Traefik Configuration
Traefik is the core reverse proxy and load balancer for the dehott.link homelab. It routes incoming HTTP and HTTPS traffic to the appropriate Docker containers based on the requested domain name.
Overview
Traefik operates as a Docker container, listening on ports 80 and 443. It automatically discovers other containers on the same Docker network and configures routing rules based on labels defined in their docker-compose.yml files.
Key Features
- Automatic Service Discovery: Traefik dynamically updates its routing configuration when containers start or stop.
- Let's Encrypt Integration: It automatically requests, provisions, and renews SSL/TLS certificates for all configured subdomains using the DNS-01 challenge via Cloudflare.
- Dashboard: A built-in web dashboard provides real-time visibility into active routers, services, and middleware.
Deployment Configuration
Traefik is deployed using a dedicated docker-compose.yml file, typically located at /home/tim/homelab/docker-compose/infrastructure/traefik.yml.
Example Configuration
    services:
      traefik:
        image: traefik:v3.0
        container_name: traefik
        restart: unless-stopped
        security_opt:
          - no-new-privileges:true
        networks:
          - homelab-personal
        ports:
          - "80:80"
          - "443:443"
        environment:
          # Cloudflare credentials for the DNS-01 challenge, substituted from the environment at deploy time
          - CF_API_EMAIL=${CF_API_EMAIL}
          - CF_API_KEY=${CF_API_KEY}
        volumes:
          - /etc/localtime:/etc/localtime:ro
          # Used for service discovery; the :ro flag protects the socket file only, not the Docker API behind it
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - /home/tim/homelab/data/traefik/traefik.yml:/traefik.yml:ro
          # Holds the issued certificates and their private keys; Traefik requires mode 600 on this file
          - /home/tim/homelab/data/traefik/acme.json:/acme.json
          - /home/tim/homelab/data/traefik/logs:/var/log/traefik
        labels:
          # Dashboard router: HTTPS only, placed behind the Authelia middleware
          - "traefik.enable=true"
          - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
          - "traefik.http.routers.traefik.service=api@internal"
          - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
          - "traefik.http.routers.traefik.entrypoints=websecure"
          - "traefik.http.routers.traefik.middlewares=authelia@docker"

    networks:
      homelab-personal:
        external: true
Static Configuration (traefik.yml)
The static configuration file (/home/tim/homelab/data/traefik/traefik.yml) defines global settings, entrypoints, and the certificate resolver.
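    api:
      dashboard: true
      # Enables extra debugging and profiling endpoints under /debug/; turn off when not troubleshooting
      debug: true

    entryPoints:
      web:
        address: ":80"
        http:
          # Redirect all plain HTTP requests to the HTTPS entrypoint
          redirections:
            entryPoint:
              to: websecure
              scheme: https
      websecure:
        address: ":443"

    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        # Containers are routed only when they carry traefik.enable=true
        exposedByDefault: false
        network: homelab-personal

    certificatesResolvers:
      letsencrypt:
        acme:
          email: your-email@example.com
          storage: acme.json
          dnsChallenge:
            provider: cloudflare
            resolvers:
              - "1.1.1.1:53"
              - "1.0.0.1:53"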
Adding a New Service
To expose a new Docker container through Traefik, add the following labels to its docker-compose.yml definition:
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=homelab-personal"
      - "traefik.http.routers.myservice.rule=Host(`myservice.${DOMAIN}`)"
      - "traefik.http.routers.myservice.entrypoints=websecure"
      - "traefik.http.routers.myservice.tls=true"
      - "traefik.http.routers.myservice.tls.certresolver=letsencrypt"
      - "traefik.http.services.myservice.loadbalancer.server.port=8080" # Replace with the container's internal port
Ensure the container is connected to the homelab-personal network (or whichever network Traefik is configured to monitor).
Troubleshooting
- Certificate Errors: If a site shows an invalid certificate, check the Traefik logs (docker logs traefik) for ACME challenge failures. Ensure the Cloudflare API credentials are correct and the DNS record exists.
- 502 Bad Gateway: This usually means Traefik cannot reach the backend container. Verify the container is running, connected to the correct Docker network, and the loadbalancer.server.port label matches the port the application is listening on internally.
- 404 Not Found: Traefik doesn't recognize the route. Check the Host rule in the container's labels and ensure the domain name matches the request.
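
A small linter for the label set described under Adding a New Service, covering the 404 and 502 causes listed under Troubleshooting. It is an added illustration, not part of the homelab's own tooling: the function name lint_labels, the sample labels and the note about a missing middlewares label are assumptions, while the expected network, entrypoint and resolver names are the ones used on this page.

```python
import re

# Constructed sample: the label list from "Adding a New Service" with a
# typo in the entrypoint name and the optional network label left out.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.myservice.rule=Host(`myservice.${DOMAIN}`)",
    "traefik.http.routers.myservice.entrypoints=web-secure",
    "traefik.http.routers.myservice.tls.certresolver=letsencrypt",
    "traefik.http.services.myservice.loadbalancer.server.port=8080",
]

def lint_labels(labels, network="homelab-personal", entrypoint="websecure",
                resolver="letsencrypt"):
    """Return a list of findings for one service's Traefik labels."""
    kv = dict(l.split("=", 1) for l in labels if "=" in l)
    findings = []
    if kv.get("traefik.enable") != "true":
        findings.append("traefik.enable is not 'true'; exposedByDefault=false hides the container")
    # If the label is absent, providers.docker.network from traefik.yml applies.
    if kv.get("traefik.docker.network", network) != network:
        findings.append(f"traefik.docker.network is not '{network}' (possible 502)")
    routers = {m.group(1) for k in kv
               if (m := re.match(r"traefik\.http\.routers\.([^.]+)\.", k))}
    if not routers:
        findings.append("no router labels found (404)")
    for r in sorted(routers):
        p = f"traefik.http.routers.{r}."
        if not re.search(r"Host\(`[^`]+`\)", kv.get(p + "rule", "")):
            findings.append(f"{r}: rule has no Host(`...`) matcher (404)")
        if entrypoint not in kv.get(p + "entrypoints", "").split(","):
            findings.append(f"{r}: entrypoints does not include '{entrypoint}'")
        if kv.get(p + "tls.certresolver") != resolver:
            findings.append(f"{r}: tls.certresolver is not '{resolver}'")
        # Assumption: a route without any middleware is worth a note.
        if p + "middlewares" not in kv:
            findings.append(f"{r}: no middlewares label; authelia@docker is not in front of this route")
    ports = [v for k, v in kv.items() if re.fullmatch(
        r"traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port", k)]
    if not ports or not all(v.isdigit() and 0 < int(v) < 65536 for v in ports):
        findings.append("loadbalancer.server.port missing or not a valid port (possible 502)")
    return findings

if __name__ == "__main__":
    for finding in lint_labels(SAMPLE_LABELS):
        print("WARN", finding)
```

The label list can be pasted from a service's docker-compose.yml; the checks are static and do not confirm that the application actually listens on the declared port.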