Traefik 2.0 With Docker Compose
In this article I will discuss using Traefik in conjunction with docker-compose to set up a multi-domain server, both with and without HTTPS support.
Traefik is a reverse proxy and load balancer that makes the following things easy to set up:
- Multiple domains/subdomains served from one server, serving different applications
- Balancing a load across multiple app servers
- Automatic SSL/HTTPS with LetsEncrypt or other certificate authorities
I use Traefik both on my personal site, serving the following domains, among others:
However, I also use Traefik on my personal NAS. By using a PiHole as a DNS server on my LAN, I can create custom domains that are only visible inside my network and that are all routed to the same server (my NAS). Traefik on the NAS automatically routes the different subdomains to the correct docker containers, serving several apps:
- Heimdall (a web app dashboard)
- Jellyfin (a media server)
- Bookstack (a Markdown document app)
- VS Code Server (a web IDE)
- A static site I use for journal entries (served by hugo)
- WikiJS (a wiki site for my personal documentation)
- Whoami (just to test if the reverse proxy is working)
To my knowledge, there are two main ways to configure a server running Traefik:
1. Install Traefik on the bare-metal server, and configure it using the TOML files as shown here
2. Use docker-compose, and configure Traefik through the docker-compose.yml. The advantage of this is that the applications can be configured in the same place as the reverse proxy. There are various other advantages too, such as auto-discovery of new docker containers, which makes it easy to expand the number of apps run on a server.
For simplicity, I will go over option (2). I will start with a simple HTTP-only setup like I use on my NAS, and then expand on that with an HTTPS setup which is suitable for serving applications on the open web.
I have a pihole on my network, and on my router I have set the LAN DNS to the pihole’s IP. Then, in the pihole DNS settings, I have added the following entries. Note that even if you don’t set up a dedicated DNS server, the same can be done by editing the hosts file on your OS:
Where 192.168.1.111 is the local IP of the NAS (modified here for demonstration purposes).
Once that is set up, we can start to configure the docker containers running on the NAS for all of the application containers, and for Traefik. I have a folder set up for each app, as follows:
In ./traefik, I create a docker-compose.yml with the following contents and run docker-compose up -d:
At this point, you should be able to test that the reverse proxy is working by navigating to whoami.nas.lan/, since we included that small app in this main docker-compose.yml file.
From here, you can add subdomains and apps however you want. The only thing to note is that each app must include the Traefik labels and the “discovery” external network, as shown in the example below of my heimdall configuration:
Traefik should automatically discover new containers with these labels as they are spun up, and it will also find the right server port to which the specified subdomain should be routed.
There are some differences in configuration to get this to work with HTTPS, though the main idea is fundamentally the same. Modify the ./traefik/docker-compose.yml to have the following contents:
Then, your application docker-compose.yml files will look something like:
Note that Traefik has a way to turn on HTTP->HTTPS redirecting, though it is not covered here yet.
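The HTTPS setup described above, written out as an added example (not the author's own files): a ./traefik/docker-compose.yml with whoami as the routed app, with comments marking what changes for the HTTP-only LAN setup. The resolver name le, the e-mail address, the whoami.example.com hostname and the ./letsencrypt path are assumptions.

```yaml
# Added example, not the author's file. Placeholders are marked as such.
version: "3.3"

services:
  traefik:
    image: traefik:v2.0
    command:
      - --providers.docker=true
      # Route only containers that opt in with traefik.enable=true
      - --providers.docker.exposedbydefault=false
      # Reach app containers over the shared external network
      - --providers.docker.network=discovery
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # ACME resolver "le" (assumed name). For the HTTP-only LAN setup,
      # drop these three lines and the websecure entrypoint.
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=admin@example.com  # placeholder
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Docker API access for discovery; :ro protects the socket file only,
      # it does not restrict what the API allows.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Persist issued certificates across restarts (assumed path)
      - ./letsencrypt:/letsencrypt
    networks:
      - discovery

  whoami:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      # HTTP-only variant: Host(`whoami.nas.lan`), entrypoints=web,
      # and no certresolver label.
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=le
    networks:
      - discovery

networks:
  discovery:
    external: true
```

Because the discovery network is declared external, it must exist before the stack starts (docker network create discovery). Application compose files in other folders reuse the same labels pattern and the same networks block.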