Hosting Multiple Domains and Custom Certificates With Traefik
I got the question how to configure multiple domains in Traefik when one of the domains is a network internal domain without the possibility for a Let’s Encrypt certificate. Actually, it’s pretty easy: Just add your services. Let’s look at an example.
Traefik will discover your services using the method you specified in the configuration file. There are several discovery variants available. Here, we will use auto discovery on docker containers.
When Traefik encounters a Docker container it will read the labels of the container to deduct the domain the service shall run on and wether or not you want to use TLS. When you enable the Let’s Encrypt certificate resolver beforehand and set the right labels, the new domain with TLS will just work.
Entrypoint And Resolver
Traefik wants to know on which IPs and ports it has to listen on. In Traefik terms, such an IP/port combination is called an entrypoint. We need two entrypoints on port 80 and 443. We will use 443 for the TLS traffic and 80 to obtain certificates from Let’s Encrypt. The following snippet must go into the main config file:
Then we have to tell Traefik to store certificates and activate the Let’s Encrypt resolver. The resolver will obtain a certificate for the domains we enable it for. Notice how we reference the web entrypoint that we added before. We tell the resolver to use it to answer the challenges necessary to obtain a certificate. Add this to your Traefik config file:
Docker Compose Configuration
Suppose you want to run two containers. One with a blog from
blog.example.com and a wiki from
wiki.example.com. Add a labels section to each service in your docker compose file and add your configuration. Traefik will read these labels and act accordingly.
The same example as before, just for when you want to use ansible tasks. Here, the labels are actual yaml key/value pairs. So you have to put quotation marks around the boolean values.
- name: Ensure blog
Traefik will automatically use a provided certificate when you tell it to switch TLS on but don’t specify a certificate resolver. You might want to use a custom certificate for extra security or on your local network where you cannot obtain a certificate from Let’s Encrypt.
But Traefik has to know about the certificate first. It will read certificate locations from its dynamic configuration. We configure it to watch the directory
/etc/traefik/dynamic for new or changed dynamic configuration files.
Then we put a list of the locations of our custom certificates into a file and save it to the
/etc/traefik/dynamic directory. Traefik will read the certificate, determine the domain name it is for and use it for our service above.
If you have more certificates later on, just update the file. Traefik will notice and check the new certificate.
Now we can start our service:
Traefik will look up the domain name in in the certificate store and use our custom certificate.