Unraid Docker Template

Head to the community apps and search for “Traefik”

Now click on the “install” button, and we will fill in the template.

1. We can choose which network to add this container to, we suggest adding this container to the same custom docker network as all your other containers, this will make things simpler down the road.

2. Now we can choose the HTTP port, all you need to do is make sure the port is free on the host. For this example, we will be using 8001.

3. Here we can choose the HTTPS port, all you need to do is make sure the port is free on the host. For this example, we will be using 44301.

4. Traefik has its own dashboard, so here we will be setting the host port to access this dashboard. All you need to do is make sure the port is free on the host. For this example, we will be using 8183.

5. To allow Traefik to use your Cloudflare account to verify your domain is yours, you need to provide your Cloudflare API token. This allows Traefik to automatically get SSL certs for your domain.

   2. Use the template Edit zone DNS.

   3. Change to the following settings, click Continue to Summary and then Create Token.

      • Zone - Zone Settings - Read

      • Zone - Zone - Read

      • Zone - DNS - Edit

      • Zone Resources - Include - All Zones

Docker Socket (API)

In order for Traefik to monitor docker containers, it needs access to the docker socket. There are two methods to achieve this, and one method is more secure than the other because it limits the amount of write permissions it gives Traefik.

Option A - Longer Method but More Secure

Giving docker API access to a publicly accessible docker container is a security liability, and so it would be preferred to try to limit the amount of access this container has to the API. We can achieve this by using a proxy container that allows limited access to the Docker API and only allow through what we need to make things work.

2. Head over to the community apps and search for “dockersocket” and click install.

3. The only part you need to change in this template is to add it to your custom docker network that every other container should also be on.

4. Once you have added it to your docker network, simply click “apply” to install it.

5. Now head over to your Traefik container and edit the template.

6. Once you are in the template, scroll to the bottom and click on the “Add another Path, Port, Variable, Label or Device”.

7. We are now going to select to add a variable and fill in the fields as per the screenshot below.

8. For the key field, we will be using DOCKER_HOST and for the value field, we need to add the container name for the docker socket proxy container, in this example that is dockersocket

Click “Save”, scroll to the bottom of the template and click “Apply” to deploy the container again.

The Traefik container will now be able to retrieve info on other containers (read-only access), but will not be able to spin up other containers or run any commands via the docker API.

Option B - Easy Method but Less Secure

To do this, we need to add a new path mapping (if it does not already exist in the template).

1. In your Traefik container template, scroll to the bottom and select “Add another Path, Port, Variable, Label or Device” and choose “Path” from the drop-down.

2. You will now have to add the following to both the host and container path mappings, as per the screenshot below:

/var/run/docker.sock

Click “Save”, scroll to the bottom of the template and click “apply” to deploy the container again.

The Traefik container will now be able to retrieve info on other containers (read-only access), but will not be able to spin up other containers or run any commands via the docker API.

acme.json File

Traefik needs a file called acme.json to store the SSL certificate information too, and this needs to be secure. So, we will create this file and change the permissions to suit. Let's first create the folder to add this file too, you might save your app's data in another location so just add your path to this command.

mkdir -p /mnt/user/appdata/traefik

Now let's create the blank file and change the permissions.

touch /mnt/user/appdata/traefik/acme.json; chmod 600 /mnt/user/appdata/traefik/acme.json

Required Config Files

Adding Applications to Traefik

Now if we were to put everything together into our dynamic Traefik config file, it would look something like the below. Use your favourite method for adding/editing the file and paste in the below. In our example we will use the simple command line file editor nano. Anywhere you see YOURDOMAIN.COM, make sure to change that out for your own domain.

nano /mnt/user/appdata/traefik/fileConfig.yml

http:

  ## EXTERNAL ROUTING - Only use if you want to proxy something manually ##
  routers:
    # Homeassistant routing - Remove if not used
    homeassistant:
      entryPoints:
        - https
      rule: 'Host(`homeassistant.domain.com`)'
      service: homeassistant
      middlewares:
        - "auth"  
  ## SERVICES ##
  services:
    # Homeassistant service - Remove if not used
    homeassistant:
      loadBalancer:
        servers:
          - url: http://192.168.60.5:8123/

  ## MIDDLEWARES ##
  middlewares:
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange: 
          - 127.0.0.1/32 # localhost
          - 192.168.1.1/24 # LAN Subnet
  
    # Authelia guard
    auth:
      forwardauth:
        address: http://auth:9091/api/verify?rd=https://auth.domain.com/ # replace auth with your authelia container name
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email
  
    # Authelia basic auth guard
    auth-basic:
      forwardauth:
        address: http://auth:9091/api/verify?auth=basic # replace auth with your authelia container name
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email

    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true
 
# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6              
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

At startup, Traefik looks for a file named Traefik.yml. This is the first and key config file that is used in setting up Traefik. This file tells it where any other files might be, what domains to use, and how to get certificates for them. This is a static file, which means that any changes to this file require a restart of Traefik in order to apply those changes.

