The minimal requirements to enable Traefik on a certain app and allow it to proxy the web UI, we have to simply set a label for Traefik to pick up. Labels are a mechanism for applying metadata to Docker objects. Traefik is able to pick up this metadata and can use it to configure itself. This label will tell Traefik that we want to reverse proxy the application we are adding it to.

If you are using docker-compose then you simply need to add these lines to the compose files under labels:

The traefik.enable: true simply tells traefik that you want to proxy this app and the traefik.http.routers.app.entryPoints: https only allows the app to be proxied over HTTPS. This will prevent any possible vulnerabilities in the future. For example, if the HTTP redirect breaks, it will not be able to proxy the app over http accidentally.

    labels:
      traefik.enable: true
      traefik.http.routers.app.entryPoints: https

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now when you deploy your application you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Conclusion

Traefik will now pick up that the app wants to be routed through the reverse proxy and should automatically set it up for you.

Alternate Methods

Securing your App

By default, Traefik connects to the application's backend via HTTP. If the application exposes it's WebUI via HTTPS, then we will need to tell Traefik to use this protocol.

If you are using docker-compose then you simply need to add a single line to the compose files under labels:

    labels:
      traefik.http.services.app.loadbalancer.server.scheme: https

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
      traefik.http.services.adminer.loadbalancer.server.scheme: https
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

In some cases, you may find that after changing the scheme to HTTPS, you will have to also specify the application's HTTPS port manually. You can do this by following the short guide on "Proxying an App with Multiple Exposed Ports".

Conclusion

Traefik will now use the HTTPS protocol specified to forward all traffic on to the app correctly.

Rather than allowing Traefik to use the container name for the app's subdomain, you may want to manually choose the domain/subdomain used. Adding this additional label, you are able to manually override the default docker provider rule.

If you are using docker-compose then you simply need to add a single line to the compose files under labels:

    labels:
      traefik.http.routers.app.rule: Host(`app.YOURDOMAIN.COM`)

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
      traefik.http.routers.adminer.rule: Host(`adminer.YOURDOMAIN.COM`)
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now, when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Conclusion

Traefik will now use your preferred subdomain to forward all traffic on to the app correctly.

By default, Traefik picks up exposed ports for every app using the default dockerfile. If for some reason the developer did not add this port to the dockerfile or multiple ports are exposed, we may have to tell Traefik which port to use for the web UI.

If you are using docker-compose then you simply need to add a single line to the compose files under labels:

    labels:
      traefik.http.services.app.loadbalancer.server.port: 8080

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
      traefik.http.services.adminer.loadbalancer.server.port: 8080
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now when you deploy your application you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Conclusion

Traefik will now use the port specified to forward all traffic to the app correctly.

Before we can enable Traefik to forward auth requests to Authelia, we need to first reverse proxy the Authelia app through Traefik. In order to do that, we will add the minimum default two labels to proxy any app.

    labels:
      traefik.enable: true
      traefik.http.routers.app.entryPoints: https

To show how this would look in your Authelia docker-compose.yml file, below is an example:

version: '3'
services:
  auth:
    container_name: auth    
    image: authelia/authelia:latest
    volumes:
      - /opt/appdata/authelia:/config
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.entryPoints: https
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

To enable Traefik to forward auth requests to Authelia for an application, we just have to simply set a label for Traefik to pick up. This label will tell Traefik to use a certain middleware for the application we are adding it to.

If you are using docker-compose then you simply need to add a single line to the compose files under labels:

    labels:
      traefik.http.routers.app.middlewares: auth@file

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
      traefik.http.routers.adminer.middlewares: auth@file
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now when you deploy your application you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

## bypass rule
        - domain: 
        - "auth.domain.com"
      policy: bypass

Conclusion

Traefik will now forward all traffic through Authelia to make sure that the user trying to get to your app is correctly authenticated before passing traffic on to the app.