Traefik

Install (static binary) + systemd

# get latest version URL from https://github.com/traefik/traefik/releases
export VER=v3.5.2
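# release assets keep the leading "v" in the file name; -f makes curl fail on an HTTP error instead of saving the error page
curl -fL "https://github.com/traefik/traefik/releases/download/${VER}/traefik_${VER}_linux_amd64.tar.gz" \
  -o /tmp/traefik.tgz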
sudo tar -C /usr/local/bin -xzf /tmp/traefik.tgz traefik
sudo useradd -r -s /usr/sbin/nologin traefik || true
sudo mkdir -p /etc/traefik /var/lib/traefik
sudo chown -R traefik:traefik /etc/traefik /var/lib/traefik

Create /etc/systemd/system/traefik.service:

[Unit]
Description=Traefik Proxy
After=network-online.target
Wants=network-online.target

[Service]
User=traefik
Group=traefik
ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.yml
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=1048576

[Install]
WantedBy=multi-user.target

Enable it:

sudo systemctl daemon-reload
sudo systemctl enable --now traefik

(You can also install via packages/Helm/K8s; we’re using a local binary here.)

Static config: entrypoints + ACME

Create /etc/traefik/traefik.yml:

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /var/lib/traefik/acme.json
      httpChallenge:
        entryPoint: web

providers:
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

log:
  level: INFO

entryPoints define the ports Traefik listens on; ACME config enables Let’s Encrypt with HTTP-01 and persists certs to acme.json (create it as an empty file with chmod 600).

sudo touch /var/lib/traefik/acme.json
sudo chown traefik:traefik /var/lib/traefik/acme.json
sudo chmod 600 /var/lib/traefik/acme.json
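
An added example (not part of the original page): a pre-flight audit of the ACME store, which holds the certificate private keys, to run before restarting Traefik. The function name `audit_acme_store` is hypothetical; the default path and owner are the ones used above, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit the ACME store used in traefik.yml above.
# Prints one finding per line; returns 0 if clean, 1 otherwise.
# Usage: audit_acme_store [path] [expected-owner]
audit_acme_store() {
    local path=${1:-/var/lib/traefik/acme.json}
    local want_owner=${2:-traefik}
    local findings=0 mode owner dir dir_mode

    # A symlink could point the key store at a location with looser access.
    if [ -L "$path" ]; then
        echo "FAIL $path is a symlink; the key store must be a regular file"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL $path does not exist or is not a regular file"
        return 1
    fi

    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%U' "$path")
    if [ "$mode" != "600" ]; then
        echo "FAIL $path mode is $mode, expected 600"
        findings=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $path owner is $owner, expected $want_owner"
        findings=1
    fi

    # A group/world-writable parent lets another account replace the file.
    dir=$(dirname "$path")
    dir_mode=$(stat -c '%a' "$dir")
    if [ $(( 0$dir_mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir mode is $dir_mode; group/other can write to it"
        findings=1
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK $path"
    fi
    return "$findings"
}
```

With the defaults, `audit_acme_store && sudo systemctl restart traefik` restarts the service only when the store passes.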

Dynamic config: router + HTTPS redirect + service

Create /etc/traefik/dynamic.yml:

http:
  routers:
    to-myapp:
      rule: Host(`example.com`)
      entryPoints: ["websecure"]
      service: myapp
      tls:
        certResolver: letsencrypt

    redirect-web-to-websecure:
      entryPoints: ["web"]
      rule: Host(`example.com`)
      middlewares: ["https-redirect"]
      service: noop@internal

  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

  services:
    myapp:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:3000"

Restart Traefik and check the logs:

sudo systemctl restart traefik
journalctl -u traefik -n 100 --no-pager

Notes