Setting Up Traefik for Secure Web Services

An example docker-compose with Traefik configuration

Here’s a docker-compose.yml example from my own server setup on a single-board computer. I focus on key settings and explain how to use Traefik for secure traffic management and routing in containerized apps.

Example docker-compose.yml

services:
  traefik:
    image: traefik:v2.4
    restart: unless-stopped
    command:
      - "--certificatesresolvers.{your-resolver-name}.acme.email={your-email}"
      - "--certificatesresolvers.{your-resolver-name}.acme.storage=/etc/traefik/acme.json"
      - "--certificatesresolvers.{your-resolver-name}.acme.tlschallenge=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.permanent=true"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.websecure.address=:443"
      - "--providers.docker=true"
    ports:
      - "{http-port}:80"
      - "{https-port}:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "{your-directory}:/etc/traefik"

  grafana:
    image: grafana/grafana-oss:8.3.4
    restart: unless-stopped
    user: "{user-with-sufficient-permission}"
    volumes:
      - "{your-directory}:/var/lib/grafana"
    labels:
      - "traefik.http.routers.grafana.rule=Host(\"{your-domain}\")"
      - "traefik.http.routers.grafana.tls=true"
      - "traefik.http.routers.grafana.tls.certresolver={your-resolver-name}"
      - "traefik.http.routers.grafana.tls.domains[0].main={your-domain}"

Breaking Down the Configuration

What Traefik Does

Traefik is a reverse proxy and load balancer that integrates smoothly with Docker. It dynamically discovers running services and routes traffic to them based on rules, and its ACME certificate resolver can obtain TLS certificates from Let’s Encrypt automatically.

Ports 80 and 443

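In the ports setting, 80 is the default HTTP port, while 443 is for HTTPS. Publishing both lets Traefik accept plain HTTP on the web entry point and, through the redirection flags set on that entry point, send clients to HTTPS on websecure without user input. The ACME TLS challenge enabled by tlschallenge=true is answered on port 443, so Let’s Encrypt must be able to reach Traefik on 443 from the outside.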

Why There Are Two Numbers in Port Settings

Each port entry has two numbers: the first specifies the port on the host, and the second specifies the container’s internal port. Here, "{http-port}:80" binds the host’s HTTP traffic to port 80 inside the Traefik container, and "{https-port}:443" does the same for HTTPS.

Volumes for Traefik

Volumes give Traefik access to the Docker socket and a place to store certificate data. "/var/run/docker.sock:/var/run/docker.sock" is necessary for Traefik to detect services. Any process that can talk to this socket can control the Docker daemon, which is effectively root on the host, so it is the most sensitive line in the file. "{your-directory}:/etc/traefik" ensures certificates persist in acme.json, which also holds their private keys. Mounting a volume at /etc/traefik also allows Traefik to find a configuration file at startup. Traefik searches for static configuration in a file named traefik.yml or traefik.toml in:

  • /etc/traefik/
  • $XDG_CONFIG_HOME/
  • $HOME/.config/
  • . (the working directory).

source: https://doc.traefik.io/traefik/getting-started/configuration-overview/

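Here’s an example of the equivalent static configuration as a traefik.yml file. Use either the command flags or the file, not both: Traefik’s static configuration sources are mutually exclusive.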

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          permanent: true
          to: websecure
          scheme: https
  websecure:
    address: ":443"

certificatesResolvers:
  your-resolver-name:
    acme:
      email: your-email
      storage: /etc/traefik/acme.json
      tlsChallenge: {}

providers:
  docker: {}

Docker Settings

  • restart: unless-stopped: Ensures both containers restart unless stopped manually, improving availability.
  • Labels for Traefik Routing: The labels section in grafana defines rules for Traefik, such as routing to the domain specified by {your-domain} and using TLS for secure connections.

This configuration provides a robust foundation for securely hosting services with Traefik and Docker, handling SSL management and traffic routing automatically.