Traefik SSL Configuration
Overview
Section titled “Overview”Traefik provides automatic SSL termination, security headers, and reverse proxying for SPEAR deployments. It supports both Let’s Encrypt certificates for production and self-signed certificates for testing/internal use.
Architecture
Section titled “Architecture”┌─────────────────────────────────┐│ Internet │└─────────────┬───────────────────┘ │┌─────────────▼───────────────────┐│ Traefik (ports 80/443) ││ - SSL termination ││ - Security headers ││ - Request routing │└─────────────┬───────────────────┘ │ http://localhost:8090┌─────────────▼───────────────────┐│ SPEAR Backend ││ - PocketBase auth ││ - API endpoints ││ - Static file serving │└─────────────────────────────────┘Integrated Installation (Recommended)
Section titled “Integrated Installation (Recommended)”Install Traefik as part of the SPEAR deployment using the --with-traefik flag:
With Let’s Encrypt (Production)
Section titled “With Let’s Encrypt (Production)”sudo ./scripts/build-and-deploy.sh \ --with-traefik \ --domain example.com \With Self-Signed Certificate (Testing/Internal)
Section titled “With Self-Signed Certificate (Testing/Internal)”sudo ./scripts/build-and-deploy.sh \ --with-traefik \ --domain example.com \ --self-signedThis integrated approach:
- Builds and deploys the SPEAR application
- Downloads and installs Traefik binary
- Generates configuration for your domain
- Sets up SSL certificates
- Creates and starts systemd services
Standalone Installation
Section titled “Standalone Installation”To install Traefik separately from SPEAR:
cd scripts/traefik
# With Let's Encrypt SSL
# With self-signed certificatesudo ./install.sh --domain example.com --self-signed
# Custom backend URLsudo ./install.sh --domain example.com --email [email protected] --backend-url http://localhost:8080Installation Options
Section titled “Installation Options”| Option | Description |
|---|---|
-d, --domain DOMAIN | Domain name for SSL certificate (required) |
-e, --email EMAIL | Email for Let’s Encrypt (required unless —self-signed) |
-b, --backend-url URL | Backend URL (default: http://localhost:8090) |
-s, --self-signed | Use self-signed certificate |
-v, --version VERSION | Traefik version (default: latest) |
--uninstall | Remove Traefik installation |
Uninstall
Section titled “Uninstall”sudo ./install.sh --uninstallFile Structure
Section titled “File Structure”After installation, Traefik files are located at:
| Path | Description |
|---|---|
/usr/local/bin/traefik | Traefik binary |
/etc/traefik/traefik.yml | Static configuration |
/etc/traefik/dynamic/ | Dynamic configuration files |
/var/lib/traefik/acme/ | Let’s Encrypt certificates |
/var/lib/traefik/certs/ | Self-signed certificates |
/var/log/traefik/ | Log files |
Service Management
Section titled “Service Management”# Check statussudo systemctl status traefik-spear
# View logssudo journalctl -u traefik-spear -f
# Restartsudo systemctl restart traefik-spear
# Stopsudo systemctl stop traefik-spear
# Startsudo systemctl start traefik-spearConfiguration
Section titled “Configuration”Static Configuration
Section titled “Static Configuration”The static configuration (/etc/traefik/traefik.yml) defines:
- Entry points (HTTP/HTTPS)
- Let’s Encrypt or self-signed TLS
- Logging settings
- Metrics endpoints
Changes to static configuration require a service restart:
sudo systemctl restart traefik-spearDynamic Configuration
Section titled “Dynamic Configuration”The dynamic configuration (/etc/traefik/dynamic/spear.yml) defines:
- Routing rules for your domain
- Backend service URL
- Security headers and middleware
- Large file upload support (500MB)
Changes to dynamic configuration are auto-loaded without restart.
