Traefik Dashboard Works but Can't Access Any Services

I got the Traefik dashboard working through traefik.mydomain.com, but I have not been able to access any of my services through the subdomains I've set up with Cloudflare A DNS records. I couldn't access any services by adding tags to the services' docker compose file, so I also tried adding the routers and services info to the config.yml. I have not been able to get whoami to work either and have tried several different docker-compose.yml examples for whoami. Note the routers and services show up in the Traefik dashboard. Attempting to access whoami.mydomain.com gives me a 404 page not found error. For the other services, for example if I type frigate.mydomain.com, it will redirect to https://frigate.mydomain.com but just yields an unable to connect error.
The following are the yaml files I'm using:

config.yml

http:
  middlewares:    
    default-security-headers:
      headers:
        customBrowserXSSValue: 0                          # Value sent in the X-XSS-Protection header (here 0, not "1; mode=block")
        contentTypeNosniff: true                          # X-Content-Type-Options=nosniff
        forceSTSHeader: true                              # Add the Strict-Transport-Security header even when the connection is HTTP
        frameDeny: false                                  # X-Frame-Options=deny is only sent when this is true
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true                        # Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true                                  # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 3153600                               # Set the max-age of the Strict-Transport-Security header (3153600 s = 36.5 days; 63072000 = 2 years)
        contentSecurityPolicy: "default-src 'self'"     
        customRequestHeaders:
          X-Forwarded-Proto: https
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

  routers:
   homeassistant:
      entryPoints:
        - "https"
      rule: "Host(`homeassistant.mydomain.com`)"
      tls: {}
      service: homeassistant
   frigate:
      entryPoints:
        - "https"
      rule: "Host(`frigate.mydomain.com`)"
      tls: {}
      service: frigate

  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://homeassistant-ip:8123"
        passHostHeader: true
    frigate:
      loadBalancer:
        servers:
          - url: "http://frigate-ip:8971"
        passHostHeader: true

Traefik Docker-Compose.yml

secrets:
  cf-token:
    file: ./cf-token
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true # helps to increase security
    secrets:
      - cf-token # the secret at the top of this file
    env_file:
      - .env # store other secrets e.g., dashboard password
    networks:
       proxy:
    ports:
      - 80:80
      - 443:443
    environment:
      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
      # - CF_API_EMAIL=your@email.com # Cloudflare email
      # - CF_DNS_API_TOKEN=YOUR-TOKEN # Cloudflare API Token
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token # see https://doc.traefik.io/traefik/https/acme/#providers
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /traefik/docker/traefik.yml:/traefik.yaml:ro
      - /traefik/docker/acme.json:/acme.json
      - /traefik/config.yml:/config.yml:ro
      - /traefik/docker/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true # or comment this line to auto create the network

traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":443"
certificatesResolvers:
  cloudflare:
    acme:
      # caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
      email: my-e-mail@gmail.com # Cloudflare email (or other provider)
      storage: acme.json
      dnsChallenge:
        provider: cloudflare # change as required
        # propagation.disableChecks: true # Some people using Cloudflare note this can solve DNS propagation issues.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxy
  file:
    filename: /config.yml # example provided gives A+ rating https://www.ssllabs.com/ssltest/
serversTransport:
  insecureSkipVerify: true

log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"

whoami docker-compose.yml

services:
  whoami:
    image: traefik/whoami:latest
    container_name: whoami
    restart: unless-stopped
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.mydomain.com`) || Host(`www.whoami.mydomain.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

      # next lines are optional to redirect www to non-www
      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect

networks: 
  proxy:
    external: true

volumes:
  letsencrypt:
    name: letsencrypt

There are currently no errors in the logs with the above yaml files. I'm definitely very green as this is my first time using Traefik or pretty much any reverse proxy and I'm sure I did all kinds of stuff wrong so feel free to make fun of me as long as you also are willing to help and tell me how to fix what I did wrong.

Maybe it helps to assign the certResolver to the https entrypoint. Check simple Traefik example.

A simple tls: {} on the router will only use custom loaded TLS certs, if they exist.

Thanks for your comment but unfortunately I'm a bit lost. Do you have any details on what I should be looking for? My traefik.yml file calls out the certResolver, doesn't it? Should I have the following in the docker-compose.yml for the certresolver?

    command:
      - --certificatesresolvers.myresolver.acme.email=mail@example.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json

or the full command section?

You need to create and assign the certResolver (doc):

entryPoints:
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: myresolver

You can assign it to all routers, or much simpler globally on entrypoint. No need to enable TLS on routers, saving a lot of config.

I tried several different configs with that in it and the following in my traefik.yml allows access to whoami.mydomain.com but now I get 404 page not found for the dashboard at traefik.mydomain.com and I still can't access my other two services. Note for the other two services.

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true

  websecure:
    address: ':443'
    http:
      tls:
        certResolver: cloudflare

Do I still need the http: entrypoint? Initially I left that in but was getting an error cause both https and websecure were using port 443.

Here are the errors that I'm seeing in the log:
2025-05-15T14:30:32-05:00 ERR EntryPoint doesn't exist entryPointName=http routerName=traefik@docker
2025-05-15T14:30:32-05:00 ERR No valid entryPoint for this router routerName=traefik@docker
2025-05-15T14:30:32-05:00 ERR EntryPoint doesn't exist entryPointName=https routerName=homeassistant@file
2025-05-15T14:30:32-05:00 ERR No valid entryPoint for this router routerName=homeassistant@file
2025-05-15T14:30:32-05:00 ERR EntryPoint doesn't exist entryPointName=https routerName=frigate@file
2025-05-15T14:30:32-05:00 ERR No valid entryPoint for this router routerName=frigate@file
2025-05-15T14:30:32-05:00 ERR EntryPoint doesn't exist entryPointName=https routerName=traefik-secure@docker
2025-05-15T14:30:32-05:00 ERR No valid entryPoint for this router routerName=traefik-secure@docker
2025-05-15T14:30:32-05:00 ERR EntryPoint doesn't exist entryPointName=https routerName=traefik-secure@docker
2025-05-15T14:30:32-05:00 ERR No valid entryPoint for this router routerName=traefik-secure@docker
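
The log lines above can be reproduced offline with a small cross-check of router entryPoint references against the names declared in the static config. This is an added example, not part of the original thread or of Traefik itself; the label list and router dict are constructed from the configs posted here, and the function names are hypothetical.

```python
import re

# Constructed from the thread: entryPoint names declared in traefik.yml after
# the rename to web/websecure, and the router definitions still in place.
STATIC_ENTRYPOINTS = {"web", "websecure"}

DOCKER_LABELS = [
    "traefik.http.routers.traefik.entrypoints=http",
    "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)",
    "traefik.http.routers.traefik-secure.entrypoints=https",
    "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)",
    "traefik.http.routers.mywhoami.rule=Host(`whoami.mydomain.com`)",
]

FILE_ROUTERS = {  # http.routers section of config.yml, written as a dict
    "homeassistant": {"entryPoints": ["https"], "service": "homeassistant"},
    "frigate": {"entryPoints": ["https"], "service": "frigate"},
}

LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.([^=]+)=(.*)$", re.I)


def routers_from_labels(labels):
    """Map '<router>@docker' to the entryPoints named in its labels."""
    routers = {}
    for label in labels:
        m = LABEL_RE.match(label.strip().strip('"'))
        if not m:
            continue
        name, option, value = m.groups()
        eps = routers.setdefault(name + "@docker", [])
        if option.lower() == "entrypoints":
            eps.extend(v.strip() for v in value.split(",") if v.strip())
    return routers


def routers_from_file(file_routers):
    """Map '<router>@file' to the entryPoints listed in the dynamic config."""
    return {n + "@file": list(r.get("entryPoints", []))
            for n, r in file_routers.items()}


def check_entrypoints(static_eps, routers):
    """Return (unknown references, routers with no explicit entryPoints)."""
    unknown, default_bound = [], []
    for name, eps in sorted(routers.items()):
        if not eps:
            # No entryPoints set: Traefik binds the router to the default
            # entryPoints, so it keeps working after a rename.
            default_bound.append(name)
        unknown.extend((name, ep) for ep in eps if ep not in static_eps)
    return unknown, default_bound


if __name__ == "__main__":
    all_routers = {**routers_from_labels(DOCKER_LABELS),
                   **routers_from_file(FILE_ROUTERS)}
    bad, implicit = check_entrypoints(STATIC_ENTRYPOINTS, all_routers)
    for router, ep in bad:
        print(f"EntryPoint doesn't exist entryPointName={ep} routerName={router}")
    print("bound to default entryPoints:", implicit)
```

The `mywhoami` router names no entryPoints, which is why whoami stayed reachable after the rename while every router pinned to `http` or `https` was dropped.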

The following gets me both a working dashboard and a working whoami. Still no access to the other two services though, but at least it's progress.

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
    forwardedHeaders:
      insecure: true

  https:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare

@bluepuma77 my dynamic config "config.yml" currently looks like below but I'm not able to access the frigate service at frigate.mydomain.com. I'm not getting any errors. I have the DNS A record for frigate.mydomain.com pointing to the frigate-ip on my network and can see in the acme.json that it's pulling the certificates. I have port forwarding set up for ports 80 and 443 in my router to my traefik host. When I attempt to navigate to http://frigate.mydomain.com it redirects to https://frigate.mydomain.com but I just get "unable to connect" in the browser. I appreciate any input you may have on where I'm going wrong.

edited to add the config.yml below:

http:
  middlewares:    
    default-security-headers:
      headers:
        customBrowserXSSValue: 0                          # Value sent in the X-XSS-Protection header (here 0, not "1; mode=block")
        contentTypeNosniff: true                          # X-Content-Type-Options=nosniff
        forceSTSHeader: true                              # Add the Strict-Transport-Security header even when the connection is HTTP
        frameDeny: false                                  # X-Frame-Options=deny is only sent when this is true
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true                        # Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true                                  # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 3153600                               # Set the max-age of the Strict-Transport-Security header (3153600 s = 36.5 days; 63072000 = 2 years)
        contentSecurityPolicy: "default-src 'self'"     
        customRequestHeaders:
          X-Forwarded-Proto: https
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

  routers:
   frigate:
      entryPoints:
        - "https"
      rule: "Host(`frigate.mydomain.com`)"
      tls:
        certResolver: cloudflare
      service: frigate

  services:
    frigate:
      loadBalancer:
        servers:
          - url: "http://frigate-ip:8971"
        passHostHeader: true

Well, if you declare your entrypoint as "websecure" in static config, then you should use that name as reference in dynamic config :wink:

@bluepuma77 per this post above of my current entryPoints config I'm not using websecure. I'm using https. I put both http and https in the routers config but neither work. I also tried web and websecure. Both of those give me errors in my logs stating that the entrypoint doesn't exist.

Share your full Traefik static and dynamic config, and Docker compose file(s) if used.

@bluepuma77 please see below for all my current yaml files. Also, in case it's relevant, I do have a cloudflare tunnel currently running on mydomain.xyz but from what I researched it was saying that should not create issues with traefik? My plan is to replace the cloudflare tunnel for that service once traefik is functioning correctly.

traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
    forwardedHeaders:
      insecure: true
  https:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare
    forwardedHeaders:
      insecure: true
certificatesResolvers:
  cloudflare:
    acme:
      # caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
      email: myemail@email.com # Cloudflare email (or other provider)
      storage: acme.json
      dnsChallenge:
        provider: cloudflare # change as required
        # propagation.disableChecks: true # Some people using Cloudflare note this can solve DNS propagation issues.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxy
  file:
    filename: /config.yml # example provided gives A+ rating https://www.ssllabs.com/ssltest/
serversTransport:
  insecureSkipVerify: true

log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"

Config.yml(Dynamic Config)

http:
  middlewares:    
    default-security-headers:
      headers:
        customBrowserXSSValue: 0                          # Value sent in the X-XSS-Protection header (here 0, not "1; mode=block")
        contentTypeNosniff: true                          # X-Content-Type-Options=nosniff
        forceSTSHeader: true                              # Add the Strict-Transport-Security header even when the connection is HTTP
        frameDeny: false                                  # X-Frame-Options=deny is only sent when this is true
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true                        # Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true                                  # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 3153600                               # Set the max-age of the Strict-Transport-Security header (3153600 s = 36.5 days; 63072000 = 2 years)
        contentSecurityPolicy: "default-src 'self'"     
        customRequestHeaders:
          X-Forwarded-Proto: https
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

  routers:
   frigate:
      entryPoints:
        - https  #note: I've tried this with https, "https", "http", web, and websecure
      rule: "Host(`frigate.mydomain.xyz`)"
      middlewares:
        - default-security-headers
        - https-redirectscheme
      tls:
        certResolver: cloudflare
      service: frigate

  services:
    frigate:
      loadBalancer:
        servers:
          - url: "http://frigate-ip:8971"
        passHostHeader: true

docker-compose.yml

secrets:
  cf-token:
    file: ./cf-token
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true # helps to increase security
    secrets:
      - cf-token # the secret at the top of this file
    env_file:
      - .env # store other secrets e.g., dashboard password
    networks:
       proxy:
    ports:
      - 80:80
      - 443:443
    environment:
      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
      # - CF_API_EMAIL=your@email.com # Cloudflare email
      # - CF_DNS_API_TOKEN=YOUR-TOKEN # Cloudflare API Token
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token # see https://doc.traefik.io/traefik/https/acme/#providers
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /traefik/docker/traefik.yml:/traefik.yaml:ro
      - /traefik/docker/acme.json:/acme.json
      - /traefik/config.yml:/config.yml:ro
      - /traefik/docker/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.xyz`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.xyz`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.xyz"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.xyz"
      - "traefik.http.routers.traefik-secure.service=api@internal"
 
  whoami:
    image: traefik/whoami:latest
    container_name: whoami
    restart: unless-stopped
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.mydomain.xyz`) || Host(`www.whoami.mydomain.xyz`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80
      
      # next lines are optional to redirect www to non-www
      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect

networks:
  proxy:
    external: true 

volumes:
  letsencrypt:
    name: letsencrypt

Just start with the basics, see dnsChallenge example. Create the entrypoint with tls, add the domain names (for wildcard) there. Set the default entrypoint to https.

Then every service needs minimal config, no https redirect and no TLS settings there:

  whoami:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.services.whoami.loadbalancer.server.port=80

@bluepuma77 thanks, unfortunately that was not helpful as I spent 4 hours or so trying to get your simple example to work with even less luck. With that example I can get whoami to work but not the dashboard. Unfortunately after weeks of attempts I guess I'm going to have to put this to the side for the time being. Maybe I'll get it working at some point in the future. Thanks for the input.

Sorry to hear that. The examples worked 100 times, not sure what's the issue with your setup.

When it's about basicauth, be aware that it has to use a hashed password and sometimes (like in labels) it needs to be escaped.