Setup Traefik
No Longer Active
Overview
Traefik is a leading modern reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components and configures itself automatically and dynamically.
Traefik is designed to be as simple as possible to operate, but capable of handling large, highly-complex deployments across a wide range of environments and protocols in public, private, and hybrid clouds. It also comes with a powerful set of middlewares that enhance its capabilities to include load balancing, API gateway, orchestrator ingress, as well as east-west service communication and more.
Run Traefik and let it do the work for you!
Important Traefik Files
rules\chains.yml File
chains.yml
---
# Middleware chains for the file provider. A router references a chain by name
# (e.g. `chain-no-auth` in hosts.yml, or `chain-authelia@file` via the
# MIDDLEWARES variable used in the compose labels). Middlewares run in the
# order listed.
http:
  middlewares:
    # Protected chain: rate limit -> HTTPS redirect -> security headers ->
    # Authelia forward-auth -> compression.
    chain-authelia:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-https-redirectscheme
          - middlewares-secure-headers
          - middlewares-authelia
          - middlewares-compress
    # Same chain without the Authelia step: anything routed through it is
    # reachable without authentication, so use it only for services that
    # carry their own login.
    chain-no-auth:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-https-redirectscheme
          - middlewares-secure-headers
          - middlewares-compress
rules\hosts.yml File
hosts.yml
---
# File-provider router/service pair for a backend Traefik cannot discover from
# container labels (here a Synology host). The Host() rule and the backend URL
# are left empty in this template and must be filled in before use.
http:
  routers:
    synology:
      entryPoints:
        - https
      # Replace with the FQDN this router answers for, e.g. Host(`nas.example.com`)
      # (constructed example).
      rule: Host(``)
      # chain-no-auth has no Authelia step: the backend is exposed without
      # forward-auth and must handle its own login.
      middlewares:
        - chain-no-auth
      # Enable TLS with the default tls option; the certificate is taken from
      # the TLS store by SNI.
      tls: {}
      service: service_name
  services:
    service_name:
      loadBalancer:
        servers:
          # Backend origin, e.g. https://<nas-ip>:5001 (constructed example).
          - url: ""
        # Forward the original Host header to the backend.
        passHostHeader: true
rules\middlewares.yml File
middlewares.yml
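---
# Middleware definitions for the file provider. Each is referenced by name
# (with the `@file` suffix when referenced from container labels) from
# chains.yml or from router labels.
http:
  middlewares:
    # Token-bucket rate limit keyed on the default source criterion (client IP):
    # sustained 1000 req/s, at most 500 admitted at once.
    middlewares-rate-limit:
      rateLimit:
        average: 1000
        burst: 500

    # Permanent redirect of plain-HTTP requests to HTTPS. This is the supported
    # way to force TLS; the headers middleware's `sslRedirect` option is
    # deprecated in Traefik v2 and removed in v3, so it is no longer set in
    # middlewares-secure-headers below.
    middlewares-https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

    # Delegate authentication to Authelia. trustForwardHeader is acceptable
    # here because Traefik itself sets the X-Forwarded-* headers on the
    # auth sub-request. The listed headers are copied from Authelia's response
    # onto the proxied request so backends can identify the user.
    middlewares-authelia:
      forwardAuth:
        address: 'http://authelia:9091/api/authz/forward-auth'
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"
          - "X-Api-Key"

    # Security headers added to every response that passes through a chain.
    middlewares-secure-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        # HSTS: two years, subdomains included, preload-eligible, sent even
        # when Traefik thinks the request was not HTTPS.
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        # X-Frame-Options. The previous value "allow-from https://" (no host)
        # is an ALLOW-FROM directive, which current browsers do not support and
        # therefore ignore, leaving clickjacking protection off. SAMEORIGIN is
        # honoured everywhere; to allow embedding from another origin set
        # contentSecurityPolicy: "frame-ancestors <origin>" instead.
        customFrameOptionsValue: "SAMEORIGIN"
        contentTypeNosniff: true
        # X-XSS-Protection: 1; mode=block — ignored by modern browsers, kept for
        # legacy ones.
        browserXssFilter: true
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        customResponseHeaders:
          # "none" already implies noindex,nofollow; trailing comma dropped.
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          # Request-side header echoed on the response; harmless but unused by clients.
          X-Forwarded-Proto: "https"
          # An empty value removes the header, so no Server header reaches clients.
          server: ""

    middlewares-compress:
      compress: {}

    # Body buffering with a bounded request size (10 MiB) and a retry of
    # network errors for up to 2 attempts.
    middlewares-buffering:
      buffering:
        maxResponseBodyBytes: 2000000
        maxRequestBodyBytes: 10485760
        memRequestBodyBytes: 2097152
        memResponseBodyBytes: 2097152
        retryExpression: "IsNetworkError() && Attempts() <= 2"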
rules\tls.yml File
tls.yml
tls:
  options:
    # Opt-in option for clients that still need TLS 1.2; a router selects it
    # with tls.options: TLSv12. Only ECDHE/AEAD suites are allowed. Note the
    # ECDHE_RSA suites need an RSA certificate — with an ECDSA certificate no
    # TLS 1.2 suite would be available.
    TLSv12:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      # Reject handshakes whose SNI is missing or matches no configured certificate.
      sniStrict: true
    # Applied to every router that does not pick an option explicitly: TLS 1.3 only.
    default:
      minVersion: VersionTLS13
      # NOTE(review): Go's crypto/tls does not let TLS 1.3 cipher suites be
      # configured; Traefik accepts these names but the list has no effect.
      cipherSuites:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      sniStrict: true
Important Docker Files
.env file
.env
# Variables substituted into docker-compose.yml as ${VAR}; the empty ones must be filled in.
# NOTE(review): EMAIL is not referenced by docker-compose.yml itself (the Cloudflare
# credentials are read from the files /secrets/EMAIL and /secrets/APIKEY) — presumably
# used by traefik.yml for the ACME account; verify there.
EMAIL=
# Apex domain: the dashboard router answers on ${SUB}.${DOMAIN} and the requested
# certificate covers ${DOMAIN} plus *.${DOMAIN}.
DOMAIN=
SUB=hades
# Name of the ACME certificate resolver the dashboard router uses (presumably
# defined in traefik.yml, which is not shown here).
CERTRESOLV=cloudflare
# Built-in API/dashboard service the traefik router points at.
API=api@internal
# Host directory holding ${NAME}/config (traefik.yml, ACME data) and ${NAME}/secrets.
APPDATA=
# Container name; also used as the APPDATA subdirectory and the socket-proxy name prefix.
NAME=traefik
# Middleware chain applied to the dashboard router; @file = defined in rules\chains.yml.
MIDDLEWARES=chain-authelia@file
# Host path of the Docker socket bind-mounted into socket-proxy.
SOCK=/var/run/docker.sock
docker-compose.yml file
docker-compose.yml
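---
services:
  traefik:
    # NOTE(review): an untagged image floats to the latest major release, and
    # the watchtower label below pulls it automatically. Pin a tag
    # (traefik:<major.minor>) so an upgrade cannot silently change config semantics.
    image: traefik
    container_name: ${NAME}
    restart: always
    security_opt:
      - "no-new-privileges:true"
    # Only HTTPS is published; there is no port 80 listener.
    ports:
      - "443:443"
    # Cloudflare DNS-challenge credentials are read from files under /secrets,
    # never passed inline.
    environment:
      CF_API_EMAIL_FILE: /secrets/EMAIL
      CF_DNS_API_TOKEN_FILE: /secrets/APIKEY
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Static config and secrets are only read by Traefik, so mount them read-only.
      - ${APPDATA}/${NAME}/config/traefik.yml:/traefik.yml:ro
      # /data stays writable: the ACME resolver stores certificates here.
      - ${APPDATA}/${NAME}/config:/data
      - ${APPDATA}/${NAME}/secrets:/secrets:ro
    networks:
      - main
      - internal
    # Dashboard router: ${SUB}.${DOMAIN}, behind ${MIDDLEWARES}, wildcard cert
    # requested through ${CERTRESOLV}. Label values are quoted so YAML does not
    # retype them.
    labels:
      traefik.enable: "true"
      traefik.http.routers.traefik.entrypoints: "https"
      traefik.http.routers.traefik.rule: "Host(`${SUB}.${DOMAIN}`)"
      traefik.http.routers.traefik.tls: "true"
      traefik.http.routers.traefik.middlewares: "${MIDDLEWARES}"
      traefik.http.routers.traefik.tls.certresolver: "${CERTRESOLV}"
      traefik.http.routers.traefik.tls.domains[0].main: "${DOMAIN}"
      traefik.http.routers.traefik.tls.domains[0].sans: "*.${DOMAIN}"
      traefik.http.routers.traefik.service: "${API}"
      com.centurylinklabs.watchtower.enable: "true"

  # Filters Traefik's access to the Docker API so the socket itself is never
  # mounted into the Traefik container. Keep it on the internal network only.
  socket-proxy:
    container_name: ${NAME}-socket-proxy
    image: ghcr.io/tecnativa/docker-socket-proxy
    # NOTE(review): privileged grants this container every host capability,
    # which largely undoes the isolation the proxy is meant to provide. The
    # socket mount alone is usually sufficient — confirm whether this host
    # really needs it before keeping it.
    privileged: true
    restart: unless-stopped
    volumes:
      # Present the socket at the path the proxy expects regardless of SOCK,
      # and read-only (connecting to the socket still works).
      - ${SOCK}:/var/run/docker.sock:ro
    environment:
      # Allow only the /containers endpoint; all other API paths stay denied.
      CONTAINERS: "1"
    networks:
      - internal
    labels:
      traefik.enable: "false"
      com.centurylinklabs.watchtower.enable: "true"

networks:
  main:
    external: true
  internal:
    external: true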
Start the Container
Start the Container
# Create (or recreate) the stack from docker-compose.yml and leave it running
# in the background.
docker compose up --detach