I have a working instance of traefik. It's running on a Intel Nuc Celeron J4005 2.0GHz (4M Cache, up to 2.70 GHz) Dual Core CPU, 8GB ram and at least a 5400rpm hdd.

When accessing my traefik dashboard it loads very very slowly, taking several minutes to load. And sometimes won't even load the assets but still act like it resolved (title and logo in firefox, no warning sign next to the https).

This is my docker-compose file.
https://gist.github.com/y2klol/47f6b00d80c02a3251f14d2359191d58

This is my middlewares.toml

[http.middlewares]
[http.middlewares.middlewares-basic-auth]
[http.middlewares.middlewares-basic-auth.basicAuth]

username=user, password=mystrongpassword (listed below after hashing)

users = [

"",

]

  realm = "Traefik2 Basic Auth"
  usersFile = "/shared/.htpasswd" #be sure to mount the volume through docker-compose.yml

[http.middlewares.middlewares-rate-limit]
[http.middlewares.middlewares-rate-limit.rateLimit]
average = 100
burst = 50
[http.middlewares.middlewares-secure-headers]
[http.middlewares.middlewares-secure-headers.headers]
accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlMaxAge = 100
hostsProxyHeaders = ["X-Forwarded-Host"]
sslRedirect = true
stsSeconds = 63072000
stsIncludeSubdomains = true
stsPreload = true
forceSTSHeader = true

frameDeny = true #overwritten by customFrameOptionsValue

  customFrameOptionsValue = "allow-from https:example.xyz" #CSP takes care of this but may be needed for organizr. 
  contentTypeNosniff = true 
  browserXssFilter = true 

sslForceHost = true # add sslHost to all of the services

sslHost = "example.xyz"

  referrerPolicy = "same-origin" 

Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.

the below line also breaks some apps due to 'none' - sonarr, radarr, etc.

contentSecurityPolicy = "frame-ancestors '.example.xyz:';object-src 'none';script-src 'none';"

  featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" 
  [http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
    X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
    server = ""

and my middleware-chains.toml

[http.middlewares]
[http.middlewares.chain-no-auth]
[http.middlewares.chain-no-auth.chain]
middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers"]

[http.middlewares.chain-basic-auth]
[http.middlewares.chain-basic-auth.chain]
middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-basic-auth"]

Nothing in the logs looks odd only that it won't issue certificates for nextcloud. In addition, my firewall was been temporary disabled and still the same results.

This is gonna be really hard to troubleshoot with how much you have going on in your compose and config files. My Traefik compose has zero commands: and like three labels: Everything else is in traefik.yml and ./configurations/

You may want to try cleaning things up a bit to have a better handle on what is going on with your instance.

Maybe check out how they are doing things in the two guides (basic and advanced) from containeroo on medium.com

I'm opening to changing my config, but I'm while trying the containeroo article config, I couldn't get https to work. Is there a guide that is good with dns method?

If I get some time I will try to post the relevant items from my config. You may want to try their guide again though and comb your stuff for errors on spelling or spacing/indentation in the .yml files. That was the guide I followed, to get my basic setup and it worked well to start from.

Thanks for your reply. Looking though containeroo's medium account it appears they have a tutorial on wildcard and dns cert, they also use cloudflare. Following the three traefik tutorials I was able to get a working traefik instance with https signed by let's encrypt.

However it's very very slow and won't actually connect (it will load the title, redirect to traefik.example.xyz/dashboard/, etc) but it won't resolve.
Eventually, I thought to turn off the firewall. After doing that it loaded instantly and with the let's encrypt cert.

So that's where I'm at. I have a working instance with https encryption but it required me to turn off my ufw firewall. I don't know enough about security but I feel this might be a bad thing?

Ok so that means that your UFW firewall is hindering the process and not Traefik itself it sounds like. The thing is, for a home server that only has exposure to the internet through Traefik port 80 and 443, I wouldn't worry about the UFW software firewall much BUT it's not really best practice in general to run the OS without a firewall. It would also be good practice to troubleshoot the issue. That said, I don't have a software firewall on my Ubuntu server, currently. shrug

Check this github page out.

You will need to make a subdirectory ./log and put blank files access.log and traefik.log in it for traefik and also put a file named acme.json in ./data for traefik. That file needs a chmod 600 applied to it before starting Traefik.

