
ref traefik

Springcomp edited this page Feb 8, 2026 · 2 revisions

This project uses Traefik as its reverse-proxy.

Traefik handles certificate requests and renewals from LetsEncrypt and routes network traffic to the appropriate service.

HSTS

From Wikipedia https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

HTTP Strict Transport Security is an extra step you can take to protect your web app from certain man-in-the-middle attacks. It does this by specifying an amount of time (usually a really long one) for which you should only accept HTTPS connections, not HTTP ones.

This repository already enables HSTS, thanks to the traefik configuration for the simplelogin container.

Certificate requests and renewals

erDiagram
  LetsEncrypt }o--|| traefik : "Requests Certs"
  traefik ||--o{ ACME : "Writes JSON"
  cert-exporter ||--o{ ACME : "Reads JSON"
  cert-exporter ||--o{ CERTS : "Exports PEM"
  CERTS }o--|| postfix : Uses
  cert-exporter ||--o{ postfix : "Restarts Container"

  style ACME fill:#f9f,stroke:#333,stroke-width:4px
  style CERTS fill:#f9f,stroke:#333,stroke-width:4px
  style LetsEncrypt fill:#9f9

The traefik container requests ("reads") certificates from Letsencrypt and then stores ("writes") certificates in a JSON file inside the traefik-acme volume.

Postfix can't read or use this format, so we need cert-exporter to read the certificates from the traefik-acme volume and write the same certificates (in crt/key/pem format, readable by the postfix container) to the certs volume.

The traefik-acme volume is shared between the traefik container (read/write) and the cert-exporter container (read/watch). The certs volume is shared between cert-exporter (write) and the postfix container (read).

Every time cert-exporter updates the certificates, it restarts the postfix container, because Postfix reads certificates only once at startup. After renewal, it needs to be restarted to pick up and use the new ones.
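As an added example (not the project's own cert-exporter code), the script below performs the export step described above: it parses the JSON that Traefik v2 writes into the acme volume, decodes the base64-encoded PEM bodies into crt/key/pem files, and reports which domains actually changed so that postfix is restarted only when a renewal happened. The resolver name "letsencrypt" and the per-domain output layout are assumptions, and the embedded acme.json is a constructed sample with placeholder PEM contents.

```python
import base64
import hashlib
import json
from pathlib import Path

# Constructed sample in the shape Traefik v2 writes to acme.json: the resolver name
# ("letsencrypt" here, an assumption) keys an object holding "Certificates", whose
# PEM bodies are stored base64-encoded. The PEM contents are placeholders, not real keys.
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_ACME_JSON = json.dumps({"letsencrypt": {"Account": {"Email": "admin@example.com"},
    "Certificates": [{"domain": {"main": "mail.example.com", "sans": []},
        "certificate": base64.b64encode(FAKE_CERT).decode(),
        "key": base64.b64encode(FAKE_KEY).decode(), "Store": "default"}]}})


def load_certificates(acme_json_text: str) -> list[dict]:
    """Return one record per certificate, across every resolver in the file."""
    certs = []
    for resolver, entry in json.loads(acme_json_text).items():
        for cert in entry.get("Certificates") or []:
            certs.append({"resolver": resolver, "domain": cert["domain"]["main"],
                          "cert_pem": base64.b64decode(cert["certificate"]),
                          "key_pem": base64.b64decode(cert["key"])})
    return certs


def _write_if_changed(path: Path, content: bytes, mode: int) -> bool:
    """Write content unless an identical file already exists; report whether it changed."""
    if path.exists() and hashlib.sha256(path.read_bytes()).digest() == hashlib.sha256(content).digest():
        return False
    path.write_bytes(content)
    path.chmod(mode)  # private keys stay 0600; the certificate may be world-readable
    return True


def export_certs(acme_json_text: str, certs_dir: Path) -> list[str]:
    """Export <domain>/cert.crt, key.key and combined.pem; return domains whose files changed.

    A non-empty list is the signal to restart postfix, which loads its TLS material
    only at startup. An empty list means acme.json was rewritten without a renewal, so no restart.
    """
    changed = []
    for c in load_certificates(acme_json_text):
        target = certs_dir / c["domain"]
        target.mkdir(parents=True, exist_ok=True)
        results = [
            _write_if_changed(target / "cert.crt", c["cert_pem"], 0o644),
            _write_if_changed(target / "key.key", c["key_pem"], 0o600),
            # key followed by certificate: the order Postfix's smtpd_tls_chain_files expects
            _write_if_changed(target / "combined.pem", c["key_pem"] + c["cert_pem"], 0o600),
        ]
        if any(results):
            changed.append(c["domain"])
    return changed
```

Comparing file contents before writing is what keeps the restart of postfix tied to real renewals, since Traefik may rewrite acme.json for reasons other than a new certificate.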
