These steps assume a separate compose file for Traefik and the other compose services.
For the Traefik docker-compose.yaml file:
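---
# Docker compose for Traefik load balancer
#
# Terminates HTTP/HTTPS on the host, obtains certificates from Let's Encrypt
# via the TLS challenge, redirects all HTTP traffic to HTTPS and publishes the
# Traefik dashboard behind a basic-auth middleware. Nesting matters here: the
# indentation below is what makes `traefik` a service and `ports`, `command`,
# `labels`, `volumes` its properties.
version: '3.8'
services:
  ## Load balancer to send traffic to backends
  traefik:
    container_name: traefik
    # NOTE(review): `latest` is a floating tag, so a pull can silently move
    # this stack to a new major release. The `--experimental.http3` flag and
    # the `{host:.+}` HostRegexp syntax below look like Traefik v2-style
    # options; pin the image to the release (or digest) you have tested and
    # check that release's migration notes before upgrading.
    image: traefik:latest
    restart: unless-stopped
    networks:
      - ext
      - int
    ports:
      - "80:80"
      - "443:443"
      # UDP 443 is needed for HTTP/3 (QUIC); drop it if HTTP/3 is disabled.
      - "443:443/udp"
    command:
      ## Enable debug logs
      # - "--log.level=DEBUG"
      ## Enable API
      # The API/dashboard is only reachable through the `traefik` router
      # defined in the labels below (no insecure API port is published).
      - "--api"
      ## Enable docker provider
      - "--providers.docker=true"
      # Containers are not routed unless they opt in with `traefik.enable=true`.
      - "--providers.docker.exposedbydefault=false"
      ## Set inbound connections port for HTTP
      - "--entrypoints.web.address=:80"
      ## Set inbound connections port for HTTPS
      - "--entrypoints.websecure.address=:443"
      ## Trust Cloudflare forwarded headers
      # X-Forwarded-* headers are honoured only when the connection comes from
      # one of these source ranges. Keep the list in sync with the ranges
      # Cloudflare publishes, and remove the option entirely when the host is
      # not behind Cloudflare, otherwise client-IP based logging and access
      # rules rest on stale trust.
      - "--entrypoints.websecure.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2c0f:f248::/32,2a06:98c0::/29"
      ## Enable ACME certificates from LetsEncrypt
      - "--certificatesresolvers.le.acme.email=admin@domain.com"
      # acme.json holds the ACME account key and the certificates' private
      # keys; treat the `certificates` volume as secret material.
      - "--certificatesresolvers.le.acme.storage=/certificates/acme.json"
      - "--certificatesresolvers.le.acme.tlsChallenge=true"
      ## Enable HTTP3
      - "--experimental.http3=true"
      - "--entrypoints.websecure.http3=true"
    labels:
      - "traefik.enable=true"
      # Dashboard
      # The dashboard is published on the public HTTPS entrypoint and guarded
      # only by basic auth. Consider adding an IP allow-list middleware or
      # keeping it on an internal-only hostname.
      - "traefik.http.routers.traefik.rule=Host(`dashboard.domain.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certResolver=le"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.middlewares=authtraefik"
      # Placeholder credential: replace with your own `user:hash` pair. Every
      # `$` of the hash is doubled (`$$`) so compose does not treat it as a
      # variable reference. Prefer a bcrypt hash and keep the real value out
      # of version control.
      - "traefik.http.middlewares.authtraefik.basicauth.users=admin:$$123$$1234"
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=force-https"
      # middleware redirect
      - "traefik.http.middlewares.force-https.redirectscheme.scheme=https"
    volumes:
      # NOTE(review): `:ro` only makes the socket file read-only; it does not
      # restrict Docker API calls. A compromised Traefik process can still
      # drive the Docker daemon, which is equivalent to root on the host.
      # Putting a socket proxy that exposes only the read endpoints Traefik
      # needs in front of the daemon reduces that exposure.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      ## Preserve certificates in volume
      - "certificates:/certificates"

## Define the named volumes that are used for the above services
volumes:
  certificates: {}

networks:
  ext: {}
  # Presumably the network that backend services in the other compose files
  # join to be reachable by Traefik (verify the resulting network name).
  int:
    attachable: true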
These need to be changed:
- traefik.http.routers.traefik.rule: The dashboard hostname
- traefik.http.middlewares.authtraefik.basicauth.users: The username/password to access the dashboard (generated with htpasswd -nb; each `$` in the generated hash must be written as `$$` in the compose file, as in the example above)
- certificatesresolvers.le.acme.email: The Let's Encrypt user account email address

The entrypoints.websecure.forwardedHeaders.trustedIPs config is useful if using Cloudflare.