How To - Setup Cloudflare, LetsEncrypt and Traefik
We will use Cloudflare DNS because it is reliable and supports the Automatic Certificate Management Environment (ACME).
Log into Cloudflare and go to your profile. Under your profile, you will see your API tokens section. We will use tokens because they allow you to have more control over who, what, and where the service has access to. With Tokens, you would normally hand out one API Token per reverse proxy or service you run within your domain.
We will use a User API Token template, specifically “Edit Zone DNS.” It grants the DNS edit permission Traefik needs to create a simple TXT record in your Cloudflare DNS, so we won't have to mess around with the permission flags.
NOTE - API Keys are global, and I do not recommend using them unless you absolutely have to.
Under User API Tokens, for simplicity's sake, we will only work in Zone Resources.
You will be prompted to confirm that you want to create the token.
On this next screen, you will see the API token. It is important to read this:
Copy this token to access the Cloudflare API. For security, this will not be shown again.
It is important to test the API token. You should get a “success” message.
Now that we have a working API token, we need to find out which environment variables Traefik expects. To do this, go to the Traefik website and find the ACME DNS page, which lists all of the supported vendors. Since we are using Cloudflare, find the Cloudflare entry and its DNS API environment variables. Specifically, we will need to use:
CF_DNS_API_TOKEN
To set this up in Traefik, we will need to add a new “.env” file and edit the docker-compose.yaml and the traefik.yaml file.
.env File
This file will need to be made in the same folder as the Traefik docker-compose.yaml file.
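There will be a single line, written without spaces around the = sign and without quotes around the value, so that every Compose version reads it the same way.

    CF_DNS_API_TOKEN=YOUR_API_TOKEN_YOU_COPIED_FROM_CLOUDFLARE_SETUP

Docker-Compose.yaml File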
We will need to update two sections:
environment (most likely not yet created)
labels
environment
This file will need to be updated. Under the “PORTS” section, we will need to add two lines: the “environment” section and the DNS API token variable.

    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}

Basically, these two lines tell Compose to read the token variable from the .env file and pass it into the container when it is created.
labels
In addition to the “environment” section, we will need to set up some routers. To do this, we will also need to add 4 labels to the “labels” section:

    - traefik.http.routers.APP_VAR_NAME.tls=true
    - traefik.http.routers.APP_VAR_NAME.tls.certresolver=cloudflare
    - traefik.http.routers.APP_VAR_NAME.entrypoints=websecure
    - traefik.http.routers.APP_VAR_NAME.rule=Host(`appName.domain.com`)

These labels will:
Enable TLS
Make sure Traefik uses the “cloudflare” certificate resolver defined in traefik.yaml
Ensure the router uses the “websecure” entry point
Show what the hostname rule should look like (note the backticks around the hostname)
Traefik.yaml File
To help keep the docker-compose.yaml file small and precise, I recommend putting most of the config information into the traefik.yaml file.
There are two different sections that you will need to modify/add:
CertificatesResolver info
HTTP redirection (80 to 443)
CertificatesResolver info
We need to add one more section to this file called the “certificatesResolvers” section. This template I will give you here can be used over and over again for any project that uses Cloudflare and LetsEncrypt.
Boilerplate for CertificatesResolvers:
This section goes just under entrypoints and above providers:

    certificatesResolvers:
      cloudflare:
        acme:
          email: myemail@domain.com
          storage: /var/traefik.certs/cloudflare-acme.json
          caServer: 'https://acme-v02.api.letsencrypt.org/directory'
          keyType: EC256
          dnsChallenge:
            provider: cloudflare
            resolvers:
              - "1.1.1.1:53"
              - "8.8.8.8:53"

Boilerplate for HTTP redirection (80 to 443):
You can get this code directly from the traefik website under “Redirection”. I have included it here for ease of use:

    entryPoints:
      web:
        address: ":80"
        http:
          redirections:
            entryPoint:
              to: websecure
              scheme: https
      websecure:
        address: ":443"

Hope this helps!
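
An added pre-flight check (not part of the original guide or of Traefik's own tooling) for the two sensitive files this setup puts on disk: the .env file holding the Cloudflare token and the ACME storage file that will hold the certificate keys. The function names and the example paths are hypothetical, and the unquoted KEY=VALUE form and mode 600 on .env are assumptions chosen as hardening; Traefik itself refuses an ACME storage file with permissions looser than 600.

```shell
#!/bin/sh
# Added example: pre-flight checks for the secrets this guide puts on disk.
# Function names are hypothetical; pass in whatever paths you use locally.

# file_mode PATH: print permission bits in octal (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_env_file PATH: succeed only if the .env file is well formed and private.
check_env_file() {
    env_file=$1
    [ -f "$env_file" ] || { echo "missing: $env_file" >&2; return 1; }
    # Assumption: plain KEY=VALUE, no spaces around '=', no quotes, so the
    # token reaches the container unchanged whatever Compose version reads it.
    grep -Eq '^CF_DNS_API_TOKEN=[^[:space:]"'"'"']+$' "$env_file" || {
        echo "CF_DNS_API_TOKEN line missing or malformed in $env_file" >&2
        return 1
    }
    # The token can edit DNS for the zone, so only the owner should read it.
    [ "$(file_mode "$env_file")" = "600" ] || {
        echo "$env_file should be mode 600 (chmod 600)" >&2
        return 1
    }
}

# prepare_acme_store PATH: create the ACME storage file (it will hold the
# certificate private keys) if needed and force it to mode 600.
prepare_acme_store() {
    store=$1
    mkdir -p "$(dirname "$store")" || return 1
    [ -e "$store" ] || ( umask 077; : > "$store" ) || return 1
    chmod 600 "$store"
}

# Typical use on the Docker host before `docker compose up -d`
# (example paths, adjust to your own volume layout):
#   check_env_file ./.env && prepare_acme_store ./certs/cloudflare-acme.json
```

Run the two functions against the host-side paths that your compose file mounts into the container, since that is where the permissions are enforced.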









