How to configure the second version of the popular reverse proxy Traefik for Nextcloud in Docker.

Those who run their own Linux server at home and want SSL-protected access to their Nextcloud from the Internet will find Traefik to be a well-functioning and modern reverse proxy. Since the release of version 2.0, the many configuration examples found on the Internet are unfortunately incompatible with the current version.

In this article I will show you how to configure your Docker and Traefik containers so that SSL certificates are obtained via the TLS challenge. I have also included all settings that are necessary for the “HTTP Strict Transport Security” (HSTS) mechanism. In my GitHub repository you can see the complete Docker setup.

The configuration of the Traefik version 2.x container

At this point the general settings of the Traefik container are made and the certificate resolver is configured. Note that the services Traefik offers are configured on the side of each service container (through labels), not in the configuration of the Traefik container.

version: "3.3"
services:
  traefik:
    # "latest" follows new major releases; pin a 2.x tag to match this configuration
    image: "traefik:latest"
    container_name: "traefik2"
    command:
      #- "--log.level=DEBUG"
      # Serves the dashboard and API without authentication on port 8080
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Only containers labelled traefik.enable=true are published
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
      # Uncomment to test against the Let's Encrypt staging CA
      #- "--certificatesresolvers.mytlschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.mytlschallenge.acme.email=***youremail@here***"
      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      # Dashboard port, published on all host interfaces; do not forward it from the Internet
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      # ":ro" does not restrict the Docker API calls made through the socket
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik_proxy
      - default
    logging:
      options:
        max-size: '12m'
        max-file: '5'
      driver: json-file

networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge

The configuration of the Nextcloud container

The Nextcloud container needs some labels that define which configuration Traefik offers for this container. Specifically, the router and the middleware, which modifies the HTTP headers, are configured here.

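labels:
  - "traefik.enable=true"
  # Traefik 2.x form of the v1 label "traefik.port=80", which version 2 ignores
  - "traefik.http.services.cloud.loadbalancer.server.port=80"
  - "traefik.http.routers.cloud.entrypoints=websecure"
  - "traefik.http.routers.cloud.rule=Host(`yourhostname`)"
  - "traefik.http.routers.cloud.tls.certresolver=mytlschallenge"
  # Attach the "cloud" middleware defined below to this router
  - "traefik.http.routers.cloud.middlewares=cloud@docker"
  # Must be the name of the Docker network this container shares with Traefik
  - "traefik.docker.network=webproxy"
  # X-Frame-Options: the custom value takes precedence over framedeny (DENY)
  - "traefik.http.middlewares.cloud.headers.customFrameOptionsValue=SAMEORIGIN"
  - "traefik.http.middlewares.cloud.headers.framedeny=true"
  # Redirect plain HTTP requests to HTTPS
  - "traefik.http.middlewares.cloud.headers.sslredirect=true"
  # HSTS: Strict-Transport-Security with includeSubDomains, preload and max-age in seconds
  - "traefik.http.middlewares.cloud.headers.stsIncludeSubdomains=true"
  - "traefik.http.middlewares.cloud.headers.stsPreload=true"
  - "traefik.http.middlewares.cloud.headers.stsSeconds=15552000"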
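
The middleware labels above end up as two response headers. The following added example (not from the original article or its repository) derives the expected header values from those labels and compares them with the headers of a response; the function names and the sample response are made up for illustration.

```python
# Middleware labels copied from the Nextcloud container definition above.
LABELS = [
    "traefik.http.middlewares.cloud.headers.customFrameOptionsValue=SAMEORIGIN",
    "traefik.http.middlewares.cloud.headers.framedeny=true",
    "traefik.http.middlewares.cloud.headers.sslredirect=true",
    "traefik.http.middlewares.cloud.headers.stsIncludeSubdomains=true",
    "traefik.http.middlewares.cloud.headers.stsPreload=true",
    "traefik.http.middlewares.cloud.headers.stsSeconds=15552000",
]

def header_options(labels, middleware="cloud"):
    """Collect one headers middleware's options; keys are lowercased for lookup."""
    prefix = f"traefik.http.middlewares.{middleware}.headers.".lower()
    opts = {}
    for label in labels:
        key, _, value = label.partition("=")
        if key.lower().startswith(prefix):
            opts[key.lower()[len(prefix):]] = value
    return opts

def expected_headers(opts):
    """Headers the options should yield on an HTTPS response."""
    out = {}
    seconds = int(opts.get("stsseconds", "0"))
    if seconds > 0:  # 15552000 s = 180 days
        sts = f"max-age={seconds}"
        sts += "; includeSubDomains" if opts.get("stsincludesubdomains") == "true" else ""
        sts += "; preload" if opts.get("stspreload") == "true" else ""
        out["Strict-Transport-Security"] = sts
    if opts.get("customframeoptionsvalue"):  # custom value wins over framedeny
        out["X-Frame-Options"] = opts["customframeoptionsvalue"]
    elif opts.get("framedeny") == "true":
        out["X-Frame-Options"] = "DENY"
    return out

def audit(response_headers, labels=LABELS):
    """List headers that are missing or differ from what the labels ask for."""
    got = {k.lower(): v for k, v in response_headers.items()}
    norm = lambda v: [p.strip().lower() for p in v.split(";")]
    problems = []
    for name, want in expected_headers(header_options(labels)).items():
        have = got.get(name.lower())
        if have is None:
            problems.append(f"{name}: missing, expected '{want}'")
        elif norm(have) != norm(want):
            problems.append(f"{name}: got '{have}', expected '{want}'")
    return problems

# Constructed sample response headers without HSTS (middleware not applied).
SAMPLE = {"x-frame-options": "SAMEORIGIN", "content-type": "text/html"}
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed `audit()` the headers returned by your own hostname (for example from `curl -sI`) to confirm the middleware is attached to the router.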

Please check my GitHub repository for the complete docker-compose files: https://github.com/bedawi/liberty-server

4 Comments

  1. Great work!! It works!!
    Could you explain middleware labels please?
    Most of these parameters are out of my knowledge..

  2. I’m new to Docker and Traefik and I’m having a hard time getting this to work. For the Nextcloud site Firefox tells me “SSL_ERROR_INTERNAL_ERROR_ALERT”. Can’t for the life of me tell where I’ve messed up my configs.

    1. Sorry my dear, without more details I cannot help. Did you clone my repo? ( https://github.com/bedawi/liberty-server ) What do your docker-compose files look like? Have you had a look into the log file of Traefik? Do you have a firewall / web application firewall installed in front of your machine? What messages does the journal of your distribution throw? ( $ journalctl -f )
      Hint: Install Portainer ( https://www.portainer.io/installation/ ) and look into the log files of traefik and nextcloud.
