This repository provides a configuration for setting up Traefik as a reverse proxy for websites. It supports optionally a Cloudflare integration, and can optionally be coupled with a authentik server for user authentication.
Before you begin, ensure you have the following prerequisites:
- Docker installed and configured on your server.
- Docker Compose installed.
- A registered domain name for your websites.
- (Optional) A Cloudflare account with an API key and email address if you plan to use Cloudflare.
Copy this repository to your server. The default path is /docker/traefik
, if you use another path you need to change the absolute path in the .env
file.
git clone https://github.com/erkenes/docker-traefik.git /docker/traefik
Navigate to the repository directory:
cd /docker/traefik
Copy the .env
file.
cp .env.example .env
Create a new traefik user on the server to run the traefik container as a non-root user.
You can change the user id to any other value, but make sure that the user id is not already in use, and you change the TRAEFIK_UID
in the .env
file.
Change the ownership of the traefik directory to the new user and set the permissions of the acme.json file.
sudo useradd -u 2000 -M -s /usr/sbin/nologin traefik
chown -R 2000:2000 /docker/traefik
chmod 600 /docker-alpine/lib/traefik/acme/*.json
Change the domain for traefik in the .env
file.
TRAEFIK_DASHBOARD_HOST=traefik.YOUR_DOMAIN.com
Change the absolute path to the traefik configuration in the .env
file.
ROOT_PATH=/docker/traefik
Traefik does not access the docker socket directly, instead it uses a docker-proxy to access the docker socket. The proxy needs the correct docker group.
Get the GID if the docker group with the following command:
cat /etc/group | grep docker
and set the GID in the .env
file.
DOCKER_GID=999
Place all certificates into the folder that is defined in the .env
file.
docker compose up -d
docker compose --profile traefik up -d
To add a new certificate, add the path to the certs.yaml file
. Traefik loads them automatically.
tls:
certificates:
# domain1.de
- certfile: /etc/traefik/certs/domain1.de.crt
keyfile: /etc/traefik/certs/domain1.de.key
# domain2.de
- certfile: /etc/traefik/certs/domain2.de.crt
keyfile: /etc/traefik/certs/domain2.de.key
Install the RootCA from the directory certs
. The wildcard domain *.local.dev
and local.dev
are now valid.
Install mkcert
sudo apt-get update -y
sudo apt-get install wget libnss3-tools
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
sudo mv mkcert-v1.4.4-linux-amd64 /usr/bin/mkcert
sudo chmod +x /usr/bin/mkcert
mkcert -install
# Create a local tls certificate
# You could add any domain you need ending by .local.dev
# *.local.dev will create a wildcard certificate so any subdomain in the form like.local.dev will also work.
# Unfortunately you cannot create *.dev wildcard certificate your browser will not allow it.
mkcert -cert-file certs/local.crt -key-file certs/local.key "local.dev" "*.local.dev"
You have to follow the upper instructions first.
To use the Cloudflare integration, you need to add your Cloudflare API credentials to the secret files.
secrets/cf_api_key
for the api keysecrets/cf_email
for your email address
Make sure that there is no empty line at the end of the secret files!
Set your email address in the traefik.yml file.
certificatesResolvers:
dns-cloudflare:
acme:
# ToDo: Change this value with your email address
email: 'your@mail.com'
Change the cert resolver for the dashboard in the .env
file.
TRAEFIK_DASHBOARD_CERT_RESOLVER=dns-cloudflare
If you wish to use an authentication server for user authentication, refer to the documentation of this repository for setup instructions.
To use this Traefik reverse proxy, configure your web services to include the appropriate labels in their Docker Compose files. Consult the Traefik documentation for details on how to configure routing and SSL certificates.
version: '3.9'
services:
whoami:
image: traefik/whoami
networks:
- traefik
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.whoami-rtr.rule=Host(`whoami.$ROOT_DOMAIN_NAME`)"
- "traefik.http.routers.whoami-rtr.entrypoints=https"
- "traefik.http.routers.whoami-rtr.tls=true"
networks:
traefik:
external: true
If you encounter issues or need further assistance, please check the logs of the Traefik container for error messages. Additionally, refer to the documentation for Traefik for detailed configuration options and troubleshooting tips.
This project is licensed under the MIT License.
- Traefik: The reverse proxy and load balancer used to manage web traffic.
Contributions are welcome! If you have any improvements, bug fixes, or feature requests, please open an issue or submit a pull request.
Happy proxying!