Leon Steenkamp
Building small satellites on the tip of Africa. My other ride is a CubeSat.
Traefik Proxy in Docker for home TLS
While watching the DevBeardOps - Containers at home recorded stream I learnt of Traefik Proxy and that it supports something called a DNS-01 challenge type from Lets Encrypt.
I’ve used Nignx as a reverse proxy and TLS end point before on an AWS EC2 instance. This used Let’s Encrypt and Certbot for TLS certificates. But as far as I remember this requires the host to be accessible from the Internet.
As mentioned in the DevBeardOps stream using Traefik and the DNS-01 challenge type allows you to generate certificates relatively easily on a host that is not accessible from the Internet - using one of the supported DNS providers.
I’ve not heard of, or used Traefik Proxy before and this gave me the opportunity to play with Traefik and Docker containers on a Raspberry Pi a bit. Using Traefik Proxy as a reverse proxy and TLS end point would get rid of any Warning: Potential Security Risk Ahead browser warnings for services hosted on your home network. And allow you to use hostnames instead of IP addresses to access locally hosted services.
I documented the project further in this GitHub repository - https://github.com/leonsteenkamp/docker-traefik-intro
More information on Traefik Proxy can be found here - https://doc.traefik.io/traefik/
Pi-hole
The DNS-01 challenge needs access to AWS Route53 (the DNS provider I used in this project) through an AWS IAM user and policy. But you do not have to set your internal (sub) domain names in AWS Route53. The sub domains will have to match the domain you control and listed in AWS Route53.
If you are already using a Pi-hole then you can use that to set local DNS records rather than setting it in AWS Route53. The DNS record for each sub domain points the to local IP address of the Traefik container.
Tailscale
If you are using Tailscale then you can improve this setup further. You will need to have Tailscale installed on the host that runs your Pi-hole.
Using the Pi-hole as one of the Global Nameservers and selecting Override local DNS on the Tailscale management page allows you to enjoy your Pi-hole while not on your home network. This also brings along the local DNS records mentioned above.
If you have Tailscale installed on the host running the Traefik container then you can use its Tailscale IP address instead of the local IP address in the Pi-hole local DNS entries. This will allow you to access the services behind the Traefik proxy while away from your home network.
End notes
A quick way to run a HTTP server to test against is running this from a terminal : python3 -m http.server