services: traefik: image: traefik:3.0 ports: # Listen on port 80, default for HTTP, necessary to redirect to HTTPS - 80:80 # Listen on port 443, default for HTTPS - 443:443 restart: always labels: # Enable Traefik for this service, to make it available in the public network - traefik.enable=true # Use the traefik-public network (declared below) - traefik.docker.network=traefik-public # Define the port inside of the Docker service to use - traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080 # Make Traefik use this domain (from an environment variable) in HTTP - traefik.http.routers.traefik-dashboard-http.entrypoints=http - traefik.http.routers.traefik-dashboard-http.rule=Host(`traefik.${DOMAIN?Variable not set}`) # traefik-https the actual router using HTTPS - traefik.http.routers.traefik-dashboard-https.entrypoints=https - traefik.http.routers.traefik-dashboard-https.rule=Host(`traefik.${DOMAIN?Variable not set}`) - traefik.http.routers.traefik-dashboard-https.tls=true # Use the "le" (Let's Encrypt) resolver created below - traefik.http.routers.traefik-dashboard-https.tls.certresolver=le # Use the special Traefik service api@internal with the web UI/Dashboard - traefik.http.routers.traefik-dashboard-https.service=api@internal # https-redirect middleware to redirect HTTP to HTTPS - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true # traefik-http set up only to use the middleware to redirect to https - traefik.http.routers.traefik-dashboard-http.middlewares=https-redirect # admin-auth middleware with HTTP Basic auth # Using the environment variables USERNAME and HASHED_PASSWORD - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set} # Enable HTTP Basic auth, using the middleware created above - traefik.http.routers.traefik-dashboard-https.middlewares=admin-auth volumes: # Add Docker as a mounted volume, so that Traefik can read the labels of other services - /var/run/docker.sock:/var/run/docker.sock:ro # Mount the volume to store the certificates - traefik-public-certificates:/certificates command: # Enable Docker in Traefik, so that it reads labels from Docker services - --providers.docker # Do not expose all Docker services, only the ones explicitly exposed - --providers.docker.exposedbydefault=false # Create an entrypoint "http" listening on port 80 - --entrypoints.http.address=:80 # Create an entrypoint "https" listening on port 443 - --entrypoints.https.address=:443 # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set} # Store the Let's Encrypt certificates in the mounted volume - --certificatesresolvers.le.acme.storage=/certificates/acme.json # Use the TLS Challenge for Let's Encrypt - --certificatesresolvers.le.acme.tlschallenge=true # Enable the access log, with HTTP requests - --accesslog # Enable the Traefik log, for configurations and errors - --log # Enable the Dashboard and API - --api networks: # Use the public network created to be shared between Traefik and # any other service that needs to be publicly available with HTTPS - traefik-public volumes: # Create a volume to store the certificates, even if the container is recreated traefik-public-certificates: networks: # Use the previously created public network "traefik-public", shared with other # services that need to be publicly available via this Traefik traefik-public: external: true