CloudFlare CDN
Here is a guide I wrote for myself, copied and pasted from my Notion. This is a setup where you point your Cloudflare tunnel to your Traefik reverse proxy: Cloudflare Tunnel → Dokploy Reverse Proxy → Service Container. In the guide I have an example Dokploy service called coder and the domain example.io.
HTTPS Setup with Traefik
1: Go to cloudflared and get an Origin Server cert in PEM format
- Navigate to your domain (example.io)
- Go to SSL/TLS → Origin Server
2: Save Certificate Files on Your Server
- Add .crt and .key files to /etc/dokploy/traefik/dynamic/certificates
- Set permissions

    sudo chmod 644 /etc/dokploy/traefik/dynamic/certificates/exampleio.crt
    sudo chmod 600 /etc/dokploy/traefik/dynamic/certificates/exampleio.key

3: Update Traefik Config
- Remove Let's Encrypt from the main config; we will be using certs from Cloudflare

    providers:
      swarm:
        exposedByDefault: false
        watch: true
      docker:
        exposedByDefault: false
        watch: true
        network: dokploy-network
      file:
        directory: /etc/dokploy/traefik/dynamic
        watch: true
    entryPoints:
      web:
        address: :80
      websecure:
        address: :443
        http3:
          advertisedPort: 443
        # http:
        #   tls:
        #     certResolver: letsencrypt
    api:
      # serves the Traefik API/dashboard without authentication (port 8080 by default);
      # keep that port off the public internet
      insecure: true
    # Disabled because I am using cloudflare origin certificates with cloudflared tunnels
    # certificatesResolvers:
    #   letsencrypt:
    #     acme:
    #       email: test@localhost.com
    #       storage: /etc/dokploy/traefik/dynamic/acme.json
    #       httpChallenge:
    #         entryPoint: web

- Create a dynamic config for the new certificates

    # /etc/dokploy/traefik/dynamic/certificates.yml
    tls:
      certificates:
        - certFile: /etc/dokploy/traefik/dynamic/certificates/exampleio.crt
          keyFile: /etc/dokploy/traefik/dynamic/certificates/exampleio.key
          stores:
            - default
      stores:
        default:
          defaultCertificate:
            certFile: /etc/dokploy/traefik/dynamic/certificates/exampleio.crt
            keyFile: /etc/dokploy/traefik/dynamic/certificates/exampleio.key

    # /etc/dokploy/traefik/dynamic/middlewares.yml
    http:
      middlewares:
        redirect-to-https:
          redirectScheme:
            scheme: https
            permanent: true

4: Set Service Domain
- Add the subdomain to the service in Dokploy as https
- Set Certificate Provider to Custom
- Set Custom Certificate Resolver to file
- Add the subdomain to the cloudflared tunnel online

    Hostname Config:
      subdomain: coder
      domain: example.io
      path: none
    Service:
      type: https
      URL: localhost:443 ← Change from port 80 to 443
    Additional application settings:
      TLS → Origin Server Name: coder.example.io ← THIS IS IMPORTANT or get 502 Bad Gateway. THIS MUST ALSO MATCH DOKPLOY DOMAIN SETTING

5: Restart services

    # Restart Traefik to pick up new certificates
    docker restart $(docker ps -q --filter "name=traefik")
    # Redeploy your coder service in Dokploy (this will apply the HTTPS labels)
    # Requires manual re-deploy

6: Verify deploy
View logs

    docker logs $(docker ps -q --filter "name=traefik") 2>&1 | grep -i cert

Check cert

    openssl s_client -connect localhost:443 -servername coder.example.io

That's it!
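
The certificate checks that steps 2 to 4 depend on, as an added example that is not part of the original guide: the script confirms the key file mode, that the key belongs to the certificate, that the certificate covers the Origin Server Name, and that it is not about to expire. The function names are hypothetical, and it assumes the openssl CLI is installed on the server.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are hypothetical.
# Usage: sh check_origin_cert.sh CERT KEY HOSTNAME

# Octal file mode (GNU stat, falling back to BSD stat).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_origin_cert CERT KEY HOSTNAME: returns 0 only if every check passes.
check_origin_cert() {
  crt=$1; key=$2; host=$3; rc=0
  if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
    echo "FAIL: cannot read $crt or $key"; return 1
  fi
  # Step 2: the private key must not be readable by group or others.
  mode=$(file_mode "$key")
  case "$mode" in
    600|400) ;;
    *) echo "FAIL: $key has mode $mode, expected 600"; rc=1 ;;
  esac
  # Step 3: certFile and keyFile must be a pair (same public key).
  pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  if [ -z "$pub" ] || [ "$pub" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "FAIL: $key does not belong to $crt"; rc=1
  fi
  # Step 4: the certificate must cover the Origin Server Name / Dokploy domain.
  if ! openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
    echo "FAIL: $crt does not cover $host"; rc=1
  fi
  # The certificate must stay valid for at least 30 more days.
  if ! openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1; then
    echo "FAIL: $crt expires within 30 days"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $crt and $key are consistent for $host"
  return "$rc"
}

if [ "$#" -eq 3 ]; then check_origin_cert "$@"; fi
```

Run it on the server before restarting Traefik, passing the guide's exampleio.crt and exampleio.key paths and coder.example.io as the hostname.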