September 29, 2019 / Articles, Docker, Home Assistant, Uncategorized

In September 2019 Containous released Traefik 2.0. Its configuration model is radically different from version 1, so an existing 1.x configuration has to be rewritten rather than ported line by line. This is my configuration and how I set up Traefik 2.0. It combines Let's Encrypt with the TransIP DNS challenge and a wildcard certificate, and it exposes Home Assistant through a file provider instead of Docker labels: Home Assistant usually runs with host networking, so it is not on any Docker network that Traefik could discover, and a static file-based router is the simpler way to reach it. The Docker provider stays enabled for everything else.

First, the Traefik service in docker-compose:

traefik2.0:
    container_name: traefik2.0
    image: traefik:v2.0        # pin the major version; a bare "traefik" tag follows every future release
    restart: always
    ports:
      - 80:80
      - 443:443
      - 8181:8181              # dashboard/API; with api.insecure this has NO authentication, so either
                               # bind it to a LAN address only (e.g. 192.168.1.10:8181:8181) or drop the
                               # port and use the labels at the end of this post with the ipwhitelist middleware
    networks:
      - proxynetwork           # must match providers.docker.network in traefik.yaml and the
                               # traefik.docker.network label on the proxied containers
    environment:
      - TRANSIP_ACCOUNT_NAME=youraccountname
      - TRANSIP_PRIVATE_KEY_PATH=/transip.key     # path inside the container, see the volume below
    volumes:
      - /home/docker/traefik2.0/traefik.yml:/etc/traefik/traefik.yaml:ro
      - /home/docker/traefik2.0/acme/acme.json:/acme.json     # create this file first (chmod 600);
                                                               # if it is missing Docker creates a directory
      - /home/docker/traefik2.0/rules:/rules:ro
      - /home/docker/traefik2.0/transip.key:/transip.key:ro
      - /var/run/docker.sock:/var/run/docker.sock      # full Docker API access = root on the host

The two environment variables configure lego's TransIP provider: the account name and the path, inside the container, of the TransIP API private key, which is mounted read-only from the host directory. Whoever can read that key can rewrite your DNS zone, so keep it at mode 600, like acme.json.
Next come the volumes for traefik.yaml (the static configuration) and acme.json. acme.json holds the ACME account key plus every issued certificate and its private key, and Traefik refuses to start when the file is group- or world-readable (it logs that the permissions are too open and asks for 600). I migrated mine from Traefik 1.x with the Traefik Migration Tool, but on a fresh install an empty file with mode 600 is enough and Traefik fills it. Create the file before the first start: if the host path does not exist, Docker creates a directory there and Traefik can never write its store. The Docker socket lets Traefik read container metadata, but anything that can talk to that socket is effectively root on the host, so treat this container as fully trusted.
Finally there is a read-only volume for the rules folder with the dynamic configuration.
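Before the first start it is worth checking those two secret files from the host. The following is an added example (my code, not from the original post or from Traefik) that does that. It assumes the host directory `/home/docker/traefik2.0` from the compose snippet above; the `selfcheck()` function exercises the checks against a throwaway temporary directory so the logic can be verified without touching the real files.

```python
"""Pre-flight check for the two secret files Traefik bind-mounts.

Added example, not code from the original post or from Traefik. It catches:
  * acme.json group/world readable: Traefik refuses to start ("permissions ...
    are too open, please use 600"), and the file holds the ACME account key
    and every issued private key.
  * acme.json missing at first start: Docker then creates a *directory* at the
    bind-mount source and Traefik can never write its store.
The TransIP key gets the same permission check: whoever reads it can rewrite
your DNS zone.
"""
import os
import stat
import tempfile

BASE_DIR = "/home/docker/traefik2.0"          # host directory from the compose file (assumption)
SECRETS = ("acme/acme.json", "transip.key")    # paths relative to BASE_DIR
TOO_OPEN = stat.S_IRWXG | stat.S_IRWXO         # any group or other permission bit


def ensure_acme_store(path):
    """Create an empty acme.json with mode 0600 if it does not exist yet.

    Traefik fills an empty file itself. Returns the file's permission bits.
    """
    if not os.path.lexists(path):
        os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def check_secret_file(path):
    """Return a list of findings for one secret file; an empty list means OK."""
    if not os.path.lexists(path):
        return [f"{path}: missing; create it before the first start or Docker makes a directory here"]
    st = os.stat(path)
    if stat.S_ISDIR(st.st_mode):
        return [f"{path}: is a directory (Docker created it for a missing bind-mount source); "
                "stop the container, remove it and create an empty file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & TOO_OPEN:
        return [f"{path}: mode {mode:04o} is too open, run chmod 600"]
    return []


def preflight(base_dir=BASE_DIR):
    """Run all checks for the real host directory; returns {relative_path: [findings]}."""
    ensure_acme_store(os.path.join(base_dir, SECRETS[0]))
    return {rel: check_secret_file(os.path.join(base_dir, rel)) for rel in SECRETS}


def selfcheck():
    """Exercise the checks in a constructed temporary directory and return what was seen."""
    with tempfile.TemporaryDirectory() as tmp:
        acme = os.path.join(tmp, "acme", "acme.json")
        mode = ensure_acme_store(acme)             # fresh store: created with 0600
        clean = check_secret_file(acme)            # expected: no findings
        os.chmod(acme, 0o644)
        too_open = check_secret_file(acme)         # expected: one permission finding
        as_dir = os.path.join(tmp, "transip.key")
        os.mkdir(as_dir)                           # what Docker does to a missing bind-mount source
        directory = check_secret_file(as_dir)
        missing = check_secret_file(os.path.join(tmp, "nope.key"))
    return {"mode": mode, "clean": clean, "too_open": too_open,
            "directory": directory, "missing": missing}


if __name__ == "__main__":
    for rel, findings in preflight().items():
        print(rel, "OK" if not findings else "; ".join(findings))
```

Run it as the user that owns the Traefik directory before `docker-compose up -d`; an empty list per file means Traefik will accept the store and the key is not readable by other local users.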

Now the static configuration, traefik.yaml (mounted at /etc/traefik/traefik.yaml above). Mine looks like this:

log:
  level: error

entryPoints:
  http:
    address: ":80"

  https:
    address: ":443"

  traefik:
    address: ":8181"

api:
  insecure: true      # serves dashboard and API on the "traefik" entrypoint with NO authentication;
  dashboard: true     # only acceptable while 8181 is reachable from the LAN alone

serversTransport:
  insecureSkipVerify: true    # global: skips certificate validation for HTTPS backends. Only needed for
                              # self-signed backends, and it lets anything on the backend network
                              # impersonate them; leave it out if all backends are plain HTTP

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false   # containers need traefik.enable=true; keep this, it is the safe default
    network: proxynetwork     # network Traefik uses to reach containers; same name as in docker-compose

  file:
    directory: /rules
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: your@emailaddress.com
      storage: /acme.json     # absolute path of the mounted store
      dnsChallenge:
        provider: transip
        delayBeforeCheck: 0

As you can read above, we define three entrypoints: 80, 443 and the dashboard on 8181 (any port will do, but update the port mapping in docker-compose to match). The API and dashboard are enabled in insecure mode, i.e. plain HTTP without authentication, which I only use from the internal network. The Docker provider is attached to proxynetwork and only picks up containers that carry traefik.enable=true. Home Assistant is not on that network because its container runs with `network_mode: host`, so a file provider watching /rules is added for it. Finally the certificate resolver uses the TransIP DNS challenge; this is what makes the wildcard certificate possible, because Let's Encrypt only issues wildcards through DNS-01.

Within the rules folder I prefer to separate the settings per YAML file, so I created cert.yaml, middlewares.yaml, tls.yaml and hass.yaml.
cert.yaml:

http:
  routers:
    # Dummy router whose only job is to make the resolver request the wildcard
    # certificate at startup; the rule never matches real traffic.
    certs:
      entryPoints:
        - http
        - https
      service: service-blank
      rule: Host("about:blank")
      tls:
        certResolver: letsencrypt
        domains:
          - main: "*.yoursite.com"   # covers exactly one label: homeassistant.yoursite.com yes, a.b.yoursite.com no
            sans:
              - yoursite.com         # the bare domain is not covered by the wildcard, hence the SAN
  services:
    service-blank:
      loadBalancer:
        servers:
          - url: "https://about.blank"   # never contacted

Replace yoursite.com with your own domain. Every other router in this post only sets `tls: {}` (or `tls=true` in labels) and relies on Traefik picking this wildcard from the ACME store by SNI. A host that is not `something.yoursite.com` or `yoursite.com` would be served Traefik's self-signed default certificate instead, unless that router sets its own certResolver.
middlewares.yaml:

http:
  middlewares:
    redirect:
      redirectScheme:
        scheme: https

    ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "192.168.1.0/24"
        ipStrategy:
          depth: 0            # use the TCP peer address, not X-Forwarded-For (which the client controls)

    hsts:
      headers:
        sslRedirect: true
        stsPreload: true
        stsSeconds: 315360000   # ten years
        stsIncludeSubdomains: true

We define three middlewares in this file: one HTTP-to-HTTPS redirect, one IP whitelist (make sure your local network is in there; with depth 0 the client IP is the TCP peer address, which is correct when nothing proxies in front of Traefik, because X-Forwarded-For is client-controlled) and one for HSTS. Nothing on this page attaches ipwhitelist yet; a good place for it is the dashboard router at the end of the post. Routers defined through Docker labels reference these as name@file.

tls.yaml:

tls:
  options:
    TLSv13:
      minVersion: VersionTLS13
      cipherSuites:                    # informational only: Go's crypto/tls does not let you choose
        - TLS_AES_128_GCM_SHA256       # TLS 1.3 suites, it always offers exactly these three
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      sniStrict: true

    default:                           # applied to every TLS router that does not set tls.options
      minVersion: VersionTLS12
      cipherSuites:                    # ECDHE_RSA only: fine for the RSA certificates the resolver
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     # requests by default; add the ECDHE_ECDSA variants
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305      # if you switch the acme keyType to an EC key
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      sniStrict: true                  # reject clients that send no SNI instead of serving the default cert

tls.yaml defines two TLS option sets: a TLS 1.3-only one and `default`, which every `tls: {}` router gets automatically and which restricts connections to TLS 1.2+ with forward-secret AEAD suites and strict SNI. The TLSv13 set is not referenced by any router on this page; to use it, set `tls: options: TLSv13@file` on a file-provider router or the label `traefik.http.routers.<name>.tls.options=TLSv13@file`, and remember that only TLS 1.3 clients can then connect. Once running, check the negotiated protocol and certificate with `openssl s_client -servername homeassistant.yoursite.com -connect yourip:443`.
Last there is hass.yaml, specifically for Home Assistant, which is not on a Docker network but runs in host network mode.
hass.yaml:

http:
  routers:
    hass:
      entryPoints:
        - https
      service: service-hass
      rule: Host("homeassistant.yoursite.com")
      middlewares:
        - "hsts"
      tls: {}                          # TLS on; certificate picked from the ACME store by SNI (the wildcard above)

  services:
    service-hass:
      loadBalancer:
        servers:
          - url: http://192.168.1.2:8123   # Home Assistant on the host network, plain HTTP on the LAN
        passHostHeader: true
        # passTLSCert was a Traefik 1.x frontend option; v2 does not know it (newer 2.x releases
        # reject the file). Use the passTLSClientCert middleware if you need client certificates.

Make sure the URL is correct. In this file we attach the hsts middleware manually and point the service at Home Assistant's LAN address. Traefik terminates TLS and forwards plain HTTP with X-Forwarded-For set, so tell Home Assistant to trust it in configuration.yaml (`http: use_x_forwarded_for: true`, and in current releases `trusted_proxies:` with Traefik's address); otherwise its login-attempt bans and logs see every client as the proxy's IP.
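Traefik does not cross-check the rules folder for you: a misspelled middleware name only shows up as an error in the log, a host that the wildcard does not cover silently gets the default self-signed certificate, and the Traefik 1.x option passTLSCert is ignored or rejected depending on the release. The following added example (my code, not from the original post or from Traefik) lints the merged dynamic configuration. `CONFIG` is a constructed mirror of the four YAML files on this page plus one deliberately broken router, `nested`, whose host a.b.yoursite.com has two labels under the wildcard; the check names and messages are my own, and the `yoursite.com` placeholders are taken from the page.

```python
"""Offline lint of the Traefik v2 dynamic configuration kept in rules/.

Added example, not from the original post or from Traefik; input is the parsed YAML
(what yaml.safe_load returns for the files above, merged into one dict). Reports dangling
references, unused middlewares/TLS options, `tls: {}` routers whose Host() the wildcard does
not cover (RFC 6125: '*' matches exactly one DNS label), cipherSuites on a TLS 1.3-only
option (ignored by Go's crypto/tls) and the Traefik 1.x key passTLSCert that v2 does not know.
"""
import re

_HOST_RE = re.compile(r"Host\(([^)]*)\)")
_NAME_RE = re.compile(r"[`\"']([^`\"']+)[`\"']")


def hosts_in_rule(rule):
    """Return every name passed to Host() in a router rule, whatever the quoting style."""
    return [n for args in _HOST_RE.findall(rule) for n in _NAME_RE.findall(args)]


def cert_covers(cert_names, host):
    """True if one certificate name matches host; a '*.' name covers exactly one label."""
    host = host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*.") and label and parent == name[2:]:
            return True
        if name == host:
            return True
    return False


def lint(config):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings, http = [], config.get("http", {})
    routers, services, mws = (http.get(k, {}) for k in ("routers", "services", "middlewares"))
    tls_options = config.get("tls", {}).get("options", {})
    # Names the ACME dummy router asks the resolver for (main + sans).
    cert_names = [n for r in routers.values() for d in (r.get("tls") or {}).get("domains", [])
                  for n in [d["main"], *d.get("sans", [])]]
    used_mw, used_opt = set(), set()
    for name, r in routers.items():
        if r.get("service") not in services:
            findings.append(f"router {name}: service {r.get('service')!r} is not defined")
        for mw in r.get("middlewares", []):
            used_mw.add(mw.split("@")[0])                  # drop the optional @provider suffix
            if mw.split("@")[0] not in mws:
                findings.append(f"router {name}: middleware {mw!r} is not defined")
        tls = r.get("tls")
        if tls is None:                                    # plain HTTP router
            continue
        opt = (tls.get("options") or "").split("@")[0]
        if opt:
            used_opt.add(opt)
            if opt not in tls_options:
                findings.append(f"router {name}: tls option {opt!r} is not defined")
        if "certResolver" not in tls:                      # served from the store, i.e. the wildcard
            for host in hosts_in_rule(r.get("rule", "")):
                if not cert_covers(cert_names, host):
                    findings.append(f"router {name}: {host} not covered by {cert_names}, "
                                    "clients get TRAEFIK DEFAULT CERT")
    for name in mws:
        if name not in used_mw:
            findings.append(f"middleware {name}: unused in the file provider (ok if labels use {name}@file)")
    for name, opt in tls_options.items():
        if name != "default" and name not in used_opt:
            findings.append(f"tls option {name}: no router uses it (only 'default' applies implicitly)")
        if opt.get("minVersion") == "VersionTLS13" and opt.get("cipherSuites"):
            findings.append(f"tls option {name}: cipherSuites are ignored for TLS 1.3 by Go's crypto/tls")
    for name, svc in services.items():
        if "passTLSCert" in svc.get("loadBalancer", {}):
            findings.append(f"service {name}: passTLSCert is Traefik 1.x, v2 uses the passTLSClientCert middleware")
    return findings


# Constructed mirror of the four rules/ files above, merged, plus one deliberately broken
# router ("nested": a host two labels under the wildcard and a misspelled middleware).
CONFIG = {
    "http": {
        "routers": {
            "certs": {"service": "service-blank", "rule": 'Host("about:blank")',
                      "tls": {"certResolver": "letsencrypt",
                              "domains": [{"main": "*.yoursite.com", "sans": ["yoursite.com"]}]}},
            "hass": {"service": "service-hass", "rule": 'Host("homeassistant.yoursite.com")',
                     "middlewares": ["hsts"], "tls": {}},
            "nested": {"service": "service-hass", "rule": "Host(`a.b.yoursite.com`)",
                       "middlewares": ["htss"], "tls": {}}},
        "services": {
            "service-blank": {"loadBalancer": {"servers": [{"url": "https://about.blank"}]}},
            "service-hass": {"loadBalancer": {"servers": [{"url": "http://192.168.1.2:8123"}],
                                              "passHostHeader": True, "passTLSCert": True}}},
        "middlewares": {"redirect": {"redirectScheme": {"scheme": "https"}},
                        "ipwhitelist": {"ipWhiteList": {"sourceRange": ["192.168.1.0/24"]}},
                        "hsts": {"headers": {"stsSeconds": 315360000}}}},
    "tls": {"options": {
        "TLSv13": {"minVersion": "VersionTLS13", "cipherSuites": ["TLS_AES_128_GCM_SHA256"]},
        "default": {"minVersion": "VersionTLS12",
                    "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}}}}
```

To run it against the real files, `yaml.safe_load` each file in rules/ and merge the top-level `http` and `tls` keys into one dict before calling `lint`. For the configuration as printed on this page it reports the two middlewares that only Docker labels reference (expected), the unused TLSv13 option, the ignored TLS 1.3 cipher list and passTLSCert; the `nested` router adds the two findings a real mistake would produce.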

All done. Start the container and everything should work. The dashboard is at http://yourip:yourport, in my case plain HTTP on port 8181. Also open https://homeassistant.yoursite.com in a browser and confirm that the certificate served is the Let's Encrypt wildcard and not the self-signed "TRAEFIK DEFAULT CERT", which is what you get when the wildcard was not issued or does not cover the host.

If you want other containers to be proxied by Traefik you do not need the file provider for them: put the container on proxynetwork and label it in its docker-compose service as follows:

networks:
  - proxynetwork                 # the same network Traefik is on
labels:
  - traefik.enable=true
  - traefik.docker.network=proxynetwork
  - traefik.http.routers.yourwebsite.rule=Host(`www.yourwebsite.com`, `yourwebsite.com`)
  - traefik.http.routers.yourwebsite.entrypoints=http
  - traefik.http.routers.yourwebsite.middlewares=redirect@file
  - traefik.http.routers.yourwebsite-secured.rule=Host(`www.yourwebsite.com`, `yourwebsite.com`)
  - traefik.http.routers.yourwebsite-secured.entrypoints=https
  - traefik.http.routers.yourwebsite-secured.middlewares=hsts@file
  - traefik.http.routers.yourwebsite-secured.tls=true
  # Hosts under yoursite.com reuse the wildcard from cert.yaml. A different domain such as
  # yourwebsite.com needs its own certificate (and its DNS must also be at TransIP for the challenge):
  # - traefik.http.routers.yourwebsite-secured.tls.certresolver=letsencrypt

Remember: after changing labels you have to recreate that container (`docker-compose up -d` does this), because Traefik reads the labels from the container's metadata when it is created.

(If you want to reach the Traefik dashboard by hostname, add the following labels to the Traefik service in docker-compose. With api.insecure: true the dashboard has no authentication of its own, so never expose this router to the internet without the ipwhitelist middleware or a basicAuth middleware in front of it.)

labels:
  - traefik.enable=true
  - traefik.http.routers.traefik-api.rule=Host(`traefik.yoursite.com`)
  - traefik.http.routers.traefik-api.entrypoints=http
  - traefik.http.routers.traefik-api.middlewares=redirect@file
  - traefik.http.routers.traefik-api-s.rule=Host(`traefik.yoursite.com`)
  - traefik.http.routers.traefik-api-s.entrypoints=https
  - traefik.http.routers.traefik-api-s.middlewares=ipwhitelist@file,hsts@file   # LAN only: the dashboard itself has no auth
  - traefik.http.routers.traefik-api-s.tls=true
  - traefik.http.services.traefik-api.loadbalancer.server.port=8181   # loops back to the insecure API on the traefik entrypoint