Basic traefik setup. Easily enable HTTPS access to services running in separate Docker containers.
- Automatically creates SSL certificates using Let's Encrypt with the DNS challenge. Cloudflare is the default provider in this repo.
- Works well with Tailscale.
Preparing configs
cp .env.sample .env
cp traefik.sample.yml traefik.yml
vim .env
vim traefik.yml #Edit email address for Cloudflare account
Preparing Docker network
# We will use network called "traefik-nw" for traefik and other containers to communicate with each other
docker network create traefik-nw
- Create a Cloudflare API token from the dashboard.
  - The token should have permission to edit DNS.
  - Override the value for CLOUDFLARE_DNS_API_TOKEN in the .env file.
- Add an A record for your node.
  - e.g. server001.example.com A 100.0.0.1
  - You can even use a Tailscale IP address here. The contents will only be available when you are connected to Tailscale.
  - The Traefik dashboard will be available at this FQDN.
- Add CNAME record(s) for your target service(s).
  - e.g. your-service-1.example.com CNAME server001.example.com
Here is a sample docker-compose.yml configuration for the target container that you would like to connect through the reverse proxy. In this example, port 8080 of the container will be available at your-service-1.example.com.
services:
  <your_service>:
    ...
    expose:
      - 8080 # The target port should be exposed
    networks:
      - traefik-nw # The target container should be in the same network as traefik
    labels:
      traefik.enable: true
      traefik.docker.network: traefik-nw
      traefik.http.routers.foobar.rule: Host(`your-service-1.example.com`) # your_service:8080 will be available at your-service-1.example.com
      traefik.http.routers.foobar.service: foobar
      traefik.http.routers.foobar.entrypoints: websecure
      traefik.http.routers.foobar.tls.certresolver: cloudflare
      traefik.http.services.foobar.loadbalancer.server.port: 8080

networks:
  traefik-nw:
    external: true
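
The sample above only gives HTTPS-only access if every target service follows the same conventions. The following check is an added example, not part of this repo: it lints one Compose service (already parsed into a dict) against those conventions. The function name `lint_service` and the sample dicts are hypothetical, and it assumes the `traefik-nw` network and `websecure` entrypoint names used in the sample.

```python
import re

PROXY_NET = "traefik-nw"   # network name used in this README
ENTRYPOINT = "websecure"   # entrypoint name used in the sample labels

def lint_service(name, svc):
    """Return findings for one Compose service (a dict as parsed from YAML)."""
    labels = svc.get("labels") or {}
    if isinstance(labels, list):          # Compose also accepts ["key=value", ...]
        labels = dict(item.split("=", 1) for item in labels)
    labels = {k: str(v) for k, v in labels.items()}
    if not any(k.startswith("traefik.") for k in labels):
        return []                         # service is not routed through traefik
    out = []
    if PROXY_NET not in (svc.get("networks") or []):
        out.append(f"{name}: not attached to network {PROXY_NET}")
    if svc.get("ports"):
        out.append(f"{name}: 'ports' publishes the container on the host, reachable without the proxy")
    exposed = {str(p).split("/")[0] for p in svc.get("expose") or []}
    for key, val in labels.items():
        m = re.fullmatch(r"traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.port", key)
        if m and val not in exposed:
            out.append(f"{name}: service '{m.group(1)}' targets port {val}, not listed under expose")
    routers = sorted({m.group(1) for k in labels
                      if (m := re.match(r"traefik\.http\.routers\.([^.]+)\.", k))})
    for r in routers:
        prefix = f"traefik.http.routers.{r}."
        if labels.get(prefix + "entrypoints") != ENTRYPOINT:
            out.append(f"{name}: router '{r}' is not bound to entrypoint {ENTRYPOINT}")
        if not labels.get(prefix + "tls.certresolver"):
            out.append(f"{name}: router '{r}' has no tls.certresolver")
    return out

# Constructed sample input: GOOD mirrors the README's labels, BAD is deliberately misconfigured.
GOOD = {"expose": [8080], "networks": ["traefik-nw"], "labels": {
    "traefik.enable": True, "traefik.docker.network": "traefik-nw",
    "traefik.http.routers.foobar.rule": "Host(`your-service-1.example.com`)",
    "traefik.http.routers.foobar.service": "foobar",
    "traefik.http.routers.foobar.entrypoints": "websecure",
    "traefik.http.routers.foobar.tls.certresolver": "cloudflare",
    "traefik.http.services.foobar.loadbalancer.server.port": 8080}}
BAD = {"ports": ["8080:8080"], "networks": ["default"], "labels": [
    "traefik.enable=true", "traefik.http.routers.foobar.rule=Host(`your-service-1.example.com`)",
    "traefik.http.routers.foobar.entrypoints=web",
    "traefik.http.services.foobar.loadbalancer.server.port=8081"]}

if __name__ == "__main__":
    for n, s in (("good", GOOD), ("bad", BAD)):
        print(n, lint_service(n, s) or "ok")
```

To run it against a real file, load the file with a YAML parser and pass each entry under `services` to `lint_service`.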