Production-ready reverse proxy template with automatic SSL certificate provisioning, security headers, rate limiting, and a monitoring dashboard.
- Automatic HTTPS via Let's Encrypt (ACME HTTP challenge)
- HTTP to HTTPS redirect on all traffic
- Security headers (HSTS, X-Content-Type-Options, X-Frame-Options, etc.)
- Rate limiting (configurable avg/burst)
- Gzip compression for responses
- Traefik dashboard with basic auth protection
- Zero-downtime certificate renewal

```
                    Internet
                        |
               +--------+--------+
               |     Traefik     |
               | (reverse proxy) |
               |                 |
               |  :80   -> redirect to :443
               |  :443  -> TLS termination
               |  :8080 -> dashboard (auth)
               +--------+--------+
                        |
           +------------+------------+
           |            |            |
      +----+----+  +----+----+  +----+----+
      | Service |  | Service |  | Service |
      |   app   |  |   api   |  |   ...   |
      +---------+  +---------+  +---------+
           |            |            |
           +------------+------------+
                        |
               Docker network: web
```

```bash
git clone https://github.com/atendiatec/docker-traefik-ssl-template.git
cd docker-traefik-ssl-template
cp .env.example .env
```

Edit `.env` with your values:

```
DOMAIN=example.com
ACME_EMAIL=admin@example.com
DASHBOARD_USER=admin
DASHBOARD_PASSWORD=changeme
```

```bash
touch acme.json
chmod 600 acme.json
docker compose up -d
```

Your app is now live at https://app.example.com and the Traefik dashboard at https://traefik.example.com:8080.

| Variable | Description | Example |
|---|---|---|
| `DOMAIN` | Your root domain | `example.com` |
| `ACME_EMAIL` | Email for Let's Encrypt registration | `admin@example.com` |
| `DASHBOARD_USER` | Traefik dashboard username | `admin` |
| `DASHBOARD_PASSWORD` | Traefik dashboard password | `changeme` |

`traefik.yml` (static configuration) controls entrypoints, ACME provider, Docker provider, and dashboard settings. Edit this file to change ports, switch ACME challenge type, or enable/disable the dashboard.

`traefik-dynamic.yml` (dynamic configuration) controls middleware (rate limiting, security headers, compression). Edit this file to tune rate limits, add/remove headers, or create new middleware chains.

Add a new service to docker-compose.yml with Traefik labels:

```yaml
services:
  api:
    image: your-api-image:latest
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`api.${DOMAIN}`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.services.api.loadbalancer.server.port=3000"
      # Apply security middlewares
      - "traefik.http.routers.api.middlewares=security-headers@file,rate-limit@file,compress@file"
```

Then restart:

```bash
docker compose up -d
```

Traefik will automatically detect the new service, provision an SSL certificate, and start routing traffic.

- Change default dashboard credentials in `.env`
- Ensure `acme.json` has `600` permissions
- Never commit `.env` to version control
- Review rate limit values in `traefik-dynamic.yml` for your use case
- Consider restricting dashboard access by IP in production
- Keep Traefik image updated to the latest v3 release
- Use Docker secrets for sensitive values in production
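
The first three checklist items can be verified mechanically before running `docker compose up -d`. The script below is an added example, not part of the template; the function names `preflight_check`, `file_mode` and `env_value` are hypothetical, and it assumes `.env` and `acme.json` sit in the directory passed as the first argument.

```bash
# Added example (not part of the template). Function names are hypothetical.
# Usage: preflight_check /path/to/docker-traefik-ssl-template

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Read the last assignment of variable $1 from .env file $2, quotes stripped.
env_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# Prints each finding and returns the number of failed checks (0 = pass).
preflight_check() {
    dir=${1:-.}
    failures=0

    if [ ! -f "$dir/.env" ]; then
        echo "FAIL: $dir/.env is missing"; failures=$((failures + 1))
    else
        pw=$(env_value DASHBOARD_PASSWORD "$dir/.env")
        # "changeme" is the example password shown in the README
        if [ -z "$pw" ] || [ "$pw" = "changeme" ]; then
            echo "FAIL: DASHBOARD_PASSWORD is empty or still the default"
            failures=$((failures + 1))
        fi
    fi

    if [ ! -f "$dir/acme.json" ]; then
        echo "FAIL: $dir/acme.json is missing"; failures=$((failures + 1))
    else
        mode=$(file_mode "$dir/acme.json")
        if [ "$mode" != "600" ]; then
            echo "FAIL: acme.json mode is $mode, expected 600"
            failures=$((failures + 1))
        fi
    fi

    # Only meaningful inside a git work tree; skipped otherwise.
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       git -C "$dir" ls-files --error-unmatch .env >/dev/null 2>&1; then
        echo "FAIL: .env is tracked by git"; failures=$((failures + 1))
    fi

    [ "$failures" -eq 0 ] && echo "OK: all checks passed"
    return "$failures"
}
```

A non-zero return value is the number of failed checks, so the function can gate a deploy script with `preflight_check . && docker compose up -d`.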

```
.
├── docker-compose.yml      # Service definitions with Traefik labels
├── traefik.yml             # Traefik static configuration
├── traefik-dynamic.yml     # Traefik dynamic configuration (middlewares)
├── .env.example            # Environment variable template
├── .gitignore              # Ignores .env and acme.json
├── LICENSE                 # MIT License
└── README.md               # This file
```

MIT License - Copyright (c) 2026 AtendIA Tec
See LICENSE for details.