nekowinston / traefik-local-nix

Quick HTTPS local proxy on NixOS/nix-darwin with traefik & dnsmasq

Traefik Local for Nix (nix-darwin/NixOS)

Set up a local Traefik web proxy with DNS resolution on *.test domains.

It also sets up a locally trusted Root CA and creates a TLS certificate for using HTTPS locally (shout out to mkcert).

0. Prerequisites

1. Setup resolvers

Enable the dnsmasq service, pointing to your localhost.

nix-darwin:

{
  services.dnsmasq = {
    enable = true;
    addresses."test" = "127.0.0.1";
    bind = "127.0.0.1";
  };
}

NixOS:

{
  services.dnsmasq = {
    enable = true;
    extraConfig = ''
      address=/test/127.0.0.1
    '';
  };
}

To verify this worked, cat /etc/resolver/test should return the following (macOS specific):

port 53
nameserver 127.0.0.1

And ping this.test should get a response from 127.0.0.1 (universal).

Note
I provide a convenience script, install.sh, in this repo, which can handle the remaining steps. The steps below are for the manual installation.

2. Set up a local Root CA, and prepare certificates

Clone this repository

git clone https://github.com/nekowinston/traefik-local-nix.git
cd traefik-local-nix/

We're using nix-shell here, since these are not runtime dependencies.

nix-shell -p mkcert nssTools

Set up the local Root CA

mkcert -install

On macOS, the local Root CA files are located under ~/Library/Application\ Support/mkcert. See the mkcert docs if you need instructions for installing them on another device.

Create a local TLS certificate

You can add any domain you need ending in .lan or .test. *.this.test creates a wildcard certificate, so any subdomain of the form like.this.test will also work. Unfortunately, you cannot create a *.test wildcard certificate; your browser will not allow it.

mkcert -cert-file certs/local.crt -key-file certs/local.key "this.test" "*.this.test"

3. Set up a Traefik container with HTTPS

Create an external network called traefik. All future containers that need to be exposed by domain name should use this network.

docker network create traefik

Start Traefik

docker-compose up -d

Go to https://traefik.this.test. You should see the Traefik web dashboard served over HTTPS.

4. Set up your dev containers

In the docker-compose.yml file in your project:

Add the external network traefik at the end of the file:

networks:
  default:
    name: traefik
    external: true

Add these labels on the container(s)

services:
  my-frontend:
    labels:
      - traefik.enable=true
      - traefik.http.routers.my-frontend.entrypoints=http,https
      - traefik.http.routers.my-frontend.rule=Host(`my-frontend.this.test`) # You can use any domain allowed by your TLS certificate
      - traefik.http.routers.my-frontend.tls=true
      - traefik.http.routers.my-frontend.service=my-frontend
      - traefik.http.services.my-frontend.loadbalancer.server.port=3636 # Adapt to the exposed port in the service
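
The wildcard limits from step 2 decide which Host() rules the certificate can actually serve. The following is an added example, not part of this repository: it lists every Host() name that the names given to mkcert do not cover. The helper names (name_covered, host_rules, uncovered_hosts, sample_labels) and the api and other routers in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the repository).
# name_covered HOST PATTERN: exit 0 if certificate name PATTERN covers HOST.
name_covered() {
  host=$1 pattern=$2
  case $pattern in
    \*.*)
      base=${pattern#\*.}
      # "*.test": wildcard directly under a TLD, which browsers reject
      case $base in *.*) ;; *) return 1 ;; esac
      # A wildcard stands for exactly one label: host must be <label>.<base>
      case $host in *."$base") label=${host%."$base"} ;; *) return 1 ;; esac
      case $label in ''|*.*) return 1 ;; esac
      return 0 ;;
    *) [ "$host" = "$pattern" ] ;;
  esac
}

# host_rules: print the name inside each Host(`...`) read from stdin
# (assumes one Host() with a single name per line, as in the labels above).
host_rules() {
  sed -n 's/.*Host(`\([^`]*\)`).*/\1/p'
}

# uncovered_hosts "NAME NAME ...": print every Host() name on stdin that
# none of the given certificate names covers.
uncovered_hosts() {
  sans=$1
  host_rules | (
    set -f  # stop the shell from glob-expanding "*.this.test"
    while read -r h; do
      ok=no
      for s in $sans; do
        if name_covered "$h" "$s"; then ok=yes; break; fi
      done
      [ "$ok" = yes ] || echo "$h"
    done
  )
}

# Constructed sample labels; the certificate names match the mkcert command.
sample_labels() {
  cat <<'EOF'
      - traefik.http.routers.my-frontend.rule=Host(`my-frontend.this.test`)
      - traefik.http.routers.api.rule=Host(`api.v2.this.test`)
      - traefik.http.routers.other.rule=Host(`other.test`)
EOF
}

sample_labels | uncovered_hosts 'this.test *.this.test'
```

Any name it prints needs its own entry in the mkcert command, for example "*.v2.this.test" for the two-level name.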

Note
For web applications, use the same origin domain for your frontend and backend to avoid cookie-sharing issues. Example: https://this.test (frontend) and https://api.this.test (backend)

Credits

SushiFu for their excellent repository using Brew: traefik-local

License: GNU General Public License v3.0