Compose-Examples/examples/traefik/docker-compose-command-config.yml

# This docker compose example configures traefik by command definitions.
# This makes the traefik.yml static configuration obsolete.
# Note that we still reference a dynamic configuration for best practice
services:

  traefik:
    image: traefik:v3.3
    container_name: traefik
    restart: always
    command:
      - "--providers.docker=true" # enable docker provider
      - "--providers.docker.network=proxy" # define default network to monitor for docker provider
      - "--providers.docker.endpoint=tcp://socket-proxy:2375" # define socket-proxy as docker socket
      - "--providers.docker.exposedbydefault=false" # do not expose docker hosts per default
      - "--providers.file.watch=true" # monitor file provider for changes
      - "--providers.file.filename=/etc/traefik/fileConfig.yml" # location of the dynamic configuration
      - "--entrypoints.http.address=:80" # entrypoint for unencrypted http
      - "--entrypoints.http.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" # define cloudflare ip ranges as trusted
      - "--entrypoints.http.http.redirections.entryPoint.to=https" # automatic redirect from http to https
      - "--entrypoints.http.http.redirections.entryPoint.scheme=https" # automatic redirect from http to https
      - "--entrypoints.https.address=:443" # entrypoint for encrypted https
      - "--entrypoints.https.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" # define cloudflare ip ranges as trusted
      - "--entrypoints.https.http.middlewares=security-headers@file,rate-limit@file" # define default middlewares for all proxy entries
      - "--api.dashboard=true" # enable traefik api dashboard
      - "--api.insecure=true" # expose traefik api dashboard on TCP/8080 without need for router
      ####################################################
      # !!! ADJUST TO YOUR INFRASTRUCTURE SETUP BELOW !!!!
      - "--entrypoints.https.http.tls.certresolver=myresolver" # define default cert resolver
      - "--entrypoints.https.http.tls.domains[0].main=example.com" # define main domain, change to your domain
      - "--entrypoints.https.http.tls.domains[0].sans=*.example.com" # define sans domain, change to your domain
      - "--certificatesresolvers.myresolver.acme.email=myemail@domain.tld" # define your email address
      #- "--certificatesresolvers.myresolver.acme.httpchallenge=true" # use http challenge
      #- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=http" # define entrypoint for http challenge
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true" # enable dns challenge to obtain wildcard certificates
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare" # define provider for certificates
      - "--certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json" # define acme path for certificate information
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53" # define dns servers for your resolver, here cloudflare
      ####################################################
      - "--log.level=INFO" # enable log level
      - "--accesslog=true" # enable access logs
      - "--accesslog.filepath=/logs/traefik.log" # define access log path
      - "--accesslog.format=json" # set access log format to json instead clm
      - "--accesslog.bufferingsize=0" # set access log buffer size to 0
      - "--accesslog.filters.statuscodes=400-599" # only log http errors in logs; alternatively set 200-599 to include successful http requests
      - "--accesslog.fields.headers.defaultmode=drop" # drop all headers
      - "--serversTransport.insecureSkipVerify=true" # set insecureSkipVerify to true to allow self-signed certificates
    labels:
      - traefik.enable=true # enable traefik
      - traefik.http.routers.api.rule=Host(`traefik.example.com`) # define subdomain for the traefik api dashboard
      - traefik.http.routers.api.service=api@internal # enable traefik api dashboard
      - traefik.http.routers.api.middlewares=local-ipwhitelist@file,basic-auth@file # protect dashboard with basic auth and restrict access to private class subnets only    
    ports:
      - 80:80 # http
      - 443:443 # https
      - 127.0.0.1:8080:8080 # http api dashboard
    expose:
      - 80 # http
      - 443 # https
      - 8080 # http api dashboard
    environment:
      - TZ=Europe/Berlin # define timezone
      - CF_DNS_API_TOKEN=<MY-CF-API-TOKEN> # define your cloudflare api token
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # pass docker socket as read-only
      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/etc/traefik/ # bind mount volume for persistent traefik data
      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/logs # bind mount volume for persistent traefik logs
    extra_hosts:
      - host.docker.internal:172.17.0.1 # define internal ip; helps traefik to resolve containers running in host network mode
    networks:
      - proxy # define traefik docker network
      - docker-proxynet

