add ssl doc: traefik

This commit is contained in:
youtous 2020-04-23 15:49:52 +02:00
parent 141db76b55
commit 404ac5a438

View file

@ -1,10 +1,13 @@
There are multiple options to enable SSL: There are multiple options to enable SSL:
* using [letsencrypt](https://letsencrypt.org/) (recommended) * using [letsencrypt](#lets-encrypt-recommended) (recommended)
* using self-signed certificates with the provided tool * using [traefik](#traefik)
* using your own certificates * using [self-signed certificates](#self-signed-certificates-testing-only) with the provided tool
* using [your own certificates](#custom-certificate-files)
After installation, you can test your setup with [checktls.com](https://www.checktls.com/TestReceiver). After installation, you can test your setup with:
- [checktls.com](https://www.checktls.com/TestReceiver)
- [testssl.sh](https://github.com/drwetter/testssl.sh)
### Let's encrypt (recommended) ### Let's encrypt (recommended)
@ -211,6 +214,59 @@ environment:
``` ```
DSM-generated letsencrypt certificates get auto-renewed every three months. DSM-generated letsencrypt certificates get auto-renewed every three months.
### Traefik
[Traefik](https://github.com/containous/traefik) is an open-source Edge Router which handles ACME protocol using [lego](https://github.com/go-acme/lego).
Traefik can request certificates for domains trougth the ACME protocol, the router will take care of renewals, challenge negotiations etc.
If you are using traefik you might want to push your certificates in the *mailserver* container.
[youtous/mailserver-traefik](https://github.com/youtous/docker-mailserver-traefik) is a certificate renewal service for [tomav/dockermailserver](https://github.com/tomav/docker-mailserver/) relying on the [traefik acme storage](https://docs.traefik.io/https/acme/).
#### Getting started
Depending of your traefik configuration, certificates could be stored using a *file* or a *KV Store (consul, etcd...)*
_docker-compose example:_
```
services:
cert-renewer-traefik:
image: youtous/mailserver-traefik:latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./acme.json:/tmp/traefik/acme.json:ro # link traefik acme.json file (read-only)
environment:
- TRAEFIK_VERSION=2
- CERTS_SOURCE=file
- DOMAINS=mail.localhost.com
mailserver:
image: tvial/docker-mailserver:latest
hostname: mail
domainname: localhost.com
labels:
- "mailserver-traefik.renew.domain=mail.localhost.com" # tag the service
# traefik service declaration (you can use static configuration too)
- "traefik.enable=true"
- "traefik.port=443" # dummy port, required generating certs with traefik
- "traefik.http.routers.mail.rule=Host(`mail.localhost.com`)"
- "traefik.http.routers.mail.entrypoints=websecure"
- "traefik.http.routers.mail.middlewares=redirect-webmail@docker" # /!\ the router must redirect every requests.
- "traefik.http.middlewares.redirect-webmail.redirectregex.regex=.*"
- "traefik.http.middlewares.redirect-webmail.redirectregex.replacement=https://webmail.localhost.com/"
environment:
- SSL_TYPE=manual # enable SSL on the *mailserver* and store certificates in pre-defined paths
- SSL_CERT_PATH=/var/mail-state/manual-ssl/cert # don't change theses paths!
- SSL_KEY_PATH=/var/mail-state/manual-ssl/key
```
Certificates will be renewed by *traefik* then pushed in the *mailserver* by the *cert-renewer* service, finally, dovecot and postfix will be restarted.
<br>
Documentation: https://github.com/youtous/docker-mailserver-traefik.
### Self-signed certificates (testing only) ### Self-signed certificates (testing only)
You can easily generate a self-signed SSL certificate by using the following command: You can easily generate a self-signed SSL certificate by using the following command: