<aside> ⚙

This guide details how to deploy Traefik using Docker compose (with Dockge) and Cloudflare as our DNS Challenge provider to generate Let’s Encrypt certificates for local infrastructure (not internet-accessible) and use basic authentication to protect the Traefik Dashboard. The configuration files presented can also be used with other deployment methods, such as Unraid.

</aside>

Revision: 20250210-0 (init: 20240831)

This post details installing the Traefik Proxy using docker compose (with Dockge). We perform a deployment using a traefik.yaml configuration file and dynamic independent configurations to provide proxying for docker containers and external services.

Preamble

Traefik is an open-source reverse proxy and load balancer designed for cloud-native applications. It is particularly suited for microservices and containerized environments like Docker and Kubernetes.

Traefik serves several key functions:

• Automatic Service Discovery for Docker services and routes traffic to them without requiring manual configuration (when enabled)
• Load Balancing for HTTP, TCP, and UDP traffic.
• It supports SSL/TLS termination and automatically generates certificates using ACME providers like Let's Encrypt.
• Dynamic Configuration: It continuously updates its configuration in real-time, eliminating the need for restarts or manual updates when services are added or removed.
• It includes various middleware options for tasks such as authentication or rate limiting.

From Traefik’s documentation: https://doc.traefik.io/traefik/getting-started/configuration-overview/

Traefik is based on the concept of EntryPoints, Routers, Middlewares and Services.

The main features include dynamic configuration, automatic service discovery, and support for multiple backends and protocols.

1. EntryPoints: EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP.
2. Routers: A router is in charge of connecting incoming requests to the services that can handle them.
3. Middlewares: Attached to the routers, middlewares can modify the requests or responses before they are sent to your service
4. Services: Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.

Acknowledgments

The configuration files for this guide were developed thanks to the many other great primers, in particular:

• Traefik’s official documentation
• Benjamin Rancourt’s “A Complete Traffic Configuration”
• Ibracorp’s Traefik Primer
• Christian Lempa’s HomeLab Github repo

How to use this guide

We will use a set of shared values that we invite you to update to match your setup:

• example.com is our domain (zone), and its DNS provider is Cloudflare.
• 192.168.222.11 is the static IP of the host running the Traefik service (among others).
• [email protected] is the email we will use to register with LE.

Requirement: Cloudflare DNS Challenge Token

<aside> 👉

Please review the Preamble and Prerequisites section of a previous blog post on Reverse Proxy for some of the concepts we will use here.

Reverse Proxy: Nginx Proxy Manager (Rev: 20240730-0)

</aside>

To use this guide, you must have a DNS hosted at Cloudflare.

Pre-requisite:

• An A record for *.example.com (wildcard) setup at Cloudflare pointing to the private IP on the host that will host Traefik: 192.168.22.11

  

  Type: A / Name: * / Content: 192.168.22.11

• A custom Cloudflare Token:

  • From the Cloudflare Dashboard, on the “Overview” section, look for “Get your API token” (on the left side), then “Create Token → Create Custom Token”

  

  Custom Token: Zone Read + Zone DNS Edit + only specific zone

  • Give it a name, for example, traefik (example.com)
  • For “Permissions”, select:
    • “Zone - Zone Settings - Read” and “Zone - Zone - Read” to allow the token to Read DNS Zones
    • “Zone - DNS - Edit” to enable the token to edit DNS records (required for the DNS-01 challenge)
  • For “Zone Resources”, select:
    • “Include - Specific Zone” select the example.com zone.
  • After the token is created, store it in a safe place; it will not be displayed again.

Docker compose setup

<aside> 👉

We will use Dockge to deploy Traefik. Please refer to a previous Dockge post for details on setting it up.

Dockge (Rev: 20250322-0)

</aside>

From the Dockge dashboard, “+Compose” a new traefik stack and “Save” it (do not deploy just yet).

