traefikletsencryptsslreverse-proxyhttps

Traefik + Let's Encrypt

A production-ready Traefik v3 reverse proxy stack with automatic HTTPS via Let's Encrypt ACME certificate provisioning. Traefik watches the Docker socket for container labels to dynamically configure routing rules, eliminating the need for manual configuration files. HTTP traffic is automatically redirected to HTTPS, and certificates are stored in a named volume for persistence across restarts. A lightweight whoami test service is included to verify that routing and SSL are working correctly out of the box. The Traefik dashboard is optionally accessible for real-time monitoring of routers, services, and middlewares. This stack serves as the ideal entry point for adding SSL-terminated reverse proxying to any Docker-based infrastructure.

Open in Editor All Templates2 services · 1 networks · 2 volumes

Included Services

traefik

traefik:v3.2

restart: unless-stopped

Ports: 80:80, 443:443, 8080:8080

volumes: 3 mounts

Env vars: 3

healthcheck

Environment Variables:

ACME_EMAIL=${ACME_EMAIL:[email protected]}

TRAEFIK_DASHBOARD=${TRAEFIK_DASHBOARD:-true}

TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-INFO}

whoami

traefik/whoami:v1.10

restart: unless-stopped

healthcheck

Generated YAML

# Generated by ComposeHub (composehub.dev)
name: traefik-letsencrypt
services:
  traefik:
    image: traefik:v3.2
    restart: unless-stopped
    command:
      - "--api.dashboard=${TRAEFIK_DASHBOARD:-true}"
      - "--api.insecure=${TRAEFIK_API_INSECURE:-true}"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxy"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL:[email protected]}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--log.level=${TRAEFIK_LOG_LEVEL:-INFO}"
      - "--accesslog=${TRAEFIK_ACCESS_LOG:-true}"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_certs:/letsencrypt
      - traefik_config:/etc/traefik
    environment:
      ACME_EMAIL: ${ACME_EMAIL:[email protected]}
      TRAEFIK_DASHBOARD: ${TRAEFIK_DASHBOARD:-true}
      TRAEFIK_LOG_LEVEL: ${TRAEFIK_LOG_LEVEL:-INFO}
    networks:
      - proxy
    healthcheck:
      test:
        - CMD
        - traefik
        - healthcheck
        - "--ping"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    deploy:
      resources:
        limits:
          cpus: "1.00"
          memory: 256M
        reservations:
          cpus: "0.10"
          memory: 64M
    labels:
      com.composeforge.description: Traefik v3 reverse proxy with automatic SSL
  whoami:
    image: traefik/whoami:v1.10
    restart: unless-stopped
    networks:
      - proxy
    healthcheck:
      test:
        - CMD-SHELL
        - wget --no-verbose --tries=1 --spider http://localhost:80/ || exit 1
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    deploy:
      resources:
        limits:
          cpus: "0.10"
          memory: 32M
        reservations:
          cpus: "0.02"
          memory: 8M
    labels:
      traefik.enable: "true"
      traefik.http.routers.whoami.rule: Host(`${WHOAMI_DOMAIN:-whoami.localhost}`)
      traefik.http.routers.whoami.entrypoints: websecure
      traefik.http.routers.whoami.tls.certresolver: letsencrypt
      traefik.http.services.whoami.loadbalancer.server.port: "80"
      com.composeforge.description: Whoami test service for verifying Traefik routing
networks:
  proxy:
    driver: bridge
volumes:
  traefik_certs:
    driver: local
  traefik_config:
    driver: local

Quick Info

Services: 2
Networks: 1
Volumes: 2

When to Use

This template is ideal for setting up a traefik + let's encrypt environment. All services are pre-configured with healthchecks, resource limits, and sensible defaults. Customize environment variables before deploying to production.

Tips

Change all default passwords before deploying
Review resource limits for your hardware
Add a reverse proxy for production HTTPS
Configure backup strategies for data volumes

Open in Editor

Traefik + Let's Encrypt

Included Services

traefik

traefik:v3.2

restart: unless-stopped

Ports: 80:80, 443:443, 8080:8080

volumes: 3 mounts

Env vars: 3

healthcheck

Environment Variables:

ACME_EMAIL=${ACME_EMAIL:[email protected]}

TRAEFIK_DASHBOARD=${TRAEFIK_DASHBOARD:-true}

TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-INFO}

whoami

traefik/whoami:v1.10

restart: unless-stopped

healthcheck

Generated YAML

# Generated by ComposeHub (composehub.dev)
name: traefik-letsencrypt
services:
  traefik:
    image: traefik:v3.2
    restart: unless-stopped
    command:
      - "--api.dashboard=${TRAEFIK_DASHBOARD:-true}"
      - "--api.insecure=${TRAEFIK_API_INSECURE:-true}"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxy"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL:[email protected]}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--log.level=${TRAEFIK_LOG_LEVEL:-INFO}"
      - "--accesslog=${TRAEFIK_ACCESS_LOG:-true}"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_certs:/letsencrypt
      - traefik_config:/etc/traefik
    environment:
      ACME_EMAIL: ${ACME_EMAIL:[email protected]}
      TRAEFIK_DASHBOARD: ${TRAEFIK_DASHBOARD:-true}
      TRAEFIK_LOG_LEVEL: ${TRAEFIK_LOG_LEVEL:-INFO}
    networks:
      - proxy
    healthcheck:
      test:
        - CMD
        - traefik
        - healthcheck
        - "--ping"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    deploy:
      resources:
        limits:
          cpus: "1.00"
          memory: 256M
        reservations:
          cpus: "0.10"
          memory: 64M
    labels:
      com.composeforge.description: Traefik v3 reverse proxy with automatic SSL
  whoami:
    image: traefik/whoami:v1.10
    restart: unless-stopped
    networks:
      - proxy
    healthcheck:
      test:
        - CMD-SHELL
        - wget --no-verbose --tries=1 --spider http://localhost:80/ || exit 1
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    deploy:
      resources:
        limits:
          cpus: "0.10"
          memory: 32M
        reservations:
          cpus: "0.02"
          memory: 8M
    labels:
      traefik.enable: "true"
      traefik.http.routers.whoami.rule: Host(`${WHOAMI_DOMAIN:-whoami.localhost}`)
      traefik.http.routers.whoami.entrypoints: websecure
      traefik.http.routers.whoami.tls.certresolver: letsencrypt
      traefik.http.services.whoami.loadbalancer.server.port: "80"
      com.composeforge.description: Whoami test service for verifying Traefik routing
networks:
  proxy:
    driver: bridge
volumes:
  traefik_certs:
    driver: local
  traefik_config:
    driver: local