Global Parameters

In the config file snippet below, we are setting a few global parameters. We are telling Traefik to check for new versions and then within the logs, it will tell us that a newer version is available. We are also opting out of sending anonymous usage information to the developers of Traefik. If you would like to support the project, then we suggest that you enable this by changing the default value from false to true.

global:
  checkNewVersion: true
  sendAnonymousUsage: false

The setting below is to allow insecure backend connections. Usually, these backend connections are done either via the internal docker network or over a secure LAN. This setting allows for Traefik to connect to a that use HTTPS by default but maybe do not have a valid certificate. Allowing for this insecure backend connection allows Traefik to connect to the app and give it a secure frontend connection.

serversTransport:
  insecureSkipVerify: true

EntryPoints

EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP. This configuration is basically telling Traefik where and how to accept incoming connections. For the HTTP incoming request, we are telling Traefik to accept them on the default port 80. You can also see that we have added a redirection rule to forward it by default to the HTTPS EntryPoint.

Added to this section is all of Cloudflare's IP ranges as trusted IP's. Using the forwardHeaders: and trustedIPs: arguments, this will allow HTTP requests to forward their real IP's through Traefik.

Next we are telling Traefik to accept HTTPS requests on the default port 443. For HTTPS requests, we are going to need valid certificates. In this configuration here we are telling Traefik to use lets encrypt to make the certificates and we are also telling Traefik to create those certificates for not only just the root domain but also all of the subdomains too with a wildcard variable.

For all HTTPS requests, we are able to set a few middlewares to use by default. In our example we will just be using the one for secure headers (securityHeaders@file) which will be explained further in the guide. If you would like any other middlewares to be loaded by default for all requests, this is where you will add them. As an example, you could add the Authelia middleware (auth@file) to this location, and then every request will be sent to Authelia first.

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudlare public IP list
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    forwardedHeaders:
      # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
      trustedIPs: *trustedIps
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: letsencrypt
        domains:
          - main: YOURDOMAIN.COM
            sans:
              - '*.YOURDOMAIN.COM'
      middlewares:
        - securityHeaders@file

Providers

Providers discover the services that live on your infrastructure. The idea is that Traefik queries the provider APIs in order to find relevant information about routing, and when Traefik detects a change, it dynamically updates the routes.

The next setting is one of the clever features of Traefik and allows us to dynamically and automatically add new apps to Traefik by only adding a few labels to the app. The docker settings below tell Traefik to watch the docker network for new apps. Once it detects a new app, it will look for certain labels (which we will cover later in the guide) and will then use those labels to dynamically create routes to the app. We are telling Traefik which network to monitor (in our example it's proxy) and to also check it every 15 seconds for changes. For new docker containers we have given it a clever rule to take the app name, and add it as a subdomain and to proxy the app with that. Make sure to add your root domain to this rule for it to work correctly.

providers:
  providersThrottleDuration: 2s

  # File provider for connecting things that are outside of docker / defining middleware
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true

  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: proxy    # Add Your Docker Network Name Here
    # Default host rule to containername.domain.example
    defaultRule: "Host(`{{ lower (trimPrefix `/` .Name )}}.YOURDOMAIN.COM`)"    # Replace with your domain
    swarmModeRefreshSeconds: 15s
    exposedByDefault: false

    endpoint: "tcp://dockersocket:2375"

// Some code
swarmModeRefreshSeconds

Traefik Dashboard

Traefik exposes a good deal of information through an API handler, such as the configuration of all routers, services, middlewares, etc. The dashboard is the central place that shows you the current active routes handled by Traefik. Below we are simply enabling the Traefik dashboard but leaving it insecure as we are going to secure it with let's encrypt certs and Authelia. If you do not think you will use these features, then simply set the dashboard: to false.

# Enable traefik ui
api:
  dashboard: true
  insecure: true

Logs

Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). Here we are setting the log level for Traefik. If you are having issues getting it set up or proxying an app, then it is a good idea to set this to DEBUG and restart the app. You will now see much more detail in the logs. By default, the logs are written to the standard output. You can configure a file path instead using the filePath option.

