Unraid
Last updated
Last updated
Head to the community apps and search for “Traefik”
Now click on the “install” button, and we will fill in the template.
We can choose which network to add this container to, we suggest adding this container to the same custom docker network as all your other containers, this will make things simpler down the road.
Now we can choose the HTTP port, all you need to do is make sure the port is free on the host. For this example, we will be using 8001.
Here we can choose the HTTPS port, all you need to do is make sure the port is free on the host. For this example, we will be using 44301.
Traefik has its own dashboard, so here we will be setting the host port to access this dashboard. All you need to do is make sure the port is free on the host. For this example, we will be using 8183.
To allow Traefik to use your Cloudflare account to verify your domain is yours, you need to provide your Cloudflare API token. This allows Traefik to automatically get SSL certs for your domain.
To get your API token, visit Cloudflare, go to My Profile
, select API tokens
and then choose Create Token
.
Use the template Edit zone DNS
.
Change to the following settings, click Continue to Summary
and then Create Token
.
Zone - Zone Settings - Read
Zone - Zone - Read
Zone - DNS - Edit
Zone Resources - Include - All Zones
This is telling Traefik what subdomain to use for the Traefik dashboard. Please note that this dashboard is read-only, all configuration is done via docker labels and configuration files. For more information, see the Traefik Dashboard Documentation.
If you would like to use Authelia to protect your Traefik dashboard (which we highly suggest) you will need to add this field. This will protect the Traefik dashboard with a middleware we will set up that will forward all requests through Authelia. Follow this short guide to add the Authelia middleware to the Traefik dashboard.
In order for Traefik to monitor docker containers, it needs access to the docker socket. There are two methods to achieve this, and one method is more secure than the other because it limits the amount of write permissions it gives Traefik.
Giving docker API access to a publicly accessible docker container is a security liability, and so it would be preferred to try to limit the amount of access this container has to the API. We can achieve this by using a proxy container that allows limited access to the Docker API and only allow through what we need to make things work.
PLEASE NOTE
If you are going to use this method please pay extra attention to the "provider" section of the traefik.yml
configuration file. You will need to add an extra line to the configuration file.
For this, we are going to use a docker container by Tecnativa called “docker-socket-proxy”
Head over to the community apps and search for “dockersocket” and click install.
The only part you need to change in this template is to add it to your custom docker network that every other container should also be on.
Once you have added it to your docker network, simply click “apply” to install it.
Now head over to your Traefik container and edit the template.
Once you are in the template, scroll to the bottom and click on the “Add another Path, Port, Variable, Label or Device”.
We are now going to select to add a variable and fill in the fields as per the screenshot below.
For the key field, we will be using DOCKER_HOST
and for the value field, we need to add the container name for the docker socket proxy container, in this example that is dockersocket
Click “Save”, scroll to the bottom of the template and click “Apply” to deploy the container again.
The Traefik container will now be able to retrieve info on other containers (read-only access), but will not be able to spin up other containers or run any commands via the docker API.
Warning - Insecure Method
Allowing a container direct access to docker.sock
is insecure and could make your system vulnerable to attack. Please read the following post to see more about the vulnerabilities of sharing docker.sock with docker containers and how it could compromise your server.
The Danger of Exposing docker.sock
To do this, we need to add a new path mapping (if it does not already exist in the template).
In your Traefik container template, scroll to the bottom and select “Add another Path, Port, Variable, Label or Device” and choose “Path” from the drop-down.
You will now have to add the following to both the host and container path mappings, as per the screenshot below:
Click “Save”, scroll to the bottom of the template and click “apply” to deploy the container again.
The Traefik container will now be able to retrieve info on other containers (read-only access), but will not be able to spin up other containers or run any commands via the docker API.
Traefik needs a file called acme.json to store the SSL certificate information too, and this needs to be secure. So, we will create this file and change the permissions to suit. Let's first create the folder to add this file too, you might save your app's data in another location so just add your path to this command.
Now let's create the blank file and change the permissions.
In order to have a fully running Traefik set-up you are going to need to add two config files, traefik.yml
and fileConfig.yml
explained in the pages below.