Docker Compose

Docker Compose Template

For those of you running Linux servers or if you use docker-compose then you can install Traefik using our docker-compose.yml file example.

First, ensure that you have created a custom docker network, we will talk about why this is the preferred method further into the guide (see video here if you are unsure). For this example, we will use the custom docker network called "proxy".

docker network create proxy

Let's create the folder to add this compose file too, you might save your app's data in another location so just add your path to this command.

mkdir -p /opt/appdata/traefik

Traefik needs a file called acme.json to store the SSL certificate information too and this needs to be secure. So, we will create this file and change the permissions to suit.

touch /opt/appdata/traefik/acme.json; chmod 600 /opt/appdata/traefik/acme.json

Now let's create the docker-compose file with the nano text editor

nano /opt/appdata/traefik/docker-compose.yml

Paste in the following and edit line 15 to add your domain, line 21 with your Cloudflare credentials. If you have already created your own docker network, then you will have to change lines 13 and 27 and replace proxy with your own network name. In our example, we are going to use /opt/appdata as the default location to store the application's data. If you would like to store your app's data in another location, then you can adjust this on line 11.

To get your API token, visit Cloudflare, go to My Profile, select API tokens and then choose Create Token.

Use the template Edit zone DNS.

Change to the following settings, click Continue to Summary and then Create Token.

Zone - Zone Settings - Read
Zone - Zone - Read
Zone - DNS - Edit
Zone Resources - Include - All Zones

Option A - Using Docker Socket Proxy (More Secure)

Giving docker API access to a publicly accessible docker container is a security liability, and so it would be preferred to try to limit the amount of access this container has to the API. We can achieve this by using a proxy container that allows limited access to the Docker API and only allow through what we need to make things work.

PLEASE NOTE

If you are going to use this method please pay extra attention to the "provider" section of the traefik.yml configuration file. You will need to add an extra line to the configuration file.

version: '3'
services:
  traefik:
    container_name: traefik
    image: traefik:2.6
    ports:
      - 80:80
      - 443:443
    #  - 8080:8080 # Dashboard port
    volumes:
      - /opt/appdata/traefik/:/etc/traefik/
    networks:
      - proxy # rename this to your custom docker network
    labels:
      traefik.http.routers.api.rule: Host(`traefik.YOURDOMAIN.COM`)    # Define the subdomain for the traefik dashboard.
      traefik.http.routers.api.entryPoints: https    # Set the Traefik entry point.
      traefik.http.routers.api.service: api@internal    # Enable Traefik API.
      traefik.enable: true   # Enable Traefik reverse proxy for the Traefik dashboard.
    environment:
      DOCKER_HOST: dockersocket
      CF_DNS_API_TOKEN: YOUR_SUPER_SECURE_CLOUDFLARE_API_TOKEN
    restart: unless-stopped
    depends_on:
      - dockersocket

  dockersocket:
    container_name: dockersocket
    image: tecnativa/docker-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - proxy
    environment:
      CONTAINERS: 1
      POST: 0
    privileged: true
    restart: unless-stopped


networks:
  proxy:
    driver: bridge
    external: true

Option B - Exposing /var/run/docker.sock (Less Secure)

Warning - Insecure Method

Allowing a container direct access to docker.sock is insecure and could make your system vulnerable to attack. Please read the following post to see more about the vulnerabilities of sharing docker.sock with docker containers and how it could compromise your server.

The Danger of Exposing docker.sock

https://dejandayoff.com/the-danger-of-exposing-docker.sock/

docker-compose.yml

version: '3'
services:
  traefik:
    container_name: traefik
    image: traefik:2.5
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # ro = read-only access to the docker.sock
      - /opt/appdata/traefik/:/etc/traefik/
    networks:
      - proxy # rename this to your custom docker network
    labels:
      traefik.http.routers.api.rule: Host(`traefik.YOURDOMAIN.COM`)    # Define the subdomain for the traefik dashboard.
      traefik.http.routers.api.entryPoints: https    # Set the Traefik entry point.
      traefik.http.routers.api.service: api@internal    # Enable Traefik API.
      traefik.enable: true   # Enable Traefik reverse proxy for the Traefik dashboard.
    environment:
      CF_DNS_API_TOKEN: YOUR_SUPER_SECURE_CLOUDFLARE_API_TOKEN
    restart: unless-stopped


networks:
  proxy:    # rename this to your custom docker network.
    driver: bridge
    external: true

Deploy the Container

Close and save this file by pressing ctrl + x, type "y" and then press enter.

Now we want to start up the Traefik container.

If you are in the same directory as the compose file, you can run the following.

docker-compose up -d

If you are in another directory, then you will need to specify the compose file with the -f argument.

docker-compose -f /opt/appdata/traefik/docker-compose.yml up -d

In order to have a fully running Traefik set-up you are going to need to add two config files, traefik.yml and fileConfig.yml explained on the page linked below.

Required Config Files

Config Files Explained

Adding Applications to Traefik

Proxying Your First App

PreviousEnabling Organizr server authentication NextConfig Files Explained

Last updated 6 months ago