Traefik v2 with Lets Encrypt on Amazon’s Elastic Container Service (ECS)

In this post, we will learn how to setup Traefik v2 on ECS with built in LetsEncrypt SSL.

Before I start, I would like to mention that Traefik is awesome reverse proxy & load balancer.

Steps which we will follow:

  1. Build docker image for Traefik on our local machine
  2. Push it on Amazon’s Elastic Container Registry (ECR)
  3. Use pushed image in Task Definition to run Service & Task for Traefik.

Build docker image for Traefik on our local machine

Dockerfile

FROM      alekitto/traefik-alpine

COPY      traefik_ecs.yaml /etc/traefik/traefik.yaml
RUN touch /etc/traefik/acme.json
RUN chmod +x /etc/traefik/acme.json

traefik_ecs.yaml

## Static configuration
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
    http:
      tls:
        certResolver: myresolver

api:
  dashboard: true

providers:
  ecs:
    exposedByDefault: true
    autoDiscoverClusters: false
    clusters:
    - YOUR_ECS_CLUSTER_NAME
    region: YOUR_AWS_REGION
    accessKeyID: "YOUR_AWS_ACCESS_KEY_ID"
    secretAccessKey: "YOUR_AWS_SECRET_ACCESS_KEY"

certificatesResolvers:
  myresolver:
    # Enable ACME (Let's Encrypt): automatic SSL.
    acme:
      email: "YOUR_EMAIL"
      storage: "acme.json"

      # CA server to use.
      # Uncomment the line to use Let's Encrypt's staging server,
      # leave commented to go to prod.
      #
      # Optional
      # Default: "https://acme-v02.api.letsencrypt.org/directory"
      #
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      # Use a TLS-ALPN-01 ACME challenge.
      #
      # Optional (but recommended)
      #
      # tlsChallenge:
      httpChallenge:

        # EntryPoint to use for the HTTP-01 challenges.
        #
        # Required
        #
        entryPoint: web

Now follow these steps to build docker image and push on Elastic Container Registry(ECR)

* Install AWS CLI https://aws.amazon.com/cli/ to execute these steps

export AWS_REGION='YOUR_AWS_REGION'

export AWS_ACCOUNT_ID='YOUR_ACCOUNT_ID'

export ECR_REPO_NAME='YOUR_REPO_NAME'

(aws ecr create-repository --repository-name $ECR_REPO_NAME) || true

eval $(aws ecr get-login --no-include-email --region eu-central-1)

docker build -t $ECR_REPO_NAME:\latest .

docker tag $ECR_REPO_NAME:\latest $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPO_NAME:\latest

docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPO_NAME:\latest

Create task definition to run task from image pushed on ECR

Alt Text
Alt Text
Alt Text
Alt Text
Alt Text
Alt Text
Alt Text

DOCKER LABELS

traefik.http.routers.dashboard.middlewares auth

traefik.http.middlewares.auth.basicauth.users anilmaurya:$apr1$1ktoln283782378923T43el/

traefik.http.routers.dashboard.rule Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

traefik.http.routers.dashboard.service api@internal

Generate token for basic auth from this site https://hostingcanada.org/htpasswd-generator/

Create one service and run this traefik task definition, after traefik is running we need to add Docker labels to the containers running in same cluster.

Example Docker labels:

traefik.http.routers.app.rule   Host(`example.com`)

traefik.http.services.app.loadbalancer.server.port  3000

Conclusion

Github: source code link.

App can be accessed on https://example.com with SSL certificate from Lets Encrypt

traefik dashboard can be accessed on https://example.com/dashboard

** Replace example with your DNS.

One thought on “Traefik v2 with Lets Encrypt on Amazon’s Elastic Container Service (ECS)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.