My boring Blog

Mauro Frigerio blog

Enable HTTP/3 in traefik v3

22-05-2024

The recent major release of Traefik, v3, brought new features and finalized some existing ones, such as certificates via Tailscale and HTTP/3. In this short guide, I present an example configuration for using HTTP/3 in Traefik. The change is not drastic, because the functionality already existed as an experimental feature in the old version.

Requirements

  • Linux machine with docker and compose (otherwise you wouldn’t be here)
  • a domain for which a valid TLS certificate (HTTPS) can be obtained
  • in the example I use the domain, DNS and certificates from traefik.me

Procedure

  1. create the files docker-compose.yml and tls.yml with the contents of the following chapters

  2. edit the docker-compose.yml file, specifically: set the folder path for traefik and replace the server IP address with your own (you can find it with the command ip a)

  3. create a cert folder to save the TLS certificates from traefik.me

  4. download the certificates with the following command (note that the -d option is not used):

sudo docker compose up helper

  5. create the traefik and whoami containers:

sudo docker compose up -d traefik

sudo docker compose up -d whoami

  6. test that it works

Docker compose (docker-compose.yml)

services:

  traefik:
    image: traefik:v3.0
    container_name: traefik
    command:
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.file.filename=/tls.yml"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http3"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
    ports:
      - 80:80
      - 443:443/tcp
      - 443:443/udp
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - PATH/TO/cert:/etc/ssl/traefik
      - PATH/TO/tls.yml:/tls.yml

  whoami:
    image: containous/whoami:latest
    container_name: whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`1-2-3-4.traefik.me`)"  # replace 1-2-3-4 with your server IP
      - "traefik.http.routers.whoami.tls.domains[0].main=*.traefik.me"
      - "traefik.http.routers.whoami.entrypoints=websecure"

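  # fetches the traefik.me certificate and private key; the key is publicly downloadable, so use this setup for testing only
  helper: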
    image: alpine
    command: sh -c "cd /etc/ssl/traefik
      && wget traefik.me/cert.pem -O cert.pem
      && wget traefik.me/privkey.pem -O privkey.pem"
    volumes:
      - PATH/TO/cert:/etc/ssl/traefik

Traefik file provider (tls.yml)

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/ssl/traefik/cert.pem
        keyFile: /etc/ssl/traefik/privkey.pem
  certificates:
    - certFile: /etc/ssl/traefik/cert.pem
      keyFile: /etc/ssl/traefik/privkey.pem

How to test

I recommend that you test the operation with Chrome or a derivative browser (I use Brave). On Firefox I have not yet been able to get HTTP3 to work.

Open the developer tools, or right-click and choose the Inspect option. Open the Network tab and reload the page. The table lists the downloaded files; the Protocol column shows whether your server delivers them over HTTP/2 (h2) or HTTP/3 (h3). If you opened the page before changing the Traefik configuration, it may be advisable to restart the browser.
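A command-line complement to the browser check, as an added example that is not part of the original post: a server with HTTP/3 enabled announces it to clients in the Alt-Svc response header of its HTTP/1.1 or HTTP/2 replies, so the header can be inspected without a browser. The function name h3_advertised and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# h3_advertised: reads raw HTTP response headers on stdin, prints the
# authority of every h3 entry found in Alt-Svc (e.g. ":443") and returns 0;
# returns 1 when the response does not advertise HTTP/3.
# Live use: curl -sI https://1-2-3-4.traefik.me | h3_advertised
h3_advertised() {
    tr -d '\r' | awk '
        {
            # Header names are case-insensitive; lines without ":" are skipped.
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name != "alt-svc") next
            value = substr($0, index($0, ":") + 1)
            # Alt-Svc is a comma-separated list: h3=":443"; ma=2592000, h2=":443"
            n = split(value, entries, ",")
            for (i = 1; i <= n; i++) {
                e = entries[i]
                gsub(/^[ \t]+/, "", e)
                if (match(e, /^h3(-[0-9]+)?="[^"]*"/)) {
                    auth = substr(e, RSTART, RLENGTH)
                    sub(/^[^=]*="/, "", auth)
                    sub(/"$/, "", auth)
                    print auth
                    found = 1
                }
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample responses (not captured from a real server)
SAMPLE_H3='HTTP/2 200
alt-svc: h3=":443"; ma=2592000
content-type: text/plain; charset=utf-8'

SAMPLE_NO_H3='HTTP/2 200
content-type: text/plain; charset=utf-8'

printf '%s\n' "$SAMPLE_H3" | h3_advertised
printf '%s\n' "$SAMPLE_NO_H3" | h3_advertised || echo "HTTP/3 not advertised"
```

If the header is present but the browser still shows h2, check that UDP port 443 is published and reachable, since the header only advertises HTTP/3 and does not prove the QUIC path works.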

Common issues

  • Invalid or expired certificate: verify in the Traefik dashboard that the TLS certificate for the router is active. If the certificate is the right one but has expired, check traefik.me for an updated one. If you cannot wait, use Tailscale or purchase your own domain.
  • The domain *.traefik.me does not work: traefik.me allows various notations, but for certificates, IP addresses must be written with hyphens (“-”) instead of periods. You can test that the domain is working properly by trying to access the Traefik dashboard at the address http://1-2-3-4.traefik.me:8080 (note http, not https, and replace 1-2-3-4 with the correct IP address).
  • I followed all the steps, but the certificate is always wrong: the .pem files must be saved with specific permissions. Use the helper container to download them with the correct permissions.