2025-11-10 21:27:19 +00:00

Traefik Reverse Proxy Configuration

This directory contains the Traefik reverse proxy configuration for managing SSL certificates and routing traffic to services.

Services Managed

  • Mealie (recipes.pkartchner.com) - Recipe manager
  • Gogs (git.pkartchner.com) - Git repository server
  • Traefik Dashboard (traefik.pkartchner.com) - Traefik management UI

Features

  • Automatic HTTPS with Let's Encrypt SSL certificates
  • Automatic HTTP to HTTPS redirect
  • Docker service discovery
  • Security headers middleware
  • Traefik dashboard with basic auth

Files

  • docker-compose.yml - Traefik container configuration
  • traefik.yml - Main Traefik configuration
  • config.yml - Dynamic configuration for external services
  • acme.json - Let's Encrypt certificate storage (auto-generated)

Setup

1. DNS Configuration

Ensure these DNS records point to your server's public IP:

A    recipes.pkartchner.com    →  YOUR_PUBLIC_IP
A    git.pkartchner.com        →  YOUR_PUBLIC_IP
A    traefik.pkartchner.com    →  YOUR_PUBLIC_IP

2. Start Traefik

cd /srv/docker-compose/traefik
docker compose up -d

3. Check Logs

docker logs traefik -f

Dashboard Access

Access the Traefik dashboard at: https://traefik.pkartchner.com

Default credentials:

  • Username: admin
  • Password: change-this-password

Change the password:

# Generate new password hash
echo $(htpasswd -nb admin yournewpassword) | sed -e s/\\$/\\$\\$/g

# Update the label in docker-compose.yml:
# traefik.http.middlewares.traefik-auth.basicauth.users=admin:$HASH

SSL Certificates

Traefik automatically obtains and renews SSL certificates from Let's Encrypt.

  • Certificates are stored in acme.json
  • Auto-renewal happens 30 days before expiration
  • Email notifications sent to: pkartch@gmail.com

Staging vs Production

The configuration uses Let's Encrypt production by default.

To use the Let's Encrypt staging environment instead (for testing, so that repeated runs do not hit the production rate limits), uncomment this line in traefik.yml:

caServer: https://acme-staging-v02.api.letsencrypt.org/directory

Port Configuration

  • 80 - HTTP (redirects to HTTPS)
  • 443 - HTTPS (main entry point)
  • 8080 - Traefik dashboard

Adding New Services

Docker Services

Add labels to your service's docker-compose.yml:

services:
  myservice:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myservice.rule=Host(`myservice.pkartchner.com`)"
      - "traefik.http.routers.myservice.entrypoints=https"
      - "traefik.http.routers.myservice.tls.certresolver=letsencrypt"
      - "traefik.http.services.myservice.loadbalancer.server.port=PORT"
    networks:
      - traefik

External Services

Add to config.yml:

http:
  routers:
    myservice:
      rule: "Host(`myservice.pkartchner.com`)"
      entryPoints:
        - https
      service: myservice
      tls:
        certResolver: letsencrypt

  services:
    myservice:
      loadBalancer:
        servers:
          - url: "http://INTERNAL_IP:PORT"

Troubleshooting

Check Traefik logs

docker logs traefik --tail 100

Verify network

docker network ls | grep traefik

Test certificate

openssl s_client -connect recipes.pkartchner.com:443 -servername recipes.pkartchner.com

Reload configuration

docker compose restart traefik

Security Notes

  • Change the default dashboard password immediately
  • Keep acme.json permissions at 600
  • Regularly update Traefik image
  • Monitor access logs
  • Consider disabling the dashboard in production
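The checks from the Troubleshooting and Security Notes sections, collected into one script as an added example (this is not part of the repository): it verifies that acme.json is mode 600, that plain HTTP for a host answers with a redirect to HTTPS, and how many days remain on the certificate Traefik is serving. It assumes GNU coreutils (stat, date), curl and openssl are installed on the host; the hostnames are the ones listed above.

```bash
#!/usr/bin/env bash
# Added health-check helpers for the Traefik setup in this README (example code).
# Assumes GNU stat/date, curl and openssl are available.

# Return 0 if the file exists and is mode 600 (acme.json holds private keys).
check_acme_perms() {
  local file="${1:-acme.json}" mode
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  if [ "$mode" = "600" ]; then
    echo "ok: $file is mode 600"
    return 0
  fi
  echo "warn: $file is mode $mode, expected 600 (fix: chmod 600 $file)"
  return 1
}

# Return 0 if http://<host>/ answers with a redirect to https://<host>.
check_https_redirect() {
  local host="$1" location
  location=$(curl -sS --max-time 10 -o /dev/null -w '%{redirect_url}' "http://$host/")
  case "$location" in
    "https://$host"*) echo "ok: http://$host redirects to $location"; return 0 ;;
    *) echo "warn: http://$host did not redirect to HTTPS (got '$location')"; return 1 ;;
  esac
}

# Print days until the served certificate expires; return 1 if fewer than 30,
# i.e. inside the window in which Traefik should already have renewed it.
cert_days_left() {
  local host="$1" not_after expiry_epoch now_epoch days
  not_after=$(echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -enddate | cut -d= -f2)
  expiry_epoch=$(date -d "$not_after" +%s)
  now_epoch=$(date +%s)
  days=$(( (expiry_epoch - now_epoch) / 86400 ))
  echo "$host: certificate expires in $days days"
  [ "$days" -ge 30 ]
}

# Run every check against the hosts managed by this Traefik instance.
run_all_checks() {
  local rc=0 h
  check_acme_perms /srv/docker-compose/traefik/acme.json || rc=1
  for h in recipes.pkartchner.com git.pkartchner.com traefik.pkartchner.com; do
    check_https_redirect "$h" || rc=1
    cert_days_left "$h" || rc=1
  done
  return $rc
}
```

Source the file and call run_all_checks, or call the individual functions with a hostname or path; a non-zero exit status means at least one check failed.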

Maintenance

Update Traefik

docker compose pull
docker compose up -d

Backup certificates

cp acme.json acme.json.backup

View certificate info

Check the Traefik dashboard under "HTTP" → "Routers"
