docker.recipes

Traefik Reverse Proxy Stack

intermediate

Complete Traefik setup with automatic SSL, metrics, and service discovery.

Overview

Traefik is a cloud-native edge router that revolutionizes reverse proxy management through automatic service discovery and dynamic configuration. Originally developed by Containous (now Traefik Labs) in 2015, Traefik eliminates the traditional pain points of manually configuring reverse proxies by automatically detecting Docker containers and Kubernetes services, then routing traffic accordingly. Unlike traditional reverse proxies that require manual configuration updates and service restarts, Traefik continuously monitors your container orchestrator and updates routing rules in real time.

This comprehensive monitoring stack combines Traefik's intelligent routing capabilities with Prometheus metrics collection and Grafana visualization dashboards. Traefik automatically generates Let's Encrypt SSL certificates for all discovered services while exposing detailed metrics about request patterns, response times, and backend health. Prometheus scrapes these metrics along with system-level data, creating a complete observability pipeline that Grafana transforms into actionable dashboards. The whoami service acts as a perfect test target, demonstrating how Traefik automatically discovers services through Docker labels and provisions SSL certificates without manual intervention.

This stack is ideal for DevOps teams managing microservices architectures, startups building scalable web applications, and infrastructure engineers who need comprehensive traffic monitoring. The combination provides enterprise-grade load balancing, automatic HTTPS, and production-ready observability in a single deployment. Unlike static reverse proxy solutions that require manual certificate management and configuration updates, this dynamic stack adapts automatically as services scale up or down, making it perfect for modern containerized applications that demand flexibility and reliability.

Key Features

  • Automatic service discovery from Docker containers using label-based configuration
  • Zero-downtime Let's Encrypt SSL certificate provisioning and renewal for all services
  • Real-time Traefik dashboard showing active routes, middleware, and backend health status
  • Prometheus metrics collection with custom buckets for HTTP request duration analysis
  • PromQL-powered alerting and time-series analysis of traffic patterns and errors
  • Grafana visualization with pre-configured dashboards for Traefik proxy metrics
  • Dynamic routing updates without service restarts when containers start or stop
  • Middleware support for authentication, rate limiting, and request transformation

Common Use Cases

  • Microservices architecture requiring automatic SSL and service discovery
  • Development environments with frequently changing container deployments
  • Multi-tenant SaaS platforms needing subdomain routing and SSL automation
  • API gateway deployment with comprehensive request monitoring and analytics
  • Production workloads requiring zero-downtime certificate renewals and updates
  • Container orchestration setups needing detailed traffic metrics and performance monitoring
  • Home lab environments running multiple web services with professional SSL certificates

Prerequisites

  • Docker Engine 20.10+ and Docker Compose v2 for container orchestration
  • Minimum 1GB RAM for the complete stack (Traefik 128MB, Prometheus 256MB, Grafana 256MB)
  • Valid domain name with DNS records pointing to your server for Let's Encrypt certificates
  • Ports 80, 443, 8080, and 9090 available and accessible from the internet
  • Basic understanding of Docker labels and Traefik routing concepts
  • Valid email address for ACME Let's Encrypt certificate notifications

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  traefik:
    image: traefik:latest
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    command:
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--metrics.prometheus=true"
      - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_certs:/letsencrypt
    networks:
      - traefik-net
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.dashboard.service=api@internal"

  whoami:
    image: traefik/whoami:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
    networks:
      - traefik-net
    restart: unless-stopped

  prometheus:
    image: prom/prometheus:latest
    ports:
      - "9090:9090"
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
    networks:
      - traefik-net
    restart: unless-stopped

  grafana:
    image: grafana/grafana:latest
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD}
    volumes:
      - grafana_data:/var/lib/grafana
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN}`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
    depends_on:
      - prometheus
    networks:
      - traefik-net
    restart: unless-stopped

volumes:
  traefik_certs:
  prometheus_data:
  grafana_data:

networks:
  traefik-net:
    driver: bridge
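
The management surfaces of this compose file with the published settings beside tightened ones, as an added example that is not part of the recipe. The middleware name `dashboard-auth` and the `admin:REPLACE_WITH_HTPASSWD_HASH` entry are assumptions and placeholders; every other name comes from the compose file above.

```yaml
# Added example: edits to the traefik and prometheus services of the page's
# docker-compose.yml. Keys not shown (image, command, volumes, networks,
# restart) stay as published. Edit the file in place: a compose override
# file would append these port entries to the originals, not replace them.
services:
  traefik:
    ports:
      - "80:80"                 # ACME HTTP challenge and redirect to websecure
      - "443:443"               # routed HTTPS traffic
      # Published: "8080:8080". With --api.insecure=true that serves the
      # dashboard, API and /metrics without authentication on every interface.
      - "127.0.0.1:8080:8080"   # still http://localhost:8080 from the host
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      # Same entrypoint and resolver labels the page gives whoami and grafana,
      # so the remote dashboard route is served over HTTPS only.
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      # Assumed middleware name "dashboard-auth". The user entry is a
      # placeholder in htpasswd format; double every $ of the real hash
      # as $$ when it is written in a compose file.
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:REPLACE_WITH_HTPASSWD_HASH"

  prometheus:
    ports:
      # Published: "9090:9090". Prometheus serves its UI and query API
      # without a login by default.
      - "127.0.0.1:9090:9090"
```

Prometheus still reaches `traefik:8080` and Grafana still reaches `prometheus:9090` over `traefik-net`, because container-to-container traffic does not use the host port bindings.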

.env Template

.env
# Domain Configuration
DOMAIN=example.com
ACME_EMAIL=admin@example.com

# Grafana
GRAFANA_PASSWORD=secure_grafana_password

Usage Notes

  1. Traefik dashboard at http://localhost:8080
  2. Auto SSL via Let's Encrypt
  3. Add labels to services for automatic discovery
  4. Create prometheus.yml with Traefik scrape target
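
A `prometheus.yml` for step 4, as an added example rather than a file shipped with the recipe. The job names and the 15s intervals are assumptions; the target `traefik:8080` and the `/metrics` path are the ones named under Troubleshooting.

```yaml
# prometheus.yml, mounted read-only at /etc/prometheus/prometheus.yml by the
# compose file. Added example; job names and intervals are assumptions.
global:
  scrape_interval: 15s
  evaluation_interval: 15s

scrape_configs:
  # Traefik exposes Prometheus metrics because of --metrics.prometheus=true.
  # The target is the compose service name, resolved on traefik-net, so the
  # scrape does not depend on port 8080 being published on the host.
  - job_name: traefik
    metrics_path: /metrics
    scheme: http
    static_configs:
      - targets: ["traefik:8080"]

  # Prometheus scraping itself, useful to confirm the config loaded.
  - job_name: prometheus
    static_configs:
      - targets: ["localhost:9090"]
```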

Individual Services (4 services)

Copy individual services to mix and match with your existing compose files.

traefik
traefik:
  image: traefik:latest
  ports:
    - "80:80"
    - "443:443"
    - "8080:8080"
  command:
    - "--api.insecure=true"
    - "--api.dashboard=true"
    - "--providers.docker=true"
    - "--providers.docker.exposedbydefault=false"
    - "--entrypoints.web.address=:80"
    - "--entrypoints.websecure.address=:443"
    - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
    - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
    - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
    - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
    - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    - "--metrics.prometheus=true"
    - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - traefik_certs:/letsencrypt
  networks:
    - traefik-net
  restart: unless-stopped
  labels:
    - traefik.enable=true
    - traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`)
    - traefik.http.routers.dashboard.service=api@internal

whoami
whoami:
  image: traefik/whoami:latest
  labels:
    - traefik.enable=true
    - traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)
    - traefik.http.routers.whoami.entrypoints=websecure
    - traefik.http.routers.whoami.tls.certresolver=letsencrypt
  networks:
    - traefik-net
  restart: unless-stopped

prometheus
prometheus:
  image: prom/prometheus:latest
  ports:
    - "9090:9090"
  volumes:
    - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
    - prometheus_data:/prometheus
  command:
    - "--config.file=/etc/prometheus/prometheus.yml"
    - "--storage.tsdb.path=/prometheus"
  networks:
    - traefik-net
  restart: unless-stopped

grafana
grafana:
  image: grafana/grafana:latest
  environment:
    - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD}
  volumes:
    - grafana_data:/var/lib/grafana
  labels:
    - traefik.enable=true
    - traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN}`)
    - traefik.http.routers.grafana.entrypoints=websecure
    - traefik.http.routers.grafana.tls.certresolver=letsencrypt
  depends_on:
    - prometheus
  networks:
    - traefik-net
  restart: unless-stopped

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  traefik:
    image: traefik:latest
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    command:
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--metrics.prometheus=true"
      - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_certs:/letsencrypt
    networks:
      - traefik-net
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.dashboard.service=api@internal"

  whoami:
    image: traefik/whoami:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
    networks:
      - traefik-net
    restart: unless-stopped

  prometheus:
    image: prom/prometheus:latest
    ports:
      - "9090:9090"
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
    networks:
      - traefik-net
    restart: unless-stopped

  grafana:
    image: grafana/grafana:latest
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD}
    volumes:
      - grafana_data:/var/lib/grafana
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN}`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
    depends_on:
      - prometheus
    networks:
      - traefik-net
    restart: unless-stopped

volumes:
  traefik_certs:
  prometheus_data:
  grafana_data:

networks:
  traefik-net:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Domain Configuration
DOMAIN=example.com
ACME_EMAIL=admin@example.com

# Grafana
GRAFANA_PASSWORD=secure_grafana_password
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/traefik-full-stack/run | bash

Troubleshooting

  • Let's Encrypt certificate generation fails: Ensure ports 80/443 are accessible from internet and DNS records point to your server
  • Traefik dashboard shows 'No route found' errors: Verify Docker labels are correct and containers are on the same Docker network
  • Prometheus cannot scrape Traefik metrics: Check that prometheus.yml includes Traefik endpoint at traefik:8080/metrics
  • Grafana dashboards show no data: Confirm Prometheus data source is configured correctly with URL http://prometheus:9090
  • Services not automatically discovered: Ensure traefik.enable=true label is set and Docker socket is mounted correctly
  • SSL redirect loops occurring: Verify entrypoint configuration and check if services are properly configured for HTTPS


Components

traefik, whoami, prometheus, grafana

Tags

#traefik #reverse-proxy #ssl #lets-encrypt #load-balancer

Category

DevOps & CI/CD