What is Traefik
Traefik is an open-source reverse proxy and load balancer that works well with Docker, automatically detecting services and securing connections with SSL. It adapts in real-time, making it ideal for dynamic homelab setups.
In this guide, we will set up Traefik in Docker, enable automatic Let’s Encrypt SSL via Cloudflare DNS challenge, and test it with a simple service.
Setup Traefik with Docker
Docker
Create the directory and docker-compose.yml:

    mkdir traefik
    nano traefik/docker-compose.yml

Add the following configuration to the file:

    services:
      traefik:
        image: traefik:3.6.7
        container_name: traefik
        restart: unless-stopped
        security_opt:
          - no-new-privileges:true
        environment:
          - TZ=Europe/Amsterdam
        env_file:
          - .env
        command:
          # Serves the API and dashboard without authentication on port 8080
          - "--api.insecure=true"
          - "--api=true"
          - "--api.dashboard=true"
          - "--ping=true"
          - "--providers.docker=true"
          # Containers are only routed when they set traefik.enable=true
          - "--providers.docker.exposedbydefault=false"
          - "--providers.docker.network=traefik"
          - "--entryPoints.web.address=:80"
          - "--entryPoints.websecure.address=:443"
          - "--entryPoints.websecure.http.tls=true"
          # Redirect all plain HTTP requests to HTTPS
          - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
          - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
          # Let's Encrypt via the Cloudflare DNS-01 challenge
          - "--certificatesresolvers.le.acme.dnschallenge=true"
          - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
          - "--certificatesresolvers.le.acme.email=${ACME_EMAIL}"
          - "--certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=60s"
          - "--certificatesresolvers.le.acme.storage=/certs/acme.json"
          - "--log.level=INFO"
        networks:
          - traefik
        ports:
          - 80:80
          - 443:443
          - 8080:8080
        volumes:
          # :ro only makes the socket file read-only; the Docker API behind it stays fully usable
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - traefik_data:/certs
        healthcheck:
          test: wget --quiet --tries=1 --spider http://127.0.0.1:8080/ping || exit 1
          interval: 5s
          timeout: 1s
          retries: 3
          start_period: 10s
    volumes:
      traefik_data:
        name: traefik_data
    networks:
      traefik:
        name: traefik

Cloudflare API
This guide uses Cloudflare as the DNS provider for the DNS-01 challenge. You can follow similar steps for other providers — see the lego docs for the full list.
Create an API token in your Cloudflare dashboard with DNS:Edit permissions. Store your credentials in a .env file in the same directory as your docker-compose.yml:

    nano traefik/.env

    CF_API_EMAIL=<your-cloudflare-email>
    CF_DNS_API_TOKEN=<your-api-token>
    DOMAIN=<your-domain>
    ACME_EMAIL=<your-email>

Start Traefik

    docker compose -f traefik/docker-compose.yml up -d

Access the dashboard at http://<server-ip>:8080.
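
With `--api.insecure=true` and port 8080 published, the dashboard and API answer without authentication to anyone who can reach the host. The fragment below is an added example, not part of the original guide, that routes the dashboard through the `websecure` entrypoint behind basic auth instead; the `traefik.${DOMAIN}` hostname, the `dashboard` router name, the `dashboard-auth` middleware name and the `<user>:<htpasswd-hash>` placeholder are assumptions.

```yaml
# Added example: the three keys of the traefik service that change.
# image, env_file, networks, volumes and healthcheck stay as in the guide.
services:
  traefik:
    command:
      # "--api.insecure=true" removed: nothing is served unauthenticated
      - "--api=true"
      - "--api.dashboard=true"
      - "--ping=true"
      # Internal-only entrypoint so the /ping healthcheck on 8080 still works
      - "--entryPoints.traefik.address=:8080"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--entryPoints.websecure.http.tls=true"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=60s"
      - "--certificatesresolvers.le.acme.storage=/certs/acme.json"
      - "--log.level=INFO"
    ports:
      - 80:80
      - 443:443
      # 8080 is no longer published to the host
    labels:
      - "traefik.enable=true"
      # Assumed hostname; it needs its own DNS record
      - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      # api@internal is Traefik's built-in API and dashboard service
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      # Placeholder: htpasswd-format entry, every "$" in the hash doubled for Compose
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=<user>:<htpasswd-hash>"
```

With this variant the dashboard is reached at https://traefik.<your-domain> rather than on port 8080.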
Add a Service
To verify Traefik is working correctly, deploy the whoami test service:

    mkdir whoami
    nano whoami/docker-compose.yml

    services:
      whoami:
        container_name: simple-service
        image: traefik/whoami
        labels:
          - "traefik.enable=true"
          # ${DOMAIN} is substituted by Compose from the shell environment
          # or from a .env file in this project's directory (whoami/)
          - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
          - "traefik.http.routers.whoami.entrypoints=websecure"
          - "traefik.http.routers.whoami.tls=true"
          - "traefik.http.routers.whoami.tls.certresolver=le"
          - "traefik.http.services.whoami.loadbalancer.server.port=80"
        networks:
          - traefik
    networks:
      traefik:
        name: traefik

DNS and Testing
- Point whoami.your-domain.com to your server’s IP address in your DNS settings
- Verify DNS propagation with nslookup or an online DNS checker
- Start the service:

      docker compose -f whoami/docker-compose.yml up -d

- Open https://whoami.your-domain.com — you should see the whoami response with a valid SSL certificate
- Once verified, remove the test service:

      docker compose -f whoami/docker-compose.yml down

