Configuring HTTPS in Traefik

Overview

This is a simple guide to configuring Traefik to terminate HTTPS itself, so that no additional reverse proxy service is needed to terminate it before you reach MOPS 4.0.

Certificate

You need to point Traefik to a certificate. This is done in /conf/ingress/rules.yml:

enable: true
accessLog:
  format: "common"

tls:
  stores:
    default:
      defaultCertificate:
        certFile: "c:/config/cert.pem"
        keyFile: "c:/config/cert.key"

...

Currently, if you specify a custom certificate store for your certificate, it doesn’t seem to work, so we override the default certificate store.

Generating a self-signed certificate is a good way to test. You need OpenSSL installed, and then you can generate one with these PowerShell commands:

openssl genrsa -out traefik.key 2048
openssl req -new -key traefik.key -out traefik.csr
openssl x509 -req -days 365 -in traefik.csr -signkey traefik.key -out traefik.crt

You will need to combine the key file and the certificate file into a .pem for Traefik (the combined file contains the private key, so protect it like the key itself):

Get-Content traefik.key, traefik.crt | Set-Content traefik.pem

Setup routes to use HTTPS

You need to add the HTTPS port:

- "443:443"

And a volume mapping to /cert:

- ./cert:C:/cert

Each route will need to change its entrypoint to websecure:

- "traefik.http.routers.mops_dir.entrypoints=websecure"
...
- "traefik.http.routers.mops_dir_sec.entrypoints=websecure"

Entrypoints can also be combined, in which case the route is served on both:

- "traefik.http.routers.mops_dir.entrypoints=web,websecure"

Enabling TLS for Traefik can be done by adding this to the commands that are passed to Traefik:

- "--entrypoints.websecure.tls=true"

This might sometimes not work. If it doesn’t, you will have to add the tls=true line for every route, e.g.:

- "traefik.http.routers.mops_dir.tls=true"
- "traefik.http.routers.mops_dir.entrypoints=websecure"
- "traefik.http.routers.mops_dir.rule=PathPrefix(`/eav`)"
...

- "traefik.http.routers.mops_dir_sec.tls=true"
- "traefik.http.routers.mops_dir_sec.entrypoints=websecure"    
- "traefik.http.routers.mops_dir_sec.rule=PathPrefix(`/sec`)"
...
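Because the per-route labels above have to be repeated for every router, it is easy to miss one. The following is an added example, not part of the original guide or of Traefik: a small Python check that reads the label lines of a compose file and reports routers that are not HTTPS-only. It assumes that `web` is the name of the plain HTTP entrypoint; the function names and the sample labels are constructed for illustration.

```python
import re

# Matches router labels such as:
#   - "traefik.http.routers.mops_dir.entrypoints=websecure"
# A label like "...routers.x.tls.certresolver=..." is deliberately not matched.
LABEL_RE = re.compile(
    r"traefik\.http\.routers\.(?P<router>[\w-]+)\."
    r"(?P<key>entrypoints|tls)\s*=\s*(?P<value>[^\"'\n]+)",
    re.IGNORECASE,
)

def parse_routers(compose_text):
    """Collect the entrypoints and tls setting of every router label found."""
    routers = {}
    for m in LABEL_RE.finditer(compose_text):
        r = routers.setdefault(m["router"], {"entrypoints": [], "tls": False})
        value = m["value"].strip().lower()
        if m["key"].lower() == "entrypoints":
            r["entrypoints"] = [e.strip() for e in value.split(",") if e.strip()]
        else:
            r["tls"] = value == "true"
    return routers

def audit(compose_text, secure="websecure", plain="web"):
    """Return {router: [findings]} for routers that are not HTTPS-only."""
    findings = {}
    for name, r in parse_routers(compose_text).items():
        issues = []
        if secure not in r["entrypoints"]:
            issues.append("not attached to " + secure)
        if plain in r["entrypoints"]:  # assumption: 'web' is the HTTP entrypoint
            issues.append("still served over plain HTTP via " + plain)
        if not r["tls"]:
            issues.append("no router-level tls=true label")
        if issues:
            findings[name] = issues
    return findings

# Constructed sample labels modelled on the ones in this guide.
SAMPLE = '''
      - "traefik.http.routers.mops_dir.tls=true"
      - "traefik.http.routers.mops_dir.entrypoints=websecure"
      - "traefik.http.routers.mops_dir.rule=PathPrefix(`/eav`)"
      - "traefik.http.routers.mops_dir_sec.entrypoints=web,websecure"
      - "traefik.http.routers.mops_dir_sec.rule=PathPrefix(`/sec`)"
'''

if __name__ == "__main__":
    for router, issues in audit(SAMPLE).items():
        print(router + ": " + "; ".join(issues))
```

If TLS is enabled at the entrypoint level and works in your setup, the "no router-level tls=true label" finding is informational only.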

That should be all for configuring Traefik to use HTTPS.