Traefik

Traefik is used as my reverse proxy.

🛠 Installation

Default Port: 80

bash -c "$(curl -sL https://github.com/community-scripts/ProxmoxVE/raw/main/ct/traefik.sh)"
bash -c "$(curl -sL https://github.com/asylumexp/Proxmox/raw/main/ct/traefik.sh)"

⚙ Config

All internal URLs use an `l` subdomain so that only one certificate is needed from Let's Encrypt, e.g. https://app.l.nicholaswilde.io/

Note

Paths in the config file should be absolute.

App

Tip

Use the staging value of caServer during testing.

homelab/pve/traefik/traefik.yaml
--8<-- "traefik/traefik.yaml"
homelab/pve/traefik/conf.d/config.yaml
--8<-- "traefik/conf.d/config.yaml"

🤝 Service

Update EnvironmentFile and ExecStart to point to your homelab directories.

/etc/systemd/system/traefik.service

cat > /etc/systemd/system/traefik.service <<EOF
--8<-- "traefik/traefik.service"
EOF
curl -Lo /etc/systemd/system/traefik.service https://github.com/nicholaswilde/homelab/raw/refs/heads/main/pve/traefik/traefik.service
--8<-- "traefik/traefik.service"

Enable service

(
 systemctl enable traefik.service && \
 systemctl start traefik.service && \
 systemctl status traefik.service
) 

📝 Usage

  1. Create new config for app

    homelab/pve/traefik/conf.d/

    APP_NAME=AppName task new > appname.yaml
    
    jinja2 -D APP_NAME=AppName .template.yaml.j2 > appname.yaml
    
  2. Edit config file.

    Update http.routers.<app_name>.rule and services.<app_name>.loadBalancer.servers.url[0]

    homelab/pve/traefik/conf.d/mcp-server.yaml
    --8<-- "traefik/conf.d/mcp-server.yaml"
    
  3. Restart traefik

    homelab/pve/traefik/conf.d/

    task restart
    
    systemctl restart traefik.service
    
    1. Test URL in browser.
  4. Comment out middleware in config file.

    homelab/pve/traefik/conf.d/mcp-server.yaml
    ---
    http:
     #region routers 
      routers:
        mcp-server:
          entryPoints:
            - "websecure"
          rule: "Host(`mcp-server.l.nicholaswilde.io`)"
          middlewares:
            - default-headers@file
            - https-redirectscheme@file
          tls: {}
          service: mcp-server
    #endregion
    #region services
      services:
        mcp-server:
          loadBalancer:
            servers:
              - url: "http://192.168.2.177:8080"
            passHostHeader: true
    #endregion
      # middlewares:
        # https-redirectscheme:
          # redirectScheme:
            # scheme: https
            # permanent: true
        # default-headers:
          # headers:
            # frameDeny: true
            # browserXssFilter: true
            # contentTypeNosniff: true
            # forceSTSHeader: true
            # stsIncludeSubdomains: true
            # stsPreload: true
            # stsSeconds: 15552000
            # customFrameOptionsValue: SAMEORIGIN
            # customRequestHeaders:
              # X-Forwarded-Proto: https
    #
        # default-whitelist:
          # ipAllowList:
            # sourceRange:
            # - "10.0.0.0/8"
            # - "192.168.0.0/16"
            # - "172.16.0.0/12"
    #
        # secured:
          # chain:
            # middlewares:
            # - default-whitelist
            # - default-headers
    
  5. Restart traefik

  6. Test URL

  7. Remove middleware or uncomment middleware

    homelab/pve/traefik/conf.d/mcp-server.yaml
    ---
    http:
     #region routers 
      routers:
        mcp-server:
          entryPoints:
            - "websecure"
          rule: "Host(`mcp-server.l.nicholaswilde.io`)"
          middlewares:
            - default-headers@file
            - https-redirectscheme@file
          tls: {}
          service: mcp-server
    #endregion
    #region services
      services:
        mcp-server:
          loadBalancer:
            servers:
              - url: "http://192.168.2.177:8080"
            passHostHeader: true
    #endregion
    
  8. Restart traefik
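
The "Test URL" steps can also be checked from the shell. This is an added example, not part of the original page or the homelab repository: it reads response headers on stdin and confirms the values that the `default-headers` middleware shown in step 4 should produce. The function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the response headers set by the default-headers
# middleware (frameDeny + customFrameOptionsValue, contentTypeNosniff,
# browserXssFilter, sts* options). Live use, with the host from this page:
#   curl -sI https://mcp-server.l.nicholaswilde.io/ | check_security_headers

# has NAME VALUE: header NAME exists in $_hdrs and its value contains VALUE.
has() {
  printf '%s\n' "$_hdrs" | grep -E "^$1:" | grep -qF -- "$2"
}

# Reads raw HTTP response headers on stdin; returns 1 and lists what is
# missing or has an unexpected value, returns 0 when everything matches.
check_security_headers() {
  # Strip CRs and lowercase so HTTP/1.1 and HTTP/2 output compare the same.
  _hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  missing=""
  has x-frame-options sameorigin || missing="$missing x-frame-options"
  has x-content-type-options nosniff || missing="$missing x-content-type-options"
  has x-xss-protection '1; mode=block' || missing="$missing x-xss-protection"
  for part in 'max-age=15552000' includesubdomains preload; do
    has strict-transport-security "$part" ||
      missing="$missing strict-transport-security($part)"
  done
  if [ -n "$missing" ]; then
    echo "missing or wrong:$missing" >&2
    return 1
  fi
  echo "all default-headers response headers present"
}

# Constructed sample response (not captured from a real server).
sample_headers() {
  printf 'HTTP/2 200\r\n'
  printf 'Content-Type: text/html\r\n'
  printf 'Strict-Transport-Security: max-age=15552000; includeSubDomains; preload\r\n'
  printf 'X-Content-Type-Options: nosniff\r\n'
  printf 'X-Frame-Options: SAMEORIGIN\r\n'
  printf 'X-Xss-Protection: 1; mode=block\r\n'
}

sample_headers | check_security_headers
```

A non-zero exit after step 5 or step 8 means the router is no longer applying `default-headers@file`, or the middleware definition in use differs from the one shown in step 4.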

📁 Logs

/var/log/traefik/traefik.log

task logs
tail -n10 /var/log/traefik/traefik.log

Follow

/var/log/traefik/traefik.log

task watch
tail -f /var/log/traefik/traefik.log

Task List

--8<-- "traefik/task-list.txt"
