Transparent Traefik proxy for Homelab
I've been hosting a few services in my Homelabs for the last couple of months and had some of them exposed over Cloudflare Tunnel. However, I wanted to access them locally if I were at home, have transparent URLs, and have all of the endpoints secure over HTTPs.
I'm using Step-CA for local certificates because some of my services aren't on a valid domain, but I still would like to have a locally trusted certificate.
In this post, I'll share the setup I currently use for Traefik and Step-CA, which will provision certificates over ACME. I'm hosting this on my Docker Swarm cluster, which Portainer manages.
Setting up Traefik on Docker Swarm
Assuming you already have a Docker Swarm cluster set up, the first step is creating a Traefik service. Here's the docker-compose.yml that I'm using:
version: '3.3'
services:
traefik:
# Use the latest v3.0 Traefik image available
image: traefik:v3.0
ports:
# Listen on port 80, default for HTTP, necessary to redirect to HTTPS
- 80:80
# Listen on port 443, default for HTTPS
- 443:443
deploy:
placement:
constraints: [node.role == manager]
labels:
# Enable Traefik for this service, to make it available in the public network
- traefik.enable=true
# Use the traefik-public network (declared below)
- traefik.docker.network=traefik-public
# Use the custom label "traefik.constraint-label=traefik-public"
# This public Traefik will only use services with this label
# That way you can add other internal Traefik instances per stack if needed
- traefik.constraint-label=traefik-public
# https-redirect middleware to redirect HTTP to HTTPS
# It can be re-used by other stacks in other Docker Compose files
- traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
# traefik-http set up only to use the middleware to redirect to https
- traefik.http.routers.traefik-public-http.rule=Host(`traefik.drkr.io`)
- traefik.http.routers.traefik-public-http.entrypoints=http
# traefik-https the actual router using HTTPs
- traefik.http.routers.traefik-public-https.rule=Host(`traefik.drkr.io`)
- traefik.http.routers.traefik-public-https.entrypoints=https
- traefik.http.routers.traefik-public-https.tls=true
# Use the special Traefik service api@internal with the web UI/Dashboard
- traefik.http.routers.traefik-public-https.service=api@internal
# Use the "le" (Let's Encrypt) resolver created below
- traefik.http.routers.traefik-public-https.tls.certresolver=le
# Enable HTTP Basic auth, using the middleware created above
- traefik.http.routers.traefik-public-https.middlewares=admin-auth
# Define the port inside of the Docker service to use
- traefik.http.services.traefik-public.loadbalancer.server.port=8080
volumes:
# Add Docker as a mounted volume, so that Traefik can read the labels of other services
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/ssl/certs:/etc/ssl/certs:ro
# Mount the volume to store the certificates
- traefik-public-certificates:/certificates
command:
# Enable Docker in Traefik, so that it reads labels from Docker services
- --providers.docker
# Enable Docker Swarm mode
- --providers.docker.swarmmode
# Create an entrypoint "http" listening on port 80
- --entrypoints.http.address=:80
# Create an entrypoint "https" listening on port 443
- --entrypoints.https.address=:443
# Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
- --[email protected]
- --certificatesresolvers.le.acme.caServer=https://ca:9001/acme/acme/directory
# Store the Let's Encrypt certificates in the mounted volume
- --certificatesresolvers.le.acme.storage=/certificates/acme.json
# Use the TLS Challenge for Let's Encrypt
- --certificatesresolvers.le.acme.tlschallenge=true
# Enable the access log, with HTTP requests
- --accesslog
# Enable the Traefik log, for configurations and errors
- --log
# Enable the Dashboard and API
- --api
- --api.insecure=true
networks:
# Use the public network created to be shared between Traefik and
# any other service that needs to be publicly available with HTTPS
- traefik-public
volumes:
# Create a volume to store the certificates, there is a constraint to make sure
# Traefik is always deployed to the same Docker node with the same volume containing
# the HTTPS certificates
traefik-public-certificates:
networks:
# Use the previously created public network "traefik-public", shared with other
# services that need to be publicly available via this Traefik
traefik-public:
external: true
After creating the docker-compose.yml file, save it and proceed to the next steps.
Setting up Step-CA on Docker
Let's set up Step-CA on Docker to manage our local certificates. First, create a step-ca directory and then run the following commands to initialize the Step-CA:
$ docker run -it --rm \
-v $(pwd)/step-ca:/home/step smallstep/step-cli:0.23.2 step ca init
This command walks you through initializing your CA certificate. This example uses the DNS record with the name ca which points
to the Step-CA instance, but it's up to you how you name it. Please make sure you set it to listen on port 9001 as these examples
are configured to use it.
Now, create a docker-compose-step-ca.yml file with the following content:
version: '3.3'
services:
ca:
image: smallstep/step-ca:0.23.2
volumes:
- ./step-ca:/home/step
ports:
- 9001:9001
command: step-ca --password-file=/home/step/password.txt /home/step/config/ca.json
networks:
- traefik-public
networks:
traefik-public:
external: true
This configuration sets up Step-CA using the previously created step-ca directory and connects it to the traefik-public network.
Deploying Traefik and Step-CA
Now that we have the Traefik and Step-CA configurations ready, it's time to deploy them to your Docker Swarm cluster.
First, create the traefik-public network:
$ docker network create -d overlay traefik-public
Next, deploy the Traefik service:
$ docker stack deploy -c docker-compose.yml traefik
Finally, deploy the Step-CA service:
$ docker stack deploy -c docker-compose-step-ca.yml step-ca
Wait for a few moments for the services to start and settle.
Testing and Accessing Services
Once both Traefik and Step-CA services are running, you can add your services to the Docker Swarm cluster and configure
them to use Traefik as a proxy. Make sure to add the appropriate Traefik labels to your services and expose them on
the traefik-public network. Don't forget to add the CA certificate to your trust stores.
To access the Traefik dashboard, visit https://traefik.drkr.io in your browser. You should see a secure HTTPS
connection with a locally trusted certificate provided by your Step-CA instance. From the dashboard, you can monitor and
manage your services.
Congratulations! You've successfully set up a transparent Traefik proxy with locally trusted certificates in your Homelab. This configuration allows you to access your services securely over HTTPs and have transparent URLs locally and remotely.
In the next post we'll go over exposing the services over Cloudflare Tunnel and making Cloudflare trust our custom CA certificates.
I hope you found this guide helpful in setting up Traefik and Step-CA for your Homelab. As someone passionate about Homelabbing, it's always exciting to share my experiences and help others achieve a secure and efficient setup.