  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:1.26.2
    container_name: socket-proxy
    environment:
      - CONTAINERS=1
      - EVENTS=1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - docker-proxynet
    restart: always
    read_only: true
    tmpfs:
      - /run

networks:
  proxy:
    external: true
  docker-proxynet:
    internal: true
Create docker-compose-command-config.yml add traefik example with command definitions 2023-07-20 14:51:02 +00:00			`# This docker compose example configures traefik by command definitions.`
			`# This makes the traefik.yml static configuration obsolete.`
			`# Note that we still reference a dynamic configuration for best practice`
			`services:`
fix: remove deprecated compose version tag 2024-11-04 12:08:51 +00:00
Create docker-compose-command-config.yml add traefik example with command definitions 2023-07-20 14:51:02 +00:00			`traefik:`
chore: upgrade traefik to 3.3 2025-01-07 23:46:38 +00:00			`image: traefik:v3.3`
Create docker-compose-command-config.yml add traefik example with command definitions 2023-07-20 14:51:02 +00:00			`container_name: traefik`
fix: remove deprecated compose version tag 2024-11-04 12:08:51 +00:00			`restart: always`
Create docker-compose-command-config.yml add traefik example with command definitions 2023-07-20 14:51:02 +00:00			`command:`
chore: use socket-proxy for traefik 2025-02-19 15:13:51 +00:00			`- "--providers.docker=true" # enable docker provider`
			`- "--providers.docker.network=proxy" # define default network to monitor for docker provider`
			`- "--providers.docker.endpoint=tcp://socket-proxy:2375" # define socket-proxy as docker socket`
			`- "--providers.docker.exposedbydefault=false" # do not expose docker hosts per default`
			`- "--providers.file.watch=true" # monitor file provider for changes`
			`- "--providers.file.filename=/etc/traefik/fileConfig.yml" # location of the dynamic configuration`
			`- "--entrypoints.http.address=:80" # entrypoint for unencrypted http`
			`- "--entrypoints.http.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" # define cloudflare ip ranges as trusted`
			`- "--entrypoints.http.http.redirections.entryPoint.to=https" # automatic redirect from http to https`
			`- "--entrypoints.http.http.redirections.entryPoint.scheme=https" # automatic redirect from http to https`
			`- "--entrypoints.https.address=:443" # entrypoint for encrypted https`
			`- "--entrypoints.https.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" # define cloudflare ip ranges as trusted`
			`- "--entrypoints.https.http.middlewares=security-headers@file,rate-limit@file" # define default middlewares for all proxy entries`
			`- "--api.dashboard=true" # enable traefik api dashboard`
			`- "--api.insecure=true" # expose traefik api dashboard on TCP/8080 without need for router`
Create docker-compose-command-config.yml add traefik example with command definitions 2023-07-20 14:51:02 +00:00			`####################################################`
			`# !!! ADJUST TO YOUR INFRASTRUCTURE SETUP BELOW !!!!`
chore: use socket-proxy for traefik 2025-02-19 15:13:51 +00:00			`- "--entrypoints.https.http.tls.certresolver=myresolver" # define default cert resolver`
			`- "--entrypoints.https.http.tls.domains[0].main=example.com" # define main domain, change to your domain`
			`- "--entrypoints.https.http.tls.domains[0].sans=*.example.com" # define sans domain, change to your domain`
			`- "--certificatesresolvers.myresolver.acme.email=myemail@domain.tld" # define your email address`
			`#- "--certificatesresolvers.myresolver.acme.httpchallenge=true" # use http challenge`
			`#- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=http" # define entrypoint for http challenge`