# Log level INFO|DEBUG|ERROR
log:
  level: INFO

Certificate Resolver

This is where we are going to set up the cert creation. Below, we are telling Traefik here to use let's encrypt to generate certificates for our domain. To make sure that let's encrypt is able to generate certificates, we need to give it some information. You will need to add your email so that you can be notified if your cert is ever going to run out. Traefik by default renews these certificates for you, but if there is ever an issue then you will be emailed notifying you.

We are telling Traefik that we want to use Cloudflare to make the DNS challenge request and also to use Cloudflare as the DNS resolver for these requests. Earlier in the guide when setting up the template for Traefik we already added the Cloudflare API token and email as a global environment variable and so Traefik will be able to pick those credentials up when making these requests.

# Use letsencrypt to generate ssl serficiates
certificatesResolvers:
  letsencrypt:
    acme:
      email: YOUR@EMAIL.COM
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the dns challenge is propagated to the rights dns servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

This is a dynamic file, meaning that if we make any changes to the file, Traefik will pick them up and load them in automatically. We will use this file to manage all the middlewares and also add any external services like VM's. In the example below, we will be adding Homeassistant.

Routers & Services

The Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.

To add an external application we need to give Traefik a router which tells Traefik how to route the requests and which middleware to use along the way and then a matching service which tells Traefik where to point the requests.

http:
    ## EXTERNAL ROUTING ##
  routers:
    # Homeassistant routing
    homeassistant:
      entryPoints:
        - https
      rule: 'Host(`homeassistant.YOURDOMAIN.COM`)'
      service: homeassistant
      middlewares:
        - "auth"  
  ## SERVICES ##
  services:
    # Homeassistant service
    homeassistant:
      loadBalancer:
        servers:
          - url: http://192.168.60.5:8123/

Middleware

Now we are going to be adding middlewares that you can manually add to each service.

There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.

Middlewares that use the same protocol can be combined into chains to fit every scenario. We are going to use these to do many things including adjusting headers to secure the app or even forward requests to Authelia.

IpWhitelist

The IpWhitelist middleware accepts / refuses requests based on the client IP. This can be handy when you have a public domain and only want some apps being accessed by certain networks.

  ## MIDDLEWARES ##
  middlewares:
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange: 
          - 127.0.0.1/32 # localhost
          - 192.168.1.1/24 # LAN Subnet

In the example above you will see 2 ranges, the 127.0.0.1/32 range is used by the machine that's running Traefik and needs to stay. The 192.168.1.1/24 range is a local network one make sure to check your desired network ranges and add them accordingly. You can also add a single IP to the list, not only ranges

Forward Auth

The ForwardAuth middleware delegates authentication to an external service. If the service answers with a 2XX code, access is granted, and the original request is performed. Otherwise, the response from the authentication server is returned.

We will be using the "auth" middleware to forward requests to Authelia to make sure that the user visiting the service is verified and is authorised to visit the app. In this middleware, we will also be adding a few headers to forward on authorisation information to the app that we are visiting. Some apps allow you to forward on auth requests and allow you to login without having to add your details twice (too Authelia and then also the app).

You will have to replace AUTHELIA_CONTAINER_NAME with your Authelia container name and AUTHELIA_SUBDOMAIN with the subdomain you chose for your Authelia portal.

    auth:
      forwardauth:
        address: http://AUTHELIA_CONTAINER_NAME:9091/api/verify?rd=https://AUTHELIA_SUBDOMAIN.YOURDOMAIN.COM/
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email

    # Authelia basic auth guard
    auth-basic:
      forwardauth:
        address: http://auth:9091/api/verify?auth=basic
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-EmailHeaders

The Headers middleware manages the headers of requests and responses. Below is the "securityHeaders" middleware. We will be using this to add secure headers to all requests. Using the below headers we are able to take our SSL score up to an A+ without compromising functionality of our apps. This will help towards keeping your apps secure.

    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true

Proxying Your First App

Reverse Proxying Authelia

To enable Traefik to forward auth requests to Authelia for an application, we just have to simply set a label for Traefik to pick up. This label will tell Traefik to use a certain middleware for the application we are adding it to.

Enable Authelia on the Application

For Unraid, find the app that you would like to protect with Authelia, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this too.
3. Tell Traefik to use the middleware called auth that we set up in the dynamic config file by adding auth@file in this field.

4. If you are enabling Authelia to protect the Traefik dashboard you need to use this instead. Do not replace api with the container name.
5. Click add and then apply to redeploy the app with the new label added to it.

