In modern self-hosted environments, you’re often running multiple services — like a photo gallery (e.g., Immich), media server (e.g., Jellyfin), and dashboards. If all these services expose themselves directly on different ports, things quickly get messy. Enter the reverse proxy.

A reverse proxy routes incoming HTTP/HTTPS traffic to the right container based on domain or path. It allows you to:

• Use pretty domain names like photos.example.com
• Enforce HTTPS with Let’s Encrypt
• Route requests internally by hostname instead of IP and port
• Apply access control, rate limits, or basic authentication centrally

And Traefik does all that, automatically, with minimal config.

Why Traefik Over Nginx?

While Nginx is popular and powerful, it’s static by default. Every new service requires you to edit config files and reload.

Traefik, on the other hand:

• Automatically discovers Docker containers
• Supports dynamic routing using Docker labels
• Comes with built-in Let’s Encrypt integration
• Has a web dashboard to visualize routes
• Requires minimal config

Traefik was designed for containerized environments from the start.

How Traefik Works Internally

Traefik is composed of three key concepts:

1. EntryPoints

These define which ports Traefik listens on (e.g., :80, :443). You can think of these as your public gateways.

2. Routers

Routers match incoming requests (host, path, method) and forward them to services. They also define TLS settings and middleware.

3. Services

These are the actual Docker containers (or upstream backends) that respond to the requests.

4. Middlewares (Optional)

These are like plugins: things that transform requests (e.g., strip path, redirect HTTP to HTTPS, basic auth, etc).

Installing Traefik with Docker Compose

Let’s build a fully functional Traefik setup using Docker Compose.

docker-compose.yml
version: '3.9'

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    command:
      - --api.dashboard=true
      - --api.insecure=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.email=you@example.com
      - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    environment:
      - CF_API_EMAIL=you@example.com
      - CF_API_KEY=your_cloudflare_api_key
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$6yLkU..."
      - "traefik.http.routers.traefik.middlewares=traefik-auth"

You also need to create the directory ./letsencrypt and touch acme.json with permissions 600.

mkdir letsencrypt
chmod 600 letsencrypt/acme.json

Securing the Dashboard

Never expose the dashboard to the public without auth. Use basic auth like above or restrict access to specific IPs.

Alternative example:

- "traefik.http.routers.traefik.middlewares=dashboard-auth"
- "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/users.htpasswd"

Generate passwords with:

htpasswd -nb admin strongpassword

Deploying a Sample Service Behind Traefik

services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=cloudflare"

Start both containers:

docker compose up -d

Now visit https://whoami.yourdomain.com — you’ll see the container response.

Additional Features to Explore

• Middleware: redirect, stripPrefix, basicAuth
• Rate-limiting
• Retry and load balancing
• Redirect HTTP to HTTPS automatically
• Wildcard TLS certificates
• Forward headers to preserve real IP

Conclusion

Traefik makes deploying, securing, and managing multiple services in Docker easy and dynamic. With a few Docker labels and one compose file, you get:

• Auto-routing by domain
• HTTPS with Let’s Encrypt
• Centralized auth and middleware
• Visibility via dashboard

Traefik replaces hours of nginx tinkering with a declarative, scalable, and elegant solution.

Сообщение Ultimate Guide: Setting Up Traefik as a Reverse Proxy in Docker (with Let’s Encrypt, Cloudflare, and Secure Services) появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Modern web infrastructure demands seamless automation, flexible security, and robust observability across every layer. Traefik, with its dynamic routing and native cloud provider integrations, is a top-tier reverse proxy for cutting-edge self-hosted setups. In this continuation, we explore comprehensive configurations to run Traefik as a production-grade proxy with full automation for SSL, dynamic configuration reloading, and managed service control via systemd inside an LXC container.

Essential Building Blocks

To run a highly available, secure Traefik reverse proxy, you’ll need:

• A registered domain name (be mindful of renewal, not just purchase price)
• External DNS provider: Cloudflare is demonstrated, but Traefik supports many. DNS-based ACME challenges offer automated SSL for any subdomain.
• A public (routable/white) IP address
• Split DNS: Optional but highly recommended to ensure local domain queries stay on-premises.

Tip: Investigate domain renewal costs, not just the initial price—renewals can be significantly higher!

DNS Setup with Cloudflare

• Move your domain to Cloudflare or another supported DNS provider.
• In Cloudflare, generate a custom API token with only the minimum required permissions.
• Store the token securely; you can’t view it again once generated.

Cloudflare might occasionally be blocked in certain regions—consult the official Traefik documentation for alternatives.

