GB Traefik Setup

This repository contains the configuration files and setup instructions for deploying Traefik, a modern reverse proxy and load balancer.

Configuration files is customized for Gbanyan personal usage.

Prerequisites

• Docker installed on your system
• Docker Compose (if using docker-compose.yml)

Getting Started

1. Clone this repository:

   git clone https://gitea.gbanyan.net/gbanyan/GB-Traefik.git
   cd GB-Traefik
   

2. Update the traefik.yml and docker-compose.yml files as needed for your environment.

3. Start Traefik:

   docker compose up -d
   

4. Access the Traefik dashboard (if enabled) at http://<your-domain-or-ip>:8080.

Configuration

• .env: Cloudflare E-mail and API Token for SSL DNS Challenge
  • Also defines ACME_EMAIL (Let’s Encrypt contact) and CROWDSEC_LAPI_KEY
• Traefik Configuration: Modify traefik.yml, dynamic.yml to customize Traefik's behavior.
• Docker Compose: Use docker-compose.yml to define services and networks.

Detail:

My traefik is split into internal and external entrypoint.

Internal entrypoint is for private and secure service without exposing.

Each entrypoint is binded to different ip address for isolation.

Then, other docker service is attached to different entrypoint guided by label in docker compose

label: 
    - "traefik.http.routers.service-name.entrypoints=websecure"

Besides the entrypoint setup, I add CrowdSec firewall bouncer plus a compression middleware (brotli/gzip/zstd) defined in dynamic.yml. Cloudflare’s IP ranges are injected directly into traefik.yml by a helper script, so no extra plugin middleware is required anymore.

Adding middlewares is also guided by labels:

label: 
    - "traefik.http.routers.service-name.middlewares=crowdsec@file,compress-middleware@file"

The order of middlewares is meaningful.

Traefik has ability to apply SSL certs automatically. Just offer the required DNS API authentication (Like cloudflare).

Please refer the traefik documentation.

The following is an example of a docker service I hosted in its docker-compose.yaml:

labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ghost.entrypoints=websecure"
      - "traefik.http.routers.ghost.rule=Host(`blog.gbanyan.net`)"
      - "traefik.http.services.ghost.loadbalancer.server.port=2368"
      - "traefik.http.routers.ghost.tls.certresolver=letsencrypt"
      - "traefik.http.routers.ghost.middlewares=crowdsec@file,compress-middleware@file"
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.docker.network=traefik_default"

I mount the access.log for crowdsec firewall to read.

PS: Because I access my traefik dashboard through my local network. I commented out the authetication method for dashboard.

Discussion and Changelog

1. Traefik vs Nginx

• Performance: Nginx is still better at high traffic. After all it is written in C. Traefik 3 though claims it has higher 20% performance than before. The latency still showed a little higher than nginx.
• Docker Deployment Ease: Traefik is easier for docker service deployment. In my environment, I can assign each docker stack with labels and then guides the traefik to add Let's encrypt SSL.

2. ChangeLog:

• 2025.4.21 Add the defaulthost rule for container name for lazy writing. But commented out for precision.
• 2025.4.21 Fix the trusted IP settings; later replaced by an internal updater instead of the traefik-plugin-cloudflare.
• 2025.4.18 Add Souin HTTP Cache Middleware (in feature branch, not merge into main)
• 2025.4.18 Temp disable the compression middleware. It has MIME type bugs.

Notes on Host Networking

Traefik currently runs with network_mode: host so it can bind directly to both 10.0.0.225 (public) and 192.168.50.4 (internal) entrypoints. Moving back to bridge mode would break that dual-IP isolation because Docker cannot publish the same container port on two different host interfaces. Host networking also means:

• Traefik reaches app containers like any other host process, ignoring traefik.docker.network labels.
• Linux handles firewalling/routing between the two interfaces; Docker’s conntrack optimizations aren’t used.

If you ever want to switch to bridge networking, you’d need either separate Traefik instances (one per subnet) or an external L4 proxy in front of a single Traefik that listens on generic :80/:443 ports. For now the host-mode trade-off is intentional to keep the internal/external split simple.