Traefik is a reverse proxy and load balancer that can be deployed in Docker. This guide will show you how to install Traefik and generate trusted TLS certificates automatically using Cloudflare and Let's Encrypt.
1. Install Docker
On Ubuntu:
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
# Install packages
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
On Alpine:
apk update && apk add docker docker-compose
2. Creating compose file:
Docker Compose is used to deploy containers while defining properties such as ports, volumes, and networks in YAML.
I would recommend putting all your compose files in /opt; however, you may put them wherever you want.
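# /opt/traefik/compose.yaml
---
services:
  traefik:
    image: library/traefik:v3.5.1
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    volumes:
      # Docker socket for the Docker provider. :ro protects the socket file only;
      # the Docker API behind it still accepts write calls.
      - /run/docker.sock:/run/docker.sock:ro
      # Static configuration and file-provider directory
      - ./config/:/etc/traefik/:ro
      # ACME certificate storage
      - ./certs/:/var/traefik/certs/:rw
    environment:
      # Read from .env; used for the Cloudflare DNS challenge
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    networks:
      - traefik
    restart: unless-stopped
networks:
  traefik:
    external: true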
3. Creating Docker network:
This network will be used by all the applications you wish to access through Traefik. This is useful because it means you don’t have to open a port on your machine for every application you deploy.
docker network create traefik
4. Configuring Traefik:
The following config file will:
- Disable new version checking
- Disable telemetry data submission
- Enable logs at the INFO level
- Define the HTTP (80) and HTTPS (443) entrypoints
- Enable HTTP -> HTTPS redirection
- Create a certificate resolver called letsencrypt-prod
- Disable internal SSL checks (Traefik will not verify the TLS certificates presented by backend services)
- Create providers for Docker and files
# /opt/traefik/config/traefik.yaml
---
global:
  checkNewVersion: false
  sendAnonymousUsage: false
log:
  level: INFO
entryPoints:
  web:
    address: :80
    http:
      # Redirect all HTTP requests to HTTPS
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
certificatesResolvers:
  letsencrypt-prod:
    acme:
      email: acme@yourdomain.here
      storage: /var/traefik/certs/cloudflare-acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
serversTransport:
  # Backend TLS certificates are not verified
  insecureSkipVerify: true
providers:
  docker:
    # Containers are only routed when they opt in
    exposedByDefault: false
    network: traefik
  file:
    directory: /etc/traefik
    watch: true
5. Get API token from Cloudflare
You will need an API token from Cloudflare with the DNS edit permission for the zone(s) you will be using in Traefik.
Once you have it, place it in your .env file:
CF_DNS_API_TOKEN=REPLACE_THIS
6. Start the container
Now we just have to start our container.
docker compose up -d
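A preflight check for the directory built in steps 2 to 5, added here as an example (it is not part of the original guide or of Traefik). It verifies that .env and the ACME storage file are not accessible by group or others, that the token placeholder was replaced, and it reports the insecureSkipVerify setting. The function names are hypothetical; the paths assume the /opt/traefik layout used above.

```shell
#!/bin/sh
# Added example: preflight audit of the deployment directory from this guide.
# Function names are hypothetical; paths follow the guide's /opt/traefik layout.

# Print a file's octal mode (GNU/BusyBox stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the file exists and group/other have no permission bits.
is_private() {
    [ -f "$1" ] || return 1
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        *00|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns the number of failed checks (0 means the directory passed).
traefik_preflight() {
    dir=$1
    findings=0
    # The Cloudflare token can edit DNS records, so .env must stay private.
    if ! is_private "$dir/.env"; then
        echo "FAIL: $dir/.env is missing or accessible by group/other (chmod 600)"
        findings=$((findings + 1))
    elif ! grep -Eq '^CF_DNS_API_TOKEN=.+' "$dir/.env" ||
         grep -q '^CF_DNS_API_TOKEN=REPLACE_THIS$' "$dir/.env"; then
        echo "FAIL: CF_DNS_API_TOKEN is unset or still the placeholder"
        findings=$((findings + 1))
    fi
    # The ACME storage file holds private keys once certificates are issued.
    acme="$dir/certs/cloudflare-acme.json"
    if [ -e "$acme" ] && ! is_private "$acme"; then
        echo "FAIL: $acme is accessible by group/other (chmod 600)"
        findings=$((findings + 1))
    fi
    # Report, without failing, that backend certificates are not verified.
    if grep -Eq '^[[:space:]]*insecureSkipVerify:[[:space:]]*true' \
        "$dir/config/traefik.yaml" 2>/dev/null; then
        echo "WARN: insecureSkipVerify is true; backend TLS certificates are not verified"
    fi
    return "$findings"
}

# Run directly as: sh preflight.sh /opt/traefik
if [ "$#" -gt 0 ]; then traefik_preflight "$1"; fi
```

The ACME storage file does not exist before the first start, so that check is skipped until a certificate has been requested.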