Exporting the Cloudflare Token

Before starting Traefik, declare the token so Traefik’s ACME provider can manage DNS entries for certificate challenges:

export CLOUDFLARE_DNS_API_TOKEN="your-cloudflare-token"

Static Configuration: /etc/traefik/traefik.yaml

A robust static config example:

global:
  checkNewVersion: true
  sendAnonymousUsage: true

api:
  dashboard: true
  insecure: false
  debug: true
  disableDashboardAd: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  metrics:
    address: ":8082"

metrics:
  prometheus:
    entryPoint: metrics

serversTransport:
  insecureSkipVerify: true

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: your-email@example.com
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"
  maxSize: 100
  compress: true

accessLog:
  addInternals: true
  filePath: "/var/log/traefik/access.log"
  bufferingSize: 100

The config decouples static and dynamic settings, ensures all HTTP gets redirected to HTTPS, and enables Prometheus metrics and access logging for deep observability.

Dynamic Configuration: /etc/traefik/dynamic/config.yaml

A typical dynamic configuration might enable a protected dashboard and a service like Radarr:

http:
  routers:
    dashboard:
      entryPoints: [websecure]
      rule: "Host(`traefik-dashboard.domain.example`)"
      service: api@internal
      middlewares: [auth]
      tls:
        certResolver: cloudflare

    radarr:
      entryPoints: [websecure]
      rule: "Host(`radarr.domain.example`)"
      middlewares: [default-headers, https-redirect]
      tls:
        certResolver: cloudflare
      service: radarr

  services:
    radarr:
      loadBalancer:
        servers:
          - url: "http://192.168.1.100:7878"
        passHostHeader: true

  middlewares:
    auth:
      basicAuth:
        users:
          - "admin:$apr1$hashedpassword"
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

tls:
  options:
    default:
      minVersion: VersionTLS12
      curvePreferences: [X25519, CurveP256, CurveP384, CurveP521]
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  stores:
    default:
      defaultGeneratedCert:
        resolver: cloudflare
        domain:
          main: domain.example
          sans:
            - "*.domain.example"

Passwords for basicAuth must be hashed, e.g. via:

openssl passwd -1 "your-password"

Launching Traefik as a Systemd Service

To ensure Traefik starts on boot and runs as a managed background service, create /etc/systemd/system/traefik-proxy.service:

[Unit]
Description=Start Traefik Proxy
Documentation=https://doc.traefik.io/traefik/

[Service]
Environment="CLOUDFLARE_DNS_API_TOKEN=your-cloudflare-token"
ExecStart=/usr/local/bin/traefik
Restart=always

[Install]
WantedBy=multi-user.target

• Use systemctl start traefik-proxy to start, systemctl status traefik-proxy to check status, and systemctl disable traefik-proxy to prevent autostart.
• Monitor SSL issuance and proxy logs in /var/log/traefik/.

Key Best Practices and Pitfalls

• Secure your API tokens and config files—exposure can allow attackers to hijack all your domains!
• Log and monitor frequently for certificate renewals and failed ACME challenges.
• Regularly backup your dynamic config and ACME storage—a lost acme.json file means certificate resets.

Conclusion

With this advanced setup, Traefik acts as a true cloud-native gateway, bridging dynamic service discovery, encrypted communication, and full automation inside a lightweight LXC container. Paired with Proxmox, this approach combines resource efficiency, operational security, and enterprise-grade observability. Iterate, expand, and enhance—your infrastructure now has a reverse proxy backbone that’s ready for anything!

Сообщение Running Traefik in an LXC Container (Part 2): Docker Integration & Service Discovery появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Architecting self-hosted environments often means juggling security, automation, and developer productivity. One core element of modern web infrastructure is the reverse proxy—a front-line component that routes, authenticates, and secures all incoming connections. Traefik, praised for its dynamic configurability and seamless container integration, is the tool of choice for many cloud-native enthusiasts.

This in-depth article walks you through deploying Traefik inside a Linux Container (LXC), discussing not only the hands-on how-to, but the broader design logic and key pitfalls to avoid.

Why Traefik in LXC?

Containers offer lightweight, isolated environments for services. Running Traefik within LXC brings multiple advantages:

• Resource Efficiency: LXC containers spin up faster and consume less overhead than classic VMs.
• Isolation: Keep your reverse proxy separate for easier upgrades, failure domains, and maintenance.
• Central Control: Manage SSL, routing, and authentication centrally for all downstream services.

Preparing the LXC Container

Step 1: Create and Secure the LXC

• Spin up a new LXC container using your virtualization platform (Proxmox, for example).
• Assign basic network and storage resources.
• Ensure your container’s OS is up-to-date and hardened:
• apt update && apt upgrade -y

Step 2: Install Docker (Optional)

While LXC is great for most services, Traefik shines when managing Docker-based containers. Installing Docker inside LXC enables dynamic service discovery.

• apt install docker.io -y
• systemctl enable —now docker

Make sure to adjust LXC privileges and kernel modules if Docker faces issues (LXC may require nesting=1 and some cgroups settings).

Traefik: Dynamic Reverse Proxy, Simply Explained

Traefik auto-discovers services and dynamically updates routes as containers go live or shut down. Its key concepts:

• EntryPoints: Which ports Traefik listens to (typically 80/443).
• Routers: Rules for how requests are matched (by host, path, etc.).
• Services: Where traffic gets forwarded.
• Middleware: Request processing rules (JWT authentication, rewrite URLs, add headers).

