I’m using Traefik as a reverse proxy for a variety of docker containers that I’m running, and I wanted to use sub-subdomains as I duplicate these services across multiple machines. E.g. machine1 runs service1, service2, service3, and machine2 also runs service1, service2, service3. Ideally, I would want these DNS records, all with SSL:
- service1.machine1.rooday.com → machine1 IP
- service2.machine1.rooday.com → machine1 IP
- service3.machine1.rooday.com → machine1 IP
- service1.machine2.rooday.com → machine2 IP
- service2.machine2.rooday.com → machine2 IP
- service3.machine2.rooday.com → machine2 IP
I tried using something like the following docker compose:
version: "2.1" services: traefik: image: traefik container_name: traefik restart: always volumes: - /home/traefik/letsencrypt:/letsencrypt - /var/run/docker.sock:/var/run/docker.sock:ro ports: - 80:80 - 443:443 environment: - [email protected] - CLOUDFLARE_API_KEY=XXXXXXXXXXXXX command: - --providers.docker=true - --entrypoints.web.address=:80 - --entrypoints.web.http.redirections.entryPoint.to=websecure - --entrypoints.web.http.redirections.entryPoint.scheme=https - --entrypoints.websecure.address=:443 - --certificatesresolvers.cloudflare.acme.dnschallenge=true - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare - [email protected] - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.jsonv02.api.letsencrypt.org/directory tautulli: image: service1image container_name: service1 environment: - PUID=1000 - PGID=1000 - TZ=America/Los_Angeles volumes: - /home/service1:/config ports: - 8080:8080 restart: unless-stopped labels: - traefik.enable=true - traefik.http.routers.service1.rule=Host(`service1.machine1.rooday.com`) - traefik.http.services.service1.loadbalancer.server.port=8080 - traefik.http.routers.service1.entrypoints=websecure - traefik.http.routers.service1.tls.certresolver=cloudflare
I looked up this error and came across this thread: How to add SSL to a sub-subdomain - #3 by melanie, which seems to say that I can’t do this on the Free plan. So I changed my traefik labels for service1 to look like so:
... labels: - traefik.enable=true - traefik.http.routers.service1.rule=(Host(`machine1.rooday.com`) && PathPrefix(`/service1`)) - traefik.http.services.service1.loadbalancer.server.port=8080 - traefik.http.routers.service1.entrypoints=websecure - traefik.http.routers.service1.tls.certresolver=cloudflare ...
The problem with this is that not all the services I’m running allow me to set a basepath, so getting them to run is more complicated with this setup. I then came across this thread: Certificates for sub.subs.domian - Help - Let's Encrypt Community Support which says that Let’s Encrypt does indeed support sub-subdomains for SSL.
So I wanted to take a step back and ask here, is there any way to get Traefik to automatically provision a Let’s Encrypt cert using Cloudflare for sub-subdomains? Or even if it requires me manually using certbot and then running Traefik, that works too, I’m just not sure how to approach this. Any help would be greatly appreciated!