Conclusion

Traefik will now forward all traffic through Authelia to make sure that the user trying to get to your app is correctly authenticated before passing traffic on to the app. Now when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

The world’s most popular cloud-native application proxy that helps developers and operations teams build, deploy and run modern microservices applications quickly and easily.

Assumptions

What is Traefik?

What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request.

With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real-time (no restarts, no connection interruptions). With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state."

Unraid Docker

If you are using Unraid to create your containers then you should follow this guide.

Docker-Compose

If you are using docker-compose to create your containers then you should follow this guide.

Final Words

Support Us

Our work sometimes takes months to research and develop. If you want to help support us please consider:

Thank you for being part of our community!

By default, Traefik picks up exposed ports for every app using the default dockerfile. If for some reason the developer did not add this port to the dockerfile or multiple ports are exposed, we may have to tell Traefik which port to use for the web UI.

For Unraid, find the app that you would like to reverse proxy, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this to.
3. Tell Traefik which port to use for this app, simply add the UI port to this field.

4. Click add and then apply to redeploy the app with the new label added to it.

Conclusion

Traefik will now use the port specified to forward all traffic onto the app correctly. Now when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

For Unraid, find the app that you would like to reverse proxy, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field.

   • Copy

     traefik.enable

3. Tell Traefik to reverse proxy this app by simply adding true to this field.

4. Click add and then apply to redeploy the app with the new label added to it.

Now we need to add a second label that will ensure that Traefik only allows the app to be proxied over HTTPS. This will prevent any possible vulnerabilities in the future. For example, if the HTTP redirect breaks, it will not be able to proxy the app over HTTP accidentally. Click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this to.

   • Copy

     traefik.http.routers.app.entryPoints

3. Tell Traefik to only use the secure encrypted entrypoint for this app by simply adding https to this field.

4. Click add and then apply to redeploy the app with the new label added to it.

Conclusion

Traefik will now pick up that the app wants to be routed through the reverse proxy and should automatically set it up for you. It will also only proxy the app over HTTPS and will avoid any possible vulnerabilities or allow the app to be proxied over HTTP. Now when you deploy your application you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Alternate Methods

Securing your App

Rather than allowing Traefik to use the container name for the app's subdomain, you may want to manually choose the domain/subdomain used. Adding this additional label, you are able to manually override the default docker provider rule.

For Unraid, find the app that you would like to reverse proxy, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this to.

   • Copy

     traefik.http.routers.app.rule

3. To tell Traefik which subdomain to use for this app, simply add the following to this field, replacing app with the subdomain of your choice and also adding in your own domain.

   • Copy

     Host(`app.YOURDOMAIN.COM`)

4. Click add and then apply to redeploy the app with the new label added to it.

Conclusion

Traefik will now use your preferred subdomain to forward all traffic on to the app correctly.

Now if we were to put everything together into our static Traefik config file, it would look something like the below. Use your favourite method for adding/editing the file and paste in the below. In our example we will use the simple command line file editor nano. Anywhere you see YOURDOMAIN.COM or YOUR@EMAIL.COM, make sure to change that out for your own information.

nano /mnt/user/appdata/traefik/traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

serversTransport:
  insecureSkipVerify: true

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudlare public IP list
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    forwardedHeaders:
      # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
      trustedIPs: *trustedIps
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: letsencrypt
        domains:
          - main: YOURDOMAIN.COM
            sans:
              - '*.YOURDOMAIN.COM'
      middlewares:
        - securityHeaders@file

providers:
  providersThrottleDuration: 2s

  # File provider for connecting things that are outside of docker / defining middleware
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true

  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: proxy    # Add Your Docker Network Name Here
    # Default host rule to containername.domain.example
    defaultRule: "Host(`{{ lower (trimPrefix `/` .Name )}}.YOURDOMAIN.COM`)"    # Replace with your domain
    swarmModeRefreshSeconds: 15s #comment out or remove this line if using traefik v3
    exposedByDefault: false
    #endpoint: "tcp://dockersocket:2375" # Uncomment if you are using docker socket proxy

# Enable traefik ui
api:
  dashboard: true
  insecure: true

# Log level INFO|DEBUG|ERROR
log:
  level: INFO

# Use letsencrypt to generate ssl serficiates
certificatesResolvers:
  letsencrypt:
    acme:
      email: YOUR@EMAIL.COM
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the dns challenge is propagated to the rights dns servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

To avoid manual intervention you can use a plugin to manage the Cloudflare IPs instead:

curl https://api.cloudflare.com/client/v4/ips | sed 's/\\//g' | yq '.result.ipv4_cidrs + .result.ipv6_cidrs' -P

By default, Traefik connects to applications backend via HTTP. If the application exposes it's WebUI via HTTPS then we will need to tell Traefik to use this protocol.

