> ## Documentation Index
> Fetch the complete documentation index at: https://testdocs.riad.com.bd/llms.txt
> Use this file to discover all available pages before exploring further.

# Deploy Traefik and Configure with Cloudflare

> A step-by-step guide to deploying Traefik as a reverse proxy and configuring it with Cloudflare for DNS challenge.

## Introduction

In this guide, we will walk through the steps to deploy <Icon icon="https://mintcdn.com/thedailyprothomalo/VtlDC2UXePiaGJvq/icons/Traefik%20Proxy.svg?fit=max&auto=format&n=VtlDC2UXePiaGJvq&q=85&s=a78df8c6adb2cbea5db1be2782f1c608" iconType="solid" width="128" height="128" data-path="icons/Traefik Proxy.svg" />Traefik, a popular open-source reverse proxy and load balancer, and configure it to work with Cloudflare for enhanced security and performance.

<Info>
  ## Prerequisites

  Before we begin, ensure you have the following prerequisites in place:

  * A server or virtual machine with Docker installed.
  * A Cloudflare account with a domain configured.
  * Basic knowledge of Docker and Traefik.
</Info>

## Logical Diagram

```plaintext theme={null}
+-------------------+          +------------------+
|                   |          |                  |
|   Client Browser  +--------->|   Cloudflare     |
|                   |          |                  |
+-------------------+          +--------+---------+
                                        |                     +------------------+
                                        |                     |                  |  
                                        +-------------------->  Traefik Reverse  |      
                                                              |     Proxy        |
                                                              |                  |
                                                              +--------+---------+
                                                                       |
                                                                       |
                                                              +--------v---------+
                                                              |                  |
                                                              |   Backend Apps   |
                                                              |                  |
                                                              +------------------+            
```

## Step 1: Deploy Traefik with Docker

a. Create a `docker-compose.yml` file to define the Traefik service:

```yaml theme={null}
    # Define the services to be run by Docker Compose
    services:
    traefik:
        image: traefik:v3.4  # Use Traefik version 3.4 image
        container_name: traefik  # Name the container "traefik"
        restart: unless-stopped  # Always restart unless explicitly stopped
        security_opt:
        - no-new-privileges:true  # Prevent container from gaining new privileges
        ports:
        - "80:80"    # Expose HTTP on port 80
        - "443:443"  # Expose HTTPS on port 443
        environment:
        - TZ=Asia/Dhaka  # Set timezone
        - CF_API_EMAIL=your-cloudflare-email@example.com  # Cloudflare account email for DNS challenge
        - CF_DNS_API_TOKEN=your-cloudflare-dns-token      # Cloudflare API token for DNS challenge
        volumes:
    - ./traefik-data/acme.json:/acme.json
    # Make sure acme.json exists, is chmod 600, and owned by the Traefik user to avoid permission errors.
    - ./traefik-data/traefik.yml:/etc/traefik/traefik.yml
        - ./traefik-data/traefik.yml:/etc/traefik/traefik.yml  # Traefik static configuration file
        networks:
        - web  # Attach to the external "web" network
        labels:
        - "traefik.enable=true"  # Enable Traefik for this container
        # Dashboard configuration
        - "traefik.http.routers.dashboard.rule=Host(`traefik.your-domain.com`)"  # Dashboard accessible at this domain
        - "traefik.http.routers.dashboard.service=api@internal"  # Use Traefik's internal API service
        - "traefik.http.routers.dashboard.tls=true"  # Enable TLS for the dashboard
        - "traefik.http.routers.dashboard.tls.certresolver=cloudflare"  # Use Cloudflare DNS challenge for certificates
        - "traefik.http.routers.dashboard.entrypoints=websecure"  # Use the "websecure" entrypoint (usually port 443)
        - "traefik.http.routers.dashboard.middlewares=dashboard-auth"  # Protect dashboard with basic auth
        - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$XXXXXXXXXXXXXXX"  # Basic auth user (bcrypt hash)
    networks:
        web:
        external: true  # Use an external network named "web"
```

<Note>
  ## Notes:

  * Replace the placeholder bcrypt hash above with a real hash. You can generate one at [https://bcrypt-generator.com/](https://bcrypt-generator.com/) or using the `htpasswd` tool.
  * Define external network for Traefik to communicate with other services
  * Define the external network for Traefik to communicate with other services
</Note>

b. Create the necessary directories and files and change the directory permission for Traefik configuration:

### Create the directory for Traefik data if it doesn't exist

```bash theme={null}
mkdir -p traefik-data
```

### Create the acme.json file to store TLS certificates

```bash theme={null}
touch traefik-data/acme.json
```

### Set strict permissions so only the owner can read/write (required by Traefik)

```bash theme={null}
chmod 600 traefik-data/acme.json
```

c. Create the `traefik.yml` configuration file inside the `traefik-data` directory:

```yaml theme={null}
api:
dashboard: true # Enable the Traefik dashboard
insecure: false # Disable insecure access to the dashboard

entryPoints: # Define entry points for HTTP and HTTPS
web:
    address: :80 # Listen on port 80 for HTTP
    http: # Configure HTTP settings
    redirections: # Set up redirections
        entryPoint: # Redirect HTTP
        to: websecure # to HTTPS
        scheme: https # Use HTTPS scheme
websecure: # Define HTTPS entry point
    address: :443 # Listen on port 443 for HTTPS

providers: # Define providers for Traefik
docker: # Use Docker as a provider
    exposedByDefault: false # Do not expose all containers by default
    network: web # Use the "web" network for Docker provider

certificatesResolvers: # Define certificate resolvers
cloudflare: # Use Cloudflare DNS challenge
    acme: # ACME configuration
    email: your email address # Your email for Let's Encrypt notifications
    storage: /acme.json # Path to store certificates
    dnsChallenge: # Use DNS challenge for certificate validation
        provider: cloudflare # Use Cloudflare as the DNS provider
        resolvers: # DNS resolvers to use for the challenge
        - "1.1.1.1:53" # Cloudflare DNS
        - "8.8.8.8:53" # Google DNS
log: # Configure logging
level: error # Set log level to error

```

d. Start the Traefik container using Docker Compose:

```bash theme={null}
docker compose -f docker-compose.yml up -d
```

## Step 2: Configure Cloudflare DNS

a. Log in to your Cloudflare account and navigate to the DNS settings for your domain.
b. Add a CNAME record for your Traefik dashboard:

* Type: CNAME
* Name: traefik
* Target: your-server-ip-or-domain
* TTL: Auto
  c. Ensure that the proxy status is enabled (orange cloud icon) for the CNAME record.

## Step 3: Access the Traefik Dashboard

1. Open your web browser and navigate to `https://traefik.your-domain.com`.
2. You should see the Traefik dashboard login prompt. Enter the username and password you configured in the `docker-compose.yml` file.
3. Once logged in, you can monitor and manage your Traefik instance.

## Conclusion

You have successfully deployed Traefik and configured it to work with Cloudflare. You can now take advantage of Traefik's powerful features along with Cloudflare's security and performance enhancements for your
