Traefik Proxy¶
Overview¶
Traefik Proxy is an open-source, dynamic reverse proxy and load balancer designed for modern, distributed, and microservices architectures.
Deployment¶
Saltbox dependency.
sb install traefik
Usage¶
Visit https://dash.YOUR_DOMAIN_NAME, replacing YOUR_DOMAIN_NAME with your own domain.
Role Defaults¶
Variables can be customized using the Inventory.

Example override:

traefik_name: "custom_value"

Avoid overriding variables ending in `_default`

When overriding variables that end in `_default` (like `traefik_docker_envs_default`), you replace the entire default configuration. Future updates that add new default values will not be applied to your setup, potentially breaking functionality. The same applies to security-relevant defaults: a replaced `_default` list of container commands or labels keeps today's values even after the role changes them.

Instead, use the corresponding `_custom` variable (like `traefik_docker_envs_custom`) to add your changes. Custom values are merged with defaults, ensuring you receive updates.
traefik_name
# Type: string
traefik_name: traefik
traefik_trusted_ips
# Type: string
# The default commands pass traefik_trusted_ips_template to the
# forwardedheaders.trustedIPs and proxyprotocol.trustedIPs flags of the web and
# websecure entrypoints, and to the CrowdSec bouncer's forwardedheaderstrustedips
# label; those flags are omitted when the template is empty.
# NOTE(review): how traefik_trusted_ips_template is derived from this value is not
# shown on this page — confirm. List only the proxies/load balancers that really
# sit in front of this host: any peer inside a trusted range can supply the client
# address (X-Forwarded-For, PROXY protocol) that ends up in access logs and in
# IP-based decisions.
traefik_trusted_ips: ""
traefik_plugin_cloudflarewarp_enabled
# Type: bool (true/false)
traefik_plugin_cloudflarewarp_enabled: true
traefik_file_watch
# Type: string
traefik_file_watch: "true"
traefik_x_robots
# Type: string
traefik_x_robots: "none,noarchive,nosnippet,notranslate,noimageindex"
traefik_http3
# HTTP3 can cause issues with some apps
# Type: bool (true/false)
traefik_http3: false
traefik_tailscale_enabled
# Type: bool (true/false)
traefik_tailscale_enabled: false
traefik_entrypoint_web_port
# traefik_tailscale_bind_ip: "" # Set to override the WAN IP port binding when server is not connected directly to the Internet.
# traefik_tailscale_bind_ipv6: "" # Same but IPv6
# Type: string
traefik_entrypoint_web_port: "80"
traefik_entrypoint_web_readtimeout
# Type: string
traefik_entrypoint_web_readtimeout: "600"
traefik_entrypoint_web_writetimeout
# Type: string
# Passed to --entrypoints.web.transport.respondingTimeouts.writeTimeout.
# NOTE(review): Traefik documents a zero write timeout as "no timeout", so the proxy
# never cuts off a response to a slow-reading client. Long downloads and streams
# depend on that; the trade-off is that connection lifetime is then bounded only by
# the read/idle timeouts and the backend. No unit is given, so the value is
# presumably read as seconds — confirm.
traefik_entrypoint_web_writetimeout: "0"
traefik_entrypoint_web_idletimeout
# Type: string
traefik_entrypoint_web_idletimeout: "180"
traefik_entrypoint_web_request_maxheaderbytes
# Type: string
traefik_entrypoint_web_request_maxheaderbytes: "1048576"
traefik_entrypoint_websecure_port
# Type: string
traefik_entrypoint_websecure_port: "443"
traefik_entrypoint_websecure_readtimeout
# Type: string
traefik_entrypoint_websecure_readtimeout: "600"
traefik_entrypoint_websecure_writetimeout
# Type: string
traefik_entrypoint_websecure_writetimeout: "0"
traefik_entrypoint_websecure_idletimeout
# Type: string
traefik_entrypoint_websecure_idletimeout: "180"
traefik_entrypoint_websecure_request_maxheaderbytes
# Type: string
traefik_entrypoint_websecure_request_maxheaderbytes: "1048576"
traefik_entrypoint_custom
# Type: dict
traefik_entrypoint_custom: {}
traefik_dns_resolvers
# Format is as follows (address can be empty string "" to bind on every interface):
# Type options are tcp, udp or both.
# traefik_entrypoint_custom:
# tcp-entrypoint:
# address: "IP"
# port: "81"
# tls: false
# type: tcp
# tcp-and-udp-entrypoint-with-tls:
# address: "IP"
# port: "444"
# tls: true
# type: both
# Type: string
traefik_dns_resolvers: "1.1.1.1:53,1.0.0.1:53"
