Introduction
In this guide, we will walk through the steps to deploy Traefik, a popular open-source reverse proxy and load balancer, and configure it to work with Cloudflare for enhanced security and performance.
Prerequisites
Before we begin, ensure you have the following prerequisites in place:
- A server or virtual machine with Docker installed.
- A Cloudflare account with a domain configured.
- Basic knowledge of Docker and Traefik.
Logical Diagram
+-------------------+          +------------------+
|                   |          |                  |
|  Client Browser   +--------->|    Cloudflare    |
|                   |          |                  |
+-------------------+          +--------+---------+
                                        |
                                        |
                               +--------v---------+
                               |                  |
                               | Traefik Reverse  |
                               |      Proxy       |
                               |                  |
                               +--------+---------+
                                        |
                                        |
                               +--------v---------+
                               |                  |
                               |   Backend Apps   |
                               |                  |
                               +------------------+
Step 1: Deploy Traefik with Docker
a. Create a docker-compose.yml file to define the Traefik service:
# Define the services to be run by Docker Compose
services:
  traefik:
    image: traefik:v3.4 # Use Traefik version 3.4 image
    container_name: traefik # Name the container "traefik"
    restart: unless-stopped # Always restart unless explicitly stopped
    security_opt:
      - no-new-privileges:true # Prevent container from gaining new privileges
    ports:
      - "80:80" # Expose HTTP on port 80
      - "443:443" # Expose HTTPS on port 443
    environment:
      - TZ=Asia/Dhaka # Set timezone
      - CF_API_EMAIL=your-cloudflare-email@example.com # Cloudflare account email for DNS challenge
      - CF_DNS_API_TOKEN=your-cloudflare-dns-token # Cloudflare API token for DNS challenge
    volumes:
      # The Docker provider in traefik.yml reads container labels through the Docker API socket (mounted read-only)
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Make sure acme.json exists, is chmod 600, and owned by the Traefik user to avoid permission errors.
      - ./traefik-data/acme.json:/acme.json
      - ./traefik-data/traefik.yml:/etc/traefik/traefik.yml # Traefik static configuration file
    networks:
      - web # Attach to the external "web" network
    labels:
      - "traefik.enable=true" # Enable Traefik for this container
      # Dashboard configuration
      - "traefik.http.routers.dashboard.rule=Host(`traefik.your-domain.com`)" # Dashboard accessible at this domain
      - "traefik.http.routers.dashboard.service=api@internal" # Use Traefik's internal API service
      - "traefik.http.routers.dashboard.tls=true" # Enable TLS for the dashboard
      - "traefik.http.routers.dashboard.tls.certresolver=cloudflare" # Use Cloudflare DNS challenge for certificates
      - "traefik.http.routers.dashboard.entrypoints=websecure" # Use the "websecure" entrypoint (usually port 443)
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth" # Protect dashboard with basic auth
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$XXXXXXXXXXXXXXX" # Basic auth user (bcrypt hash)
networks:
  web:
    external: true # Use an external network named "web"
Notes:
- Replace the placeholder bcrypt hash above with a real hash. You can generate one at https://bcrypt-generator.com/ or using the htpasswd tool.
- Define the external network for Traefik to communicate with other services
b. Create the necessary directory and files for the Traefik configuration and set the file permissions:
# Create the directory for Traefik data if it doesn't exist
mkdir -p traefik-data
# Create the acme.json file to store TLS certificates
touch traefik-data/acme.json
# Set strict permissions so only the owner can read/write (required by Traefik)
chmod 600 traefik-data/acme.json
c. Create the traefik.yml configuration file inside the traefik-data directory:
api:
  dashboard: true # Enable the Traefik dashboard
  insecure: false # Disable insecure access to the dashboard
entryPoints: # Define entry points for HTTP and HTTPS
  web:
    address: ":80" # Listen on port 80 for HTTP
    http: # Configure HTTP settings
      redirections: # Set up redirections
        entryPoint: # Redirect HTTP
          to: websecure # to HTTPS
          scheme: https # Use HTTPS scheme
  websecure: # Define HTTPS entry point
    address: ":443" # Listen on port 443 for HTTPS
providers: # Define providers for Traefik
  docker: # Use Docker as a provider
    exposedByDefault: false # Do not expose all containers by default
    network: web # Use the "web" network for Docker provider
certificatesResolvers: # Define certificate resolvers
  cloudflare: # Use Cloudflare DNS challenge
    acme: # ACME configuration
      email: your email address # Your email for Let's Encrypt notifications
      storage: /acme.json # Path to store certificates
      dnsChallenge: # Use DNS challenge for certificate validation
        provider: cloudflare # Use Cloudflare as the DNS provider
        resolvers: # DNS resolvers to use for the challenge
          - "1.1.1.1:53" # Cloudflare DNS
          - "8.8.8.8:53" # Google DNS
log: # Configure logging
  level: error # Set log level to error
d. Start the Traefik container using Docker Compose:
docker compose -f docker-compose.yml up -d
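A pre-flight check to run before the command above, as an added example that is not part of the original guide: it confirms that acme.json is a regular file with mode 600 and that the basic-auth value in the dashboard label is a real bcrypt hash with every `$` doubled for Compose. The function names and the script name preflight.sh are illustrative.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the Step 1 files. Added example; names are illustrative.

# Print a file's permission bits in octal (GNU stat, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# acme.json stores the ACME account key and certificate private keys.
# If the file is missing when the container starts, Docker creates a
# directory at the bind-mount path, so require a regular file with mode 600.
check_acme_file() {
  if [ -L "$1" ] || [ ! -f "$1" ]; then
    echo "FAIL: $1 is missing or not a regular file"; return 1
  fi
  _mode="$(file_mode "$1")"
  if [ "$_mode" != "600" ]; then
    echo "FAIL: $1 has mode $_mode, expected 600"; return 1
  fi
  echo "OK: $1"
}

# Convert raw htpasswd output (user:$2y$...) to the form a Compose label needs.
escape_for_compose() {
  printf '%s' "$1" | sed 's/\$/$$/g'
}

# Validate the basicauth users value as written in docker-compose.yml: a
# user:hash entry whose bcrypt hash ($2a/$2b/$2y, 2-digit cost, 53 characters)
# has every "$" doubled so Compose does not treat it as a variable.
check_basicauth_label() {
  case "$1" in
    *XXXX*) echo "FAIL: placeholder hash still in place"; return 1 ;;
  esac
  if printf '%s' "$1" | grep -Eq '^[^:$]+:\$\$2[aby]\$\$[0-9]{2}\$\$[./A-Za-z0-9]{53}$'; then
    echo "OK: basicauth entry"
  elif printf '%s' "$1" | grep -Eq '^[^:$]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
    echo "FAIL: bcrypt hash is not escaped; double every dollar sign"; return 1
  else
    echo "FAIL: not a user:bcrypt-hash entry"; return 1
  fi
}

# Run both checks when called as: ./preflight.sh <acme.json path> '<users value>'
if [ "$#" -eq 2 ]; then
  check_acme_file "$1" && check_basicauth_label "$2"
fi
```

Pass the users value in single quotes so the shell leaves the `$` characters alone; `escape_for_compose` converts the raw output of a local `htpasswd -nB admin` run into the doubled form.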
Step 2: Configure Cloudflare DNS
a. Log in to your Cloudflare account and navigate to the DNS settings for your domain.
b. Add a CNAME record for your Traefik dashboard:
- Type: CNAME
- Name: traefik
- Target: your-server-ip-or-domain
- TTL: Auto
c. Ensure that the proxy status is enabled (orange cloud icon) for the CNAME record.
Step 3: Access the Traefik Dashboard
- Open your web browser and navigate to https://traefik.your-domain.com.
- You should see the Traefik dashboard login prompt. Enter the username and password you configured in the docker-compose.yml file.
- Once logged in, you can monitor and manage your Traefik instance.
Conclusion
You have successfully deployed Traefik and configured it to work with Cloudflare. You can now take advantage of Traefik’s powerful features along with Cloudflare’s security and performance enhancements for your