I don't have the traefik interface itself behind the proxy but you would add that with these labels to its docker-compose:

- traefik.enable=true
- traefik.http.routers.traefik-secure.entrypoints=websecure
- traefik.http.routers.traefik-secure.rule=(Host(`traefik.$DOMAINNAME`)) || (Host(`$DOMAINNAME`) && Path(`/traefik`))
- traefik.http.routers.traefik-secure.middlewares=chain-basic-auth@file

That would give basic auth uisng traefik.domain.com or domain.com/traefik as the pointer. You'll also need to do a docker network create proxy

My nextcloud config stripped of credentials is in there too. the config.php and default file will mostly populate on the first run. You would just need to go into them and edit the files like mine with the trusted proxy in config.php and take out the https redirect in default

I spoke to soon, even without the firewall, it's still quite slow. Bitwarden wont even load. I've updated my files

I can't figure out what makes it slow. Because without the certificate it'll load instantly but with it it usually takes a long time.

Try attaching your cert stuff to router traefik-secure and take it off the http router

Also try commenting out

"traefik.http.routers.traefik.tls=true"

and

" "traefik.http.routers.traefik.service=api@internal""

I don't think you need to define either of these things twice.

Put basic-auth on secure instead of non, too.

The only router or service you should have for Traefik (non-secure) is the https redirect, I believe.

With all that said, I don't know if any of this will fix the slow page load as I never experienced that. I did experience weirdness of all types when I had my first setup similar to yours though so maybe one of these suggestions will fix your issue.

"Try attaching your cert stuff to router traefik-secure and take it off the http router"

Sorry, I'm new to traefik and I depend on guides and their explanations to get by. Could you explain to me how to do this?

Put basic-auth on secure instead of non, too.

Do you mean the line with my user:password?

Try these labels:

  - "traefik.enable=true"
  - "traefik.http.routers.traefik.entrypoints=http"
  - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAINNAME}`)"
  - "traefik.http.middlewares.traefik-auth.basicauth.users=user:password"
  - "traefik.http.routers.traefik.middlewares=https-redirect"
  - "traefik.http.routers.traefik-secure.entrypoints=https"
  - "traefik.http.routers.traefik-secure.rule=Host(`traefik.${DOMAINNAME}`)"
  - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
  - "traefik.http.routers.traefik-secure.tls=true"
  - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
  - "traefik.http.routers.traefik-secure.tls.domains[0].main=${DOMAINNAME}"
  - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${DOMAINNAME}"
  - "traefik.http.routers.traefik.service=api@internal"

As far as I know you don't need TLS set for both HTTP and HTTPS. I also took off your middleware definition for the https redirect and changed your call to the middleware as you have it defined on the backend already as "https-redirect" in config.yml

If that doesn't work try it without auth stuff:

  - "traefik.enable=true"
  - "traefik.http.routers.traefik.entrypoints=http"
  - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAINNAME}`)"
  - "traefik.http.routers.traefik.middlewares=https-redirect"
  - "traefik.http.routers.traefik-secure.entrypoints=https"
  - "traefik.http.routers.traefik-secure.rule=Host(`traefik.${DOMAINNAME}`)"
  - "traefik.http.routers.traefik-secure.tls=true"
  - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
  - "traefik.http.routers.traefik-secure.tls.domains[0].main=${DOMAINNAME}"
  - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${DOMAINNAME}"
  - "traefik.http.routers.traefik.service=api@internal"

Thanks for your reply.

I had "better luck" with the second set of labels, suggesting it might be middleswares that's the issue?

Also, by "better luck" I get a 404 page for traefik.mydoamin.com. It is signed however.

Did you set a variable for ${DOMAINNAME} or manually plug in your domain after the period?

Hi y2klol,

Just a personal experience - I use bcrypt to setup BasicAuth. I've tested created creds with different number of cycles for compute time (-C argument). By increasing this to a very high value, it's more secure, but also makes the time to load the page longer. At values above 17 or so, the page does not load with my server.

Are you using bcrypt with a high value set for -C / compute time?

I found the issue. Since I am self hosting this my router doesn't support hairpinning/NAT loopback very well which is why I was experiencing super slow times across the board.

EDIT: router is a Archer C3150