Back to DocsTraefik is a modern reverse proxy designed for Docker. Unlike Nginx, it automatically detects launched containers and exposes them without modifying the configuration: just add labels to the container.
File structure
traefik/
├── docker-compose.yml
├── traefik.yml # static configuration
└── data/
├── acme.json # Let's Encrypt certificates (create empty)
└── traefik.log
mkdir -p traefik/data
touch traefik/data/acme.json
chmod 600 traefik/data/acme.json # REQUIRED
Static configuration (traefik.yml)
# traefik/traefik.yml
api:
dashboard: true
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
certificatesResolvers:
letsencrypt:
acme:
email: admin@yourdomain.com
storage: /data/acme.json
httpChallenge:
entryPoint: web
providers:
docker:
exposedByDefault: false # containers must explicitly opt-in
file:
filename: /traefik.yml
log:
filePath: /data/traefik.log
level: INFO
docker-compose.yml for Traefik
# traefik/docker-compose.yml
services:
traefik:
image: traefik:v3.0
container_name: traefik
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/traefik.yml:ro
- ./data:/data
networks:
- traefik_net
labels:
- "traefik.enable=true"
# Dashboard (protect with authentication in production)
- "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
networks:
traefik_net:
external: true
# Create the shared network
docker network create traefik_net
# Start Traefik
docker compose up -d
Expose an application with Traefik
Add labels to your app container: Traefik reads them automatically:
# app/docker-compose.yml
services:
myapp:
image: nginx:alpine
networks:
- traefik_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.myapp.rule=Host(`app.yourdomain.com`)"
- "traefik.http.routers.myapp.tls.certresolver=letsencrypt"
- "traefik.http.services.myapp.loadbalancer.server.port=80"
networks:
traefik_net:
external: true
SSL is automatically issued from Let's Encrypt on first access.
Practical examples
WordPress + MySQL
services:
wordpress:
image: wordpress:latest
environment:
WORDPRESS_DB_HOST: db
WORDPRESS_DB_NAME: wp
WORDPRESS_DB_USER: wpuser
WORDPRESS_DB_PASSWORD: password
networks:
- traefik_net
- internal
labels:
- "traefik.enable=true"
- "traefik.http.routers.wp.rule=Host(`blog.yourdomain.com`)"
- "traefik.http.routers.wp.tls.certresolver=letsencrypt"
- "traefik.http.services.wp.loadbalancer.server.port=80"
db:
image: mariadb:11
environment:
MARIADB_DATABASE: wp
MARIADB_USER: wpuser
MARIADB_PASSWORD: password
MARIADB_ROOT_PASSWORD: rootpassword
volumes:
- db_data:/var/lib/mysql
networks:
- internal
networks:
traefik_net:
external: true
internal:
volumes:
db_data:
Protection with HTTP basic authentication
# Generate password (htpasswd)
apt install apache2-utils -y
htpasswd -nb admin YourPassword
# Output: admin:$apr1$...
labels:
- "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$..."
- "traefik.http.routers.myapp.middlewares=auth"
In docker-compose.yml files, $ in htpasswd passwords must be doubled ($$) to prevent Docker from interpreting them as variables.
Certificate renewal
Traefik automatically renews Let's Encrypt certificates before expiration. No manual action needed.
To force renewal:
docker stop traefik
rm traefik/data/acme.json
touch traefik/data/acme.json && chmod 600 traefik/data/acme.json
docker start traefik
Related articles
DeluxHost, founded in 2023, offers high-quality hosting solutions for various digital needs. We provide shared hosting, VPS, and dedicated servers with advanced security and global data centers.