For Unraid, find the app that you would like to reverse proxy, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this to.

   • Copy

     traefik.http.services.app.loadbalancer.server.scheme

3. Tell Traefik which port to use for this app, simply add https to this field.

4. Click add and then apply to redeploy the app with the new label added to it.

Conclusion

Traefik will now use the HTTPS protocol specified to forward all traffic onto the app correctly. Now when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Now if we were to put everything together into our static Traefik config file, it would look something like the below. Use your favourite method for adding/editing the file and paste it below. In our example, we will use the simple command-line file editor nano. Anywhere you see YOURDOMAIN.COM or YOUR@EMAIL.COM, make sure to change that out for your own information.

nano /opt/appdata/traefik/traefik.yml

Docker Compose Template

For those of you running Linux servers or if you use docker-compose then you can install Traefik using our docker-compose.yml file example.

First, ensure that you have created a custom docker network, we will talk about why this is the preferred method further into the guide (see video here if you are unsure). For this example, we will use the custom docker network called "proxy".

Let's create the folder to add this compose file too, you might save your app's data in another location so just add your path to this command.

Traefik needs a file called acme.json to store the SSL certificate information too and this needs to be secure. So, we will create this file and change the permissions to suit.

Now let's create the docker-compose file with the nano text editor

Paste in the following and edit line 15 to add your domain, line 21 with your Cloudflare credentials. If you have already created your own docker network, then you will have to change lines 13 and 27 and replace proxy with your own network name. In our example, we are going to use /opt/appdata as the default location to store the application's data. If you would like to store your app's data in another location, then you can adjust this on line 11.

Use the template Edit zone DNS.

Change to the following settings, click Continue to Summary and then Create Token.

• Zone - Zone Settings - Read

• Zone - Zone - Read

• Zone - DNS - Edit

• Zone Resources - Include - All Zones

Option A - Using Docker Socket Proxy (More Secure)

Giving docker API access to a publicly accessible docker container is a security liability, and so it would be preferred to try to limit the amount of access this container has to the API. We can achieve this by using a proxy container that allows limited access to the Docker API and only allow through what we need to make things work.

Option B - Exposing /var/run/docker.sock (Less Secure)

Deploy the Container

Close and save this file by pressing ctrl + x, type "y" and then press enter.

Now we want to start up the Traefik container.

If you are in the same directory as the compose file, you can run the following.

If you are in another directory, then you will need to specify the compose file with the -f argument.

Required Config Files

Adding Applications to Traefik

By default, Traefik picks up exposed ports for every app using the default dockerfile. If for some reason the developer did not add this port to the dockerfile or multiple ports are exposed, we may have to tell Traefik which port to use for the web UI.

If you are using docker-compose then you simply need to add a single line to the compose files under labels:

    labels:
      traefik.http.services.app.loadbalancer.server.port: 8080

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
      traefik.http.services.adminer.loadbalancer.server.port: 8080
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now when you deploy your application you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Conclusion

Traefik will now use the port specified to forward all traffic to the app correctly.

At start up, Traefik looks for a file names Traefik.yml. This is the first and key config file that will be mainly setting up Traefik, telling it where any other files might be and also what domains to use and how to get certificates for them. This is a static file, which means that any changes to this file require a restart of Traefik to load in those changes.

Global Parameters

In the config file snippet below, we are setting a few global parameters. We are telling Traefik to check for new versions and then within the logs, it will tell us that a newer version is available. We are also opting out of sending anonymous usage information to the developers of Traefik. If you would like to support the project, then we suggest that you enable this by changing the default value from false to true.

global:
  checkNewVersion: true
  sendAnonymousUsage: false

The setting below is to allow insecure backend connections. Usually, these backend connections are either via the internal docker network or over a secure LAN. This setting allows for Traefik to connect to a that use HTTPS by default but maybe do not have a valid certificate. Allowing for this insecure backend connection allows Traefik to connect to the app and give it a secure frontend connection.

serversTransport:
  insecureSkipVerify: true

EntryPoints

EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP. This configuration is basically telling Traefik where and how to accept incoming connections. For the HTTP incoming request, we are telling Traefik to accept them on the default port 80. You can also see that we have added a redirection rule to forward it by default to the HTTPS EntryPoint.

Added to this section is all of Cloudflare's IP ranges as trusted IP's. Using the forwardHeaders: and trustedIPs: arguments, this will allow HTTP requests to forward their real IP's through Traefik.

