System-wide Traefik Reverse Proxy

.env

EMAIL=
DOMAIN0=
DOMAIN1=
API_EMAIL=
API_TOKEN=

readme.md

System-wide Traefik Reverse Proxy

The idea here is to stand up the Traefik container separately to the rest of your docker-compose files so it can act as a system wide reverse proxy.

You need to create a proxy network before bringing up Traefik

docker network create proxy 

Edit the .env variables file then bring up the traefik instance with the normal docker compose up -d.

Then all you need to do is make sure other docker-compose files have the proxy network included and the labels for Traefik like in this example-docker-compose.yml file.

I usually keep these in different directories so they stay separated.

.
├── traefik
│   └── docker-compose.yml
└── example
    └── docker-compose.yml

example-docker-compose.yml

version: '3'

networks:
  proxy:
    external: true
  internal:
    external: false

services:
  nginx:
    image: nginx
    networks:
      - proxy
      - internal # optional
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.nginx.rule=Host(`nginx.domain.com`)'
      - 'traefik.http.services.nginx.loadbalancer.server.port=80'
      # No SSL
      - 'traefik.http.routers.nginx.entrypoints=web'
      # SSL enabled
      - 'traefik.http.routers.nginx.entrypoints=websecure'

traefik-docker-compose.yml

version: "3.3"

networks:
  proxy:
    external: true
    
services:
  traefik:
    image: "traefik:v2.5"
    container_name: traefik
    restart: always
    network_mode: proxy
    command:
      # - "--accesslog=true"
      - "--api.dashboard=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # - "--log.level=INFO"
      - "--ping"
      - "--ping.entryPoint=web"
      - "--providers.docker=true"
      - "--global.sendAnonymousUsage"
      - "--providers.docker.network=proxy"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--certificatesresolvers.sslresolver.acme.email=${EMAIL}"
      - "--certificatesresolvers.sslresolver.acme.storage=/letsencrypt/acme.json"
      # ? Prod http challenge
      - "--certificatesresolvers.sslresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.sslresolver.acme.httpchallenge.entrypoint=http"
      #? Cloudflare DNS Challenge
      # - "--certificatesresolvers.sslresolver.acme.dnschallenge=true"
      # - "--certificatesresolvers.sslresolver.acme.dnschallenge.provider=cloudflare"
      # - "--certificatesResolvers.sslresolver.acme.dnsChallenge.delayBeforeCheck=0"
      # - "--certificatesResolvers.sslresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      #? Wildcard domain certs
      # - "--entrypoints.websecure.http.tls.certResolver=sslresolver"
      # - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN0}"
      # - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN0}"
      # - "--entrypoints.websecure.http.tls.domains[1].main=${DOMAIN1}"
      # - "--entrypoints.websecure.http.tls.domains[1].sans=*.${DOMAIN1}"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/opt/traefik/letsencrypt:/letsencrypt"
    ports:
      - "80:80"
      - "443:443"
    environment:
      - "CLOUDFLARE_EMAIL=${API_EMAIL}"
      - "CLOUDFLARE_DNS_API_TOKEN=${API_TOKEN}"
    labels:
      #? Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`dash.${DOMAIN0}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=auth"
      # echo $(htpasswd -nb admin 'Password!') | sed -e s/\\$/\\$\\$/g
      - "traefik.http.middlewares.auth.basicauth.users=admin:INSERT_PASSWORD_HERE"
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-For=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"