Set Up Traefik with Docker: Secure, Smart HTTPS Routing

Sarthak Varshney
5h
134
0
1

Article

Suppose you’ve ever tried hosting multiple Docker containers and exposing them to the web. In that case, you know the struggle — ports everywhere, SSL certificate hassles, endless configuration edits… and every time a container restarts, you’re back fixing routes.

That’s where Traefik comes in — a cloud-native reverse proxy designed to make container routing automatic, secure, and smart.

In this article, we’ll walk you through the entire setup process, deploying Traefik with Docker, enabling HTTPS (either self-signed or Let’s Encrypt), and auto-redirecting HTTP traffic to HTTPS.

By the end, you’ll have a fully working Traefik environment with two public endpoints — a test app and the Traefik dashboard — both running securely.

What is Traefik?

Traefik (pronounced “traffic”) is an open-source reverse proxy and load balancer built for modern microservice environments.

Instead of manually configuring Nginx or Apache for every new container, Traefik automatically detects containers, reads their metadata, and routes requests to them — all without restarts.

Think of it as a traffic cop for your Docker ecosystem:

It listens for containers.
It assigns routes based on labels.
It manages SSL certificates automatically.
It redirects HTTP to HTTPS by default.

No more port juggling or certificate headaches.

Why Use Traefik?

When I first started deploying containerized apps, I spent hours writing and editing Nginx configs — and even longer troubleshooting SSL renewals. Traefik completely changed that experience.

Here’s why developers and DevOps engineers love it:

Feature	Description
Automatic Service Discovery	Traefik connects to Docker and auto-detects containers.
Built-in HTTPS	Self-signed or Let’s Encrypt certificates with zero hassle.
Dynamic Configuration	No need to restart when services start or stop.
Visual Dashboard	Monitor routes, certificates, and traffic visually.
Cloud-Native Integration	Works with Docker, Kubernetes, ECS, and more.

Our Setup

We’ll deploy:

Traefik (reverse proxy + dashboard)
Whoami (test container to confirm routing)
Automatic HTTP → HTTPS redirect

Your environment will include:

https://traefik.sarthakvarshney.in → test service
https://traefik-dashboard.sarthakvarshney.in → dashboard

Step 1: Directory Structure

Create a folder for your setup:

mkdir traefik-docker
cd traefik-docker

Then create these files:

traefik-docker/
├── docker-compose.yml
├── traefik.yml
└── dynamic/  (optional for extra configs)

Step 2: Final `traefik.yml` (HTTP → HTTPS Redirect)

This is your Traefik configuration file, which defines entry points, redirection rules, and Docker provider access.

api:dashboard: trueinsecure: true

entryPoints:web:
    address: ":80"
    # HTTP to HTTPS Redirection
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"

providers:docker:
    exposedByDefault: false

What’s Happening Here:

dashboard: true → Enables Traefik’s built-in dashboard.
web and websecure → Define HTTP and HTTPS entry points.
Redirection → All HTTP traffic automatically goes to HTTPS.
Docker provider → Lets Traefik auto-detect containers and labels.

Step 3: Final `docker-compose.yml` (Your Working Setup)

This file launches Traefik and the test container (whoami).

version: "3.8"

services:traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    command:
      # Use the traefik.yml file
      - --configFile=/etc/traefik/traefik.yml
      # Explicitly enable API/dashboard
      - --api.dashboard=true
      - --api.insecure=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Mount the Docker socket for provider access
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the traefik.yml config file
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      # Volume for dynamic configuration
      - ./dynamic:/etc/traefik/dynamic
    networks:
      - web
    labels:
      # Route for the Traefik Dashboard (via HTTPS)
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik-dashboard.sarthakvarshney.in`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.service=api@internal"

  whoami:
    image: traefik/whoami
    container_name: simple-service
    networks:
      - web
    labels:
      # Router for the whoami service (via HTTPS)
      - "traefik.enable=true"
      - "traefik.http.routers.myapp.rule=Host(`traefik.sarthakvarshney.in`)"
      - "traefik.http.routers.myapp.entrypoints=websecure"
      - "traefik.http.routers.myapp.tls=true"  # Self-signed certificate
      - "traefik.http.services.myapp.loadbalancer.server.port=80"

networks:web:
    external: false

What This File Does

Exposes ports 80 and 443 for HTTP/HTTPS.
Mounts the Docker socket for real-time container discovery.
Defines two routes:
- Dashboard → https://traefik-dashboard.sarthakvarshney.in
- Whoami Test → https://traefik.sarthakvarshney.in
Automatically redirects HTTP → HTTPS.

traefik-dashboard.sarthakvarshney.in_dashboard_

Step 4: Run Traefik

Now it’s time to bring everything to life:

docker compose down
docker compose up -d

You’ll see logs similar to:

traefik  | Configuration loaded from file: /etc/traefik/traefik.yml
traefik  | Starting provider *docker
traefik  | Server listening on :80 and :443

Step 5: Access Your Services

Test your setup:

Service	URL	Purpose
Traefik Dashboard	`https://traefik-dashboard.sarthakvarshney.in`	Visual monitor
Whoami Service	`https://traefik.sarthakvarshney.in`	Confirms routing

Expected behavior:

Visiting http://traefik.sarthakvarshney.in redirects automatically to HTTPS.
You’ll see a header-style response from the Whoami service (showing IP, headers, etc.).
The dashboard opens at its subdomain.

You may see a “connection not private” warning — this is normal for self-signed certificates.

Bonus: Enable Let’s Encrypt (Optional for Production)

If you want real, trusted HTTPS certificates:

Add this block to traefik.yml:

certificatesResolvers:letsencrypt:
    acme:
      email: [email protected]
      storage: acme.json
      httpChallenge:
        entryPoint: web

Update router labels:

- "traefik.http.routers.myapp.tls.certresolver=letsencrypt"- "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"

Create the ACME storage file:
```
touch acme.json
chmod 600 acme.json
```
Restart Traefik:
```
docker compose up -d
```

Once the certificate is issued, you’ll have a fully secure HTTPS setup — perfect for production.

Quick Troubleshooting Tips

Problem	Fix
“Connection not private” warning	Expected for self-signed HTTPS. Add Let’s Encrypt resolver for real SSL.
Dashboard not loading	Check your domain DNS record or router label.
Port already in use	Ensure ports 80 and 443 are not used by another service (like Nginx).
No route found	Verify the container labels and that `traefik.enable=true`is set.

Final Thoughts

With Traefik running alongside Docker, you now have a powerful, flexible reverse proxy that:

Auto-discovers containers
Handles SSL for you
Provides a built-in dashboard
Keeps your networking clean and manageable

Whether you’re hosting internal tools, microservices, or client projects, Traefik will simplify your life — no manual configs, no restart loops, just automated, dynamic routing.

It’s one of those tools that feels like magic the first time you use it — and now, you’ve got it running on your own infrastructure.