Next we are telling Traefik to accept HTTPS requests on the default port 443. For HTTPS requests, we are going to need valid certificates. In this configuration here we are telling Traefik to use lets encrypt to make the certificates and we are also telling Traefik to create those certificates for not only just the root domain but also all of the subdomains too with a wildcard variable.

For all HTTPS requests, we are able to set a few middlewares to use by default. In our example we will just be using the one for secure headers (securityHeaders@file) which will be explained further in the guide. If you would like any other middlewares to be loaded by default for all requests, this is where you will add them. As an example, you could add the Authelia middleware (auth@file) to this location, and then every request will be sent to Authelia first.

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudlare public IP list
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    forwardedHeaders:
      # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
      trustedIPs: *trustedIps
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: letsencrypt
        domains:
          - main: YOURDOMAIN.COM
            sans:
              - '*.YOURDOMAIN.COM'
      middlewares:
        - securityHeaders@file

Providers

Providers discover the services that live on your infrastructure. The idea is that Traefik queries the provider APIs in order to find relevant information about routing, and when Traefik detects a change, it dynamically updates the routes.

The next setting is one of the clever features of Traefik and allows us to dynamically and automatically add new apps to Traefik by only adding a few labels to the app. The docker settings below tell Traefik to watch the docker network for new apps. Once it detects a new app, it will look for certain labels (which we will cover later in the guide) and will then use those labels to dynamically create routes to the app. We are telling Traefik which network to monitor (in our example it's proxy) and to also check it every 15 seconds for changes. For new docker containers we have given it a clever rule to take the app name, and add it as a subdomain and to proxy the app with that. Make sure to add your root domain to this rule for it to work correctly.

providers:
  providersThrottleDuration: 2s

  # File provider for connecting things that are outside of docker / defining middleware
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true

  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: proxy # Add Your Docker Network Name Here
    # Default host rule to containername.domain.example
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.YOURDOMAIN.COM`)"
    swarmModeRefreshSeconds: 15s #comment out or remove this line if using traefik v3
    exposedByDefault: false

    endpoint: "tcp://dockersocket:2375"

// Some code
swarmModeRefreshSeconds

Traefik Dashboard

Traefik exposes a good deal of information through an API handler, such as the configuration of all routers, services, middlewares, etc. The dashboard is the central place that shows you the current active routes handled by Traefik. Below we are simply enabling the Traefik dashboard but leaving it insecure as we are going to secure it with let's encrypt certs and Authelia. If you do not think you will use these features, then simply set the dashboard: to false.

# Enable traefik ui
api:
  dashboard: true
  insecure: true

Logs

Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). Here we are setting the log level for Traefik. If you are having issues getting it set up or proxying an app, then it is a good idea to set this to DEBUG and restart the app. You will now see much more detail in the logs. By default, the logs are written to the standard output. You can configure a file path instead using the filePath option.

# Log level INFO|DEBUG|ERROR
log:
  level: INFO

Certificate Resolver

This is where we are going to set up the cert creation. Below, we are telling Traefik here to use let's encrypt to generate certificates for our domain. To make sure that let's encrypt is able to generate certificates, we need to give it some information. You will need to add your email so that you can be notified if your cert is ever going to run out. Traefik by default renews these certificates for you, but if there is ever an issue then you will be emailed notifying you.

We are telling Traefik that we want to use Cloudflare to make the DNS challenge request and also to use Cloudflare as the DNS resolver for these requests. Earlier in the guide when setting up the template for Traefik we already added the Cloudflare API token and email as a global environment variable and so Traefik will be able to pick those credentials up when making these requests.

# Use letsencrypt to generate ssl serficiates
certificatesResolvers:
  letsencrypt:
    acme:
      email: YOUR@EMAIL.COM  # change to your provider account email address.
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the dns challenge is propagated to the rights dns servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

This is a dynamic file, meaning that if we make any changes to the file, Traefik will pick them up and load them in automatically. We will use this file to manage all the middlewares and also add any external services like VM's. In the example below, we will be adding Homeassistant.

Routers & Services

The Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.

To add an external application we need to give Traefik a router which tells Traefik how to route the requests and which middleware to use along the way and then a matching service which tells Traefik where to point the requests.

http:
    ## EXTERNAL ROUTING ##
  routers:
    # Homeassistant routing
    homeassistant:
      entryPoints:
        - https
      rule: 'Host(`homeassistant.YOURDOMAIN.COM`)'
      service: homeassistant
      middlewares:
        - "auth"  
  ## SERVICES ##
  services:
    # Homeassistant service
    homeassistant:
      loadBalancer:
        servers:
          - url: http://192.168.60.5:8123/

Middleware

Now we are going to be adding middlewares that you can manually add to each service.

