erkenes/docker-traefik

Traefik-Proxy - with additional Cloudflare support

This repository provides a configuration for setting up Traefik as a reverse proxy for websites. It optionally supports Cloudflare integration and can optionally be coupled with an authentik server for user authentication.

Prerequisites

Before you begin, ensure you have the following prerequisites:

  • Docker installed and configured on your server.
  • Docker Compose installed.
  • A registered domain name for your websites.
  • (Optional) A Cloudflare account with an API key and email address if you plan to use Cloudflare.

Getting Started

  1. Clone this repository to your server:

    git clone https://github.com/erkenes/docker-traefik.git
  2. Navigate to the repository directory:

    cd docker-traefik
  3. Create a .env file and configure your settings. You can use the provided .env.example as a template:

    cp .env.example .env
  4. Start Traefik

    docker compose -f docker-compose.yml up -d
  5. Your Traefik reverse proxy is now up and running, ready to route incoming traffic to your web services.

Optional Cloudflare Integration

Complete the Getting Started steps above first.

  1. Add your Cloudflare API credentials to the secret files:

    • secrets/cf_api_key for the api key
    • secrets/cf_email for your email address

    Make sure that there is no empty line at the end of the secret files!

  2. Set your email address in the traefik.yml file.

    certificatesResolvers:
      dns-cloudflare:
        acme:
          # ToDo: Change this value with your email address
          email: 'your@mail.com'
  3. Start Traefik

    docker compose -f docker-compose.cloudflare.yml up -d
  4. Your Traefik reverse proxy is now up and running, ready to route incoming traffic to your web services.
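
The secret files from step 1 can be written and checked with the shell functions below. This is an added example, not part of the repository: the CF_API_KEY variable in the usage comment is hypothetical, and the owner-only (0600) permission check is an assumption that the container user can still read such a file.

```shell
#!/bin/sh
# Added example (not from the repository): write and verify the Cloudflare
# secret files so they carry no trailing line break and are owner-only.
# Usage (CF_API_KEY is a hypothetical variable holding your key):
#   write_secret secrets/cf_api_key "$CF_API_KEY" && check_all secrets

# write_secret FILE VALUE: store VALUE exactly, without a trailing newline.
write_secret() {
    (
        umask 077                      # a new file is created as 0600
        printf '%s' "$2" > "$1"
    )
    chmod 600 "$1"                     # also tighten a pre-existing file
}

# check_secret FILE: return 0 if the file is usable, 1 otherwise.
check_secret() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    [ -s "$f" ] || { echo "$f: empty" >&2; return 1; }
    # Hex value of the last byte: 0a = LF, 0d = CR (e.g. a CRLF editor).
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    case $last in
        0a|0d) echo "$f: ends with a line break" >&2; return 1 ;;
    esac
    # Characters 5-10 of the mode string are the group/other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$f: accessible by group/others ($perms)" >&2
        return 1
    }
    return 0
}

# check_all DIR: verify both secret files named in step 1.
check_all() {
    rc=0
    for name in cf_api_key cf_email; do
        check_secret "$1/$name" || rc=1
    done
    return $rc
}
```
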

Optional Authentication Server

If you wish to use an authentication server for user authentication, refer to the documentation of this repository for setup instructions.

Usage

To use this Traefik reverse proxy, configure your web services to include the appropriate labels in their Docker Compose files. Consult the Traefik documentation for details on how to configure routing and SSL certificates.

version: '3.9'
services:
  whoami:
    image: traefik/whoami
    networks:
      - traefik-proxy
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.$ROOT_DOMAIN_NAME`)"
      - "traefik.http.routers.whoami-rtr.entrypoints=https"
      - "traefik.http.routers.whoami-rtr.tls=true"
networks:
  traefik-proxy:
    external: true

Troubleshooting

If you encounter issues or need further assistance, please check the logs of the Traefik container for error messages. Additionally, refer to the documentation for Traefik for detailed configuration options and troubleshooting tips.

License

This project is licensed under the MIT License.

Acknowledgments

  • Traefik: The reverse proxy and load balancer used to manage web traffic.

Contributing

Contributions are welcome! If you have any improvements, bug fixes, or feature requests, please open an issue or submit a pull request.


Happy proxying!


Use a custom local certificate

Install the RootCA from the directory certs. Certificates for local.dev and the wildcard domain *.local.dev are then valid.

Create your own RootCA

Install mkcert

sudo apt-get update -y
sudo apt-get install wget libnss3-tools

wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64

sudo mv mkcert-v1.4.4-linux-amd64 /usr/bin/mkcert
sudo chmod +x /usr/bin/mkcert

Setup local Root CA

mkcert -install

# Create a local TLS certificate
# You can add any domain you need that ends in .local.dev
# *.local.dev creates a wildcard certificate, so any subdomain of the form like.local.dev will also work.
# Unfortunately you cannot create a *.dev wildcard certificate; your browser will not allow it.
mkcert -cert-file certs/local.crt -key-file certs/local.key "local.dev" "*.local.dev"
