Hybrid Traefik setup
I am not sure if it is because Traefik is pretty new to me or because its documentation is not perfect, but it was a pain in the ass to configure it so that it would proxy an external service as well as Docker services. One extra complexity was that the service external to Docker was an HTTPS GUI with a self-signed certificate.
I must admit that the dynamic Docker part of Traefik was pretty straightforward and worked more or less out of the box.
Long story short, here are the working configurations I ended up with:
Docker compose for Traefik
traefik:
  image: traefik:v3.3
  restart: unless-stopped
  container_name: traefik
  ports:
    - "443:443"
  read_only: true
  security_opt:
    - no-new-privileges=true
  volumes:
    - /host/path/traefik/traefik.yml:/etc/traefik/traefik.yaml:ro
    - /host/path/traefik/configs:/configs:ro
    - /var/run/docker.sock:/var/run/docker.sock:ro
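For completeness, here is what a container that should be proxied but cannot handle mTLS looks like on the Docker side, which is the use the `disableClientAuth` TLS option in the dynamic config is meant for. This is an added example, not part of the original post: the service name `legacy-app`, its image, hostname and port are assumptions; the label names are Traefik's standard Docker-provider labels, and the `@file` suffix tells Traefik the option is defined by the file provider rather than the Docker provider.

```yaml
# Added example: a second service in the same compose file as the traefik service above.
# legacy-app, its image, legacy.example.com and port 8080 are assumed values.
legacy-app:
  image: example/legacy-app:1.0   # placeholder image
  restart: unless-stopped
  labels:
    - "traefik.enable=true"   # required because exposedByDefault is false in the static config
    - "traefik.http.routers.legacy-app.rule=Host(`legacy.example.com`)"
    - "traefik.http.routers.legacy-app.entrypoints=https"
    # TLS option from the file provider, hence the @file suffix.
    # Without this label the router gets the `default` option, i.e. mTLS is enforced.
    - "traefik.http.routers.legacy-app.tls.options=disableClientAuth@file"
    - "traefik.http.services.legacy-app.loadbalancer.server.port=8080"
```

Two things to keep in mind when opting a service out this way. TLS options are chosen per SNI hostname, not per router, so every router that serves `legacy.example.com` must name the same option; if two routers on the same host disagree, Traefik reports a conflict for that host and falls back to `default`. And TLS options do not inherit from `default`: `disableClientAuth` as defined in the dynamic config has no `minVersion`, so it falls back to Traefik's built-in minimum (TLS 1.2); add `minVersion: VersionTLS13` to that option as well if the TLS 1.3 floor is meant to hold everywhere.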
Static config: traefik.yaml
---
# accessLog: {} # uncomment this line to enable access log
log:
  level: WARN # DEBUG, INFO, WARN, ERROR, FATAL, PANIC
providers:
  docker:
    exposedByDefault: false
    endpoint: 'unix:///var/run/docker.sock'
  file:
    directory: "/configs"
    watch: true
api:
  insecure: false
  dashboard: false # if you don't need the dashboard disable it
entryPoints:
  https:
    address: ':443' # https
    http:
      tls: {}
global:
  checkNewVersion: false
  sendAnonymousUsage: false # disable this if you don't want to send anonymous usage data to traefik
Dynamic config: any-name.yaml
tls:
  certificates:
    - certFile: /configs/lets-encrypt/fullchain.pem
      keyFile: /configs/lets-encrypt/key.pem
  options:
    default:
      minVersion: VersionTLS13
      clientAuth: # this sets up mTLS
        caFiles:
          - /configs/your-mtls/ca.crt
        clientAuthType: RequireAndVerifyClientCert
    disableClientAuth: # this can be referenced from docker labels for those services that cannot work with mTLS
      clientAuth:
        clientAuthType: NoClientCert
http:
  routers:
    nonDockerHttpsBackend: # set up a service external to docker
      rule: "Host(`nonDockerService.example.com`)"
      service: nonDockerHttpsBackend
  services:
    nonDockerHttpsBackend:
      loadBalancer:
        serversTransport: nonDockerHttpsBackend
        servers:
          - url: "https://192.168.11.32:4567"
        passHostHeader: true
  serversTransports: # it was hard to figure out how to set this up. It is needed if your proxied backend is using a self-signed certificate.
    nonDockerHttpsBackend:
      insecureSkipVerify: true
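`insecureSkipVerify: true` makes Traefik accept whatever certificate is presented at 192.168.11.32:4567, so the hop from Traefik to the GUI is encrypted but no longer authenticated. When the self-signed certificate is stable, the same serversTransport can pin it instead. The following is an added alternative, not the configuration from the post: the file `/configs/non-docker/backend.crt` (the GUI's own certificate, exported from it) and the name in `serverName` are assumptions and must match what the GUI actually serves.

```yaml
# Added example: drop-in replacement for the serversTransports section above.
http:
  serversTransports:
    nonDockerHttpsBackend:
      # Trust only the backend's own self-signed certificate (assumed path).
      # The public chain in /configs/lets-encrypt is irrelevant for this hop.
      rootCAs:
        - /configs/non-docker/backend.crt
      # Name checked against the certificate's CN/SAN. Needed when the
      # certificate was not issued for the IP in the server URL (assumed value).
      serverName: nonDockerService.internal
      # insecureSkipVerify is intentionally left at its default of false.
```

To confirm the pin is actually enforced, temporarily point `rootCAs` at a different certificate (or let the GUI regenerate its own) and request the host through Traefik: Traefik should answer 502 Bad Gateway and, at the `WARN` level set in the static config, log the x509 verification failure. If the request still succeeds, `insecureSkipVerify` is still in effect somewhere, for example in a second dynamic file in `/configs` that also defines this transport.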