There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.

Middlewares that use the same protocol can be combined into chains to fit every scenario. We are going to use these to do many things including adjusting headers to secure the app or even forward requests to Authelia.

IpWhitelist

The IpWhitelist middleware accepts / refuses requests based on the client IP. This can be handy when you have a public domain and only want some apps being accessed by certain networks.

  ## MIDDLEWARES ##
  middlewares:
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange: 
          - 127.0.0.1/32 # localhost
          - 192.168.1.1/24 # LAN Subnet

In the example above you will see 2 ranges, the 127.0.0.1/32 range is used by the machine that's running Traefik and needs to stay. The 192.168.1.1/24 range is a local network, one make sure to check your desired network ranges and add them accordingly. You can also add a single IP to the list, not only ranges

Forward Auth

The ForwardAuth middleware delegates authentication to an external service. If the service answers with a 2XX code, access is granted, and the original request is performed. Otherwise, the response from the authentication server is returned.

We will be using the "auth" middleware to forward requests to Authelia to make sure that the user visiting the service is verified and is authorised to visit the app. In this middleware, we will also be adding a few headers to forward on authorisation information to the app that we are visiting. Some apps allow you to forward on auth requests and allow you to login without having to add your details twice (too Authelia and then also the app).

You will have to replace AUTHELIA_CONTAINER_NAME with your Authelia container name and AUTHELIA_SUBDOMAIN with the subdomain you chose for your Authelia portal.

  ## MIDDLEWARES ##
  middlewares:
  # Authelia guard
    auth:
      forwardauth:
        address: http://AUTHELIA_CONTAINER_NAME:9091/api/verify?rd=https://AUTHELIA_SUBDOMAIN.YOURDOMAIN.COM/
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email

    # Authelia basic auth guard
    auth-basic:
      forwardauth:
        address: http://auth:9091/api/verify?auth=basic
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email

Headers

The Headers middleware manages the headers of requests and responses. Below is the "securityHeaders" middleware. We will be using this to add secure headers to all requests. Using the below headers we are able to take our SSL score up to an A+ without compromising functionality of our apps. This will help towards keeping your apps secure.

    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          server: ""
        sslProxyHeaders:
          X-Forwarded-Proto: https
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        customResponseHeaders:
          X-Forwarded-Proto: "https"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true

Proxying Your First App

Now, if we were to put everything together into our dynamic Traefik config file, it would look something like the below. Use your favourite method for adding/editing the file and paste it below. In our example, we will use the simple command-line file editor nano. Anywhere you see YOURDOMAIN.COM, make sure to change that out for your own domain.

nano /opt/appdata/traefik/fileConfig.yml

We can use Organizr as an authentication server, like Authelia but a little more simplistic and less features. You need to have an Organizr container setup for this to work.

To enable Traefik to forward auth requests to Organizr for an application, we just have to simply set a label for Traefik to pick up. This label will tell Traefik to use a certain middleware for the application we are adding it to.

Enable Organizr on the Application

For Unraid, find the app that you would like to protect with Organizr, once you are in the template, scroll to the bottom and click on the “Add another Path, Port, Variable, Label, or Device”. Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this too.

   • traefik.http.routers.app.middlewares

3. Tell Traefik to use the middleware called auth that we will set up in the dynamic config file by adding auth@file in this field.

4. Click add and then apply to redeploy the app with the new label added to it.

Adding Organizr to your dynamic config file

We need to add the following line's to your fileConfig.yml

Enable the redirect in Organizr

In Organizr, go to ⇾setting⇾basic⇾security and enable this

Conclusion

Traefik will now forward all traffic through Organizr to make sure that the user trying to get to your app is correctly authenticated before passing traffic on to the app. Now, when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Announcement Blog

Traefik Hub Page

Acknowledgments

Future Features

• Use your own domain.

• More authorization techniques

• More to come!

Important Notes

• Free tier limited bandwidth (1gb per month)

• Free tier limited published service (10 apps)

• Pricing for increased limits (Price unknown)

Installing your Traefik Hub agent

First, create your account.

Next, click “Install my first Traefik Hub Agent”.

Pick the platform that suits you; for this guide, we will be using Docker as it creates the network for you.

