Traefik Reverse Proxy: Complete Homelab Guide
Master Traefik reverse proxy for your homelab. Learn automatic SSL, Docker integration, and routing configuration for all your services.
Posted by
Related reading
Private Cloud vs Public Cloud: When to Self-Host and When Not To
Understand when self-hosting makes sense and when public cloud is better. A practical guide to choosing between private cloud homelab and AWS/GCP/Azure services.
Homelab Documentation: Wiki.js vs BookStack for Self-Hosted Wikis
Document your homelab setup with self-hosted wikis. Compare Wiki.js and BookStack for creating searchable documentation of your infrastructure and procedures.
Docker Security Scanning: Trivy and Dockle for Safe Containers
Scan your Docker images for vulnerabilities before deploying. Learn to use Trivy and Dockle to secure your self-hosted homelab container infrastructure.

The Gateway to Your Homelab
A reverse proxy is essential for any serious homelab. It routes traffic to different services based on domain names, handles SSL certificates, and provides a single entry point to your infrastructure.
Traefik is a modern reverse proxy designed for containerized environments. It automatically discovers services and configures routing through Docker labels.
Why Traefik?
- Automatic discovery: Detects new containers and configures routing
- Docker native: Configuration through container labels
- Automatic SSL: Let's Encrypt integration built-in
- Dashboard: Real-time view of routes and services
- Middleware: Authentication, rate limiting, headers
Basic Setup
# docker-compose.yml
services:
traefik:
image: traefik:v3.0
container_name: traefik
command:
- "--api.dashboard=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "[email protected]"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
restart: unless-stopped
networks:
- traefik
networks:
traefik:
external: trueCreate the network first: docker network create traefik
Adding Services
Add labels to any service to expose it through Traefik:
services:
nextcloud:
image: nextcloud:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.nextcloud.rule=Host(`cloud.yourdomain.com`)"
- "traefik.http.routers.nextcloud.entrypoints=websecure"
- "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
- "traefik.http.services.nextcloud.loadbalancer.server.port=80"
networks:
- traefik
networks:
traefik:
external: trueAuthentication Middleware
Add basic authentication to any service:
# Generate password: htpasswd -nb admin password # Result: admin:$apr1$xyz... labels: - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$xyz..." - "traefik.http.routers.myservice.middlewares=auth"
Common Middlewares
# Redirect HTTP to HTTPS - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https" # Security headers - "traefik.http.middlewares.security.headers.stsSeconds=31536000" - "traefik.http.middlewares.security.headers.browserXssFilter=true" # Rate limiting - "traefik.http.middlewares.ratelimit.ratelimit.average=100" # IP whitelist - "traefik.http.middlewares.local.ipwhitelist.sourcerange=192.168.1.0/24"
Your Traffic Controller
Once Traefik is running, adding new services is as simple as adding labels. No more editing nginx configurations or restarting proxies - Traefik handles it all automatically.
