Docker Compose

Docker Compose Template

If you run a Linux server or already use docker-compose, you can install Traefik using our example docker-compose.yml file.

First, ensure that you have created a custom docker network. We will talk about why this is the preferred method further into the guide (see video here if you are unsure). For this example, we will use the custom docker network called "proxy".

docker network create proxy

Let's create the folder to add this compose file to. You might save your app's data in another location, so just add your path to this command.

mkdir -p /opt/appdata/traefik

Traefik needs a file called acme.json to store the SSL certificate information in. It holds private key material, so it must be readable and writable only by its owner. We will create this file and set its permissions to 600.

touch /opt/appdata/traefik/acme.json; chmod 600 /opt/appdata/traefik/acme.json

Now let's create the docker-compose file with the nano text editor.

nano /opt/appdata/traefik/docker-compose.yml

Paste in the following, then edit line 15 to add your domain and line 21 to add your Cloudflare credentials. If you have already created your own docker network, then you will have to change lines 13 and 27 and replace proxy with your own network name. In our example, we are going to use /opt/appdata as the default location to store the application's data. If you would like to store your app's data in another location, then you can adjust this on line 11.

To get your API token, visit Cloudflare, go to My Profile, select API tokens and then choose Create Token.

Use the template Edit zone DNS.

Change to the following settings, click Continue to Summary and then Create Token.

  • Zone - Zone Settings - Read

  • Zone - Zone - Read

  • Zone - DNS - Edit

  • Zone Resources - Include - All Zones

Option A - Using Docker Socket Proxy (More Secure)

Giving a publicly accessible container access to the Docker API is a security liability, so it is preferable to limit how much of the API this container can reach. We can achieve this with a proxy container that allows only limited access to the Docker API and passes through only what we need to make things work.

PLEASE NOTE

If you are going to use this method, please pay extra attention to the "provider" section of the traefik.yml configuration file. You will need to add an extra line to the configuration file.

version: '3'
services:
  traefik:
    container_name: traefik
    image: traefik:2.6
    ports:
      - 80:80
      - 443:443
    #  - 8080:8080 # Dashboard port
    volumes:
      - /opt/appdata/traefik/:/etc/traefik/
    networks:
      - proxy # rename this to your custom docker network
    labels:
      traefik.http.routers.api.rule: Host(`traefik.YOURDOMAIN.COM`)    # Define the subdomain for the traefik dashboard.
      traefik.http.routers.api.entryPoints: https    # Set the Traefik entry point.
      traefik.http.routers.api.service: api@internal    # Enable Traefik API.
      traefik.enable: true   # Enable Traefik reverse proxy for the Traefik dashboard.
    environment:
      DOCKER_HOST: dockersocket
      CF_DNS_API_TOKEN: YOUR_SUPER_SECURE_CLOUDFLARE_API_TOKEN
    restart: unless-stopped
    depends_on:
      - dockersocket

  dockersocket:
    container_name: dockersocket
    image: tecnativa/docker-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - proxy
    environment:
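      CONTAINERS: 1    # Allow read access to the /containers API endpoints.
      POST: 0    # Reject write requests; only GET and HEAD reach the Docker API.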
    privileged: true
    restart: unless-stopped


networks:
  proxy:
    driver: bridge
    external: true

Option B - Exposing /var/run/docker.sock (Less Secure)

Warning - Insecure Method

Allowing a container direct access to docker.sock is insecure and could make your system vulnerable to attack. Please read the following post to see more about the vulnerabilities of sharing docker.sock with docker containers and how it could compromise your server.

The Danger of Exposing docker.sock

https://dejandayoff.com/the-danger-of-exposing-docker.sock/

docker-compose.yml
version: '3'
services:
  traefik:
    container_name: traefik
    image: traefik:2.5
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # ro = the socket file is mounted read-only; this does not restrict Docker API calls made through it
      - /opt/appdata/traefik/:/etc/traefik/
    networks:
      - proxy # rename this to your custom docker network
    labels:
      traefik.http.routers.api.rule: Host(`traefik.YOURDOMAIN.COM`)    # Define the subdomain for the traefik dashboard.
      traefik.http.routers.api.entryPoints: https    # Set the Traefik entry point.
      traefik.http.routers.api.service: api@internal    # Enable Traefik API.
      traefik.enable: true   # Enable Traefik reverse proxy for the Traefik dashboard.
    environment:
      CF_DNS_API_TOKEN: YOUR_SUPER_SECURE_CLOUDFLARE_API_TOKEN
    restart: unless-stopped


networks:
  proxy:    # rename this to your custom docker network.
    driver: bridge
    external: true
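
A pre-deployment check for the two options above, added here as an example and not part of the original guide: it flags any compose service that both publishes ports and mounts docker.sock (the Option B pattern) and confirms acme.json is mode 600. The function names are hypothetical, and the script assumes GNU stat and the two-space indentation used by the compose files on this page.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Assumes GNU stat and the
# 2-space YAML indentation used by the compose files in this guide.

# List services that BOTH publish ports and mount docker.sock.
exposed_socket_services() {
  awk '
    function flush() { if (svc != "" && ports && sock) print svc }
    /^[^ #]/ { flush(); svc = ""; in_services = ($0 ~ /^services:/); next }
    in_services && /^  [A-Za-z0-9_.-]+:[ \t]*$/ {
      flush(); svc = $1; sub(/:$/, "", svc); ports = 0; sock = 0; next }
    svc != "" && /^    ports:/ { ports = 1 }
    svc != "" && /^ +- .*\/var\/run\/docker\.sock/ { sock = 1 }
    END { flush() }
  ' "$1"
}

# True only if acme.json is a regular file (not a symlink) with mode 600.
acme_mode_ok() {
  [ -f "$1" ] && [ ! -L "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# Audit one Traefik data directory; prints findings, returns 1 if any.
audit_traefik_dir() {
  audit_rc=0
  acme_mode_ok "$1/acme.json" || { echo "FAIL: acme.json missing or not mode 600"; audit_rc=1; }
  for audit_svc in $(exposed_socket_services "$1/docker-compose.yml"); do
    echo "FAIL: '$audit_svc' publishes ports and mounts docker.sock"; audit_rc=1
  done
  return "$audit_rc"
}

# Constructed sample: a trimmed Option B style file (direct socket mount).
write_sample() {
  mkdir -p "$1" && touch "$1/acme.json" && chmod 600 "$1/acme.json"
  printf '%s\n' "version: '3'" 'services:' '  traefik:' '    ports:' \
    '      - 80:80' '    volumes:' \
    '      - /var/run/docker.sock:/var/run/docker.sock:ro' \
    'networks:' '  proxy:' '    external: true' > "$1/docker-compose.yml"
}

tmp=$(mktemp -d); write_sample "$tmp"
audit_traefik_dir "$tmp" || echo "audit reported findings for the sample"
rm -rf "$tmp"
```

Run `audit_traefik_dir /opt/appdata/traefik` before starting the stack; the Option A file passes the socket check because only the unpublished dockersocket service mounts the socket.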

Deploy the Container

Save and close this file by pressing Ctrl + X, typing "y" and then pressing Enter.

Now we want to start up the Traefik container.

If you are in the same directory as the compose file, you can run the following.

docker-compose up -d

If you are in another directory, then you will need to specify the compose file with the -f argument.

docker-compose -f /opt/appdata/traefik/docker-compose.yml up -d

To have a fully running Traefik set-up, you are going to need to add two config files, traefik.yml and fileConfig.yml, explained on the page linked below.

Required Config Files
