Traefik v3 Reverse Proxy: Complete Setup Guide with Docker, SSL, and Auth
Learn how to set up Traefik v3 as a reverse proxy for Docker with automatic SSL, middleware chains, forward authentication, and routing for 20+ services...
Why Traefik for Docker
Traefik is the best reverse proxy for Docker-based infrastructure. Unlike Nginx or Caddy, Traefik automatically discovers services via Docker labels — no config file updates needed when you add or remove containers.
A reverse proxy terminates TLS, routes requests by hostname, and load-balances across backend services.
At TechSaaS, our single Traefik instance routes traffic to 50+ containers across 30+ subdomains with zero manual configuration.
Architecture Overview
Internet → Cloudflare Tunnel → Traefik:80 → Docker Containers
↓
Authelia (auth check)
Docker Compose Setup
services:
traefik:
image: traefik:v3.6
container_name: traefik
restart: unless-stopped
command:
- --providers.docker=true
- --providers.docker.exposedByDefault=false
- --providers.file.directory=/etc/traefik/dynamic
- --entrypoints.web.address=:80
- --api.dashboard=true
ports:
- "80:80"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik/dynamic:/etc/traefik/dynamic:ro
networks:
- app-net
mem_limit: 128m
Get more insights on Tutorials
Join 2,000+ engineers who get our weekly deep-dives. No spam, unsubscribe anytime.
Docker Compose defines your entire application stack in a single YAML file.
Adding Services Via Labels
Every Docker service gets Traefik routing via labels:
services:
my-app:
image: my-app:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.my-app.rule=Host(`app.example.com`)"
- "traefik.http.routers.my-app.entrypoints=web"
- "traefik.http.services.my-app.loadbalancer.server.port=3000"
That's it. No Traefik restart needed. It discovers the labels automatically.
Forward Authentication with Authelia
The real power comes from middleware chains. We protect every service with Authelia SSO:
# traefik/dynamic/authelia.yml
http:
middlewares:
authelia:
forwardAuth:
address: http://authelia:9091/api/authz/forward-auth
trustForwardHeader: true
authResponseHeaders:
- Remote-User
- Remote-Groups
Then add the middleware to any service:
labels:
- "traefik.http.routers.my-app.middlewares=authelia@file"
Path-Based Routing
For complex applications like Plane (project management), we use path-based routing on a single domain:
# API backend
- "traefik.http.routers.plane-api.rule=Host(`pm.example.com`) && PathPrefix(`/api`)"
# Web frontend
- "traefik.http.routers.plane-web.rule=Host(`pm.example.com`)"
Docker Compose brings up your entire stack with a single command.
Free Resource
Free Cloud Architecture Checklist
A 47-point checklist covering security, scalability, cost optimization, and disaster recovery for production cloud environments.
Common Gotchas
authelia-basic@file silently drops routes: If the middleware name doesn't match exactly, Traefik drops the entire router without errors. Always verify middleware names.
Docker socket permissions: Mount as read-only (
:ro) and restrict access.Health checks matter: Traefik only routes to healthy containers by default.
API services need auth bypass: APIs with their own auth (Vaultwarden, Ntfy) should bypass Authelia forward-auth or their native clients break.
TechSaaS provides complete Traefik setup as part of our platform engineering services. Contact [email protected].
Related Service
Cloud Solutions
Let our experts help you build the right technology strategy for your business.
Need help with tutorials?
TechSaaS provides expert consulting and managed services for cloud infrastructure, DevOps, and AI/ML operations.
We Will Build You a Demo Site — For Free
Like it? Pay us. Do not like it? Walk away, zero complaints. You will spend way less than hiring developers or any agency.
No spam. No contracts. Just a free demo.