Short example of setting up TLS end to end using traefik & duckdns for free wildcard subdomain & dynamic ip support for a website.
Websites: https://*.example.duckdns.org and https://example.duckdns.org
Useful for
- You want simple certs for an API or website
- Server on a home internet with an ISP that changes your IP.
- Don't want to or can't expose port 80 or even 443.
  - This can be useful for a computer on a private network that has internet through NAT or proxy.
  - I use it to secure my private internal docker registry
- copy this repository into the current directory
  - Linux - `docker run --rm -v $(pwd):/data -u "${UID}" busybox sh -c "wget -nc -O - https://github.com/KnicKnic/traefik_duckdns/archive/master.zip | unzip - -d /tmp && cp -r /tmp/traefik_duckdns-master/* /data/ && cp -r /tmp/traefik_duckdns-master/.??* /data/"`
  - Windows - `curl.exe -L -o traefik_duckdns-github.zip https://github.com/KnicKnic/traefik_duckdns/archive/master.zip ; Expand-Archive -DestinationPath . traefik_duckdns-github.zip ; cp -r .\traefik_duckdns-master\* .`
- ensure you have docker & docker-compose installed
- get a duckdns subdomain
  - go to http://duckdns.org & click one of the sign in options across the top
  - sign up for a subdomain
- update the .env file with the subdomain and token from the previous step
  - Token is a field you can see, when signed in, on the page listing your subdomains
- start everything by running `docker-compose up -d`
- be patient, it can take up to 5 minutes for the certs to get populated (until then you will get an untrusted cert)
- test by going to https://subdomain.duckdns.org, you should see the nginx banner
- ensure web traffic (https port 443, optionally http port 80) can get to your server
  - add / modify forwarding rules
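As an added example (not part of this repository or of traefik), a small Python script that shows which names the issued wildcard certificate actually covers, and fetches the live certificate traefik serves so you can tell the "untrusted cert" stage apart from a finished challenge. `example` is a placeholder for your own subdomain; the script only uses the standard library.

```python
import socket
import ssl
from datetime import datetime, timezone


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison used by TLS clients: '*' stands for exactly one
    leftmost label, so '*.example.duckdns.org' covers 'traefik.example.duckdns.org'
    but NOT the bare 'example.duckdns.org' (hence the cert needs both names) and
    NOT a deeper name such as 'a.b.example.duckdns.org'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def uncovered(sans: list[str], hosts: list[str]) -> list[str]:
    """Return the hostnames that none of the certificate's DNS SANs covers."""
    return [h for h in hosts if not any(name_matches(san, h) for san in sans)]


def fetch_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Fetch the certificate currently served for `host` with a verifying context.
    Before the DNS-01 challenge has finished, traefik still serves its self-signed
    default cert, so this raises ssl.SSLCertVerificationError: that is the
    'untrusted cert' stage described in the steps above."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName", "?")
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return {"sans": sans, "issuer": issuer,
            "not_after": not_after.replace(tzinfo=timezone.utc)}


if __name__ == "__main__":
    import sys
    # "example" is a placeholder: pass your own duckdns subdomain as argv[1]
    base = f"{sys.argv[1] if len(sys.argv) > 1 else 'example'}.duckdns.org"
    info = fetch_cert(base)
    print(f"issuer={info['issuer']} expires={info['not_after']:%Y-%m-%d} sans={info['sans']}")
    print("not covered:", uncovered(info["sans"], [base, f"traefik.{base}", f"www.x.{base}"]))
```

A name two labels below your subdomain (`www.x.example.duckdns.org`) is reported as not covered, which is why every rule file in rules/ should use a single extra label such as `traefik.` or `copy.`.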
- if you just want to change https://subdomain.duckdns.org to point to your backend, modify rules/nginx.toml: replace `url = "http://nginx:80"` with your backend url
- to add a new hostname with its own backend, copy and modify the sample rules/nginx.toml into rules/copy.toml
  - replace every instance of `nginx` with `copy` or some other word
  - replace `url = "http://nginx:80"` with your backend url
  - replace `rule = "HostRegexp:www.{subdomain:[^.]+}.duckdns.org,{subdomain:[^.]+}.duckdns.org"` with your new name, like `rule = "HostRegexp:copy.{subdomain:[^.]+}.duckdns.org"`
  - read more info from traefik
- enable the traefik dashboard
  - edit rules/traefik.toml
    - uncomment everything (only remove 1 # per line)
    - update the password as explained in the file
  - go to https://traefik.subdomain.duckdns.org and enter the username & password
- Allow traefik to work in a proxied / firewalled network
  - You will probably want to do 2 things
    - Complete cert challenges by purely delaying the DNS checks.
      - in config/traefik.toml uncomment delayBeforeCheck
      - Do this if DNS queries are blocked
    - Not auto update the IP
      - in docker-compose.yml comment out the whole updateDuckDNSIP section
      - If you are exposing a private computer that is not routable, we do not want to override its record with our public NAT address
      - Useful in scenarios where you only want to access the website inside a corporate network (useful for TLS for private docker registries)
      - You must manually set the ip for the domain name in duckdns.org
- Write a project that extends this one.
  - Learn how to have traefik watch new containers so you do not need to update rules
  - I only wrote about file based rules, I did this for a few reasons
    - It works in non-container scenarios, you can reference any ip or hostname for the backend
    - Security / Multiplatform: you do not have to worry about securing access to the docker socket, or about how to read the docker socket on windows
  - read more about adding labels and auto configuring traefik here