The minimal requirements to enable Traefik on a certain app and allow it to proxy the web UI, we have to simply set a label for Traefik to pick up. Labels are a mechanism for applying metadata to Docker objects. Traefik is able to pick up this metadata and can use it to configure itself. This label will tell Traefik that we want to reverse proxy the application we are adding it to.

For Unraid, find the app that you would like to reverse proxy, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field.

   • Copy

     traefik.enable

3. Tell Traefik to reverse proxy this app by simply adding true to this field.

4. Click add and then apply to redeploy the app with the new label added to it.

Now we need to add a second label that will ensure that Traefik only allows the app to be proxied over HTTPS. This will prevent any possible vulnerabilities in the future. For example, if the HTTP redirect breaks, it will not be able to proxy the app over HTTP accidentally. Click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this to.

   • Copy

     traefik.http.routers.app.entryPoints

3. Tell Traefik to only use the secure encrypted entrypoint for this app by simply adding https to this field.

4. Click add and then apply to redeploy the app with the new label added to it.

Conclusion

Traefik will now pick up that the app wants to be routed through the reverse proxy and should automatically set it up for you. It will also only proxy the app over HTTPS and will avoid any possible vulnerabilities or allow the app to be proxied over HTTP. Now when you deploy your application you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

Alternate Methods

Securing your App

We can use Organizr as an authentication server, like Authelia but a little more simplistic and less features. You need to have an Organizr container setup for this to work.

Before we can enable Traefik to forward auth requests to Organizr, we need to first reverse proxy the Organizr app through Traefik. To achieve that, we will add the minimum default two labels to the Organizr template, as explained in the Proxying Your First App guide.

traefik.enable = true

traefik.http.routers.organizr.entryPoints = https

To enable Traefik to forward auth requests to Organizr for an application, we just have to simply set a label for Traefik to pick up. This label will tell Traefik to use a certain middleware for the application we are adding it to.

Enable Organizr on the Application

For Unraid, find the app that you would like to protect with Organizr, once you are in the template, scroll to the bottom and click on the “Add another Path, Port, Variable, Label, or Device”. Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this too.

   • traefik.http.routers.app.middlewares

3. Tell Traefik to use the middleware called auth that we will set up in the dynamic config file by adding auth@file in this field.

4. Click add and then apply to redeploy the app with the new label added to it.

Adding Organizr to your dynamic config file

We need to add the following line's to your fileConfig.yml

  middlewares:
    # Organizr server authentication
    auth:
      forwardAuth:
        address: "http://{your organizr docker name here}/api/v2/auth/1"

Enable the redirect in Organizr

In Organizr, go to ⇾setting⇾basic⇾security and enable this

Conclusion

Traefik will now forward all traffic through Organizr to make sure that the user trying to get to your app is correctly authenticated before passing traffic on to the app. Now, when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

For more info on Organizr server authentication check >here<

Rather than allowing Traefik to use the container name for the app's subdomain, you may want to manually choose the domain/subdomain used. Adding this additional label, you are able to manually override the default docker provider rule.

For Unraid, find the app that you would like to reverse proxy, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this to.
3. To tell Traefik which subdomain to use for this app, simply add the following to this field, replacing app with the subdomain of your choice and also adding in your own domain.
4. Click add and then apply to redeploy the app with the new label added to it.

Conclusion

Traefik will now use your preferred subdomain to forward all traffic on to the app correctly.

Reverse Proxying Authelia

Before we can enable Traefik to forward auth requests to Authelia, we need to first reverse proxy the Authelia app through Traefik. In order to do that, we will add the minimum default two labels to the Authelia template, as explained in the guide.

To enable Traefik to forward auth requests to Authelia for an application, we just have to simply set a label for Traefik to pick up. This label will tell Traefik to use a certain middleware for the application we are adding it to.

Enable Authelia on the Application

For Unraid, find the app that you would like to protect with Authelia, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this too.
3. Tell Traefik to use the middleware called auth that we set up in the dynamic config file by adding auth@file in this field.

4. If you are enabling Authelia to protect the Traefik dashboard you need to use this instead. Do not replace api with the container name.
5. Click add and then apply to redeploy the app with the new label added to it.

Conclusion

Traefik will now forward all traffic through Authelia to make sure that the user trying to get to your app is correctly authenticated before passing traffic on to the app. Now when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

By default, Traefik picks up exposed ports for every app using the default dockerfile. If for some reason the developer did not add this port to the dockerfile or multiple ports are exposed, we may have to tell Traefik which port to use for the web UI.

For Unraid, find the app that you would like to reverse proxy, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this to.
3. Tell Traefik which port to use for this app, simply add the UI port to this field.

4. Click add and then apply to redeploy the app with the new label added to it.

Conclusion

Traefik will now use the port specified to forward all traffic onto the app correctly. Now when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

By default, Traefik connects to applications backend via HTTP. If the application exposes it's WebUI via HTTPS then we will need to tell Traefik to use this protocol.

For Unraid, find the app that you would like to reverse proxy, once you are in the template, scroll to the bottom and click on the "Add another Path, Port, Variable, Label or Device". Select to add a label and fill in the fields as per the screenshot below.

1. Make sure to set this as a Label.

2. Copy and paste the following into the key: field, make sure to swap out app for the app name you are adding this to.

   • Copy

     traefik.http.services.app.loadbalancer.server.scheme

3. Tell Traefik which port to use for this app, simply add https to this field.

4. Click add and then apply to redeploy the app with the new label added to it.

In some cases, you may find that after changing the scheme to HTTPS, you will have to also specify the application's HTTPS port manually. You can do this by following the short guide on "Proxying an App with Multiple Exposed Ports".

Conclusion

Traefik will now use the HTTPS protocol specified to forward all traffic onto the app correctly. Now when you deploy your application, you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).