Traefik Reverse-Proxy Setup with Let's Encrypt in Docker
I am using Traefik together with Let's Encrypt to have automatic reverse proxy setup with valid SSL certs for my Docker containers. Here is how I set it up
First, make sure that port 80 and 443 are not being used by any other containers on your Docker host. If they are, switch them to something else.
Next, create a directory for your Traefik config. I went with /media/traefik
sudo mkdir /media/traefik/
Then we need to create some files within
sudo touch /media/traefik/acme.json sudo chmod 600 /media/traefik/acme.json sudo touch /media/traefik/traefik.toml
Then, edit the traefik.toml file, I like to use nano
sudo nano /media/traefik/traefik.toml
Now we want to add the config for traefik. You can see mine below. Be sure to change your domain and contact email. The domain can literally be anything, even jut .local. its just the default domain to use. I have one of my domains in there, but I manually specify other domains just fine
debug = false logLevel = "ERROR" defaultEntryPoints = ["https","http"] [entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [retry] [api] [docker] endpoint = "unix:///var/run/docker.sock" domain = "whateveryourdomainis.com" watch = true exposedByDefault = false [acme] email = "[email protected]" storage = "acme.json" entryPoint = "https" onHostRule = true [acme.httpChallenge] entryPoint = "http"
Now we want to deploy the container
docker run -d -p 8080:8080 -p 80:80 -p 443:443 \ -v /media/traefik/acme.json:/etc/traefik/acme.json \ -v /media/traefik/traefik.toml:/etc/traefik/traefik.toml \ -v /var/run/docker.sock:/var/run/docker.sock \ traefik
Now you can go to http://<your-docker-ip>:8080/dashboard/
You should see the traefik Web-UI, but probably with no containers listed. Before we start adding containers, make sure port 80 and 443 are forwarded to your Docker host from your router/firewall, and that any domains you intend to use are pointed at your IP.
In the below example we want to setup PLEX, so I have an external DNS record with my provider (CloudFlare) which is plex.mydomain.com and its pointed to my external IP.
Once you have done that, you just need to add some labels to the container you want to proxy. Add the following options as an example
-l traefik.enable=true -l traefik.frontend.rule=Host:plex.domain.com,anotherifyouwant.domain.com -l traefik.port=32400 -l traefik.protocol=http
You can add multiple hostnames if you want, and be sure to enter the port the application is actually using, not what you have exposed with docker.
If your container is running SSH on port 22, and you have it exposed as port 9000, you would be entering port 22 in the traefik label. Obviously you can't use SSH with this, but its a good example.
If you use Portainer, you can add these after the fact very easily
If you load up the traefik Web-UI, you should see it listed. If not, try just restart the container to speed up the process of seeing it
Now when you go to plex.yourdomain.com, you should be greeted with PLEX with a valid SSL cert
Thats it! Let me know if this was easy enough to follow