Set up Traefik with Cloudflare DNS and Basic Auth

2025-03-15 07:07:26 +00:00 · 2025-03-15 07:07:26 +00:00 · 48101aacf4
commit 48101aacf4
parent b6f31b6a89
5 changed files with 252 additions and 0 deletions
--- a/traefik/.env-example
+++ b/traefik/.env-example
@ -0,0 +1,36 @@
+# Traefik Version
+# Defines the version of Traefik to be used. By default, "latest" is used.
+TRAEFIK_VERSION=latest
+
+# Ports
+# Defines the ports on which Traefik will be available for HTTP and HTTPS traffic.
+# By default, these are 80 (HTTP) and 443 (HTTPS).
+TRAEFIK_HTTP_PORT=80
+TRAEFIK_HTTPS_PORT=443
+
+# Cloudflare API Access
+# Your Cloudflare API credentials that Traefik uses to automatically obtain TLS certificates
+# via the Cloudflare DNS provider.
+# Replace the following placeholders with your actual Cloudflare details:
+# - CLOUDFLARE_MAIL: Your Cloudflare email address
+# - CLOUDFLARE_TOKEN: Your Cloudflare API token
+CLOUDFLARE_MAIL=your-cloudflare-email@example.com
+CLOUDFLARE_TOKEN=your-cloudflare-api-token
+
+# Domain Configuration
+# Defines the domain that Traefik will use for accessing its dashboard.
+# Replace `yourdomain.com` with your actual domain.
+# The following variable is used for the DNS01 challenge to obtain a wildcard SSL certificate from Cloudflare.
+# - TRAEFIK_SAN_DOMAIN_0: The domain that Traefik will use for the DNS01 challenge. 
+#   Typically, this is the wildcard domain, e.g., *.yourdomain.com.
+TRAEFIK_DOMAIN=yourdomain.com
+TRAEFIK_SAN_DOMAIN_0=yourdomain.com
+
+# Basic Auth Configuration
+# Basic authentication credentials for securing the Traefik dashboard.
+# You can generate the password using the following command:
+#   echo $(htpasswd -nB yourusername) | sed -e s/\\$/\\$\\$/g
+# Replace `yourusername` with the desired username.
+# The generated value can then be placed in the `BASICAUTH_PASSWORD` variable.
+TRAEFIK_BASICAUTH_USER=yourusername
+TRAEFIK_BASICAUTH_PASSWORD=yourgeneratedpassword
--- a/traefik/README.md
+++ b/traefik/README.md
@ -0,0 +1,111 @@
+# Traefik Setup with Cloudflare DNS and Basic Auth
+
+This guide provides an example of configuring **Traefik** with **Cloudflare DNS API** for automatic TLS certificate issuance and **Basic Authentication** to secure the Traefik dashboard.
+
+## Prerequisites
+
+Before setting up, make sure you have the following:
+
+1. **Docker and Docker Compose** installed on your machine.
+2. A **Cloudflare account** with an active domain.
+3. **Cloudflare API Token** for DNS-01 challenge validation.
+4. **Apache2-utils** installed on your machine to generate Basic Authentication credentials. You can install it via the following command:
+   - For Debian/Ubuntu: `sudo apt install apache2-utils`
+
+## Configuration Overview
+
+### Docker Compose Setup
+
+The `docker-compose.yml` file sets up the following services:
+
+- **Traefik**: The reverse proxy, which manages routing and SSL certificates.
+- **Cloudflare DNS**: Automatically requests SSL certificates via the Cloudflare DNS provider.
+
+### Basic Authentication
+
+The dashboard is secured using basic authentication. You'll need to generate a user and password for this.
+
+## Setup Instructions
+
+### Step 1: Clone or Download the Files
+
+Clone this repository or download the `docker-compose.yml` and `.env-example` files to your project directory.
+
+### Step 2: Rename and Customize the `.env` File
+
+Rename the `.env-example` file to `.env` and update the file with your specific values. This file contains environment variables used by the Traefik service.
+
+```bash
+mv .env-example .env
+```
+Modify the .env file
+
+### Step 3: Generate Basic Authentication Password
+
+To generate the Basic Authentication password hash, you will need the apache2-utils package. If you haven't installed it yet, run:
+
+```bash
+sudo apt install apache2-utils
+```
+
+Then, use the following command to generate the password hash:
+
+```bash
+echo $(htpasswd -nB yourusername) | sed -e s/\\$/\\$\\$/g
+```
+
+Replace yourusername with your desired username. The generated value should be placed in the TRAEFIK_BASICAUTH_PASSWORD field in the .env file.
