Installing Traefik

1. Introduction

Traefik is the preferred reverse proxy for use with Truecharts. It can be configured in various ways: to work with a Cloudflare tunnel, as an open reverse proxy facilitating unrestricted internet access, or solely for internal network access. Regardless of your network's specific needs, the initial step is to set up Traefik as a closed reverse proxy for internal use. While it may not be essential to equip a closed network with TLS and SSL certificates, implementing them at this stage is prudent. This approach also prevents issues that may arise when a web browser fails to recognize a certificate for a local host.

2. Prerequisites:

3. Install Traefik

To configure Traefik as a reverse proxy, it must monitor incoming network traffic on both ports 80 and 443. Currently, the TrueNAS Scale GUI is using these ports. The first step is to reassign the ports utilized by the TrueNAS Scale GUI to free up ports 80 and 443 for Traefik. To do this, go to System Settings > General in the TrueNAS Scale GUI and then select Settings in the GUI panel.

A screenshot of a graphical user interface (GUI) settings page, displaying options for themes, SSL certificates, IP addresses, ports, HTTPS protocols, and other system settings such as usage collection and console message display options.

Change the HTTP and HTTPS ports from 80 and 443 to alternative values, such as 81 and 444, respectively. Click Save. Then select Confirm and click Continue.

Screenshot of a graphical user interface for configuring GUI settings, including theme selection, SSL certificate management, IP addresses, HTTP and HTTPS ports, and TLS protocols.
A cartoon mascot of Traefik, a cloud-native networking software, depicted as a smiling traffic controller with elements of network symbolism, such as containers and load balancing, is displayed next to the text "Traefik", which is described as a flexible reverse proxy and Ingress Provider.

To return to the TrueNAS Scale GUI, you may need to refresh the webpage. To access the TrueNAS GUI from the local network in the future, be sure to include the port number in the URL. For instance, use http://192.168.0.20:81 (remember to replace this with your own IP address).

To install the Traefik App in the TrueNAS SCALE GUI, navigate to "Apps" and then "Discover Apps." Enter "Traefik" in the search bar, click on the Truechart Traefik icon, and select "Install."

For this simple installation of Traefik, you can skip the optional settings. Scroll to the bottom of the panel and click "Install."

After the app has deployed and is running, you can access the Traefik dashboard by navigating to http://192.168.0.20:9000/dashboard/#/ (do not forget to change this to your IP address) or by clicking Open in the Application Info:

Screenshot of an 'Application Info' screen with a mascot resembling a bee in a traffic cone, representing the application named 'traefik'. It shows details like App Version 2.11.2, Chart Version 26.10.19, with sources listed from multiple GitHub repositories. The developer is not available, and the application is listed under the Truecharts catalog marked as premium. An 'Open' button is highlighted at the bottom with a cursor icon indicating a click option, and a 'Delete' button is at the bottom right.

4. Install Cert-manager

The Cert-manager App is equally easy to install. In the TrueNAS SCALE GUI, navigate to "Apps" and then "Discover Apps." Enter "Cert-manager" in the search bar, click on the Truechart Cert-manager icon, and select "Install."

There is no need to change any of the default settings so just click "Install".

A screenshot of a web interface for installing the application "cert-manager" with fields for application name, version, general settings including a global "Stop All" option, credentials, and DNS recursive nameservers configurations.

5. Install Clusterissuer

The final app we need to install is Clusterissuer. This is the app that manages all the SSL certificates.

For the app to work with Cloudflare, it needs a Cloudflare API token. To generate one, log in to Cloudflare and click on the appropriate domain. On the right-hand side there is a link labelled Get your API token; click on it. Next, click Create Token.

The homepage of a Cloudflare account management interface displaying the domain 'ryeroxley.co.uk' as active. A search bar and 'Add a site' button are available for further actions.
A screenshot of the Cloudflare analytics dashboard for the domain ryeroxley.co.uk, showing traffic data and quick action settings.
A screenshot of the Cloudflare User API Tokens page showing an option to create a new token and sections for API Tokens and API Keys, with 'No API tokens' listed and buttons to view or change the Global API Key and Origin CA Key.

As we want to edit the A record in the DNS, find the Edit zone DNS template and click Use template.

A screenshot of the Cloudflare User API Tokens creation page, offering various pre-configured permission templates for tasks like editing DNS zones, reading billing information, and managing Cloudflare Workers, as well as an option to create a custom API token.

The Zone to edit is DNS and it needs Edit permissions. Zone read permissions are also needed, so click "+ Add more" and set it to Zone/Zone/Read. The Resource to include is the specific domain to edit (if you are hosting more than one domain, you may wish to leave this set to All). Optionally, you can also restrict the token to specific IP addresses or time scales. Click Continue to summary.

A screenshot of the "Create Token" section in a user API tokens interface, showing various fields for token name, permissions, zone resources, client IP address filtering, and TTL settings.

Check the summary and Create Token. The next screen displays the API Token. Copy and paste the token somewhere safe!

A screenshot of a user interface for creating API tokens, showing options for "DNS:Edit" and "Zone:Read" permissions for an account labeled "Rye@ryeroxley.co.uk".
A confirmation screen showing that an 'Edit zone DNS' API token was successfully created on Cloudflare, with an obscured token displayed and a button to copy it. Instructions are provided to test the token using a CURL command in a terminal.

If you have access to a Linux shell, you can test the token by pasting the curl command that Cloudflare displays into the shell. You should get a response that includes the text “This API Token is valid and active”.
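A way to run the same check without putting the token on a command line, where it would end up in shell history and the process list. This is an added example, not part of the original tutorial or Cloudflare's snippet; the function names and the token file path are assumptions.

```shell
# Added example: verify a Cloudflare API token while keeping it out of
# shell history and argv. Function names and file path are hypothetical.

CF_VERIFY_URL="https://api.cloudflare.com/client/v4/user/tokens/verify"

# Classify the JSON body returned by the verify endpoint.
# Prints one of: active | inactive | rejected
classify_verify_response() {
  cf_body="$1"
  if ! printf '%s' "$cf_body" |
       grep -Eq '"success"[[:space:]]*:[[:space:]]*true'; then
    echo rejected      # invalid or revoked token, or malformed request
  elif printf '%s' "$cf_body" |
       grep -Eq '"status"[[:space:]]*:[[:space:]]*"active"'; then
    echo active
  else
    echo inactive      # token exists but is disabled or expired
  fi
}

# Read the token from a file (chmod 600) and hand it to curl as a config
# line on stdin, so the secret never appears in curl's argument list.
verify_token_file() {
  cf_token="$(tr -d '[:space:]' < "$1")" || return 2
  cf_resp="$(printf 'header = "Authorization: Bearer %s"\n' "$cf_token" |
             curl -sS --max-time 10 --config - "$CF_VERIFY_URL")" || return 2
  classify_verify_response "$cf_resp"
}

# Usage (needs network access):
#   chmod 600 ~/.cf_token && verify_token_file ~/.cf_token
```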

To install the Clusterissuer App in the TrueNAS SCALE GUI, navigate to "Apps" and then "Discover Apps." Enter "Clusterissuer" in the search bar, click on the Truechart Clusterissuer icon, and select "Install."

In the App Configuration section click ADD against ACME Issuer. In this block you need to:

  • Give the issuer a name such as "cloudflarecert". This is the name that will be used later in the app ingress configuration
  • Set the DNS provider to "Cloudflare" if it isn't already set
  • Set the Server to "Letsencrypt-Production" if it isn't already set
  • Email is the email Letsencrypt will use
  • Cloudflare API Token is the token from earlier.

Complete this section and click "Install"

A digital interface for configuring a cluster certificate issuer with fields labeled Name, Type or DNS-Provider, Server, Email, CloudFlare API Key, and CloudFlare API Token, filled with specific data.

6. Testing

All the required applications are now set up to use Traefik as a reverse proxy for local network traffic. To ensure it functions correctly, two components are necessary:

  1. An application to test it with.
  2. A DNS entry directing to the application.

First, let's install the Truecommand app for testing purposes. In the TrueNAS SCALE interface, go to "Apps" and then "Discover Apps." Type "Truecommand" into the search bar, click on the Truechart Truecommand icon, and click "Install."

Next, in the Ingress section, enable Ingress by selecting "Enable Ingress." Click "Add" next to Hosts. In the HostName field, enter a Fully Qualified Domain Name (FQDN) for the application, such as true.ryeroxley.co.uk. Leave the other settings at their default values.

A screenshot of a software interface for configuring network ingress settings. The interface shows an "Enable Ingress" toggle switched on, fields for entering host name and path with the host name 'true.ryeroxley.co.uk' and path '/' set to 'Prefix' type. Additional sections for Traefik integration with enabled status and an option to allow cross-origin requests are also visible.

Scroll down to "certManager" and click to enable it. In the "certificateIssuer" field, enter the name of the ACME Issuer you specified in the Clusterissuer section above. For example, use "cloudflarecert".

Screenshot of software settings showing options for certificate management. The certManager option is enabled, while the certificateIssuer is set to Cloudflare. The homepage is disabled with an additional option to show advanced settings.

Click "Install" to proceed. After the app starts, make sure it is selected and then check the History panel. You should see a confirmation that a certificate has been successfully issued.

Screen capture of a user interface titled "History," displaying a list of Related Kubernetes Events with timestamps indicating events such as an order completion and a certificate retrieval, all dated 2024-05-03 at 10:12:39.

My preferred DNS/DHCP provider is Pi-Hole, running on a Raspberry Pi, which is not supported by Truecharts. I prefer to have a standalone server for DHCP/DNS to ensure it remains operational even when other systems are down. In this example, a DNS record is needed to direct true.ryeroxley.co.uk to the IP address used by Traefik, which is 192.168.0.20. If you install and use Blocky, this process is automatic.

If you are using Pi-hole, log in to Pi-hole and select 'Local DNS', then 'DNS Records'. In the 'Domain' field, enter the FQDN (true.ryeroxley.co.uk), and in the 'IP Address' field, enter the IP address of the Traefik instance. Don't forget to click 'Add'!

A screenshot of a user interface for adding a new domain/IP combination. The form displays fields for "Domain" and "IP Address", with the domain "true.ryeroxley.co.uk" entered and an IP address of "192.168.0.20". A note below explains the order of DNS records processing.

Once successful, the domain should be listed in the "List of local DNS domains":

Webpage displaying a list of local DNS domains with a single entry showing the domain 'true.ryeroxley.co.uk' and its corresponding IP address '192.168.0.20'. An 'Action' column includes a red trash bin icon for deletion.

When you visit the specified subdomain (true.ryeroxley.co.uk), you should be redirected to the TrueCommand login page. Additionally, a padlock icon should appear in the URL bar, indicating that the connection is secure.

A digital sign-up form for TrueCommand, displaying a sleek blue-themed background with swirling designs. The form includes fields for username, password, and password confirmation outlined in red, with checkboxes for agreeing to terms of service and a grey "SIGN UP" button below.
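To confirm from a shell what the padlock is reporting, the added example below (not from the original tutorial) inspects the certificate Traefik presents for the FQDN and flags three failure modes: a self-signed fallback certificate, a name mismatch, and expiry. The function names are assumptions, the subject-equals-issuer comparison is a heuristic for self-signed certificates, and fetch_cert needs the openssl CLI plus network access to Traefik on port 443.

```shell
# Added example: check the certificate behind the padlock.
# Function names and file paths are hypothetical.

# Fetch the leaf certificate served for a hostname (SNI) at a given IP.
# Works before the DNS record exists, because the IP is given explicitly.
#   fetch_cert 192.168.0.20 true.ryeroxley.co.uk > leaf.pem
fetch_cert() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# Inspect a PEM certificate file for a hostname.
# Prints one of: ok | self-signed | name-mismatch | expired
check_cert() {
  cc_pem="$1"; cc_host="$2"
  cc_subj="$(openssl x509 -in "$cc_pem" -noout -subject -nameopt RFC2253)"
  cc_issr="$(openssl x509 -in "$cc_pem" -noout -issuer -nameopt RFC2253)"
  # Heuristic: identical subject and issuer means no CA signed this cert,
  # which is what a proxy's built-in fallback certificate looks like.
  if [ "${cc_subj#subject=}" = "${cc_issr#issuer=}" ]; then
    echo self-signed; return 1
  fi
  # The FQDN must be covered by the certificate's names.
  if ! openssl x509 -in "$cc_pem" -noout -checkhost "$cc_host" |
       grep -q 'does match'; then
    echo name-mismatch; return 1
  fi
  # -checkend 0 fails if the certificate has already expired.
  if ! openssl x509 -in "$cc_pem" -noout -checkend 0 >/dev/null; then
    echo expired; return 1
  fi
  echo ok
}

# Usage (needs network access):
#   fetch_cert 192.168.0.20 true.ryeroxley.co.uk > leaf.pem
#   check_cert leaf.pem true.ryeroxley.co.uk
```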

If you choose "Traefik" from the Apps list and click "Open," you will be directed to the Traefik dashboard (http://192.168.0.20:9000/dashboard/#/). This dashboard displays the entry points to Traefik and additional details. By clicking on "HTTP" in the top menu bar, you will see a list of all routes that Traefik recognizes. Notice the green shield under "TLS" for true.ryeroxley.co.uk, indicating that SSL is active.

Screenshot displaying a table with various network routing rules and statuses for an IT dashboard. The table includes columns labeled Status, TLS, Rule, Entrypoints, Name, and Service, each with corresponding icons and texts indicating operational states and configurations.

To enable external access, you must either set up a Cloudflare tunnel or configure Traefik to be exposed to the internet. If you encounter issues at this stage, review the steps provided in this tutorial before progressing.

Next steps may include:

  • Install a Cloudflare Tunnel.
  • Configure Traefik for web access with Authelia and LDAP authentication.
  • Install applications for internal use only.

You can choose to either delete TrueCommand or retain it for future testing.