This repository demonstrates how to use the `external` network specification in docker-compose to enable communication between containers defined in different compositions. It also uses the nice auto-discover capabilities of traefik to respond to all services that require it without having to touch anything in this directory.

Traefik forwards traffic to services based on their hostnames. Since it listens on a local address, there must be name resolution in place for the browser to reach the traefik proxy and the various backends. This can be done in two ways:

- change your `/etc/hosts` file so that the desired name is resolved to localhost:
  ```
  127.0.0.1 www.example.com
  ```
  This is the only option if you don't have access to the DNS for the domain you intend to use. If you have dnsmasq installed you can probably assign full subdomains like `*.dev.local` to `localhost` (not tested in person at least recently).
- redirect all your domain (or a subdomain) to localhost in the DNS of your domain. A line like the following will redirect any request in the subdomain `dev` to localhost:
  ```
  *.dev 1800 IN A 127.0.0.1
  ```
  For example, if your domain were `example.com`, then `mywebapp.dev.example.com` would be resolved to localhost.

For local domains like `mywebapp.local`, the only choice is to auto-generate the certificates. The good thing is that browsers are more relaxed regarding validity of the certificate in this case. Still, the easiest option is to use mkcert automatically as explained below.

For global domains, we cannot use traefik's great feature of generating ACME certificates from Let's Encrypt because the dev machine is not reachable from the internet. However, there are still two viable options that do not require generating a certificate for each service:

- Official wildcard certificates: generate a certificate for your `dev` subdomain and store it in a subdirectory of your `CRTDIR`. I do this using the procedure described here which uses Let's Encrypt and works nicely (and free of charge) for domains registered with gandi.net. The subdomains that you want traefik to be aware of have to be listed in the `DOMAINS` environment variable. So, if the domain is `jkldsa.com`, anything like `myapp.dev.jkldsa.com` will point to localhost and reach traefik. Since the certificate is valid for all hosts in `*.dev.jkldsa.com`, traefik will not have to generate a new one and you will avoid complaints from the browser.
- Use mkcert to generate certificates on the fly for the sub-domains you intend to use. In this case, all you have to do is to list the domains in the `MKCERT_DOMAINS` environment variable.

For this to work, you need to:

- have docker installed and running or, if you have a zen attitude, you can also try with podman.
- have any version of ruby's erb preprocessor. This is needed to fix some issues coming from rancher desktop on mac (at least my mac). This is probably no longer the case but I got rid of rancher desktop. Therefore, I cannot test myself.
- have access to a directory containing the glob ssl certificates (by default `/keybase/team/epfl_idevfsd/certs`)
- optionally have the [mkcert][mkcert] utility installed

- copy `env.example` to `.env` and edit it to suit your needs:
  - provide a directory with a valid wildcard certificate and key as the `CRTDIR` env variable;
  - provide `DOMAINS` and `MKCERT_DOMAINS` environment variables listing the domains you want to use;
- make sure that traefik is running: `make up`;
- add labels and network to your app's `docker-compose.yml` file so that it can be added automatically to the list of services. See the example.
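
The last step, sketched as an added example (not the repository's own example file). It assumes Traefik v2 or later label syntax, a shared network named `traefik`, and a TLS entrypoint named `websecure`; all three are assumptions to be replaced with the names used by the traefik composition in this repository. The service name `whoami` and its hostname are hypothetical.

```yaml
# Hypothetical app composition living in its own directory.
services:
  whoami:
    image: traefik/whoami          # small demo HTTP server listening on port 80
    # No "ports:" section on purpose: the container is not published on the
    # host, so the only way in is through the traefik proxy.
    networks:
      - traefik
    labels:
      # Opt this container in explicitly (required when traefik runs with
      # exposedByDefault=false, harmless otherwise).
      - "traefik.enable=true"
      # Tell traefik which network to use to reach the container.
      - "traefik.docker.network=traefik"
      # Route by hostname; the name must be covered by the wildcard
      # certificate (DOMAINS) or listed in MKCERT_DOMAINS.
      - "traefik.http.routers.whoami.rule=Host(`whoami.dev.jkldsa.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"   # assumed entrypoint name
      - "traefik.http.routers.whoami.tls=true"
      # Port inside the container that traefik forwards to.
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  traefik:
    # Created by the traefik composition, not by this file; compose only
    # attaches to it and fails if it does not exist yet.
    external: true
```

Because the network is declared `external`, `docker compose up` in the app directory only works after `make up` has started traefik and created the network.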