How to configure version 2 of the popular reverse proxy Traefik as a TLS-terminating front end for Nextcloud in Docker.

Anyone running their own Linux server at home who wants TLS-protected access to their Nextcloud from the Internet will find Traefik a capable, modern reverse proxy. Since the release of version 2.0, however, most of the configuration examples found on the Internet no longer apply: they were written for the 1.x configuration syntax, which 2.x does not accept.

In this article I show how to configure the Docker and Traefik containers so that Let's Encrypt certificates are obtained through the ACME TLS-ALPN-01 challenge (Traefik's tlsChallenge). That challenge is answered on port 443, so no port 80 forwarding is needed, but port 443 must be reachable from the Internet. I have also included all settings needed for the HTTP Strict Transport Security (HSTS) mechanism. The complete Docker setup is in my Github repository.

The configuration of the Traefik version 2.x container

Here the general (static) settings of the Traefik container are made and the certificate resolver is configured. Note the division of labour: the Traefik container carries only this static configuration. Which services are published, under which hostname and with which middlewares, is declared through labels on the service containers themselves, not in the configuration of the Traefik container.

version: "3.3"
services:
  traefik:
    # Pin to a 2.x release: "latest" follows the newest major version and will
    # eventually pull a release whose configuration syntax differs from this one.
    image: "traefik:v2.11"
    container_name: "traefik2"
    command:
      #- "--log.level=DEBUG"
      # Serves the dashboard and API on :8080 without any authentication. Keep it
      # off the network (see the 127.0.0.1 binding below) or drop it entirely.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Only containers that opt in with traefik.enable=true are published.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      # ACME TLS-ALPN-01: the challenge is answered on port 443, no port 80 needed.
      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
      # Use the staging CA while testing to stay clear of Let's Encrypt rate limits.
      #- "--certificatesresolvers.mytlschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.mytlschallenge.acme.email=***youremail@here***"
      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      # Dashboard reachable from the host only, not from the LAN or the Internet.
      - "127.0.0.1:8080:8080"
    volumes:
      # acme.json holds the certificate private keys; Traefik creates it with
      # mode 0600 and refuses to use it with looser permissions. Keep it that way.
      - "./letsencrypt:/letsencrypt"
      # A read-only mount still grants the Docker API: whoever controls this
      # container controls the host. One more reason not to expose the dashboard.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      # Shared with the service containers Traefik publishes (created beforehand,
      # e.g. with "docker network create traefik_proxy").
      - traefik_proxy
      - default
    logging:
      options:
        max-size: '12m'
        max-file: '5'
      driver: json-file

networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge

The configuration of the Nextcloud container

The Nextcloud container needs labels that tell Traefik how to publish it: the router (entrypoint, host rule, certificate resolver) and the headers middleware that sets X-Frame-Options and the HSTS header. The container must also be attached to the traefik_proxy network, and the labels below must use Traefik 2.x syntax; 1.x labels such as traefik.port are silently ignored. Be aware that stsIncludeSubdomains and stsPreload apply to every subdomain of the host named in the rule, and that an entry in the browser preload list is effectively permanent, so only enable them when all subdomains serve HTTPS.

labels:
  - "traefik.enable=true"
  # "traefik.port=80" is 1.x syntax and is ignored by Traefik 2; the backend port belongs to the service.
  - "traefik.http.services.cloud.loadbalancer.server.port=80"
  - "traefik.http.routers.cloud.entrypoints=websecure"
  - "traefik.http.routers.cloud.rule=Host(`yourhostname`)"
  - "traefik.http.routers.cloud.tls.certresolver=mytlschallenge"
  - "traefik.http.routers.cloud.middlewares=cloud@docker"
  # Must name the network shared with the Traefik container (traefik_proxy above);
  # this container has to be attached to it as well.
  - "traefik.docker.network=traefik_proxy"
  # X-Frame-Options: SAMEORIGIN is what Nextcloud expects. customFrameOptionsValue
  # overrides framedeny, so "framedeny=true" next to it would be redundant.
  - "traefik.http.middlewares.cloud.headers.customFrameOptionsValue=SAMEORIGIN"
  # With no plain-HTTP entrypoint on :80 there is nothing to redirect. If you add one
  # (--entrypoints.web.address=:80), prefer the entrypoint-level redirection
  # --entrypoints.web.http.redirections.entrypoint.to=websecure (Traefik >= 2.2).
  - "traefik.http.middlewares.cloud.headers.sslredirect=true"
  - "traefik.http.middlewares.cloud.headers.stsIncludeSubdomains=true"
  # Preload cannot be undone quickly; the preload list also requires max-age >= 31536000 (one year).
  - "traefik.http.middlewares.cloud.headers.stsPreload=true"
  # 15552000 s (180 days) is the minimum Nextcloud's admin overview accepts without a warning.
  - "traefik.http.middlewares.cloud.headers.stsSeconds=15552000"
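
Once the stack is up, the only way to know that the headers middleware really sits in front of Nextcloud is to look at what the proxy sends back. The following POSIX shell script is an added example, not code from the article or its repository: it parses raw HTTP response headers (as printed by curl -sI) and checks the HSTS and X-Frame-Options values against two thresholds, the 15552000 seconds Nextcloud's admin overview demands and the 31536000 seconds hstspreload.org currently requires before a domain can be submitted. The function names and the sample responses are my own; the sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not part of the original article): validate the security headers
# the "cloud" middleware should add in front of Nextcloud.
# Live use after sourcing this file:   check_headers "$(curl -sI https://yourhostname)"

NEXTCLOUD_MIN_AGE=15552000   # HSTS max-age below which Nextcloud's admin overview warns (180 days)
PRELOAD_MIN_AGE=31536000     # minimum max-age hstspreload.org accepts (one year)

# header_value NAME  (raw headers on stdin): print the value of the first header
# with that name, case-insensitive, CR and surrounding blanks removed.
header_value() {
    tr -d '\r' | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            i = index($0, ":")
            if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) == want) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v
                exit
            }
        }'
}

# hsts_max_age HEADERS: print the max-age number of Strict-Transport-Security, or nothing.
hsts_max_age() {
    printf '%s\n' "$1" | header_value strict-transport-security |
        tr 'A-Z' 'a-z' | tr ';' '\n' |
        sed -n 's/^[ \t]*max-age=\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# hsts_has HEADERS DIRECTIVE: succeed if the HSTS header carries DIRECTIVE (case-insensitive).
hsts_has() {
    printf '%s\n' "$1" | header_value strict-transport-security |
        tr 'A-Z' 'a-z' | tr ';' '\n' | sed 's/^[ \t]*//; s/[ \t]*$//' |
        grep -qx "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# preload_eligible HEADERS: the three header requirements of the preload list.
preload_eligible() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$PRELOAD_MIN_AGE" ] &&
        hsts_has "$1" includesubdomains && hsts_has "$1" preload
}

# check_headers HEADERS: print findings; return 1 on a hard failure, 0 otherwise.
check_headers() {
    status=0
    age=$(hsts_max_age "$1")
    if [ -z "$age" ]; then
        echo "FAIL: no usable Strict-Transport-Security header"; status=1
    elif [ "$age" -lt "$NEXTCLOUD_MIN_AGE" ]; then
        echo "FAIL: HSTS max-age $age is below Nextcloud's minimum of $NEXTCLOUD_MIN_AGE"; status=1
    else
        echo "OK:   HSTS max-age $age"
    fi
    if hsts_has "$1" preload && ! preload_eligible "$1"; then
        echo "WARN: preload is set but the header does not meet preload-list requirements" \
             "(max-age >= $PRELOAD_MIN_AGE plus includeSubDomains)"
    fi
    xfo=$(printf '%s\n' "$1" | header_value x-frame-options | tr 'a-z' 'A-Z')
    if [ "$xfo" = "SAMEORIGIN" ]; then
        echo "OK:   X-Frame-Options SAMEORIGIN"
    else
        echo "FAIL: X-Frame-Options is '${xfo:-missing}', Nextcloud expects SAMEORIGIN"; status=1
    fi
    return $status
}

# Constructed sample responses (not captured from a real server).
ARTICLE_HEADERS=$(printf '%s\r\n' 'HTTP/2 200' \
    'Strict-Transport-Security: max-age=15552000; includeSubDomains; preload' \
    'X-Frame-Options: SAMEORIGIN')          # the values from the labels above
PRELOAD_OK_HEADERS=$(printf '%s\r\n' 'HTTP/2 200' \
    'strict-transport-security: max-age=31536000; includeSubDomains; preload' \
    'x-frame-options: SAMEORIGIN')          # meets the preload-list minimum
BARE_HEADERS=$(printf '%s\r\n' 'HTTP/1.1 200 OK' 'Content-Type: text/html')  # middleware not applied

for h in "$ARTICLE_HEADERS" "$PRELOAD_OK_HEADERS" "$BARE_HEADERS"; do
    echo "--"
    check_headers "$h" || echo "=> not acceptable"
done
```

Run against the article's own values the script reports the HSTS age and X-Frame-Options as OK but warns that preload is requested with a max-age the preload list will not accept; the third sample shows what you see when the router is matched but the middleware is not attached (the "cloud@docker" reference misspelled, for instance).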
