Traefik, the popular load balancing and reverse proxy tool, has added support for Tailscale as a certificate resolver in Traefik Proxy 3.0 beta, the latest release of its forward proxy offering. Today, one of the engineers behind this integration has published a fun deep dive into how it works and how they’re using Tailscale to help with testing at Traefik.
This new feature means you can now access HTTPS-enabled services on your tailnet behind Traefik Proxy, without the headache of separately handling certificates or exposing an endpoint to resolve TLS challenges from Let’s Encrypt. Instead, Tailscale can manage your certificate life cycle and automatically renew your Let’s Encrypt certificate, and will do so under this setup as long as Traefik is running.
Since Tailscale v1.14, Tailscale has made it easy to provision and renew certificates with Let’s Encrypt by handling all of the DNS settings to make the whole process painless. Nevertheless, Tailscale users still had to jump through additional hoops if they wanted to access devices and services behind Traefik Proxy.
No longer! Now, once Traefik Proxy is configured to use Tailscale as its certificate resolver, it can make a quick request to the Tailscale API and provide that certificate to any routers it exposes. In the beta announcement of this feature, Traefik thanked its engineers Kevin and Mathieu for building a solution in their off-work hours — our thanks as well, Kevin and Mathieu.
To use this feature, first enable HTTPS in Tailscale. Then, when launching Traefik Proxy, add Tailscale as a certificate resolver in your Traefik config, either in a configuration file or as a command-line argument. We’ve got sample config files and more information in our documentation if you’re interested. And make sure to check out Traefik’s new deep dive post and its documentation of this feature for more information.
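A minimal sketch of the two configuration pieces described above, added here as an illustration and not taken from the Tailscale or Traefik sample files. The resolver name `myresolver`, the router and service names, the backend URL and the hostname `machine-name.example-tailnet.ts.net` are placeholders; it assumes HTTPS is already enabled for the tailnet and that Traefik runs on a machine in that tailnet and can reach the local Tailscale daemon.

```yaml
# --- Static configuration (e.g. traefik.yml) ---
entryPoints:
  websecure:
    address: ":443"

certificatesResolvers:
  myresolver:          # placeholder name, referenced by routers below
    tailscale: {}      # no ACME account or challenge settings needed here

providers:
  file:
    filename: /etc/traefik/dynamic.yml   # placeholder path

# Command-line equivalent of the resolver block above:
#   --certificatesresolvers.myresolver.tailscale=true

---
# --- Dynamic configuration (e.g. dynamic.yml) ---
http:
  routers:
    whoami:
      entryPoints:
        - websecure
      # The host must be this machine's own tailnet HTTPS name
      # (constructed placeholder shown).
      rule: "Host(`machine-name.example-tailnet.ts.net`)"
      service: whoami
      tls:
        certResolver: myresolver   # certificate comes from Tailscale

  services:
    whoami:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"   # placeholder backend
```

Because the router only requests a certificate through the resolver, no port needs to be opened to the public internet for Let’s Encrypt challenges; the service stays reachable only from inside the tailnet.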