Adding section to generate SSL certificates with Traefik #41

Open
wants to merge 1 commit into
base: main
41 changes: 41 additions & 0 deletions _docs/configuration.md
@@ -579,6 +579,47 @@ traefik:
entrypoints.otherentrypoint.address: ':9000'
```

## Generate SSL certificates with Letsencrypt
I think this should be "Let's Encrypt" rather than "Letsencrypt"


You can use Traefik to generate SSL certificates automatically with [Letsencrypt](https://letsencrypt.org/):

```yaml
# Deploy to these servers.
servers:
web:
hosts:
- 192.168.0.1
labels:
traefik.http.routers.hey-web.entrypoints: websecure
traefik.http.routers.hey-web.rule: Host(`example.com`)
traefik.http.routers.hey-web.tls.certresolver: letsencrypt

# Configure custom arguments for Traefik
traefik:
options:
publish:
- "443:443"
volume:
- "/letsencrypt/acme.json:/letsencrypt/acme.json"
args:
entryPoints.web.address: ":80"
entryPoints.websecure.address: ":443"
entryPoints.web.http.redirections.entryPoint.to: websecure
entryPoints.web.http.redirections.entryPoint.scheme: https
entryPoints.web.http.redirections.entrypoint.permanent: true

These lines will ensure that all http traffic is redirected to https. It feels to me that if we are going to include them as part of this section, we should clearly indicate that this will be the case. What do you think?

If using Rails and config.force_ssl = true, should I still be adding these lines?

Seems to work for me with just force_ssl true!

certificatesResolvers.letsencrypt.acme.email: "example@hey.com"
certificatesResolvers.letsencrypt.acme.storage: "/letsencrypt/acme.json"
certificatesResolvers.letsencrypt.acme.httpchallenge: true
certificatesResolvers.letsencrypt.acme.httpchallenge.entrypoint: web
```

Also, create the `acme.json` file and give it correct permissions on each hosts:
```bash
$ mkdir -p /letsencrypt && touch /letsencrypt/acme.json && chmod 600 /letsencrypt/acme.json
```

@santiagorodriguez96 Apr 2, 2024

I think it would be nice to clarify that the file should be created before deploying otherwise we would be mounting a volume on a file that does not exist, which creates a directory and will prevent all of this from working – plus, it's hard to understand why.

I was thinking of something like this:

Finally, _before_ deploying, create the `acme.json` file and give it correct permissions on each host:
```bash
$ mkdir -p /letsencrypt && touch /letsencrypt/acme.json && chmod 600 /letsencrypt/acme.json
```

If you do

```yaml
volume:
  - "letsencrypt:/letsencrypt"
```

instead, you do not have to create the file beforehand. Is there a downside to that approach?

Hmm no, I cannot think of any downside 🤔

I can confirm using:

```yaml
volume:
  - "letsencrypt:/letsencrypt"
```

in config/deploy.yml worked for me without needing to manually create the directory and file with permissions.


Now you can access your app throught `https`.
throught

through


## Configuring build args for new images

Build arguments that aren't secret can also be configured:
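Review bot: the `acme.json` step at the end of the hunk should say that the file must exist, as a regular file with mode 600, before the first deploy, and why: `traefik.options.volume` bind-mounts `/letsencrypt/acme.json` as a single file, so when it is absent Docker creates a directory at that path and the `letsencrypt` resolver has no usable `acme.storage` (the failure santiagorodriguez96 describes), and that file is where the resolver keeps the ACME account key and the issued certificates' private keys, which is what the `chmod 600` protects. Either move the step ahead of the YAML with the `_before_ deploying` wording proposed in review, or mount the directory (`letsencrypt:/letsencrypt`) as the later comments suggest and drop the manual step. Two smaller points: `publish` lists only `443:443` while `httpchallenge.entrypoint: web` and the redirect lines depend on the `web` entrypoint on `:80`, so state that port 80 must stay published and reachable for issuance and renewal; and `example@hey.com` should be called out as a placeholder for the reader's own ACME contact address.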
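The review thread above turns on two ways the ACME storage path goes wrong: bind-mounting a file that does not exist yet (Docker creates a directory in its place) and leaving the key material readable by other users. The following pre-deploy check is an added example written for this page, not part of the PR or of the project's own tooling; it assumes POSIX sh on the host with a `stat` that accepts either the GNU `-c` or the BSD `-f` format flag, and the `/letsencrypt/acme.json` path is simply the one used in the hunk.

```shell
#!/bin/sh
# Added example: verify or prepare the acme.json file that Traefik will
# bind-mount, catching the file-vs-directory pitfall from the review thread.

# check_acme_storage PATH
# Return codes: 0 = regular file with mode 600 (ready to mount)
#               1 = missing (create it before deploying)
#               2 = a directory (Docker created it because the file was absent)
#               3 = wrong mode (the file holds private keys; expect 600)
#               4 = exists but is not a regular file
check_acme_storage() {
  path="$1"
  if [ ! -e "$path" ]; then
    echo "missing: $path (create it before deploying)" >&2
    return 1
  fi
  if [ -d "$path" ]; then
    echo "directory: $path (remove it and recreate as a file)" >&2
    return 2
  fi
  if [ ! -f "$path" ]; then
    echo "not a regular file: $path" >&2
    return 4
  fi
  # GNU stat first, BSD stat as the fallback; both print the octal mode.
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  if [ "$mode" != "600" ]; then
    echo "mode $mode on $path (expected 600)" >&2
    return 3
  fi
  return 0
}

# prepare_acme_storage PATH
# Performs the same steps as the docs' one-liner (mkdir -p, touch, chmod 600),
# but refuses to proceed if a directory already sits at PATH, since `touch`
# and `chmod` would silently succeed on the directory and mask the problem.
prepare_acme_storage() {
  path="$1"
  if [ -d "$path" ]; then
    echo "refusing: $path is a directory; remove it first" >&2
    return 2
  fi
  mkdir -p "$(dirname "$path")" && touch "$path" && chmod 600 "$path"
}
```

Run `check_acme_storage /letsencrypt/acme.json` on each host from the deploy script before Traefik is started; a return code of 2 means a previous deploy already mounted a missing file and the directory must be removed before `prepare_acme_storage` can recreate it as a 600-mode file.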