Traefik
Setup Directory Structure
Start by creating a folder to store all Traefik configuration files:

```bash
mkdir traefik
cd traefik
mkdir dynamic
```

Configuration Files

1. Docker Compose Configuration

Create a compose.yml file with the following content:

```yaml
services:
  traefik:
    image: traefik:v3.6.14
    container_name: traefik
    restart: always
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./acme.json:/etc/traefik/certs/acme.json
      - ./dynamic:/etc/traefik/dynamic
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy-net
    labels:
      traefik.enable: true
      traefik.http.routers.proxy.entrypoints: web,websecure
      traefik.http.routers.proxy.tls: true
      traefik.http.routers.proxy.tls.certresolver: production
      traefik.http.routers.proxy.rule: Host(`proxy.example.com`)
      traefik.http.routers.proxy.service: api@internal
      traefik.http.routers.proxy.middlewares: proxy-auth@file, me@file

networks:
  proxy-net:
    name: proxy-network
    driver: bridge
```

2. Main Traefik Configuration

Create a traefik.yml file with the following content:

```yaml
################################################################
# Global configuration
################################################################
global:
  checkNewVersion: true
  sendAnonymousUsage: false

################################################################
# EntryPoints configuration
################################################################
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
  metrics:
    address: :8082

################################################################
# Traefik logs configuration
################################################################
log:
  level: INFO

################################################################
# Access Log
################################################################
accessLog: {}

################################################################
# Metrics
################################################################
metrics:
  prometheus:
    addEntryPointsLabels: true
    addServicesLabels: true
    addRoutersLabels: true
    entryPoint: metrics

################################################################
# Plugin
################################################################
experimental:
  plugins:
    umami-plugin:
      moduleName: github.com/astappiev/traefik-umami-feeder
      version: v1.4.1

################################################################
# API and dashboard configuration
################################################################
api:
  # Disable the API in insecure mode
  insecure: false

  # Enable the dashboard
  dashboard: true

################################################################
# Ping configuration
################################################################

# Note: insecureSkipVerify disables TLS certificate verification
# for connections from Traefik to backend servers.
serversTransport:
  insecureSkipVerify: true

################################################################
# Docker configuration backend
################################################################
providers:
  # Enable Docker configuration backend
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic/conf.yml

################################################################
# -- Configure your CertificateResolver here...
################################################################
certificatesResolvers:
  staging:
    acme:
      email: your-email@example.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      #-- (Optional) Remove this section, when using DNS Challenge
      httpChallenge:
        entryPoint: web
  production:
    acme:
      email: your-email@example.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #-- (Optional) Remove this section, when using DNS Challenge
      httpChallenge:
        entryPoint: web
```

Update the Umami Plugin Version: Check the latest plugin version and update accordingly:

```yaml
...
experimental:
  plugins:
    umami-plugin:
      moduleName: github.com/astappiev/traefik-umami-feeder
      version: v1.4.1
...
```

Update Your Email: Change the email address for ACME certificate generation to your email:

```yaml
...
certificatesResolvers:
  staging:
    acme:
      email: your-email@example.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      #-- (Optional) Remove this section, when using DNS Challenge
      httpChallenge:
        entryPoint: web
  production:
    acme:
      email: your-email@example.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #-- (Optional) Remove this section, when using DNS Challenge
      httpChallenge:
        entryPoint: web
```

3. Dynamic Configuration with Middlewares

Create the file dynamic/conf.yml with the following content:

```yaml
http:
  middlewares:
    my-umami:
      plugin:
        umami-plugin:
          umamiHost: "https://umami.example.com"
          umamiUsername: "username"
          umamiPassword: "password"
          createNewWebsites: true
          ignoreUserAgents: ["Uptime-Kuma"]

    proxy-auth:
      basicAuth:
        users:
          - "user:password"
    me:
      ipAllowList:
        sourceRange:
          - "1.2.3.4"
```

Understanding Middlewares

The conf.yml file defines several security middlewares that protect and monitor your Traefik instance:
my-umami Middleware
Integrates the Umami analytics plugin for traffic tracking:

```yaml
...
  middlewares:
    my-umami:
      plugin:
        umami-plugin:
          umamiHost: "https://umami.example.com"
          umamiUsername: "username"
          umamiPassword: "password"
          createNewWebsites: true
          ignoreUserAgents: ["Uptime-Kuma"]
...
```

What it does: Sends detailed metrics about every request passing through Traefik to your Umami analytics instance. Useful for monitoring traffic patterns and usage statistics.
proxy-auth Middleware
Protects your Traefik dashboard with HTTP Basic Authentication:

```yaml
...
    proxy-auth:
      basicAuth:
        users:
          - "user:password"
...
```

Traefik expects the password in hashed form. Generate an entry with one of the following:

- MD5 (deprecated, not recommended):

  ```bash
  # Prints only the hash; prepend "user:" yourself
  openssl passwd -apr1 password
  ```

- SHA1 (good):

  ```bash
  # -s selects SHA-1; the output has the form admin:{SHA}...
  htpasswd -nbs admin mypassword
  ```

- Bcrypt (most secure, recommended):

  ```bash
  htpasswd -nbB admin mypassword
  # Output: admin:$2y$05$abcdef...
  ```

Copy the hashed output and replace user:password in your configuration.
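
As an added example (not part of the original guide), the POSIX shell functions below classify `user:secret` entries by the hash prefixes the commands above produce and flag anything that is not bcrypt at a reasonable cost. The function names, the sample entries and the minimum bcrypt cost of 10 are assumptions made for this illustration.

```shell
# Added example: audit htpasswd-style "user:secret" entries before they go
# into dynamic/conf.yml. Function bodies use ( ) so variables stay local.

# Print bcrypt:<cost>, md5-apr1, md5-crypt, sha1, plaintext or invalid.
hash_scheme() (
  case $1 in *:*) ;; *) echo invalid; exit 0 ;; esac
  secret=${1#*:}
  case $secret in
    '$2a$'*|'$2b$'*|'$2y$'*)
      cost=${secret#\$2?\$}; cost=${cost%%\$*}   # "$2y$05$..." -> "05"
      case $cost in
        [0-9][0-9]) echo "bcrypt:${cost#0}" ;;
        *) echo plaintext ;;
      esac ;;
    '$apr1$'*) echo md5-apr1 ;;
    '$1$'*)    echo md5-crypt ;;
    '{SHA}'*)  echo sha1 ;;
    *)         echo plaintext ;;
  esac
)

# Read entries on stdin, print one finding per weak entry, fail if any.
# MIN_COST defaults to 10: an assumed policy value, not a Traefik setting.
audit_users() (
  rc=0
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    scheme=$(hash_scheme "$entry")
    case $scheme in
      bcrypt:*)
        [ "${scheme#bcrypt:}" -ge "${MIN_COST:-10}" ] && continue
        echo "${entry%%:*}: bcrypt cost ${scheme#bcrypt:} is below ${MIN_COST:-10}" ;;
      *) echo "${entry%%:*}: $scheme" ;;
    esac
    rc=1
  done
  [ "$rc" -eq 0 ]
)

# Constructed sample entries; the hash bodies are dummy strings.
sample_entries() {
  cat <<'EOF'
user:password
alice:$apr1$dummysal$constructedDummyBody
bob:{SHA}constructedDummyBody=
carol:$2y$05$constructedDummyHashBody
dave:$2y$12$constructedDummyHashBody
EOF
}
sample_entries | audit_users || true
```

The `$2y$05$` prefix in the bcrypt output shown above means cost 5, which is the `htpasswd` default; `htpasswd -nbB -C 12 admin mypassword` raises it.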
me Middleware
Restricts access by IP address to enhance security:

```yaml
...
      ipAllowList:
        sourceRange:
          - "1.2.3.4"
...
```

What it does: Only allows traffic from specified IP addresses. Perfect for restricting dashboard access to your local network or specific public IPs.
SSL Certificate Setup
The acme.json file stores your SSL certificates. Create it with the following command:

```bash
touch acme.json
echo "{}" > acme.json
chmod 600 acme.json
```

Verify Your Setup

Your final folder structure should look like this:

```
traefik/
├── dynamic/
│   └── conf.yml
├── acme.json
├── compose.yml
└── traefik.yml
```
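
A pre-flight check for this folder, as an added example that is not part of the original guide: it confirms the four files exist as regular files, that acme.json has the 600 permissions set above, and that the guide's placeholder credentials and email have been replaced. The function names and the constructed demo folder are assumptions made for this illustration.

```shell
# check_layout DIR: print one line per problem found in the Traefik folder
# and succeed only if there are none. ( ) body keeps the variables local.
check_layout() (
  dir=${1:-.}; rc=0
  for f in compose.yml traefik.yml dynamic/conf.yml acme.json; do
    if [ -d "$dir/$f" ]; then
      # Docker creates a directory when a bind-mount source file is missing
      echo "$f is a directory, expected a file"; rc=1
    elif [ ! -f "$dir/$f" ]; then
      echo "$f is missing"; rc=1
    fi
  done
  if [ -f "$dir/acme.json" ]; then
    perms=$(ls -ld "$dir/acme.json" | cut -c1-10)
    [ "$perms" = "-rw-------" ] ||
      { echo "acme.json is $perms, expected -rw------- (600)"; rc=1; }
  fi
  # Placeholder values from the guide that must be replaced before starting
  if grep -q 'user:password' "$dir/dynamic/conf.yml" 2>/dev/null; then
    echo "dynamic/conf.yml still has the user:password placeholder"; rc=1
  fi
  if grep -q 'your-email@example.com' "$dir/traefik.yml" 2>/dev/null; then
    echo "traefik.yml still has the placeholder ACME email"; rc=1
  fi
  [ "$rc" -eq 0 ]
)

# Constructed demo: a temporary folder with two deliberate mistakes.
demo_layout() (
  d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
  mkdir -p "$d/dynamic" "$d/acme.json"        # acme.json wrongly a directory
  : > "$d/compose.yml"
  echo 'email: your-email@example.com' > "$d/traefik.yml"
  echo 'users: ["admin:$2y$12$constructedDummyHashBody"]' > "$d/dynamic/conf.yml"
  check_layout "$d"
)

demo_layout || true
```

Run `check_layout .` from inside the traefik folder before starting the container.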
Start Traefik
Once all configuration files are in place and you’ve updated the necessary values, start Traefik:

```bash
docker compose up -d
```

Access your Traefik dashboard at: https://proxy.your-domain.com/dashboard/ (or your configured domain)

Use your Basic Auth credentials to log in.