Here we will follow the simple commands by copying and pasting each one into the terminal.

docker network create traefik-hub

docker run -d \
--name traefik \
--network traefik-hub \
traefik:v2.7 \
--experimental.hub=true \
--hub.tls.insecure=true \
--metrics.prometheus.addrouterslabels=true

# Launch the Hub Agent for Traefik
docker run -d  --volume /var/run/docker.sock:/var/run/docker.sock \
--restart="on-failure” \
--network traefik-hub \
--name=hub-agent ghcr.io/traefik/hub-agent-traefik:v0.3.0 run \
--auth-server.advertise-url=http://hub-agent \
--hub.token=YOUR-SECURE-TOKEN-HERE \
--traefik.host=traefik \
--traefik.tls.insecure=true  

Now go back to the Hub website, copy the token and click “finish configuration”. You can now rename your Agent.

Currently, it only allows lower case and dashes, and numbers but not at the start.

Adding a service to your Traefik Hub account

You can now click “Go to the Agent Details” to view your new dashboard.

Now, to test Traefik Hub, we are going to use a basic web server docker container.

docker run -d --network traefik-hub tutum/hello-world

As soon as the container starts up, it shows up in the Traefik Hub dashboard.

Now we want to publish our app, so let's click on the running app to open the configuration.

Now click “Publish the service”.

Now simply click “Save and Publish” and your application will be published.

Your app will now be deployed through the Traefik hub service.

Your application is now deployed on the URL provided

Let's click the link and check that the app is working!

Like magic, without opening any ports, your application is available publicly!

If you open your service in the Traefik Hub, you will now be able to monitor the stats.

Access Control

If you like to add a layer of security, you can now edit the service to add basic auth.

Click the “Edit” button on your service and then click “Create new ACP”.

We can now give our new access control policy a username and password.

Click “save”, then click “save and publish”. Now, when you try to go to the app, it will require basic auth.

It will now apply the update for you.

Fill in your username and password, and it will now allow you access!

Removing a service

Click on your published service and then click the “Edit” button.

At the bottom of the window, you will find a dialogue box called “Danger Zone”, this will be where you can now remove your published service.

Copy and paste the confirmation phrase into the text field, and then click on the “Unpublish” button. Your app will no longer be public or accessible.

If you are using docker-compose then you simply need to add these lines to the compose files under labels:

The traefik.enable: true simply tells traefik that you want to proxy this app and the traefik.http.routers.app.entryPoints: https only allows the app to be proxied over HTTPS. This will prevent any possible vulnerabilities in the future. For example, if the HTTP redirect breaks, it will not be able to proxy the app over http accidentally.

    labels:
      traefik.enable: true
      traefik.http.routers.app.entryPoints: https

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now when you deploy your application you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Conclusion

Traefik will now pick up that the app wants to be routed through the reverse proxy and should automatically set it up for you.

Alternate Methods

Securing your App

By default, Traefik connects to the application's backend via HTTP. If the application exposes it's WebUI via HTTPS, then we will need to tell Traefik to use this protocol.

If you are using docker-compose then you simply need to add a single line to the compose files under labels:

    labels:
      traefik.http.services.app.loadbalancer.server.scheme: https

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
      traefik.http.services.adminer.loadbalancer.server.scheme: https
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Conclusion

Traefik will now use the HTTPS protocol specified to forward all traffic on to the app correctly.

Rather than allowing Traefik to use the container name for the app's subdomain, you may want to manually choose the domain/subdomain used. Adding this additional label, you are able to manually override the default docker provider rule.

If you are using docker-compose then you simply need to add a single line to the compose files under labels:

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now, when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Conclusion

Traefik will now use your preferred subdomain to forward all traffic on to the app correctly.

Before we can enable Traefik to forward auth requests to Authelia, we need to first reverse proxy the Authelia app through Traefik. In order to do that, we will add the minimum default two labels to proxy any app.

    labels:
      traefik.enable: true
      traefik.http.routers.app.entryPoints: https

To show how this would look in your Authelia docker-compose.yml file, below is an example:

version: '3'
services:
  auth:
    container_name: auth    
    image: authelia/authelia:latest
    volumes:
      - /opt/appdata/authelia:/config
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.entryPoints: https
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

To enable Traefik to forward auth requests to Authelia for an application, we just have to simply set a label for Traefik to pick up. This label will tell Traefik to use a certain middleware for the application we are adding it to.

If you are using docker-compose then you simply need to add a single line to the compose files under labels:

    labels:
      traefik.http.routers.app.middlewares: auth@file

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
      traefik.http.routers.adminer.middlewares: auth@file
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now when you deploy your application you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

## bypass rule
        - domain: 
        - "auth.domain.com"
      policy: bypass

Conclusion

Traefik will now forward all traffic through Authelia to make sure that the user trying to get to your app is correctly authenticated before passing traffic on to the app.