Docker intermediate

Traefik Reverse Proxy with Docker Compose

Set up Traefik as a reverse proxy with automatic TLS certificates for your Docker services.

Summary: Configure Traefik as a Docker-aware reverse proxy that automatically obtains and renews TLS certificates from Let’s Encrypt.

Environment: Linux server with Docker and Docker Compose installed. Ports 80 and 443 available.

Requirements:

  • Docker Engine 24+
  • Docker Compose v2
  • A domain name pointed to your server
  • Ports 80 and 443 accessible from the internet

Steps

1. Create the Docker Network

docker network create proxy

2. Directory Structure

/opt/traefik/
├── docker-compose.yml
├── traefik.yml
├── config/
│   └── dynamic.yml
└── letsencrypt/

3. Traefik Static Configuration

Create /opt/traefik/traefik.yml:

api:
  dashboard: true
  insecure: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxy

certificatesResolvers:
  letsencrypt:
    acme:
      email: [email protected]
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

log:
  level: INFO

4. Docker Compose File

Create /opt/traefik/docker-compose.yml:

services:
  traefik:
    image: traefik:v3.3
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=admin:${HASHED_PASSWORD}"

networks:
  proxy:
    external: true

5. Generate Basic Auth Password

sudo apt install apache2-utils
echo $(htpasswd -nb admin YourSecurePassword) | sed -e s/\\$/\\$\\$/g

6. Deploy

cd /opt/traefik
docker compose up -d

Validation

  • Visit https://traefik.yourdomain.com — should show the dashboard
  • Check logs: docker compose logs traefik
  • Verify TLS certificate issuance: docker compose exec traefik ls /letsencrypt

Rollback

cd /opt/traefik
docker compose down

Notes

  • The traefik.http.middlewares.auth.basicauth.users label requires $$ escaping in the password hash due to YAML/Docker Compose variable expansion.
  • For internal-only services, use traefik.http.routers.service.rule=Host(...) without exposing ports.
  • Always pin image tags (like traefik:v3.3) for production deployments.