			`- "--certificatesresolvers.myresolver.acme.dnschallenge=true" # enable dns challenge to obtain wildcard certificates`
			`- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare" # define provider for certificates`
			`- "--certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json" # define acme path for certificate information`
			`- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53" # define dns servers for your resolver, here cloudflare`
Create docker-compose-command-config.yml add traefik example with command definitions 2023-07-20 14:51:02 +00:00			`####################################################`
chore: use socket-proxy for traefik 2025-02-19 15:13:51 +00:00			`- "--log.level=INFO" # enable log level`
			`- "--accesslog=true" # enable access logs`
			`- "--accesslog.filepath=/logs/traefik.log" # define access log path`
			`- "--accesslog.format=json" # set access log format to json instead clm`
			`- "--accesslog.bufferingsize=0" # set access log buffer size to 0`
			`- "--accesslog.filters.statuscodes=400-599" # only log http errors in logs; alternatively set 200-599 to include successful http requests`
			`- "--accesslog.fields.headers.defaultmode=drop" # drop all headers`
			`- "--serversTransport.insecureSkipVerify=true" # set insecureSkipVerify to true to allow self-signed certificates`
Create docker-compose-command-config.yml add traefik example with command definitions 2023-07-20 14:51:02 +00:00			`labels:`
			`- traefik.enable=true # enable traefik`
			- traefik.http.routers.api.rule=Host(`traefik.example.com`) # define subdomain for the traefik api dashboard
			`- traefik.http.routers.api.service=api@internal # enable traefik api dashboard`
			`- traefik.http.routers.api.middlewares=local-ipwhitelist@file,basic-auth@file # protect dashboard with basic auth and restrict access to private class subnets only`
			`ports:`
			`- 80:80 # http`
			`- 443:443 # https`
fix: remove deprecated compose version tag 2024-11-04 12:08:51 +00:00			`- 127.0.0.1:8080:8080 # http api dashboard`
			`expose:`
			`- 80 # http`
			`- 443 # https`
			`- 8080 # http api dashboard`
Create docker-compose-command-config.yml add traefik example with command definitions 2023-07-20 14:51:02 +00:00			`environment:`
			`- TZ=Europe/Berlin # define timezone`
			`- CF_DNS_API_TOKEN=<MY-CF-API-TOKEN> # define your cloudflare api token`
			`volumes:`
			`- /var/run/docker.sock:/var/run/docker.sock:ro # pass docker socket as read-only`
			`- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/etc/traefik/ # bind mount volume for persistent traefik data`
			`- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/logs # bind mount volume for persistent traefik logs`
			`extra_hosts:`
Update docker-compose-command-config.yml use generic comments 2023-08-17 12:35:51 +00:00			`- host.docker.internal:172.17.0.1 # define internal ip; helps traefik to resolve containers running in host network mode`
fix: remove deprecated compose version tag 2024-11-04 12:08:51 +00:00			`networks:`
			`- proxy # define traefik docker network`
chore: use socket-proxy for traefik 2025-02-19 15:13:51 +00:00			`- docker-proxynet`

			`socket-proxy:`
			`image: lscr.io/linuxserver/socket-proxy:1.26.2`
			`container_name: socket-proxy`
			`environment:`
			`- CONTAINERS=1`
			`- EVENTS=1`
			`volumes:`
			`- /var/run/docker.sock:/var/run/docker.sock:ro`
			`networks:`
			`- docker-proxynet`
			`restart: always`
			`read_only: true`
			`tmpfs:`
			`- /run`
Create docker-compose-command-config.yml add traefik example with command definitions 2023-07-20 14:51:02 +00:00
			`networks:`
			`proxy:`
			`external: true`
chore: use socket-proxy for traefik 2025-02-19 15:13:51 +00:00			`docker-proxynet:`
			`internal: true`