devydave/traefik
0
0
Fork 0
forked from coop-cloud/traefik
Code Pull Requests Activity
Files
master
traefik/README.md
T
luisb b39bb5adaf feat: disable httpChallenge when DNS challenge is configured (#112) 
As documented in the README's "Configuring wildcard SSL using DNS"
section, the necessary pieces for DNS-01 ACME challenges to work are
already baked into Traefik's recipe, though they were originally
considered for provisioning wildcard certificates. Furthermore, in
environments where the server is not exposed to the internet, the
default HTTP-01 challenge mechanism doesn't work, so, taking advantage
of this alternative method makes complete sense.

This change causes ACME validations to be done always using DNS when
LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is active. Without it, for standard
certificate requests Traefik uses the HTTP-01 challenge method, which
doesn't work in servers behind a firewall.

We should amend the related section in the [operators handbook](https://docs.coopcloud.tech/operators/handbook/#running-an-offline-coop-cloud-server)
to make a not about the possibility of using DNS challenges in those
scenarios as well.

* [x] I have deployed and tested my changes
    I tested this with both a server "exposed" to the internet and one behind a firewall. The first one continued to use the HTTP-01 challenge because no DNS-related settings were added to it, and the second one was successfully able to provision certificates (even though it's only reachable within the LAN).
* [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
* [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

Reviewed-on: coop-cloud/traefik#112
Co-authored-by: Luis Barrueco <yo@luisb.xyz>
Co-committed-by: Luis Barrueco <yo@luisb.xyz>
2026-06-19 12:56:52 +00:00

80 lines
3.7 KiB
Markdown
Raw Permalink Blame History

# Traefik
[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/traefik/status.svg)](https://build.coopcloud.tech/coop-cloud/traefik)
> https://docs.traefik.io
<!-- metadata -->
* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico), Local-IT: [@moritz](https://git.coopcloud.tech/moritz), [@msimon](https://git.coopcloud.tech/simon), [@carla](https://git.coopcloud.tech/carla)
* **Status**: `stable`
* **Category**: Utilities
* **Features**: ?
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
* **Healthcheck**: Yes
* **Backups**: No
* **Email**: N/A
* **Tests**: 2
* **SSO**: ? (Keycloak)
<!-- endmetadata -->
## Basic usage
1. Set up Docker Swarm and [`abra`]
2. `abra app new traefik`
3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
your Docker swarm box
4. `abra app deploy YOURAPPDOMAIN`
## Configuring basic auth
1. Create the usersfile locally: `htpasswd -c usersfile <username>`
2. Uncomment the Basic Auth section in your .env file
3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
4. Redploy your app: `abra app deploy -f <domain>`
## Configuring SSL using DNS
Automatic certificate generation will Just Work™ for most recipes which use a
fixed number of subdomains. If your server can't be reached from the Internet,
or if you're deploying a recipe that needs to work across arbitrary
subdomains, like
[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
the use of wildcard certificates,) you can give Traefik access to your DNS provider
so that it can carry out Letsencrypt DNS challenges.
1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
can be easily added, see
[the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
2. Run `abra app config YOURAPPDOMAIN`
3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
`SECRET_GANDIV5_API_KEY_VERSION`
4. Set `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` to your provider, e.g. `gandi`
4. Generate an API key for your provider, probably using their web interface.
5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
`SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
`gandiv5_api_key` and `SECRETVALUE` is the API key.
- For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
Access Token, in which case use compose.gandi-personal-access-token.yml.
- See comments for each provider in your env file for specific instructions
6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
## Blocking scrapers with [Anubis](https://anubis.techaro.lol/)
Uncomment the lines on the Anubis section of the configuration. Set
a domain name for the cookies and a domain that will serve Anubis
redirection service. Optionally and for [added
security](https://anubis.techaro.lol/docs/admin/configuration/redirect-domains),
set a list of the domain names for the apps that are going to be
protected.
After deploying these changes, go to each recipe that supports Anubis
and follow the process there. **Enabling Anubis here is not enough for
protection your apps.**
## Enabling onion service
Uncomment the line in the config setting `ONION_ENABLED=1`. This will create a new entrypoint on port 9052 which can be used to bypass forced SSL. For more details, see the [onion recipe](https://recipes.coopcloud.tech/onion).
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
View Git Blame Copy Permalink