Version: 3.4.3 Status: ✅ PRODUCTION Network: traefik-net Domain: ai-servicers.com
Traefik is the primary reverse proxy and load balancer for the entire infrastructure, providing:
- HTTPS termination with Let's Encrypt certificates (Cloudflare DNS challenge)
- Automatic service discovery via Docker labels
- Certificate management and auto-renewal
- Multi-domain routing for HTTP/HTTPS and TCP services
- Centralized entry point for all external traffic
Quick commands:

```bash
# Deploy Traefik
cd /home/administrator/projects/traefik
./deploy.sh

# View logs
docker logs traefik -f

# Check health
docker exec traefik wget -qO- http://localhost:8083/api/version | jq

# View routers
docker exec traefik wget -qO- http://localhost:8083/api/http/routers | jq
```

Components:
- traefik: Main reverse proxy
- traefik-certs-dumper: Extracts certificates from acme.json for other services
- traefik-net: Primary network for all web-facing services

Entry points:

| Entry Point | Port | Purpose |
|---|---|---|
| web | 80 | HTTP (redirects to HTTPS) |
| websecure | 443 | HTTPS with Let's Encrypt |
| traefik | 8083 | Dashboard & API |
| metrics | 9100 | Prometheus metrics |
| smtp | 25 | Incoming mail |
| smtps | 465 | SMTP over SSL |
| submission | 587 | Mail submission |
| imaps | 993 | IMAP over SSL |

Files:

| File | Purpose |
|---|---|
| docker-compose.yml | Service definitions |
| deploy.sh | Deployment script with validation |
| traefik.yml | Main Traefik configuration |
| redirect.yml | HTTP→HTTPS redirect rules |
| acme.json | Let's Encrypt certificates (chmod 600) |
Location: $HOME/projects/secrets/traefik.env

Required Variables:

```bash
TRAEFIK_CONTAINER_NAME=traefik
TRAEFIK_IMAGE=traefik:v3.4.3
TRAEFIK_NETWORK=traefik-net
TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=:80
TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS=:443
TRAEFIK_ENTRYPOINTS_TRAEFIK_ADDRESS=:8083
TRAEFIK_ENTRYPOINTS_METRICS_ADDRESS=:9100
TRAEFIK_ENTRYPOINTS_SMTP_ADDRESS=:25
TRAEFIK_ENTRYPOINTS_SMTPS_ADDRESS=:465
TRAEFIK_ENTRYPOINTS_SUBMISSION_ADDRESS=:587
TRAEFIK_ENTRYPOINTS_IMAPS_ADDRESS=:993
TRAEFIK_ACME_FILE_PATH=/home/administrator/projects/traefik/acme.json
TRAEFIK_CERTS_DUMP_PATH=/home/administrator/projects/data/traefik-certs
CERTS_DUMPER_CONTAINER_NAME=traefik-certs-dumper
CERTS_DUMPER_IMAGE=ldez/traefik-certs-dumper:latest
[email protected]
CF_API_KEY=your-cloudflare-api-key
```

Certificates:
- Provider: Cloudflare DNS challenge
- Email: [email protected]
- Storage: /home/administrator/projects/traefik/acme.json
- Dumped Certs: /home/administrator/projects/data/traefik-certs/

Domains:
- ai-servicers.com (main domain)
- *.ai-servicers.com (wildcard)
- Individual service subdomains
```bash
# Check certificates
cat acme.json | jq '.letsencrypt.Certificates[].domain'

# Force renewal
docker restart traefik

# View dumped certificates
ls -la /home/administrator/projects/data/traefik-certs/
```

HTTP service: add these labels to your docker-compose.yml:

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.docker.network=traefik-net"
  - "traefik.http.routers.myapp.rule=Host(`myapp.ai-servicers.com`)"
  - "traefik.http.routers.myapp.entrypoints=websecure"
  - "traefik.http.routers.myapp.tls=true"
  - "traefik.http.routers.myapp.tls.certresolver=letsencrypt"
  - "traefik.http.services.myapp.loadbalancer.server.port=80"
```

TCP service (passthrough on a dedicated entry point):

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.tcp.routers.myapp.rule=HostSNI(`*`)"
  - "traefik.tcp.routers.myapp.entrypoints=myport"
  - "traefik.tcp.routers.myapp.service=myapp"
  - "traefik.tcp.services.myapp.loadbalancer.server.port=8080"
```

Dashboard and API:
- Dashboard: https://traefik.ai-servicers.com:8083
- API: http://localhost:8083/api/
- Metrics: http://localhost:9100/metrics
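Added example (not the Traefik project's or this deployment's own code): a small linter that checks a container's Traefik labels and network membership against the HTTP and TCP label conventions above, so a misrouted or unencrypted service is caught before digging through logs. The sample label set is constructed from the compose snippet; `TCP_ENTRYPOINTS` mirrors the entry point table.

```python
# Added example (not the Traefik project's or this deployment's own code): lint a
# container's Traefik labels and network membership against the conventions above.
# Sample labels are constructed; TCP_ENTRYPOINTS mirrors the entry point table.
import re

TRAEFIK_NETWORK = "traefik-net"
TCP_ENTRYPOINTS = {"smtp", "smtps", "submission", "imaps"}

def lint_container(labels, networks):
    """Return a list of findings; an empty list means the labels follow the conventions."""
    findings = []
    if labels.get("traefik.enable") != "true":
        findings.append("traefik.enable must be 'true', otherwise Traefik ignores the container")
    if TRAEFIK_NETWORK not in networks:
        findings.append(f"container is not attached to {TRAEFIK_NETWORK}")
    if labels.get("traefik.docker.network") != TRAEFIK_NETWORK:
        findings.append(f"traefik.docker.network must be {TRAEFIK_NETWORK}")
    routers = {}  # (proto, name) -> {option: value}
    for key, value in labels.items():
        m = re.fullmatch(r"traefik\.(http|tcp)\.routers\.([^.]+)\.(.+)", key)
        if m:
            routers.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = value
    for (proto, name), cfg in routers.items():
        eps = {e for e in cfg.get("entrypoints", "").split(",") if e}
        if "rule" not in cfg:
            findings.append(f"{proto} router {name}: missing rule")
        if proto == "http":
            # HTTP routers terminate TLS on websecure only; port 80 is served by redirect.yml
            if eps != {"websecure"}:
                findings.append(f"http router {name}: entrypoints must be websecure, got {sorted(eps)}")
            if cfg.get("tls.certresolver") != "letsencrypt":
                findings.append(f"http router {name}: tls.certresolver must be letsencrypt")
        elif not eps or not eps <= TCP_ENTRYPOINTS:
            findings.append(f"tcp router {name}: entrypoints {sorted(eps)} are not defined TCP entry points")
        svc = cfg.get("service", name)
        if f"traefik.{proto}.services.{svc}.loadbalancer.server.port" not in labels:
            findings.append(f"{proto} router {name}: service {svc} has no loadbalancer.server.port")
    return findings

# Constructed sample: the HTTP label set from the compose snippet above.
MYAPP_LABELS = {
    "traefik.enable": "true",
    "traefik.docker.network": "traefik-net",
    "traefik.http.routers.myapp.rule": "Host(`myapp.ai-servicers.com`)",
    "traefik.http.routers.myapp.entrypoints": "websecure",
    "traefik.http.routers.myapp.tls": "true",
    "traefik.http.routers.myapp.tls.certresolver": "letsencrypt",
    "traefik.http.services.myapp.loadbalancer.server.port": "80",
}
```

Feed it the `Config.Labels` and `NetworkSettings.Networks` keys from `docker inspect` output to run it against a live container.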
Querying the API:

```bash
# Version
docker exec traefik wget -qO- http://localhost:8083/api/version

# HTTP routers
docker exec traefik wget -qO- http://localhost:8083/api/http/routers | jq

# TCP routers
docker exec traefik wget -qO- http://localhost:8083/api/tcp/routers | jq

# Services
docker exec traefik wget -qO- http://localhost:8083/api/http/services | jq
```

Logs:

```bash
# Real-time logs
docker logs traefik -f

# Last 100 lines
docker logs traefik --tail 100

# Search for errors
docker logs traefik 2>&1 | grep -i error
```

Service not routed:

- Check container is on traefik-net:
  `docker inspect myapp | grep -A5 Networks`
- Verify Traefik labels:
  `docker inspect myapp | grep -A20 Labels`
- Check if router exists:
  `docker exec traefik wget -qO- http://localhost:8083/api/http/routers | jq '.[] | select(.name | contains("myapp"))'`
- Review Traefik logs for the service:
  `docker logs traefik | grep myapp`

Certificate issues:

- Check acme.json permissions (must be 600):
  `ls -la acme.json`
- Verify DNS challenge:
  `docker logs traefik | grep -i challenge`
- Check Cloudflare API credentials in `$HOME/projects/secrets/traefik.env`
- Manual certificate renewal:
  `docker restart traefik`
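Added example (not the Traefik project's or this deployment's own code): an audit of an acme.json store that automates the two certificate checks above, the 600 permission requirement and the `.letsencrypt.Certificates[].domain` inventory. The store content and the temp file it is written to are constructed for the demo; the key layout follows the jq path used above.

```python
# Added example (not the Traefik project's or this deployment's own code): audit an
# acme.json store: permission bits must be 600 and every certificate's domains are
# listed. SAMPLE_ACME and the temp file are constructed; the layout follows the
# jq path used above (.letsencrypt.Certificates[].domain).
import json
import os
import stat
import tempfile

SAMPLE_ACME = {"letsencrypt": {"Certificates": [
    {"domain": {"main": "ai-servicers.com", "sans": ["*.ai-servicers.com"]},
     "certificate": "PLACEHOLDER-BASE64-PEM", "key": "PLACEHOLDER-BASE64-KEY"},
    {"domain": {"main": "myapp.ai-servicers.com"},
     "certificate": "PLACEHOLDER-BASE64-PEM", "key": "PLACEHOLDER-BASE64-KEY"},
]}}

def audit_acme(path, resolver="letsencrypt"):
    """Check the file mode and list the certificate domains held for a resolver."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        store = json.load(fh)
    certs = store.get(resolver, {}).get("Certificates") or []
    domains = []
    for cert in certs:
        dom = cert.get("domain", {})
        domains.append(dom["main"])
        domains.extend(dom.get("sans", []))
    return {
        "mode": f"{mode:o}",
        # Traefik rejects a store whose group/other bits are set; it requires 600
        "mode_ok": mode == 0o600,
        "cert_count": len(certs),
        "domains": domains,
        "wildcards": [d for d in domains if d.startswith("*.")],
        # an entry without certificate or key material points at an interrupted issuance
        "complete": all(c.get("certificate") and c.get("key") for c in certs),
    }

def write_sample(mode):
    """Write SAMPLE_ACME to a temp file with the given permission bits; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_ACME, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(audit_acme(write_sample(0o644)))  # deliberately too open: mode_ok is False
```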
Port conflicts:

```bash
# Find what's using the port
sudo netstat -tlnp | grep :80

# Stop conflicting service
sudo systemctl stop apache2  # or nginx, etc.
```

Deploy:

```bash
cd /home/administrator/projects/traefik
./deploy.sh
```

Start manually:

```bash
cd /home/administrator/projects/traefik
docker compose up -d
```

Rollback:

```bash
cd /home/administrator/projects/traefik
docker compose down
# Restore previous configuration
docker compose up -d
```

Backup (critical files):
- acme.json - Let's Encrypt certificates
- traefik.yml - Main configuration
- redirect.yml - Redirect rules
- $HOME/projects/secrets/traefik.env - Environment variables

```bash
tar -czf traefik-backup-$(date +%Y%m%d).tar.gz \
  acme.json \
  traefik.yml \
  redirect.yml \
  $HOME/projects/secrets/traefik.env
```

Security features:
- All HTTP traffic automatically redirects to HTTPS
- TLS 1.2+ enforced
- Let's Encrypt certificates auto-renewed
- Docker socket mounted read-only
- Dashboard accessible only via HTTPS
- Cloudflare DNS challenge (no port 80 exposure needed)

Capacity and monitoring:
- Handles 30+ HTTP routers
- TCP passthrough for mail services
- Prometheus metrics on port 9100
- Dashboard for real-time monitoring
Related documentation:
- Network Standards: /home/administrator/projects/AINotes/network.md
- Network Topology: /home/administrator/projects/AINotes/network-detail.md
- Project Details: /home/administrator/projects/traefik/CLAUDE.md

Last Updated: 2025-09-30 Standardized: Phase 1 - Deployment Standardization Status: ✅ Production Ready