Abel Garcia

How to Use Traefik as a Reverse Proxy with Docker

This Traefik tutorial shows how to use Traefik as a reverse proxy with Docker, configure routing, enable HTTPS, and deploy a containerized web service.

Introduction

Deploying and exposing Dockerized applications securely is a core challenge in modern development. Enter Traefik, a powerful cloud-native reverse proxy that dynamically manages traffic routing to your services. Whether you’re hosting APIs, dashboards, or microservices, Traefik offers seamless Docker integration, automatic HTTPS via Let’s Encrypt, and smart routing logic out of the box.

In this Traefik tutorial, you’ll learn how to set up Traefik as a reverse proxy with Docker using a real-world example. We’ll cover HTTPS, routers, services, middlewares, and troubleshooting tips—everything you need to get started confidently.

Table of Contents

What is Traefik and Why Use It

Traefik is a modern reverse proxy and load balancer designed to manage microservices and containerized environments. Unlike traditional proxies like NGINX, Traefik dynamically discovers services and updates its configuration without a restart. This feature is crucial for environments that change frequently, such as during deployments or scaling events.

Traefik acts as a gateway between your clients and services, intelligently routing HTTP(S) requests to the correct backend. It is especially powerful in DevOps setups where automation, scalability, and observability are priorities.

Benefits of Traefik as a Reverse Proxy

Here’s why Traefik stands out for Docker-based projects:

  • Dynamic Service Discovery: Automatically updates routes as containers start and stop.
  • Docker-Native: Reads labels on containers to configure routers, services, and TLS.
  • Let’s Encrypt Support: Automatically provisions and renews SSL certificates.
  • Extensible Middlewares: Supports redirect rules, authentication, rate limiting, and more.
  • Lightweight and Fast: Minimal configuration with a fast Go-based runtime.
  • Dashboard UI: Visualize services, routers, and errors in real-time.

For teams adopting infrastructure-as-code, Traefik provides a robust, secure, and developer-friendly solution.

Step-by-Step Setup Using Docker Compose

Let’s walk through a basic Docker Compose setup that includes Traefik and a demo container using labels for routing.

File Structure

.
├── docker-compose.yml
└── traefik
    ├── traefik.yml
    └── acme.json

docker-compose.yml

services:
  traefik:
    image: traefik:v3.4.0-rc1
    command:
      - --configFile=/etc/traefik/traefik.yml
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/acme.json:/acme.json
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

traefik.yml

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false

certificatesResolvers:
  myresolver:
    acme:
      email: your-email@example.com
      storage: /acme.json
      httpChallenge:
        entryPoint: web

Make sure to create the acme.json file with correct permissions:

touch traefik/acme.json
chmod 600 traefik/acme.json

Configure Routers, Services, and Middlewares

Traefik works using the following core concepts:

  • Routers match incoming requests based on domain or path.
  • Services define which container or backend receives the request.
  • Middlewares modify requests or add features like redirection or auth.

Here’s how to force HTTPS using middleware:

labels:
  - "traefik.http.routers.myapp.rule=Host(`myapp.localhost`)"
  - "traefik.http.routers.myapp.entrypoints=web"
  - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  - "traefik.http.routers.myapp.middlewares=redirect-to-https"

This configuration catches insecure HTTP requests and forwards them to HTTPS before routing to the backend.

Enable HTTPS with Let’s Encrypt

To enable HTTPS automatically:

  1. Set up an ACME resolver in traefik.yml.
  2. Add tls.certresolver=myresolver to the router.
  3. Ensure ports 80 and 443 are exposed and reachable.
  4. Use valid domains or map *.localhost in /etc/hosts.

Once set up, Traefik handles certificate requests and renewals transparently.

Traefik Docker Example Project

This example launches Traefik and a demo app behind HTTPS. Run the following:

docker-compose up -d

Then, in your browser, go to:

https://whoami.localhost

You should see a simple response from the whoami container with request metadata. Verify the SSL certificate via your browser to confirm HTTPS is active.

Common Mistakes and Troubleshooting Tips

  • Permission denied on acme.json: Fix with chmod 600 traefik/acme.json.
  • Domain not resolving: Add 127.0.0.1 whoami.localhost to /etc/hosts.
  • Certs not issued: Ensure port 80 is open and email is correct.
  • Container unreachable: Check Docker labels and service names.
  • Dashboard not visible: Enable with --api.dashboard=true and expose port 8080.

Use docker logs traefik for real-time feedback and inspect router status in the dashboard.

Conclusion and Next Steps

You’ve now configured Traefik as a reverse proxy with Docker, enabling automatic HTTPS and dynamic service routing. Traefik simplifies deployment and enhances the security and observability of your Docker-based services.

What’s Next?

  • Integrate with production domains and DNS providers
  • Use Traefik middlewares for rate limiting or OAuth2
  • Deploy Traefik with Kubernetes using CRDs
  • Connect with Keycloak for identity-aware routing

References