Installing and working with Traefik

First, create the traefik-proxy network in bridge mode (the -d flag takes the driver name as its argument):

docker network create -d bridge traefik-proxy

Remove the syslog logging block if you don't have a syslog server; the commented-out json-file driver below it is the alternative.

name: traefik
services:
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: unless-stopped
    logging:
      driver: syslog
      options:
        syslog-address: udp://<syslogserver>:514
        tag: traefik-mgmt
#    logging:
#     driver: "json-file"
#     options:
#        max-size: 10m
#        max-file: "5"
    command:
      - "--accesslog=true"
      #- "--accesslog.filepath=/var/log/traefik/access.log"
      #- "--log.filePath=/var/log/traefik/traefik.log"
      #- "--log.level=DEBUG"
      - "--log.level=INFO"
      - "--api.insecure=true"
      # Let's Encrypt cert via Cloudflare DNS challenge
      - "--certificatesresolvers.letsencrypt.acme.email=<email>"
      - "--certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=10"
      # Staging
      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      # Enable the Traefik dashboard
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Entrypoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Entrypoint redirect to HTTPS
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      # Dynamic configuration
      - "--providers.file.directory=/configuration"
      - "--providers.file.watch=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - 'traefik-configurations:/configuration'
      - 'acme:/acme'
    environment:
      - "CLOUDFLARE_EMAIL=<CF-Email>"
      - "CLOUDFLARE_DNS_API_TOKEN=<CF-Token>"
      - TZ=Europe/Stockholm
    networks:
      - traefik-proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik-dashboard.domain.com`)"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].main=domain.com"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].sans=*.domain.com"
volumes:
  traefik-configurations:
  acme:
networks:
  traefik-proxy:
    external: true
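In the compose file above the dashboard router has no middleware in front of it, and "--api.insecure=true" makes the API on port 8080 answer without credentials, so anyone who can resolve traefik-dashboard.domain.com gets the full routing configuration. The following is an added example (not the original page's config) of the same router with HTTP basic auth, routed to Traefik's built-in api@internal service so that "--api.insecure=true" and the server.port=8080 label are no longer needed. <user> and <htpasswd-hash> are placeholders.

```yaml
# Added example, not part of the original compose file above.
# Keep "--api.dashboard=true" in the command list; "--api.insecure=true"
# and the traefik-dashboard service port label can be dropped.
services:
  traefik:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik-dashboard.domain.com`)"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
      # Route to Traefik's own API/dashboard service instead of port 8080
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
      # Nothing reaches the dashboard before the basic auth middleware accepts it
      - "traefik.http.routers.traefik-dashboard.middlewares=dashboard-auth"
      # htpasswd-style "user:hash" entry (placeholder values);
      # in a compose file every "$" inside the hash must be written as "$$"
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=<user>:<htpasswd-hash>"
```

A bcrypt entry for the users label can be produced with `htpasswd -nB <user>` (apache2-utils); double every `$` in the output before pasting it into the compose file, or Compose will treat it as variable substitution.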

Letsencrypt wildcard

To use a wildcard cert, you first need to use the DNS challenge. Then you can simply add these labels to your deployment; of course, replace the router name with the one you have.

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`dashboard.domain.com`)"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].main=domain.com"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].sans=*.domain.com"

If you use the file provider instead, the equivalent configuration looks like this.

http:
  routers:
    dashboard:
      entrypoints:
        - "websecure"
        - "web"
      rule: "Host(`dashboard.domain.com`)"
      tls:
        certResolver: "letsencrypt"
        # domains is a list; each entry has one main name and a list of SANs
        domains:
          - main: "domain.com"
            sans:
              - "*.domain.com"
      service: dashboard
  services:
    dashboard:
      loadBalancer:
        servers:
          - url: "https://10.10.10.10:8080"

Using non-docker backends

If you have non-docker backends, or docker containers on other hosts than the Traefik one, you can use the file provider.

I would suggest you open a shell inside the Traefik container to write these files, since the file permissions can otherwise end up wrong and Traefik will refuse to read the file. As you can see in my configuration, I have my dynamic configuration folder mounted at /configuration.

The Traefik shell only has vi, so for example: vi /configuration/dashboard.yml

http:
  routers:
    dashboard:
      entrypoints:
        - "websecure"
        - "web"
      rule: "Host(`dashboard.domain.com`)"
      tls:
        certResolver: "letsencrypt"
        # domains is a list; each entry has one main name and a list of SANs
        domains:
          - main: "domain.com"
            sans:
              - "*.domain.com"
      service: dashboard
  services:
    dashboard:
      loadBalancer:
        servers:
          - url: "http://10.10.10.10:8080"

So simply change loadBalancer.servers.url to the IP and port of your non-docker backend, or of the container on the other host.

Using non-docker backends with a self-signed certificate

Some backends use a self-signed certificate, Synology for example. If you did not disable the self-signed certificate check globally, you can do it for that backend only in the file provider:

http:
  routers:
    synology:
      entrypoints:
        - "websecure"
        - "web"
      rule: "Host(`synology.domain.com`)"
      tls:
        certResolver: "letsencrypt"
        domains:
          - main: "domain.com"
            sans:
              - "*.domain.com"
      service: synology
  services:
    synology:
      loadBalancer:
        servers:
          - url: "https://<ip-to-synology>:5001/"
        serversTransport: ignore-self-signed
  serversTransports:
    ignore-self-signed:
      insecureSkipVerify: true

Notice the last rows: these lines disable the self-signed certificate check for that backend.

        serversTransport: ignore-self-signed
  serversTransports:
    ignore-self-signed:
      insecureSkipVerify: true
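With insecureSkipVerify Traefik still encrypts the hop to the backend but accepts whatever certificate it is shown, so it cannot tell the real Synology from another host answering on that address. Added example (not from the original page): the page's transport with the check disabled, next to a transport that keeps the self-signed certificate and verifies it by trusting that one certificate as a root. The name synology-pinned, the serverName value and the certificate path are assumptions; the .crt is exported from the device and copied into the volume that is mounted at /configuration.

```yaml
# Added example, not the original page's configuration.
http:
  serversTransports:
    # Weak: any certificate is accepted, the backend is not authenticated
    ignore-self-signed:
      insecureSkipVerify: true
    # Better: trust only the backend's own self-signed certificate.
    # Go's TLS verifier accepts a chain whose leaf is itself in the root pool,
    # so the device certificate can be used directly as the root here.
    synology-pinned:
      serverName: "synology.local"            # assumed: must match a name on the device certificate
      rootCAs:
        - /configuration/certs/synology.crt   # assumed path inside the Traefik container
  services:
    synology:
      loadBalancer:
        servers:
          - url: "https://<ip-to-synology>:5001/"
        serversTransport: synology-pinned
```

The file provider only loads .yml, .yaml and .toml files from the watched directory, so a .crt placed under it is ignored as configuration and simply read when the transport is built. When the device certificate is renewed, the pinned copy has to be replaced, which is the cost of getting backend authentication back.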

Labels

According to https://docs.linuxserver.io/FAQ/#strict-proxy this should also be achievable with

    - traefik.http.services.foo.loadbalancer.serverstransport=ignorecert
    - traefik.http.services.foo.loadbalancer.server.scheme=https
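A serversTransport referenced from a label must exist in dynamic configuration, and Traefik resolves an unqualified name within the same provider, so when the transport is defined in the file provider (as ignore-self-signed is above) the label has to reference it as ignore-self-signed@file. The following is an added example, not from the original page or the linuxserver FAQ, that puts the wildcard labels from the "Letsencrypt wildcard" section and the two labels above together in a compose file for a backend container on the same host. The service name foo, the hostname foo.domain.com and <backend-image> are placeholders.

```yaml
# Added example: a backend container published through Traefik.
# No "ports:" section: the container is only reachable through Traefik
# on the shared traefik-proxy network, never directly from the host.
services:
  foo:
    image: "<backend-image>"            # placeholder
    container_name: "foo"
    restart: unless-stopped
    networks:
      - traefik-proxy                    # the external network Traefik is attached to
    labels:
      - "traefik.enable=true"            # required because exposedbydefault=false
      - "traefik.docker.network=traefik-proxy"   # which network Traefik should use to reach this container
      - "traefik.http.routers.foo.rule=Host(`foo.domain.com`)"
      - "traefik.http.routers.foo.entrypoints=websecure"
      - "traefik.http.routers.foo.tls=true"
      - "traefik.http.routers.foo.tls.certresolver=letsencrypt"
      - "traefik.http.routers.foo.tls.domains[0].main=domain.com"
      - "traefik.http.routers.foo.tls.domains[0].sans=*.domain.com"
      # The backend itself speaks HTTPS on 443 with a self-signed certificate
      - "traefik.http.services.foo.loadbalancer.server.port=443"
      - "traefik.http.services.foo.loadbalancer.server.scheme=https"
      # Transport defined in the file provider, hence the @file suffix
      - "traefik.http.services.foo.loadbalancer.serverstransport=ignore-self-signed@file"
networks:
  traefik-proxy:
    external: true
```

If the backend speaks plain HTTP, drop the scheme and serverstransport labels and set server.port to the container's HTTP port; the rest stays the same.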