We need to prepare a few files in the /opt/stacks/traefik directory (make sure you can write in the directory):

# Create the configuration base directory (config)
# and the dynamic configuration directory (conf)
mkdir -p config/conf
# Create an empty acme.json file to store our Certificates details
touch config/acme.json
# Change the file permission. An error will occur if this is not done
chmod 600 config/acme.json

<aside> 📁

Most of the files mentioned in the following sections are downloadable from https://github.com/mmartial/geekierblog-artifacts/tree/main/20240831-traefik

</aside>

<aside> ♻️

Although we are deploying this setup using Dockge, it is possible to use the following files with other deployment methods, such as Unraid’s Community Applications — in which case we would not use the provided compose.yaml file and use the Unraid template’s environment variables to pass some values.

</aside>

traefik.yaml

Download our traefik.yaml file and:

• adapt the [email protected] value,
• replace the example.com entries (3 of those), and
• select a resolver.

We added comments to the file to help you review its content and adapt some sections accordingly. Among the settings, the file sets:

• the global: section checks for updates and disables usage reporting
• the api: section enables the dashboard (we will specify its URL on the command line)
• the entrypoints: section sets the http and https ”entrypoints” which will be used by our “routers” configuration.
• the providers: section sets
• the certificatesResolvers: section is where the ACME exchange with Let’s Encrypt using Cloudflare for the DNS Challenge is performed.

Dynamic Configurations (config/conf destination)

<aside> 💡

</aside>

The following files are in the /opt/stacks/traefik/config/conf folder and can be downloaded from the same GitHub repo.

tls.yaml

Download the tls.yaml file. This file contains requirements for minimum supported ciphers and TLS versions to access the services.

middlewares-securityHeaders_light.yaml

The middlewares-securityHeaders_light.yaml file defines a limited number of restrictions. It is usable for HTTPS upgrading of private accessible networks only, as it will, among other things, allow iFrames embedding. It is the default entry used by the https entrypoints.

middlewares-securityHeaders.yaml

The middlewares-securityHeaders.yaml file defines a more restrictive middleware that can be used instead of the light option.

middlewares-gzip.yaml

The middlewares-gzip.yaml file specifies that connections should use the gzip compression.

middlewares-dashboardauth.yaml

In the middlewares-dashboardauth.yaml is a basicAuth configuration that we will use to protect the Traefik Dashboard. Modify the user and password values by using htpasswd (an example command line is in the comments).

middlewares-localonly.yaml

Download the middlewares-localonly.yaml file. It defines another “middleware” to limit access to localhost, the LAN subnet (here 192.168.22.1/24, adapt as needed), and commented is the Tailscale 100. range (CGNAT: 100.64.0.0/10). Add the tunnel's network pool to that list if you have another VPN setup to reach your subnet.

We note that we are not using this middleware in any entrypoint.

compose.yaml

Obtain the compose.yaml file and fill the Dockge entry with it. You will need to replace 2x entries with example.com with your domain's value (for the dashboard and the whoami service).

We need to create an environment variable for this stack (replace with the token you obtained earlier) CF_DNS_API_TOKEN=REPLACE_WITH_YOUR_SECRET_API_KEY

Depending on which guide you follow, you will see most entries we placed in configuration files within the command: section of the compose.yaml (ours is empty). In the labels: section we have added definitions for the Traefik dashboard configuration: its URL (the rule entry) and its middlewares (here the dashboardauth@file , i.e. dashboardauth middleware found in a file placed in the directory set in the file providers:.

The definition of the whoami stack explains how to have Traefik create a reverse proxy for the service, the traefik.enable=true label tells it to make a rule. The URL would use the container’s name by default, but this is overridden by the rule entry that sets the full URL. This also means the router:’s name is whoami: traefik.http.routers.whoami.rule. This name is again used to specify the entrypoint: traefik.http.routers.whoami.entrypoints=https.

Untitled

Untitled