Modifying Configuration
Section titled “Modifying Configuration”- For dynamic config changes: Edit files in
/etc/traefik/dynamic/- changes are auto-loaded - For static config changes: Edit
/etc/traefik/traefik.ymland restart:Terminal window sudo systemctl restart traefik-spear
Security Features
Section titled “Security Features”Traefik provides these security features out of the box:
| Feature | Description |
|---|---|
| HTTPS Only | All HTTP traffic redirects to HTTPS |
| HSTS | HTTP Strict Transport Security enabled |
| Security Headers | XSS protection, frame options, content type sniffing prevention |
| CSP | Content Security Policy configured for SPEAR |
| Auto Renewal | Let’s Encrypt handles certificate renewal automatically |
Access Points
Section titled “Access Points”After successful deployment:
| Service | URL |
|---|---|
| SPEAR Application | https://your-domain.com |
| Health Check | https://your-domain.com/api/health |
Log Locations
Section titled “Log Locations”| Log | Location |
|---|---|
| Traefik main log | /var/log/traefik/traefik.log |
| Access log | /var/log/traefik/access.log |
| Systemd journal | journalctl -u traefik-spear |
Troubleshooting
Section titled “Troubleshooting”Certificate Issues
Section titled “Certificate Issues”# Check ACME logssudo journalctl -u traefik-spear | grep -i acme
# Verify certificate filels -la /var/lib/traefik/acme/acme.json
# Reset certificates (force renewal)sudo rm /var/lib/traefik/acme/acme.jsonsudo systemctl restart traefik-spearBackend Unreachable
Section titled “Backend Unreachable”# Test backend directlycurl http://localhost:8090/api/health
# Check SPEAR servicesudo systemctl status spearPort Conflicts
Section titled “Port Conflicts”# Check what's using ports 80/443sudo netstat -tlnp | grep -E ':80|:443'
# Or with sssudo ss -tlnp | grep -E ':80|:443'DNS Issues
Section titled “DNS Issues”# Verify DNS resolutionnslookup your-domain.comdig your-domain.comSSL Certificate Verification
Section titled “SSL Certificate Verification”# Test SSL certificateopenssl s_client -connect your-domain.com:443 -servername your-domain.com
# Check certificate expiryecho | openssl s_client -connect your-domain.com:443 2>/dev/null | openssl x509 -noout -datesValidation
Section titled “Validation”Run the validation script to check your installation:
cd scripts/traefik./validate.shThis checks:
- Traefik binary installation
- Configuration files
- Service status
- Port availability
- Backend connectivity
Firewall Configuration
Section titled “Firewall Configuration”UFW (Ubuntu/Debian)
Section titled “UFW (Ubuntu/Debian)”sudo ufw allow 80/tcpsudo ufw allow 443/tcpsudo ufw enablefirewalld (RHEL/CentOS)
Section titled “firewalld (RHEL/CentOS)”sudo firewall-cmd --permanent --add-service=httpsudo firewall-cmd --permanent --add-service=httpssudo firewall-cmd --reloadEmergency Procedures
Section titled “Emergency Procedures”Disable Traefik (Direct Backend Access)
Section titled “Disable Traefik (Direct Backend Access)”# Stop Traefiksudo systemctl stop traefik-spear
# Access backend directly on port 8090curl http://localhost:8090/api/healthReset SSL Certificates
Section titled “Reset SSL Certificates”# For Let's Encryptsudo systemctl stop traefik-spearsudo rm -f /var/lib/traefik/acme/acme.jsonsudo systemctl start traefik-spear
# For self-signedsudo systemctl stop traefik-spearsudo rm -f /var/lib/traefik/certs/*.pem# Re-run install.sh with --self-signed to regenerateComplete Reinstall
Section titled “Complete Reinstall”# Uninstallsudo ./install.sh --uninstall
# ReinstallUpdating Traefik
Section titled “Updating Traefik”To update Traefik to a newer version:
# Stop servicesudo systemctl stop traefik-spear
# Reinstall with new version
# Verifytraefik versionTraefik Configuration After Deployment
Section titled “Traefik Configuration After Deployment”After deployment with Traefik:
| Item | Value |
|---|---|
| Domain | https://your-domain.com |
| Status Command | sudo systemctl status traefik-spear |
| Logs Command | sudo journalctl -u traefik-spear -f |