Cloudflare. I use an inbound VPN, host a PBX, cloud storage, ect. and it just works despite having a dynamic IP address. I set it up in pfSense to handle the DDNS since it is at the head of the network. Not everyone is using pfSense, but there is also docker containers out there that do the same thing.
I think I'm getting myself confused on what to put in on the host sections. Is it the domain that I set up internally via pihole or is it the domain through cloud fare? I'm still getting familiar with things to setup my pterodactyl server. 😅 Love your videos by the way!
Thank you for your videos. I use videos like this to learn and I appreciate it so much.
Happy to hear that!
Love these videos on ensuring that SSL is used ubiquitously across services. Is there any chance you can create the same but with NPM as Traefik is a bit of a pain to manage if there's a large count of dunning containers.
Thanks so much for the walkthrough, really straightforwards to follow, even for someone newer to self-hosting and linux.
I noticed at 5:17 you suggest binding to the docker socket; I've read on various other Traefik/docker guides that this can be a security liability. Have you ever tried addressing this? I noticed that /var/run/docker.sock was set as read-only in the docker-compose, but I heard this doesn't really get around the security issues.
Very helpful, thank you! I did notice that it didn't cover sending traffic via docker (these templates do ip:port), so I am diving in to see if I can find anything!
Thanks for great tutorial. Today i finished this and get ssl every container.
I prefer nginx for my reverse proxy currently. I do separate my internal records(bind) from my recursive resolver (pi-hole) bind has always been 100% reliable. And because of that it is the fallback for when pihole decides to become brain less (happens more than it should)
This is great video and got me up and running in no time, thanks 😊 I got a question tho, or a video request. How can you use this setup with multiple domains and ex 2 different cloudflare accounts? (I got my personal CF account with domainA, but also want to use a secondary CF account on domainB) is this something you could do a video on? Been all over Reddit/Traefik git issues etc but I can’t wrap my head around it.
Anyways, imma check out your stream and keep up the awesome videos :)
I've been wanting to make the switch from NPM to Traefik for the longest time, but the complexity has always caused be to shy away. This put me over the edge. Thanks so much @TechnoTim. One area I'm not clear about...how would one extend this to services that do need to be reachable externally? Is it as simple as port forwarding 443 to the Docker Host? And if one wanted a separate cert services that are not local, what does that config look like?