
Traefik Setup

Muhammed Mustafa AKSAM edited this page Jan 27, 2026 · 2 revisions

🔄 Traefik Setup

Configure Traefik as your reverse proxy for unified access to all services.


Overview

Traefik provides:

  • Automatic HTTPS via Let's Encrypt
  • 🏷️ Docker Integration - Auto-discovery via labels
  • 🌐 Subdomains - radarr.example.com, sonarr.example.com
  • 📊 Dashboard - Monitor routes and services
  • 🔌 Middleware - Authentication, headers, rate limiting

Quick Setup

1. Add Traefik

From App Manager, add Traefik to your stack.

2. Set Domain

Configure your domain in ~/.config/easiarr/.env:

CLOUDFLARE_DNS_ZONE=example.com

3. Regenerate Compose

Main Menu → Generate docker-compose.yml

4. Start Stack

cd ~/.config/easiarr
docker compose up -d

Configuration Files

easiarr generates Traefik configuration in ~/.config/easiarr/config/traefik/:

traefik/
├── traefik.yml           # Static configuration
├── dynamic/              # Dynamic configuration
│   └── config.yml
└── letsencrypt/          # Certificates
    └── acme.json

traefik.yml (Static Config)

api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: your@email.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic

🏷️ Docker Labels

easiarr automatically adds Traefik labels to services:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.radarr.rule=Host(`radarr.example.com`)"
  - "traefik.http.routers.radarr.entrypoints=websecure"
  - "traefik.http.routers.radarr.tls.certresolver=letsencrypt"
  - "traefik.http.services.radarr.loadbalancer.server.port=7878"

Label Breakdown

| Label | Purpose |
|---|---|
| traefik.enable=true | Enable Traefik for this container |
| traefik.http.routers.<name>.rule | Routing rule (hostname) |
| traefik.http.routers.<name>.entrypoints | HTTP or HTTPS |
| traefik.http.routers.<name>.tls.certresolver | Certificate resolver |
| traefik.http.services.<name>.loadbalancer.server.port | Service port |

Authentication

Basic Auth

easiarr can configure basic authentication:

labels:
  - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$..."
  - "traefik.http.routers.radarr.middlewares=auth"

This uses GLOBAL_USERNAME and GLOBAL_PASSWORD when Cloudflare Access is not configured.
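
An added example (not easiarr's or Traefik's own code): a small linter for the label scheme shown above. It groups labels by router and reports routers with no middleware, routers not bound to websecure, routers without a certificate resolver, and basicauth user strings whose `$` is not doubled for Compose. The function name, the `sonarr` and `legacy` entries and the hash values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: radarr follows the page's labels, the rest is deliberately incomplete.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.radarr.rule=Host(`radarr.example.com`)",
    "traefik.http.routers.radarr.entrypoints=websecure",
    "traefik.http.routers.radarr.tls.certresolver=letsencrypt",
    "traefik.http.routers.radarr.middlewares=auth",
    "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$salt$$hash",
    "traefik.http.routers.sonarr.rule=Host(`sonarr.example.com`)",
    "traefik.http.routers.sonarr.entrypoints=web",
    "traefik.http.middlewares.legacy.basicauth.users=admin:$apr1$salt$hash",
]

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$", re.I)
USERS_RE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.basicauth\.users$", re.I)


def lint_labels(labels):
    """Return sorted (subject, finding) tuples for a list of 'key=value' labels."""
    routers, findings = defaultdict(dict), []
    for label in labels:
        key, _, value = label.partition("=")
        m = ROUTER_RE.match(key)
        if m:
            routers[m.group(1).lower()][m.group(2).lower()] = value
            continue
        m = USERS_RE.match(key)
        # Compose treats a lone "$" as variable interpolation, so every "$"
        # in an htpasswd hash must be written "$$" (as in the page's label).
        if m and "$" in value.replace("$$", ""):
            findings.append((m.group(1), "basicauth hash has an unescaped $"))
    for name, opts in routers.items():
        entrypoints = [e.strip() for e in opts.get("entrypoints", "").split(",")]
        if not opts.get("middlewares"):
            findings.append((name, "no middleware attached (no proxy-level auth)"))
        if "websecure" not in entrypoints:
            findings.append((name, "not bound to the websecure entrypoint"))
        if not opts.get("tls.certresolver"):
            findings.append((name, "no tls.certresolver set"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in lint_labels(SAMPLE_LABELS):
        print(f"{subject}: {finding}")
```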

Forward Auth (Authentik)

For SSO via Authentik:

# Dynamic config
http:
  middlewares:
    authentik:
      forwardAuth:
        address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups

📊 Dashboard

Access the Traefik dashboard:

http://localhost:8083

Dashboard Features

  • HTTP Routers - View all configured routes
  • Services - Backend services and health
  • Middlewares - Applied middlewares
  • Entrypoints - HTTP/HTTPS listeners

Securing Dashboard

In production, protect the dashboard:

# Dynamic config
http:
  routers:
    dashboard:
      rule: Host(`traefik.example.com`)
      service: api@internal
      middlewares:
        - auth
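
An added check, not part of easiarr or Traefik: with `api.insecure: true`, as in the traefik.yml shown earlier, Traefik serves the dashboard and API without authentication on its `traefik` entrypoint, so the authenticated router above does not by itself close that path. The code flags that setting and any `api@internal` router that has no middleware; `flatten` and `audit_dashboard` are hypothetical names, and the parser assumes only the simple YAML layout used on this page.

```python
# Constructed inputs: excerpts of the static and dynamic files shown on this page.
STATIC = "api:\n  dashboard: true\n  insecure: true\n"
DYNAMIC = """\
http:
  routers:
    dashboard:
      rule: Host(`traefik.example.com`)
      service: api@internal
      middlewares:
        - auth
"""


def flatten(text):
    """Flatten 'key: value' mappings and '- item' lists into {'a.b.c': value}."""
    # Assumption: indented block style only; this is not a general YAML parser.
    flat, stack = {}, []  # stack holds (indent, key) of the open mappings
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent = ".".join(key for _, key in stack)
        if body.startswith("- "):
            flat.setdefault(parent, []).append(body[2:].strip().strip("\"'"))
            continue
        key, _, value = body.partition(":")
        path = f"{parent}.{key.strip()}".lstrip(".")
        if value.strip():
            flat[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return flat


def audit_dashboard(static_text, dynamic_text):
    """Return findings about how the dashboard (api@internal) is exposed."""
    static, dynamic, findings = flatten(static_text), flatten(dynamic_text), []
    if str(static.get("api.insecure", "false")).lower() == "true":
        findings.append("api.insecure=true: dashboard served without auth "
                        "on the 'traefik' entrypoint")
    for path, value in dynamic.items():
        if path.endswith(".service") and value == "api@internal":
            router = path[: -len(".service")]
            if not dynamic.get(router + ".middlewares"):
                findings.append(f"{router}: no middleware on api@internal router")
    return findings
```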

🔒 HTTPS Configuration

Let's Encrypt (Default)

easiarr configures automatic HTTPS via Let's Encrypt:

certificatesResolvers:
  letsencrypt:
    acme:
      email: your@email.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

Cloudflare DNS Challenge

For wildcard certificates or when port 80 is blocked:

certificatesResolvers:
  cloudflare:
    acme:
      email: your@email.com
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"

Environment:

CF_API_EMAIL=your@email.com
CF_API_KEY=your-global-api-key

🌐 Routing Examples

Subdomain Routing

# radarr.example.com → radarr:7878
- "traefik.http.routers.radarr.rule=Host(`radarr.example.com`)"

Path-Based Routing

# example.com/radarr → radarr:7878
- "traefik.http.routers.radarr.rule=Host(`example.com`) && PathPrefix(`/radarr`)"
- "traefik.http.middlewares.radarr-strip.stripprefix.prefixes=/radarr"
- "traefik.http.routers.radarr.middlewares=radarr-strip"

Multiple Hostnames

- "traefik.http.routers.radarr.rule=Host(`radarr.example.com`) || Host(`movies.example.com`)"

🔧 Middleware

Common Middlewares

Rate Limiting

http:
  middlewares:
    ratelimit:
      rateLimit:
        average: 100
        burst: 50

Headers

http:
  middlewares:
    secure-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true

IP Whitelist

http:
  middlewares:
    local-only:
      ipWhiteList:
        sourceRange:
          - "192.168.0.0/16"
          - "10.0.0.0/8"

🔀 Architecture

With Cloudflare Tunnel

Internet → Cloudflare → Cloudflared → Traefik → Services

Direct Access

Internet → Router (Port 80/443) → Traefik → Services

Local Only

LAN → Traefik → Services

❌ Troubleshooting

Certificate Issues

  1. Check ACME logs:

    docker logs traefik 2>&1 | grep -i acme

  2. Verify that the domain's DNS points to your server

  3. Check whether you have hit Let's Encrypt's rate limits

Route Not Working

  1. Check labels on container
  2. Verify container is running
  3. Check Traefik dashboard for route status
  4. View Traefik logs:
    docker logs traefik

502 Bad Gateway

  1. Service not healthy - Check app container
  2. Wrong port in labels
  3. Network connectivity - Ensure same Docker network

404 Not Found

  1. Route not matched - Check Host rule
  2. Traefik not enabled for container
  3. Wrong entrypoint (HTTP vs HTTPS)