Traefik’s configuration typically includes a static file (for entryPoints and provider setup) and a dynamic one (to express routers, services, middleware).

Hands-On: Setting Up Traefik in LXC

Step 1: Directory Structure

Establish a directory (e.g., /opt/traefik) for configs, certificates, and logs. Best practice: separate static and dynamic config files for clarity and version control.

Make sure your domain and DNS wildcard are set up correctly (*.yourdomain.com).

Generate acme.json:

touch /etc/traefik/acme.json
chmod 600 /etc/traefik/acme.json

Step 2: Compose Your docker-compose.yml

Here’s a refined example for a Traefik container:

version: '3'

services:
  traefik:
    image: traefik:latest
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config:/etc/traefik
      - ./acme.json:/acme.json"
    networks:
      - proxy

networks:
  proxy:
    external: true

Best practices:

• Least privilege: Mount Docker socket read-only if needed.
• ACME storage: Secure acme.json with proper file permissions!
• External network: Use Docker networks to group all reverse-proxied containers logically.

Step 3: Configure Traefik’s Dashboard and Security

• Enable the Traefik dashboard on a non-public URL or restrict access via middleware and IP whitelisting.
• Always apply HTTPS and, if possible, enable basic or OAuth authentication for dashboard endpoints.

Step 4: Automate SSL and Routing

• Define certificatesResolvers for Let’s Encrypt certificates—Traefik can automate issuance and renewal.
• Use labels in Docker Compose to automatically register new services with
• labels:
• - "traefik.enable=true"
• - "traefik.http.routers.myapp.rule=Host(`myapp.example.com`)"
• - "traefik.http.services.myapp.loadbalancer.server.port=8080"

Step 5: Logging and Monitoring

• Map a logs directory and enable access/error logging in your config files.
• Leverage Prometheus metrics and alerting if running at scale.

Troubleshooting & Expert Tips

• Networking quirks: LXC containers may require custom bridges or NAT rules if you run multi-host clusters.
• Security: Regularly update Traefik for CVE patches; segment your networks tightly.
• Backup: Include your config and certificate stores in regular backups—losing SSL keys can disrupt all access.

Conclusion

Deploying Traefik in an LXC container is a modern, scalable approach to exposing and securing self-hosted services. With Docker integration, dynamic config, and enterprise-grade SSL automation built in, Traefik makes reverse proxying powerful yet accessible.

Whether you’re crafting your home lab or laying the groundwork for production infrastructure, understanding these patterns will put you ahead of the game. Experiment, iterate, and customize—Traefik is as flexible as your architecture requires.

Сообщение Running Traefik in an LXC Container (Part 1): Lightweight Reverse Proxy on Proxmox появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

This guide walks you through deploying Linkwarden with Docker and Traefik, configuring it for SSL, and accessing it from anywhere securely.

Why Use Linkwarden?

• Save links with titles, tags, notes, and screenshots
• Self-hosted = complete data privacy
• Access anywhere with SSL
• Fast full-text search
• Multi-user support
• Automatic page archiving (via browser extension)

Deployment with Docker Compose

Create a directory:

mkdir -p ~/linkwarden && cd ~/linkwarden

Then create a docker-compose.yml file:

version: '3.9'
services:
  linkwarden:
    image: ghcr.io/linkwarden/linkwarden:latest
    container_name: linkwarden
    restart: unless-stopped
    environment:
      - DATABASE_URL=postgres://user:pass@db:5432/linkwarden
    depends_on:
      - db
    ports:
      - 3000:3000
    volumes:
      - ./data:/data

  db:
    image: postgres:15
    environment:
      - POSTGRES_DB=linkwarden
      - POSTGRES_USER=user
      - POSTGRES_PASSWORD=pass
    volumes:
      - ./pgdata:/var/lib/postgresql/data

Setup & Access

1. Start containers:

docker compose up -d

2. Access via http://your-server-ip:3000
3. Register an account
4. (Optional) Install the Linkwarden Chrome/Firefox extension

Securing with HTTPS via Traefik

If you’re already using Traefik (e.g., for other Docker apps), add a label block to your service:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.linkwarden.rule=Host(`links.yourdomain.com`)"
  - "traefik.http.routers.linkwarden.entrypoints=websecure"
  - "traefik.http.routers.linkwarden.tls.certresolver=myresolver"

Use Cases

• Personal bookmarking vault
• Team research archive
• Curated collection of articles, videos, and PDFs
• Save content offline for future reference

Tips & Extras

• Use Plausible or Umami to self-host stats
• Integrate with Nginx Proxy Manager
• Enable auto backups with borg or restic
• Add Redis for performance boost

Conclusion

Linkwarden is a powerful, minimalist bookmark manager that respects your privacy and puts you in control. It’s fast, Docker-friendly, and actively maintained by the open-source community. If you’re serious about decluttering your digital brain — host your own Linkwarden server and keep your internet organized for good.

Сообщение Self-Hosting Linkwarden: Secure Bookmarking on Your Own Server появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.