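---
# Static Configuration for Traefik

# Global Configuration
global:
  checkNewVersion: true
  sendAnonymousUsage: false

# API and Dashboard
# insecure: false keeps the API off the dedicated ":8080" listener; it is only
# reachable through a router defined in the dynamic configuration (api@internal),
# i.e. via HTTPS at traefik.michaelschiemer.de. That router needs an
# authentication middleware of its own - the dashboard has none built in.
api:
  dashboard: true
  insecure: false

# Entry Points
# forwardedHeaders is an entryPoint option, not a top-level key: Traefik rejects
# unknown top-level fields at startup, so the block is attached to each HTTP
# entrypoint here. Only the listed sources may set X-Forwarded-* / X-Real-Ip;
# from any other peer those headers are replaced with the TCP source address,
# so access-log client IPs and IP-allowlist middlewares cannot be spoofed.
entryPoints:
  web:
    address: ":80"
    # No global redirect - ACME HTTP-01 challenges need plain HTTP access.
    # Redirects are handled per-router via middleware.
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"   # Localhost
        - "172.17.0.0/16"  # Docker bridge network
        - "172.18.0.0/16"  # Docker user-defined networks
      insecure: false  # never trust X-Forwarded-* from arbitrary clients
  websecure:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"   # Localhost
        - "172.17.0.0/16"  # Docker bridge network
        - "172.18.0.0/16"  # Docker user-defined networks
      insecure: false
    http:
      tls:
        certResolver: letsencrypt
        # Default certificate for this entrypoint. Let's Encrypt does not issue
        # wildcard names through the HTTP-01 challenge configured below, so a
        # "*.michaelschiemer.de" SAN would make the whole order fail; subdomains
        # get their own certificates from the routers' Host() rules instead.
        # To get a wildcard certificate, switch the resolver to dnsChallenge.
        domains:
          - main: michaelschiemer.de
  # TCP entrypoint for Gitea SSH
  gitea-ssh:
    address: ":2222"

# Certificate Resolvers
certificatesResolvers:
  letsencrypt:
    acme:
      email: kontakt@michaelschiemer.de
      # Holds the ACME account key and every issued private key: keep it on a
      # persistent volume with mode 0600 (Traefik refuses looser permissions).
      storage: /acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      # HTTP-01 challenge: port 80 must be reachable from the internet and the
      # web entrypoint must not redirect /.well-known/acme-challenge/ to HTTPS.
      httpChallenge:
        entryPoint: web
      # DNS-01 is required for wildcard certificates. Uncomment and provide the
      # provider credentials through environment variables, not in this file.
      # dnsChallenge:
      #   provider: cloudflare
      #   delayBeforeCheck: 30

# Providers
providers:
  docker:
    # The Docker socket grants control over the whole daemon; the usual
    # mitigation is a read-only socket proxy or restricting the mount to this
    # container only.
    endpoint: "unix:///var/run/docker.sock"
    # Containers must opt in with traefik.enable=true - nothing is exposed by accident.
    exposedByDefault: false
    # Network mode is 'host', so we don't specify a network here
    # Traefik can reach containers directly via their IPs in host network mode
    watch: true
  file:
    directory: /dynamic
    watch: true

# Logging
log:
  level: INFO
  filePath: /logs/traefik.log
  format: json

# Access Logs
# Only 4xx/5xx responses are logged; they carry the client IP derived from the
# trusted forwardedHeaders configuration above.
accessLog:
  filePath: /logs/access.log
  format: json
  bufferingSize: 100
  filters:
    statusCodes:
      - "400-499"
      - "500-599"

# Metrics
# NOTE(review): with no entryPoint set, Prometheus metrics default to the
# "traefik" entrypoint (":8080"), which Traefik creates implicitly - in host
# network mode that port is then bound on the host. Confirm it is firewalled,
# or pin metrics.prometheus.entryPoint to an entrypoint that is.
metrics:
  prometheus:
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true

# Ping
# /ping is served unauthenticated on port 80 for any Host; it only returns
# liveness, so the exposure is limited to confirming that Traefik is running.
ping:
  entryPoint: web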