+
+### Step 4: Configure the traefik.yml File
+
+Change the traefik.yml under data/traefik/traefik.yml
+
+Add the following configuration and replace "yourmail@example.com" with your email address:
+
+```yaml
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: "yourmail@example.com"
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+```
+
+
+### Step 5: Create the Traefik Network
+
+Before running the docker-compose.yml, you need to create a Docker network that Traefik can use. Run the following command:
+
+```bash
+docker network create traefik
+```
+
+This will create a network named traefik that can be referenced in your docker-compose.yml file. Ensure that your services are connected to this network for Traefik to manage them correctly.
+
+Once you've created the network, you can proceed with the rest of the setup as described in the guide. The services will be able to communicate with Traefik, and your SSL certificates will be automatically handled through Cloudflare.
+
+### Step 6: Start the Services
+
+Run the following command to start Traefik and any associated services using Docker Compose:
+
+```bash
+docker-compose up -d
+```
+
+This will start Traefik with the specified configuration.
+
+### Step 7: Access the Traefik Dashboard
+
+    Open your browser and navigate to the Traefik dashboard at http://<your-traefik-domain>.
+    If you’ve set up Basic Authentication, you’ll be prompted to enter the username and password you configured in the .env file.
+
+### Step 8: Cloudflare DNS-01 Challenge
+
+Traefik will automatically use the Cloudflare DNS API to request a wildcard TLS certificate for your domain using the DNS-01 challenge. Ensure your Cloudflare account has the necessary permissions and API token configured in the .env file.
+Step 7: Customizing Your Traefik Configuration
+
+You can modify the docker-compose.yml file to add more routers, services, and middlewares as per your needs. This setup only includes the Traefik reverse proxy and basic configurations for TLS via Cloudflare and Basic Authentication for the dashboard.
--- a/traefik/data/traefik/config.d/default.yml
+++ b/traefik/data/traefik/config.d/default.yml
@ -0,0 +1,19 @@
+http:
+  middlewares:
+    https-redirect:
+      redirectScheme:
+        scheme: https
+
+    default-headers:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
--- a/traefik/data/traefik/traefik.yml
+++ b/traefik/data/traefik/traefik.yml
@ -0,0 +1,47 @@
+---
+api:
+  dashboard: true
+
+log:
+  level: INFO
+  format: json
+  filePath: "/var/log/traefik.log" 
+
+accessLog:
+  filePath: "/var/log/crowdsec/traefik.log"
+  bufferingSize: 50
+
+entryPoints:
+  http:
+    address: ":80"
+  https:
+    address: ":443"
+    http:
+      tls:
+        strictSNIHost: true
+
+serversTransport:
+  insecureSkipVerify: false
+  forwardingTimeouts:
+    dialTimeout: 10s
+    responseHeaderTimeout: 10s
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    watch: true
+  file:
+    directory: "/config.d/"
+    watch: true
+
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: "yourmail@example.com"
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@ -0,0 +1,39 @@
+---
+services:
+  traefik:
+    image: traefik:${TRAEFIK_VERSION:-latest}
+    name: traefik
+    restart: unless-stopped
+    security_opt:
+      - "no-new-privileges:true"
+    networks:
+      traefik:
+    ports:
+      - ${TRAEFIK_HTTP_PORT:-80}:80
+      - ${TRAEFIK_HTTPS_PORT:-443}:443
+    volumes:
+      - ./data/traefik:/etc/traefik
+      - ./data/certs:/etc/certs:ro
+    environment:
+      - "CF_API_EMAIL=${CLOUDFLARE_MAIL:?error}"
+      - "CF_DNS_API_TOKEN=${CLOUDFLARE_TOKEN:?error}"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=http"
+      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:?error}`)"
+      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      - "traefik.http.middlewares.basic-auth.basicauth.users=${TRAEFIK_BASICAUTH_USER}:${TRAEFIK_BASICAUTH_PASSWORD}"
+      - "traefik.http.routers.traefik-secure.middlewares=basic-auth"
+      - "traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DOMAIN:?error}`)"
+      - "traefik.http.routers.traefik-secure.tls=true"
+      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].main=${TRAEFIK_SAN_DOMAIN_0?error}"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${TRAEFIK_SAN_DOMAIN_0?error}"
+      - "traefik.http.routers.traefik-secure.service=api@internal"
+
+networks:
+  traefik:
+    external: true