Traefik2 reverse proxy with automatic wildcard SSL from cloudflare
Create a DNS entry in your cloudflare: traefik.YOURDOMAIN.com Make sure it is not proxied at first (necessary for creating SSL certificate), you can enable proxy later after everything.
Create a docker network called "proxy" using the following command:
docker network create proxy
This is the network that traefik and all other containers that need to be automatically configured in traefik should use.
Make directories in your homefolder like so:
- ~/traefik
- compose.yml
- data
- acme.json # make sure to change permissions of this file with
chmod 600 acme.json - config.yml
- traefik.yml
- acme.json # make sure to change permissions of this file with
Use mkdir to make the folders and touch to create the json and yml files
Basically:
mkdir traefik
cd traefik
touch compose.yml
mkdir data
cd data
touch acme.json
chmod 600 acme.json
touch config.yml
touch traefik.yml
cd ..
The contents to put inside those files are given here. Except for acme.json, which will be automatically generated.
How to generate a hashed password to put in the compose.yml file
- First install apache2-utils
sudo apt update
sudo apt install apache2-utils
- Next generate your hashed password with the following command
echo $(htpasswd -nB USER) | sed -e s/\\$/\\$\\$/g
- Replace USER with your username
- Enter a password when it prompts
- Copy paste the generated hashed password into the compose.yml file
Run
Go to the directory with the compose.yml
Run it with docker compose up -d
If everything is done right, you will be able to access the traefik dashboard at traefik.YOURDOMAIN.com in a few moments.
How to expose my docker containers to the internet
First make sure you have created a DNS entry in your cloudflare for the service you want to expose
Then all you have to do is add these labels to the compose.yml of all your containers that you want to expose:
labels:
- "traefik.enable=true"
- "traefik.http.routers.CONTAINER_NAME.entrypoints=http"
- "traefik.http.routers.CONTAINER_NAME.rule=Host(`SUBDOMAIN.YOURDOMAIN.COM`)"
- traefik.http.routers.CONTAINER_NAME.middlewares=https-redirect@file # Remove this line if you do not want automatic http to https redirection
- "traefik.http.routers.CONTAINER_NAME.entrypoints=https"
- "traefik.http.routers.CONTAINER_NAME.rule=Host(`SUBDOMAIN.YOURDOMAIN.COM`)"
- "traefik.http.routers.CONTAINER_NAME.tls=true"
- "traefik.http.routers.CONTAINER_NAME.service=CONTAINER_NAME@docker"
- "traefik.http.services.CONTAINER_NAME.loadbalancer.server.port=PORT_OF_CONTAINER_WEBUI"
- "traefik.docker.network=proxy"
Replace CONTAINER_NAME with the name of the docker container
Replace SUBDOMAIN.YOURDOMAIN.COM with the URL you want your container webui to be exposed at.
Replace PORT_OF_CONTAINER_WEBUI with the port of the container's webui
Example compose.yml of Heimdall Dashboard exposed with Traefik
version: "3.9"
services:
heimdall:
image: lscr.io/linuxserver/heimdall:latest
container_name: heimdall
environment:
- PUID=1000
- PGID=1000
- TZ=Asia/Riyadh
volumes:
- ./config:/config
networks:
- proxy
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.heimdall.entrypoints=https"
- "traefik.http.routers.heimdall.rule=Host(`dashboard.crsmthw.com`)"
- "traefik.http.routers.heimdall.tls=true"
- "traefik.http.routers.heimdall.service=heimdall@docker"
- "traefik.http.services.heimdall.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
networks:
proxy:
external: true
How to expose anything else
By anything else I mean services on other computers or containers that cannot use the proxy network, like home-assistant for example which needs host network.
For this you need to make entries in the config.yml file. An example of home-assistant is already given in the config.yml file.
Credits
Huge thanks to Techno Tim. You can watch his video tutorial here