How to deploy Teleport behind Traefik as a reverse proxy

We show how we deployed a self-hosted Teleport instance on a virtual machine behind a Traefik reverse proxy.


Requirements

# Stack definition for the Traefik edge proxy (Compose file format 3.8).
version: "3.8"

volumes:
  # Persistent volume mounted at /letsencrypt, which the traefik.yml on this
  # page uses for ACME storage (acme.json). That file contains certificate
  # private keys, so restrict who can read the volume on the host.
  traefik__acme:
    name: stack__traefik__acme

services:
  app:
    # Pinned to an exact release tag. Track upstream security releases and
    # bump this deliberately; pinning by image digest is stricter still.
    image: "traefik:v2.9.6"
    environment:
      TZ: Europe/Zurich
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"
      # The :ro flag only makes the mount of the socket file read-only. It does
      # not limit the Docker API calls that can be sent through the socket, so
      # a compromise of this internet-facing container amounts to control of
      # the Docker daemon. Consider putting a filtering socket proxy in between
      # that exposes only the read endpoints Traefik needs.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Static and dynamic configuration, read-only inside the container.
      - "./etc/traefik:/etc/traefik:ro"
      - "traefik__acme:/letsencrypt"
    ports:
      # Host-mode publishing binds 80/443 directly on the node running the
      # task instead of going through the swarm routing mesh.
      - published: 80
        target: 80
        mode: host
      - published: 443
        target: 443
        mode: host

docker-compose.yml

# Traefik static configuration (read once at start-up).
global:
  # Lets Traefik periodically check whether a newer release exists.
  checkNewVersion: true
  # Usage statistics are not sent upstream.
  sendAnonymousUsage: false

api:
  # Enables the dashboard. `insecure` is not set, so the dashboard is only
  # reachable through a router that targets `api@internal`; no such router is
  # visible on this page. If one is defined elsewhere, put authentication (and
  # ideally a source-IP allow-list) in front of it.
  dashboard: true

log:
  level: INFO
  # JSON output is convenient for shipping to a central log pipeline.
  format: json

accessLog:
  format: json

entryPoints:
  web:
    address: ':80'

    # Every plain-HTTP request is redirected to the websecure entry point.
    http:
      redirections:
        entryPoint:
          to: websecure

  websecure:
    address: ':443'

providers:
  docker:
    # Traefik reads service metadata from the Docker API through this socket.
    # Access to the socket is access to the whole Docker API, so treat this
    # container as privileged.
    endpoint: 'unix:///var/run/docker.sock'
    # Services are only routed when they opt in (traefik.enable=true label).
    exposedByDefault: false
    swarmMode: true

  file:
    # Dynamic configuration is loaded from this directory and re-read on
    # change, so whoever can write here can change routing at runtime. Keep
    # the host directory writable by administrators only.
    # NOTE(review): per the file captions on this page, the static traefik.yml
    # lives in this same directory; pointing the provider at a dedicated
    # subdirectory (the Teleport file sits under domains/) would keep static
    # and dynamic configuration apart - confirm before changing.
    directory: /etc/traefik
    watch: true

# NOTE(review): `traefik` is not a section in the Traefik v2 static
# configuration reference; the documented option is `providers.docker.network`.
# Presumably that was the intent - verify whether this key has any effect.
traefik:
  docker:
    network: web

certificatesresolvers:
  letsencrypt:
    acme:
      # Placeholder contact address for the ACME account; replace it.
      email: info@example.com
      # acme.json holds the account key and certificate private keys; it lives
      # on the traefik__acme volume from docker-compose.yml.
      storage: /letsencrypt/acme.json
      # HTTP-01 challenges are answered on the port-80 entry point.
      httpChallenge:
        entryPoint: web

etc/traefik/traefik.yml

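# Dynamic configuration (file provider): forwards raw TLS from the websecure
# entry point to the Teleport proxy without terminating it.
tcp:
  routers:
    me_squibble__cluster01__teleport:
      entryPoints:
        - websecure
      # NOTE(review): HostSNI(`*`) matches any SNI, so TLS connections on
      # websecure that no more specific rule claims are handed to Teleport.
      # If only Teleport's public hostname(s) should reach it, narrow the rule
      # to those names - first verify which SNI names your Teleport clients
      # actually send.
      rule: 'HostSNI(`*`)'
      service: me_squibble__cluster01__teleport@file
      tls:
        # Passthrough: Traefik relays the encrypted stream untouched, so
        # Teleport terminates TLS with its own certificate. HTTP middlewares
        # and the letsencrypt resolver do not apply to this router.
        # Written as a real boolean rather than the string 'true'.
        passthrough: true

  services:
    me_squibble__cluster01__teleport:
      loadBalancer:
        servers:
          # Placeholder: replace with the Teleport server's address. Port 3080
          # should then be reachable from this proxy only, not from the public
          # network, otherwise the proxy can be bypassed.
          # NOTE(review): Teleport will presumably see Traefik's address as the
          # client source unless PROXY protocol is enabled on both sides -
          # check this if audit logs need real client IPs.
          - address: '<TELEPORT SERVER IP>:3080'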

etc/traefik/domains/me_squibble_cluster01_teleport.yml