Traefik

Overview
| Field | Value |
|---|---|
| Purpose | Route HTTP/HTTPS traffic and manage TLS |
| Business function | Entry point for published web services |
| Owner | IT Operations |
| Criticality | Critical |
| Image | traefik:v3.7.0 |
Architecture
```mermaid
flowchart LR
    Client --> PF["pfSense"]
    PF --> T["Traefik :80/:443"]
    T --> AP["aproxy network"]
    AP --> Services
```
Traefik reads Docker labels through the mounted Docker socket and routes to containers on the aproxy network.
Installation
Docker Compose project traefik at /root/traefik/docker-compose.yml.
Configuration
| Item | Path/value |
|---|---|
| Static config | /root/traefik/data/traefik.yml |
| Dynamic config | /root/traefik/data/conf.d |
| Certificates | /root/traefik/data/certs |
| Logs | /root/traefik/data/logs |
| Ports | Host TCP 80 and 443 |
| Restart policy | unless-stopped |
The .env file includes EMAIL, API_KEY, and TRAEFIK_HOME; values are secret and must not be committed.
Operational Procedures
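```bash
cd /root/traefik
docker compose config                    # validate and render the effective configuration
docker compose logs --tail=200 traefik   # review recent log output
docker compose restart traefik           # restart the running container
docker compose pull traefik              # fetch the image referenced in the compose file
docker compose up -d traefik             # recreate the container from the pulled image
```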
Back up data/traefik.yml, data/conf.d, and data/certs before changes. After an update, test one internal and one public route plus certificate validity.
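One way to check the rendered definition against the values documented on this page, as an added example (not part of the original runbook or the Traefik project): it audits the JSON from `docker compose config --format json` for image, restart policy, published ports, the aproxy network, and the Docker socket mount. The socket path `/var/run/docker.sock`, the function name `audit_traefik`, and the sample input are assumptions.

```python
import json

# Baseline taken from the Overview and Configuration tables on this page.
BASELINE = {
    "image": "traefik:v3.7.0",
    "restart": "unless-stopped",
    "ports": {("80", "tcp"), ("443", "tcp")},
    "network": "aproxy",
}
DOCKER_SOCKET = "/var/run/docker.sock"  # assumed default socket path


def audit_traefik(compose_json: str, service: str = "traefik") -> list[str]:
    """Return a list of drift findings; an empty list means the service matches."""
    svc = json.loads(compose_json).get("services", {}).get(service)
    if svc is None:
        return [f"service {service!r} not found"]
    findings = []
    for key in ("image", "restart"):
        if svc.get(key) != BASELINE[key]:
            findings.append(f"{key}: expected {BASELINE[key]}, got {svc.get(key)}")
    # Published host ports: anything beyond 80/443 widens the entry point.
    ports = {(str(p.get("published")), p.get("protocol", "tcp"))
             for p in svc.get("ports", [])}
    for extra in sorted(ports - BASELINE["ports"]):
        findings.append(f"unexpected published port {extra[0]}/{extra[1]}")
    for missing in sorted(BASELINE["ports"] - ports):
        findings.append(f"missing published port {missing[0]}/{missing[1]}")
    if BASELINE["network"] not in (svc.get("networks") or {}):
        findings.append(f"not attached to network {BASELINE['network']}")
    # Without the socket the Docker provider sees no labels ("No routes").
    mounts = [v.get("source") for v in svc.get("volumes", []) if v.get("type") == "bind"]
    if DOCKER_SOCKET not in mounts:
        findings.append(f"Docker socket {DOCKER_SOCKET} is not mounted")
    return findings


# Constructed sample (not captured from the host): extra port 8080, image tag drifted.
SAMPLE = json.dumps({"services": {"traefik": {
    "image": "traefik:latest", "restart": "unless-stopped",
    "ports": [{"published": "80", "target": 80, "protocol": "tcp"},
              {"published": "443", "target": 443, "protocol": "tcp"},
              {"published": "8080", "target": 8080, "protocol": "tcp"}],
    "networks": {"aproxy": None},
    "volumes": [{"type": "bind", "source": "/var/run/docker.sock",
                 "target": "/var/run/docker.sock"}]}}})

if __name__ == "__main__":
    print("\n".join(audit_traefik(SAMPLE)) or "no drift")
```

The output of `docker compose config` contains the interpolated `.env` values, so treat any saved copy of it as secret.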
Troubleshooting
- 404: router rule or service label did not match.
- 502/504: backend is unhealthy, unreachable, or on the wrong network.
- Certificate error: inspect ACME logs, DNS, firewall forwarding, and certificate-store permissions.
- No routes: verify Docker socket access and providers.docker configuration.
Related Systems
References
- Runtime mounts, image, and network captured June 9, 2026