This is one of the best reverse-proxy solutions for self-hosting.
Very easy to run & maintain (once you pass the setup).
Traefik can detect docker services and use docker labels to automatically create routes.
However, I prefer to keep my docker-compose files clean and explicitly set routers & services myself, so this solution does exactly that.
Traefik can also be set-up to automatically provide Let's Encrypt certs for your services. However, there are some services that need cert files (AdGuard Home, Mailcow), and because I want to have a single wildcard certificate for my whole domain (and all subdomains) I prefer to generate it manually (i.e. scripts in cron) and just reference it whenever it's required - so this setup reflects that.
Traefik has 2 types of config:
- static - requires restart of the container
- dynamic - refreshes live.
Dynamic config can be provided as a folder, where all toml
files are parsed and configuration from them is applied to the running server.
You can create multiple files and split the dynamic config to your preference. I prefer to keep 1 main file (for tls/cert settings and global middlewares), and then add 1 config file per service (with route & service definition).
It's also good to keep a note with a table of service-port mapping (to quickly see which ports are used by which service).
image: traefik:v2.3
container_name: traefik
restart: unless-stopped
security_opt: ["no-new-privileges"]
- "80:80"
- "443:443"
- "3080:8080"
- /etc/localtime:/etc/localtime:ro
- /path/to/certs:/certs:ro
- ./config:/config:ro
- ./traefik.yml:/traefik.yml:ro
checkNewVersion: true
sendAnonymousUsage: false
dashboard: true
insecure: true
address: ":80"
address: ":443"
insecureSkipVerify: true
directory: /config
watch: true
certFile = "/certs-com/fullchain.cer"
keyFile = "/certs-com/"
stores = [ "default" ]
certFile = "/certs-org/fullchain.cer"
keyFile = "/certs-org/"
stores = [ "default" ]
certFile = "/certs-com/fullchain.cer"
keyFile = "/certs-com/"
scheme = "https"
permanent = true
referrerPolicy = "same-origin"
contentTypeNosniff = true
frameDeny = false
forceSTSHeader = true
stsIncludeSubdomains = true
stsPreload = true
stsSeconds = 15_552_000
url = "" # this is a fake url
rule = "HostRegexp(`{host:(www\\.)?.+}`)"
entryPoints = [ "http" ]
middlewares = [ "redirect-to-https" ]
service = "noop"
address = "http://<SERVER IP>:9091/api/verify?rd="
trustForwardHeader = true
url = "http://<SERVER IP>:9091"
rule ="Host(``)"
service = "authelia"
tls = { }
middlewares = [ "security-headers" ]
permanent = true
regex = "https://(.*)/.well-known/(card|cal)dav"
replacement = "https://${1}/remote.php/dav/"
url = "http://<SERVER IP:3000"
rule = "Host(``)"
service = "nextcloud"
tls = { }
middlewares = [ "security-headers", "nextcloud-redirectregex" ]
url = "http://<SERVER IP>:8989/"
rule = "Host(``)"
service = "sonarr"
tls = { }
middlewares = [ "security-headers", "authelia" ]
url = "http://<SERVER IP>:3080"
rule = "Host(``) && PathPrefix(`/dashboard`)"
service = "traefik"
tls = { }
middlewares = [ "security-headers", "authelia" ]
rule = "Host(``)"
service = "api@internal"
tls = { }
middlewares = [ "security-headers", "authelia" ]