Securing Your Web App with Traefik: SSL Certificate & Reverse Proxy Setup Using Docker Compose

Saurav ChapagainSaurav Chapagain
5 min read

Welcome back again, folks!

I'm here with another tutorial, where I'll show you how to set up a free SSL certificate for your web application using Traefik, which will also act as a reverse proxy.

Background
If you followed my previous Docker tutorial, we set up a two-tier application and moved from using Docker run to Docker Compose. Now, we want to host it as a public website with minimal costs. This is just a demo, so be careful if you plan to use it in a production environment because security could be a concern due to the focus on saving costs.

Reverse Proxy????
A reverse proxy is a server (here, Traefik) that receives all incoming web requests from clients and forwards them to the right backend service based on the URL path.

Clients connect only to Traefik on ports 80 (HTTP) and 443 (HTTPS).

Traefik routes requests like:

/ → Django app

/flower → Flower service

/docs → Docs service

It hides backend service ports (like 5555 or 9000) from clients and handles HTTPS with automatic SSL certificates via Let's Encrypt.

Also

Middleware is a small tool or filter that modifies or controls HTTP requests and responses as they pass through the reverse proxy (Traefik) before reaching our backend services like Django, Flower and Docs. Here we have used for : Fixing URLs: For example, if users request /flower, middleware removes that part so Flower sees just / and Security: Adds security headers (like CSRF protection) to protect our app.

To recapitulate: Reverse Proxy (Traefik) = Decides where requests go and hides backend details. Middleware = Fixes and protects requests before they hit the backend services.

Scenario

We have five different microservices to support our web application developed on Jdango, we will not be focusing on the microservices, instead we will be focusing on encrypting our HTTP traffic to our appilcaiton using TLS (successor to SSL) using Let’s Encrypt, a free, automated and open certificate authority (CA). The certificate will have a lifespan of 90 days following an HTTP 01 challenge. It indeed is perfect for a production pilot project.

Task

As you know now, our microservice containers are managed using a Docker Compose file.

Referring to the previous docker-compose file: Our docker compose is some how similar to this

This has to be observed at the celeryworker service/container, a sign (&, < < and \django). In YAML this can be seen often: let’s break down these:
& is called an anchor, saying I marked it as reusable block which I can reference later if it has to be defined first.
my_config: &my_config key1: value1 key2: value2 Alias (\) we refer to an anchor using this symbol. Brings everything from
my_reference: <<: *my_config # This brings in everything from the 'my_config' anchor.

<< is the merge key, which brings all the data from the alias defined with *
app_config:
<<: *my_config # Merges 'my_config' into 'app_config'
additional_key: value3

As I demo earlier we can refer to the individual Docker file for our containers, here you can see there are seperate and several docker file the docker-compose is referring to.

Let’s see how our Traefik docker file looks like.

Traefik Configuration File ):

This is where you define how Traefik should route requests to your services (like Django and Flower).

3. Key Sections in the Traefik Configuration (api-traefik.yml)

  • EntryPoints:

    • Traefik listens on ports 80 (HTTP) and 443 (HTTPS).

    • Redirects: Requests on HTTP (port 80) are automatically redirected to HTTPS (port 443).

  • Routers:

    • Routing Logic:

      • web-secure-router handles requests to staging.domain.com and forwards them to Django.

      • flower-secure-router handles requests to staging.domain.com/flower and forwards them to Flower.

  • Middlewares:

    • CSRF Protection: Ensures requests to Django are protected against Cross-Site Request Forgery by checking headers like X-CSRFToken. Django automatically protects our web application from CSRF attacks by ensuring that each POST request includes a valid CSRF token. It is responsible for creating, verifying, and enforcing CSRF protection.

  • Services:

    • Traefik forwards requests to Django running on port 5000 and Flower on port 5555.

  • TLS (SSL Certificates):

    • Traefik uses Let's Encrypt to automatically issue SSL certificates for secure HTTPS connections.

How does Traefik work in Docker?

  • Traefik container starts up with a custom Dockerfile (ApiDockerfile).

    • It gets the configuration file api-traefik.yml copied to /etc/traefik inside the container.

  • When you run Traefik:

    • It listens for HTTP and HTTPS traffic.

    • It uses routers to decide where to send the traffic based on the host (staging.domain.com) and path (/flower).

    • The traffic is routed to either the Django or Flower service inside the container, which are running on different ports.

  • SSL (TLS): Once traffic reaches the container, Traefik secures it with SSL automatically using Let’s Encrypt.

Once we re-run the docker-compose file. We will verify the URL and details.

Summary:

In this tutorial, we learn how to use Traefik to set up a reverse proxy and automatically secure our web traffic with SSL certificates from Let’s Encrypt.

  1. Traefik Configuration:

    • EntryPoints: Traefik listens on ports 80 (HTTP) and 443 (HTTPS), automatically redirecting HTTP to HTTPS.

    • Routers: Decide where requests go based on domain and path (e.g., staging.mydomain.com/flower → Flower).

    • Middlewares: Add security features like CSRF protection.

    • Services: Direct requests to Django (port 5000) or Flower (port 5555).

    • TLS (SSL): Traefik automatically gets SSL certificates from Let’s Encrypt for secure connections.

  2. How Traefik Works in Docker:

    • Traefik listens for traffic and routes it to the correct backend service.

    • It uses SSL (via Let’s Encrypt) to secure the traffic.

  3. Docker Compose:

    • The docker-compose.yml file manages services like Django, Flower, and Traefik.

    • We use anchors and aliases to simplify and reuse configurations.

Conclusion:

By following the steps, we set up Traefik as a reverse proxy to securely route traffic and protect services like Django and Flower using SSL certificates. Middleware ensures requests are secure and paths are fixed.

0
Subscribe to my newsletter

Read articles from Saurav Chapagain directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Docker#cybersecurityDevops#securitybestpractices

Written by

Saurav Chapagain
Saurav Chapagain

am a Cybersecurity and Cloud Support Professional with over 9 years of experience in securing IT infrastructure, managing cloud environments, and ensuring compliance with industry standards. My expertise spans security operations, incident response, vulnerability management, and cloud infrastructure management across AWS and Azure platforms. Throughout my career, I’ve successfully: Reduced unauthorized access attempts by 40% through IAM best practices and security hardening. Improved incident response times by 30% by implementing automated SIEM alert triaging systems. Conducted security audits and vulnerability assessments to ensure compliance with HIPAA, HiTrust, and SOC 2 standards. Managed hybrid cloud environments, optimizing security policies and reducing attack surfaces by 50%. I hold two Post Graduate Certificates in Cloud Architecture & Administration (Seneca Polytechnic) and Cybersecurity (Canadore College), along with certifications such as ISC2 Cybersecurity, CompTIA Security+, and Red Hat Certified System Administrator (RHCSA). My technical skills include expertise in tools like Microsoft Sentinel, Splunk, Palo Alto, and scripting with PowerShell and Bash. I am passionate about leveraging my skills to protect organizations from cyber threats and ensure the integrity of their systems and data. I thrive in collaborative environments, working with cross-functional teams to deliver secure and reliable IT solutions. Let’s connect and discuss how I can contribute to your organization’s IT operation and cybersecurity goals!