My configuration for Traefik 2.0, Docker, and LetsEncrypt

This is my pristine production-quality config for deploying Traefik as my front-end proxy and TLS termination server.

My guess is that if you are here then you already know what you are looking for. For the benefit of everyone else, let me give you a quick tldr;


This is my pristine production-quality config for deploying Traefik as my front-end proxy and TLS termination server. It is the outcome of piecing together various bits from the excellent Traefik 2.0 documentation website. In addition to starting Traefik the compose file also spins up a test image so that you can confirm that it works.

The docker-compose, decomposed

see what I did there? yeah...

I use docker-compose for most off my deployments it packs in the configuration and layout nicely. Traefik allows for a full config from command line arguments which obviates the need for traefik.toml files. It does, however, reqire and empty acme.json file prior to starting up.

The command line options under command: for Traefik turn on the api endpoint, enable the Docker provider, configure LetsEncrypt, and open listening ports on 80 (HTTP) and 443 (HTTPS).

The docker labels: tell Traefik to redirect all HTTP to HTTPS

You will also notice the whoami: container. The labels there tell Traefik to route all HTTPS traffic to <YOUR_DOMAIN_NAME> to that container, as well as to manage a TLS LetsEncrypt certificate.

There are also two lines that enable gzip compression on responses.


version: '3'


        container_name: traefik
        image: traefik:v2.0
            - "--api.insecure=true"
            - "--providers.docker=true"
            - "--entryPoints.web.address=:80"
            - "--entryPoints.websecure.address=:443"
            - "<YOUR_EMAIL>"
            - ""
            - "--certificatesResolvers.le.acme.tlsChallenge=true"
            - "--certificatesResolvers.le.acme.httpChallenge=true"
            - "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
        restart: always
            - 80:80
            - 443:443
            - 8080:8080
            - web
            - /var/run/docker.sock:/var/run/docker.sock
            - ./acme.json:/acme.json

            # Redirect all HTTP to HTTPS permanently
            - traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)
            - traefik.http.routers.http_catchall.entrypoints=web
            - traefik.http.routers.http_catchall.middlewares=https_redirect
            - traefik.http.middlewares.https_redirect.redirectscheme.scheme=https
            - traefik.http.middlewares.https_redirect.redirectscheme.permanent=true

        image: "containous/whoami"
        container_name: "simple-service"
        restart: always
            - web
          - traefik.http.routers.whoami.rule=Host(`<YOUR_DOMAIN_NAME>`)
          - traefik.http.routers.whoami.tls=true
          - traefik.http.routers.whoami.tls.certresolver=le
          - traefik.http.middlewares.whoami.compress=true
          - traefik.http.routers.whoami.middlewares=whoami@docker

        external: true

Things to note

Take note of an external network named web. This is an explicit convention I adopted so that I know only web traffic passes over it. This is the network over which Traefik communicates with other containers.



  • February 16, 2019 - Added labels to docker-compose.yml on the whoami container to enable gzip compression on responses.  

Subscribe to Simple CTO

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.