I’ve been trying to simplify my server’s deployment configuration for a while now. Specifically, I’ve been running nginx on bare metal and all my services in docker. It’s been great and I think there’s value in insulating the web server and reverse proxy from other services.

nginx

nginx is probably a bit too powerful for my needs. I’ve been typically just using it as a reverse proxy and all of my site configurations look pretty much the same.

I wanted to look at other options that would hopefully have simpler configurations or even automated configurations. It would also be nice to have everything in a single docker compose file.

I didn’t realize this at the time, but there are some web servers / reverse proxy managers that automate certificate generation and renewal. I’ve had issues in the past where issues with certbot and custom scripts have led to expired certificates.

Traefik

Traefik seemed to check all the boxes. There were plenty of other options like Caddy, nginx proxy manager etc but I decided to just go with Traefik. Traefik uses docker labels to configure things automatically.

Previous setup

In my previous setup, I had a single docker compose file with a bunch of services and an nginx server that acted as a reverse proxy. Using Nextcloud as an example:

upstream nextcloud_backend {
  server    127.0.0.1:8081;
  keepalive 32;
}

server {
  server_name         nc.example.com;
  location / {
    proxy_pass http://nc_backend;
    #proxy_set_header Host nc.example.com;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    client_max_body_size 10G;
  }
  location /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
  }

  location /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /path/to/certs/example.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /path/to/certs/example.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
  if ($host = nc.example.com) {
      return 301 https://$host$request_uri;
  }
  server_name         nc.example.com;
  listen 80;
    return 404;
}

As you can probably notice, a lot of the config is just boilerplate. Here’s how my docker compose was configured:

services:
  # Database for nextcloud
  nextcloud_db:
    image: mariadb:10.6
    container_name: nextcloud_db
    restart: unless-stopped
    user: ${PUID}:${PGID}
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - /path/to/configs/nextcloud_db:/var/lib/mysql
    environment:
      - MYSQL_PASSWORD=password
      - MYSQL_ROOT_PASSWORD=rootpassword
      - MYSQL_DATABASE=mysqldb
      - MYSQL_USER=mysqldbuser

  nextcloud:
    image: nextcloud
    container_name: nextcloud
    restart: unless-stopped
    #user: ${PUID}:${PGID}
    links:
      - nextcloud_db
    volumes:
      - /path/to/configs/nextcloud:/var/www/html
      - /path/to/configs/nextcloud/apps:/var/ww/html/custom_apps
      - /path/to/configs/nextcloud/config:/var/ww/html/config
      - /path/to/data/nextcloud:/var/www/html/data
    environment:
      - NEXTCLOUD_TRUSTED_DOMAINS=nc.example.com
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=nextcloud_db
    expose:
      - 80

New setup

The first step was to add Traefik to the docker compose file

traefik:
    image: "traefik:v3.3"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--api.debug=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "[email protected]"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
      - ./traefik:/opt/conf
    labels:
      - "traefik.http.routers.api.rule=Host(`dash.example.com`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

The above sets Traefik up to listen on ports 80 and 443. It also sets up LetsEncrypt to certificate generation and renewal happen automatically. It also exposes a dashboard on port 8080 that allows you to view all the services that have been configured.

Exposing the Nextcloud service is as simple as adding a bunch of labels to the Nextcloud service:

nextcloud:
  image: nextcloud
  container_name: nextcloud
  ...
  labels:
    traefik.enable: true
    traefik.http.routers.nextcloud.rule: Host(`nc.example.com`)
    traefik.http.routers.nextcloud.entrypoints: websecure
    traefik.http.routers.nextcloud.tls.certresolver: letsencrypt

The config exposes Nextcloud on https://nc.example.com.

Traefik is very powerful and has made my configuration a lot simpler. It is a bit difficult to initially get started because simple examples aren’t easy to find but once you get going, it starts to make a bit more sense.