---
kind: compose
metadata:
  name: Traefik
  description: |-
    Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
    This template sets up Traefik with automatic HTTPS using Let's Encrypt and can be integrated with Authentik for SSO.

    ## References

    - **Project:** https://traefik.io/
    - **Documentation:** https://doc.traefik.io/traefik/
    - **GitHub:** https://github.com/traefik/traefik
  version: v3.6.5
  author: Christian Lempa
  date: '2025-12-17'
  tags:
    - swarm
    - volume
  icon:
    provider: simpleicons
    id: traefikproxy
  draft: false
spec:
  general:
    vars:
      service_name:
        default: traefik
  ports:
    vars:
      ports_dashboard:
        description: Dashboard port (external)
        type: int
        default: 8080
        required: true
        needs: [dashboard_enabled=true]
        extra: Only used when dashboard is enabled
      ports_http:
        default: 80
        extra: Maps to entrypoint 'web'
      ports_https:
        default: 443
        extra: Maps to entrypoint 'websecure'
  traefik:
    title: Settings
    vars:
      accesslog_enabled:
        description: Enable Traefik access log
        type: bool
        default: false
      dashboard_enabled:
        description: Enable Traefik dashboard
        type: bool
        default: false
        extra: 'WARNING: Don''t use in production!'
      prometheus_enabled:
        description: Enable Prometheus metrics
        type: bool
        default: false
      security_enabled:
        description: Create production-ready security headers middleware
        type: bool
        default: true
        extra: Enables HSTS, XSS protection, frame denial, etc.
      traefik_network:
        extra: Network that Traefik uses to connect to services
      traefik_network_external:
        description: Use existing Docker network (external)
        type: bool
        default: false
  traefik_tls:
    title: TLS Settings
    vars:
      traefik_tls_acme_email:
        description: Email address for ACME
        type: str
        required: true
      traefik_tls_acme_region:
        description: AWS Region
        type: str
        default: us-east-1
        required: true
        needs: [traefik_tls_certresolver=route53]
      traefik_tls_acme_resource_group:
        description: Azure Resource Group
        type: str
        required: true
        needs: [traefik_tls_certresolver=azure]
      traefik_tls_acme_secret_key:
        description: DNS provider secret key
        type: secret
        required: true
        needs: ['traefik_tls_certresolver=azure,godaddy,porkbun,route53']
        extra: AZURE_CLIENT_SECRET, GODADDY_API_SECRET, PORKBUN_SECRET_API_KEY, or AWS_SECRET_ACCESS_KEY
      traefik_tls_acme_subscription_id:
        description: Azure Subscription ID
        type: str
        required: true
        needs: [traefik_tls_certresolver=azure]
      traefik_tls_acme_tenant_id:
        description: Azure Tenant ID
        type: str
        required: true
        needs: [traefik_tls_certresolver=azure]
      traefik_tls_acme_token:
        description: DNS provider API token
        type: secret
        required: true
        needs: ['traefik_tls_certresolver=cloudflare,digitalocean,godaddy,namecheap,porkbun']
        extra: CF_DNS_API_TOKEN, DO_AUTH_TOKEN, GODADDY_API_KEY, NAMECHEAP_API_KEY, or PORKBUN_API_KEY
      traefik_tls_acme_username:
        description: Namecheap API username
        type: str
        required: true
        needs: [traefik_tls_certresolver=namecheap]
      traefik_tls_certresolver:
        description: ACME DNS challenge provider
        config:
          options: [cloudflare, porkbun, godaddy, digitalocean, route53, azure, namecheap]
        extra: DNS provider for domain validation
      traefik_tls_enabled:
        description: Enable HTTPS/TLS with ACME
        default: false
      traefik_tls_min_version:
        description: Minimum TLS version
        type: enum
        config:
          options: [VersionTLS12, VersionTLS13]
        extra: TLS 1.2 is recommended for compatibility, TLS 1.3 for maximum security
      traefik_tls_redirect:
        description: Redirect all HTTP traffic to HTTPS
        type: bool
        default: true
      traefik_tls_secure_ciphers:
        description: Enable strict cipher suites (recommended)
        type: bool
        extra: Enforces modern, secure cipher suites
      traefik_tls_skipverify:
        description: Skip TLS verification for backend servers
        type: bool
        extra: 'WARNING: Only enable for self-signed certificates in trusted environments'