Traefik an easy reverse Proxy

I was a long time user of Swag as reverse proxy, but since I discovered Traefik I started to use it more and more. And it became the core of my project YOC (Your Own Cloud).

GitHub - 2nistechworld/yoc: Your Own Cloud - automatic install script
Your Own Cloud - automatic install script. Contribute to 2nistechworld/yoc development by creating an account on GitHub.

For me the main advantage of Traefik, is all the configuration can be done directly on the docker-compose file and Traefik will automatically discover the services you want to reverse proxy.

Deploy Traefik

Traefik can be deployed with docker-compose, in this case, my domain is using cloudflare DNS, so I use the the Cloudflare API using my API Key to perform a DNS Challenge and get TLS Certificates with Let's Encrypt.

If you don't setup any DNS challenge, Traefik will create a self signed certificate.

---
version: "3"
services:
  traefik:
    container_name: traefik
    image: traefik:v2.10
    command:
      - --api.insecure=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entryPoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.myresolver.acme.email=YOUR_EMAIL_ADDRESS
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    environment:
      - CF_DNS_API_TOKEN=YOUR_CLOUDFLARE_API_KEY
    ports:
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /PATH/LOCAL/STORAGE/traefik/letsencrypt:/letsencrypt
    restart: always

Make sure to replace /PATH/LOCAL/STORAGE with your local data folder.

If you want to use Cloudflare (or other) to get TLS Certificate for your domain, make sure to replace:

  • YOUR_EMAIL_ADDRESS with a valid email address for Let's Encrypt
  • YOUR_DOMAIN_NAME with your own domain name
  • YOUR_CLOUDFLARE_API_KEY with your Cloudflare API Key..

If you want to use a self signed certificate with Traefik, you can leave YOUR_EMAIL_ADDRESS and YOUR_CLOUDFLARE_API_KEY empty so Traefik will generate automatically a self signed certificate, and set --certificatesresolvers.letsencrypt.acme.dnschallenge to false.

Running Traefik with Docker Compose


Now that we have our Docker Compose file ready, let's proceed with running Traefik:

Run the following command to start the Traefik service:

docker compose up -d

Once every container started you can access your Traefik instance with http://your_server_ip:8080

You will access the Traefik Dashboard

Adding Vaultwarden as a service.

Ok so now we have Traefik and up and running we need to be able to use it as reverse proxy.

In this example we are going to use Vaultwarden as a service we want to access using Traefik.

Let's start from our previous docker file and let's add the Vaultwarden container.

💡
In this example, I'm using a Self Signed certificate with Traefik, using a domain named my.domain
---
version: "3"
services:
  traefik:
    container_name: traefik
    image: traefik:v2.10
    command:
      - --api.insecure=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entryPoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.myresolver.acme.email=YOUR_EMAIL_ADDRESS
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    environment:
      - CF_DNS_API_TOKEN=YOUR_CLOUDFLARE_API_KEY
    ports:
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /PATH/LOCAL/STORAGE/traefik/letsencrypt:/letsencrypt
    restart: always

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      - SIGNUPS_ALLOWED=true
      - DOMAIN=https://vaultwarden.my.domain
    volumes:
      - /PATH/LOCAL/STORAGE/containers/vaultwarden:/data
    ports:
      - 80
    restart: always
    labels:
      - traefik.enable=true
      - traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.my.domain`)
      - traefik.http.routers.vaultwarden.entrypoints=websecure
      - traefik.http.routers.vaultwarden.tls.certresolver=myresolver

This is the basic Vaultwarden docker compose configuration, but to make it work with Traefik we added labels:

    labels:
      - traefik.enable=true
      - traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.my.domain`)
      - traefik.http.routers.vaultwarden.entrypoints=websecure
      - traefik.http.routers.vaultwarden.tls.certresolver=myresolver

Those labels allow us to tell Traefik we want Vaultwarden to be accessible from vaultwarden.my.domain, using the entrypoint websecure and using TLS.

Traefik will automatically see Vaultwarden is listening on the port 80 and create reverse proxy rules based on it. You dont' have to restart the Traefik container when adding services.

Now we restart everything with docker compose up -d.

After a few seconds, you can access https://vaultwarden.my.domain

💡
To resolve vaultwarden.my.domain, I added *.my.domain as a DNS Rewrite in my AdGuard Home server. You can also modify your hosts.conf file.

Conclusion

Traefik is really fast and easy to use, but compared to Swag some useful tools are missing, for example Swag natively support Authelia for Authentication / MFA and SSO and also natively support Fail2ban. Traefik don't.