Installing and working with Traefik

First, create the traefik-proxy network in bridge mode:

    docker network create -d bridge traefik-proxy

Remove the syslog logging section if you don't have a syslog server.

name: traefik
services:
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: unless-stopped
    logging:
      driver: syslog
      options:
        syslog-address: udp://<syslogserver>:514
        tag: traefik-mgmt
#    logging:
#     driver: "json-file"
#     options:
#        max-size: 10m
#        max-file: "5"
    command:
      - "--accesslog=true"
      #- "--accesslog.filepath=/var/log/traefik/access.log"
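      #- "--log.filePath=/var/log/traefik/traefik.log"
      #- "--log.level=DEBUG"
      - "--log.level=INFO"
      # Serves the API and dashboard without authentication on port 8080 inside
      # the container (the dashboard labels below route to that port)
      - "--api.insecure=true"
      # Let's Encrypt certificate via the Cloudflare DNS challenge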
      - "--certificatesresolvers.letsencrypt.acme.email=<email>"
      - "--certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=10"
      # Staging
      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      # Enable the Traefik dashboard
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Entrypoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Entrypoint redirect to HTTPS
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      # Dynamic configuration
      - "--providers.file.directory=/configuration"
      - "--providers.file.watch=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # :ro only protects the socket file itself; the Docker API behind it still accepts write calls
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - 'traefik-configurations:/configuration'
      - 'acme:/acme'
    environment:
      - "CLOUDFLARE_EMAIL=<CF-Email>"
      - "CLOUDFLARE_DNS_API_TOKEN=<CF-Token>"
      - TZ=Europe/Stockholm
    networks:
      - traefik-proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik-dashboard.domain.com`)"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].main=domain.com"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].sans=*.domain.com"
volumes:
  traefik-configurations:
  acme:
networks:
  traefik-proxy:
    external: true
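
The compose file above publishes the dashboard on `websecure` with no authentication in front of it. As an added example (not part of the original page), this fragment shows only the lines of the `traefik` service that change to put credentials and a source-address filter in front of the dashboard; the middleware names, the management range and the credential placeholder are assumptions.

```yaml
# Added example: fragment of the traefik service, only the changed keys.
services:
  traefik:
    command:
      # Drop "--api.insecure=true": the API is then reachable only through
      # a router that you define yourself (see the labels below).
      - "--api.dashboard=true"
      # ... all other flags stay as in the original file ...
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik-dashboard.domain.com`)"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].main=domain.com"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].sans=*.domain.com"
      # Route to Traefik's built-in API service instead of container port 8080.
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
      # Hypothetical middleware names: credentials first, then source filter.
      - "traefik.http.routers.traefik-dashboard.middlewares=dashboard-auth,dashboard-lan"
      # Placeholder: output of `htpasswd -nB <user>`; write every $ as $$ in compose.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=<user>:<bcrypt-hash>"
      # Assumed management range. ipallowlist is the Traefik v3 name
      # (older v2 releases call it ipwhitelist).
      - "traefik.http.middlewares.dashboard-lan.ipallowlist.sourcerange=10.10.10.0/24"
```

The `loadbalancer.server.port=8080` label is left out here because the router no longer targets the container port.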

Letsencrypt wildcard

To use a wildcard certificate, you first need to use the DNS challenge. Then you can simply add these labels to your deployment. Of course, replace the router name with the one you have.

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`dashboard.domain.com`)"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].main=domain.com"
      - "traefik.http.routers.traefik-dashboard.tls.domains[0].sans=*.domain.com"

If you use the file provider way, you can do it like this.

http:
  routers:
    dashboard:
      entrypoints:
        - "websecure"
        - "web"
      rule: "Host(`dashboard.domain.com`)"
      tls:
        certResolver: "letsencrypt"
        domains:
          - main: 'domain.com'
            sans:
              - '*.domain.com'
      service: dashboard
  services:
    dashboard:
      loadBalancer:
        servers:
          - url: "https://10.10.10.10:8080"

Using non-docker backends

If you have non-docker backends, or docker containers on hosts other than the Traefik one, you can use the file provider.

I would suggest you enter the shell from the traefik container since the permissions can be fucked up and traefik does not like that. As you can see in my configuration, I have my dynamic configurations folder mounted in /configuration

Traefik shell only has vi, so vi /configuration/dashboard.yml (for example)

http:
  routers:
    dashboard:
      entrypoints:
        - "websecure"
        - "web"
      rule: "Host(`dashboard.domain.com`)"
      tls:
        certResolver: "letsencrypt"
        domains:
          - main: 'domain.com'
            sans:
              - '*.domain.com'
      service: dashboard
  services:
    dashboard:
      loadBalancer:
        servers:
          - url: "http://10.10.10.10:8080"

So simply change the loadbalancer.servers.url to the IP + port of your non/other docker backend.

Using non docker backends with self signed certificate

Some backends use a self-signed certificate, for example Synology. If you did not disable the self-signed certificate check globally, you can do this in the file provider:

http:
  routers:
    synology:
      entrypoints:
        - "websecure"
        - "web"
      rule: "Host(`synology.domain.com`)"
      tls:
        certResolver: "letsencrypt"
        domains:
          - main: 'domain.com'
            sans:
              - '*.domain.com'
      service: synology
  services:
    synology:
      loadBalancer:
        servers:
          - url: "https://<ip-to-synology>:5001/"
        serversTransport: ignore-self-signed
  serversTransports:
    ignore-self-signed:
      insecureskipverify: true 

Notice the last rows: these lines disable certificate verification for this backend, which is what lets the self-signed certificate through.

        serversTransport: ignore-self-signed
  serversTransports:
    ignore-self-signed:
      insecureskipverify: true
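
An alternative to switching verification off, as an added example (not from the original page): a serversTransport that trusts only the backend's own certificate. The transport name, the certificate path under the mounted `/configuration` volume and the `serverName` value are assumptions; the router stays as in the Synology example above.

```yaml
# Added example: dynamic configuration for the file provider.
http:
  services:
    synology:
      loadBalancer:
        servers:
          - url: "https://<ip-to-synology>:5001/"
        # Hypothetical transport name, defined below.
        serversTransport: synology-pinned
  serversTransports:
    synology-pinned:
      # Trust only this certificate (or the CA that issued it) for the
      # backend. Assumed path: the PEM exported from the NAS and copied
      # into the /configuration volume.
      rootCAs:
        - /configuration/certs/synology.pem
      # Name used for SNI and for certificate verification when the URL is
      # an IP address. Assumed value: it must match a subject alternative
      # name in the backend certificate.
      serverName: "synology.local"
```

With this transport, a backend that presents any other certificate is rejected instead of being silently accepted.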

Labels

According to https://docs.linuxserver.io/FAQ/#strict-proxy this should also be achievable with

    - traefik.http.services.foo.loadbalancer.serverstransport=ignorecert
    - traefik.http.services.foo.loadbalancer.server.scheme=https
Last updated 10 months ago