Paul R Kartchner bd1dc1abed Initial Traefik reverse proxy configuration
Configure Traefik v2.10 with:
- Automatic HTTPS using Let's Encrypt
- HTTP to HTTPS redirect
- Docker service discovery
- Security headers middleware
- Dashboard with basic auth

Configured services:
- Mealie (recipes.pkartchner.com)
- Gogs (git.pkartchner.com)
- Traefik Dashboard (traefik.pkartchner.com)

Features:
- Automatic SSL certificate management
- Force HTTPS on all services
- Security headers (HSTS, frame options, XSS protection)
- Docker network isolation

Next steps: Configure DNS records and port forwarding (see SETUP-INSTRUCTIONS.md)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-20 19:07:55 +00:00

Traefik Reverse Proxy Configuration

This directory contains the Traefik reverse proxy configuration for managing SSL certificates and routing traffic to services.

Services Managed

  • Mealie (recipes.pkartchner.com) - Recipe manager
  • Gogs (git.pkartchner.com) - Git repository server
  • Traefik Dashboard (traefik.pkartchner.com) - Traefik management UI

Features

  • Automatic HTTPS with Let's Encrypt SSL certificates
  • Automatic HTTP to HTTPS redirect
  • Docker service discovery
  • Security headers middleware
  • Traefik dashboard with basic auth

Files

  • docker-compose.yml - Traefik container configuration
  • traefik.yml - Main Traefik configuration
  • config.yml - Dynamic configuration for external services
  • acme.json - Let's Encrypt certificate storage (auto-generated)

Setup

1. DNS Configuration

Ensure these DNS records point to your server's public IP:

A    recipes.pkartchner.com    →  YOUR_PUBLIC_IP
A    git.pkartchner.com        →  YOUR_PUBLIC_IP
A    traefik.pkartchner.com    →  YOUR_PUBLIC_IP

2. Start Traefik

cd /srv/docker-compose/traefik
docker compose up -d

3. Check Logs

docker logs traefik -f

Dashboard Access

Access the Traefik dashboard at: https://traefik.pkartchner.com

Default credentials:

  • Username: admin
  • Password: change-this-password

Change the password:

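# Generate new password hash. The sed step doubles every $ because
# docker-compose.yml treats a single $ as variable interpolation.
# Note: -b takes the password as an argument, so it ends up in shell history;
# omit -b (htpasswd -n admin) to be prompted for it instead.
echo $(htpasswd -nb admin yournewpassword) | sed -e s/\\$/\\$\\$/g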

# Update the label in docker-compose.yml:
# traefik.http.middlewares.traefik-auth.basicauth.users=admin:$HASH

SSL Certificates

Traefik automatically obtains and renews SSL certificates from Let's Encrypt.

  • Certificates are stored in acme.json
  • Auto-renewal happens 30 days before expiration
  • Email notifications sent to: pkartch@gmail.com

Staging vs Production

The configuration uses Let's Encrypt production by default.

To use staging (for testing, to avoid rate limits), uncomment this line in traefik.yml:

caServer: https://acme-staging-v02.api.letsencrypt.org/directory

Port Configuration

  • 80 - HTTP (redirects to HTTPS)
  • 443 - HTTPS (main entry point)
  • 8080 - Traefik dashboard

Adding New Services

Docker Services

Add labels to your service's docker-compose.yml:

services:
  myservice:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myservice.rule=Host(`myservice.pkartchner.com`)"
      - "traefik.http.routers.myservice.entrypoints=https"
      - "traefik.http.routers.myservice.tls.certresolver=letsencrypt"
      - "traefik.http.services.myservice.loadbalancer.server.port=PORT"
    networks:
      - traefik

External Services

Add to config.yml:

http:
  routers:
    myservice:
      rule: "Host(`myservice.pkartchner.com`)"
      entryPoints:
        - https
      service: myservice
      tls:
        certResolver: letsencrypt

  services:
    myservice:
      loadBalancer:
        servers:
          - url: "http://INTERNAL_IP:PORT"

Troubleshooting

Check Traefik logs

docker logs traefik --tail 100

Verify network

docker network ls | grep traefik

Test certificate

openssl s_client -connect recipes.pkartchner.com:443 -servername recipes.pkartchner.com

Reload configuration

docker compose restart traefik

Security Notes

  • Change the default dashboard password immediately
  • Keep acme.json permissions at 600
  • Regularly update the Traefik image
  • Monitor access logs
  • Consider disabling the dashboard in production
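
A quick way to check some of these notes before exposing the host, as an added example that is not part of this repository. The function names are hypothetical, the grep patterns are heuristics, and api.insecure is Traefik's own option for serving the dashboard on port 8080 without authentication (whether this deployment sets it is not shown here).

```shell
#!/bin/sh
# Added example (not from the repository): audit a Traefik config directory
# against the Security Notes. File names come from the Files section; the
# grep patterns are heuristics that assume short-form "HOST:CONTAINER" ports.

# 0 if the file exists and its mode is exactly 600 (owner read/write only).
acme_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")  # GNU, then BSD
    [ "$mode" = "600" ]
}

# 0 if the compose file ($1) publishes container port $2 on the host.
publishes_port() {
    grep -Eq "^[[:space:]]*-[[:space:]]*[\"']?([0-9.]+:)?[0-9]+:$2([\"'/]|[[:space:]]|\$)" "$1" 2>/dev/null
}

# 0 if any given file turns on Traefik's api.insecure option, which serves
# the dashboard on port 8080 without the basic-auth middleware.
api_insecure() {
    grep -Eiq '^[[:space:]]*insecure:[[:space:]]*true|--api\.insecure(=true)?([[:space:]"]|$)' "$@" 2>/dev/null
}

# Print one line per finding; the return status is the number of findings.
audit_traefik_dir() {
    dir=$1; findings=0
    if ! acme_mode_ok "$dir/acme.json"; then
        echo "FAIL acme.json missing or not mode 600 (chmod 600 acme.json)"
        findings=$((findings + 1))
    fi
    if publishes_port "$dir/docker-compose.yml" 8080; then
        echo "WARN container port 8080 (dashboard) is published on the host"
        findings=$((findings + 1))
    fi
    if api_insecure "$dir/traefik.yml" "$dir/docker-compose.yml"; then
        echo "FAIL api.insecure is on: dashboard reachable without basic auth"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh audit.sh /srv/docker-compose/traefik
[ "$#" -eq 0 ] || audit_traefik_dir "$1"
```

The exit status equals the number of findings, so the script can gate a deploy step.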

Maintenance

Update Traefik

docker compose pull
docker compose up -d

Backup certificates

cp acme.json acme.json.backup

View certificate info

Check the Traefik dashboard under "HTTP" → "Routers"

Description
Deploy of Traefik for docker server