traefik_disable_propagation_check
# Type: bool (true/false)
traefik_disable_propagation_check: false
traefik_enable_http_validation
# Type: string
traefik_enable_http_validation: "{{ traefik_http or (traefik.cert.http_validation | bool) }}"
traefik_enable_zerossl
# Type: bool (true/false)
traefik_enable_zerossl: true
traefik_crowdsec_ban_filepath
# Path is internal to the container, so a host path of /opt/traefik/ban.html becomes /etc/traefik/ban.html
# Type: string
traefik_crowdsec_ban_filepath: "/etc/traefik/ban.html"
traefik_sanitize_path
# Entrypoint Path Sanitization Settings
# Type: bool (true/false)
# Rendered as http.sanitizePath on the internal, web, websecure and tailscale-*
# entrypoints. Per Traefik's documentation, sanitization normalises sequences such
# as /./, /../ and repeated slashes before the request is routed, so router rules
# and the backend evaluate the same path; disabling it forwards the raw path.
traefik_sanitize_path: true
traefik_encoded_allow_slash
# Entrypoint Encoded characters settings (applied to all entrypoints)
# Type: bool (true/false)
# This variable and its six siblings (traefik_encoded_allow_backslash, _null,
# _semicolon, _percent, _question_mark, _hash) are rendered into the
# http.encodedCharacters.allowEncoded* flags of every entrypoint. All seven default
# to true, i.e. request paths containing these percent-encoded characters are allowed.
# NOTE(review): encoded path separators and null bytes are a frequent cause of
# proxy/backend path-parsing mismatches. If the applications behind this proxy do
# not need them, set the matching variable to false and test; confirm the exact
# rejection behaviour against the Traefik release in use.
traefik_encoded_allow_slash: true
traefik_encoded_allow_backslash
# Type: bool (true/false)
traefik_encoded_allow_backslash: true
traefik_encoded_allow_null
# Type: bool (true/false)
traefik_encoded_allow_null: true
traefik_encoded_allow_semicolon
# Type: bool (true/false)
traefik_encoded_allow_semicolon: true
traefik_encoded_allow_percent
# Type: bool (true/false)
traefik_encoded_allow_percent: true
traefik_encoded_allow_question_mark
# Type: bool (true/false)
traefik_encoded_allow_question_mark: true
traefik_encoded_allow_hash
# Type: bool (true/false)
traefik_encoded_allow_hash: true
traefik_role_web_subdomain
# Type: string
traefik_role_web_subdomain: "{{ traefik.subdomains.dash }}"
traefik_role_web_domain
# Type: string
traefik_role_web_domain: "{{ user.domain }}"
traefik_role_metrics_subdomain
# Type: string
traefik_role_metrics_subdomain: "{{ traefik.subdomains.metrics }}"
traefik_role_metrics_domain
# Type: string
traefik_role_metrics_domain: "{{ user.domain }}"
traefik_role_log_level
# Type: string
traefik_role_log_level: "ERROR"
traefik_role_log_file
# Type: bool (true/false)
traefik_role_log_file: true
traefik_role_log_max_size
# Type: string
traefik_role_log_max_size: "10"
traefik_role_log_max_backups
# Type: string
traefik_role_log_max_backups: "3"
traefik_role_log_max_age
# Type: string
traefik_role_log_max_age: "3"
traefik_role_log_compress
# Type: string
traefik_role_log_compress: "true"
traefik_role_access_log
# Type: bool (true/false)
traefik_role_access_log: true
traefik_role_access_buffer
# Type: int
traefik_role_access_buffer: 100
traefik_role_dns_record
# Type: string
traefik_role_dns_record: "{{ lookup('role_var', '_web_subdomain', role='traefik') }}"
traefik_role_dns_zone
# Type: string
traefik_role_dns_zone: "{{ lookup('role_var', '_web_domain', role='traefik') }}"
traefik_role_dns_proxy
# Type: bool (true/false)
traefik_role_dns_proxy: "{{ dns_proxied }}"
traefik_role_metrics_dns_record
# Type: string
traefik_role_metrics_dns_record: "{{ lookup('role_var', '_metrics_subdomain', role='traefik') }}"
traefik_role_metrics_dns_zone
# Type: string
traefik_role_metrics_dns_zone: "{{ lookup('role_var', '_metrics_domain', role='traefik') }}"
traefik_role_metrics_dns_proxy
# Type: bool (true/false)
traefik_role_metrics_dns_proxy: "{{ dns_proxied }}"
Container
traefik_role_docker_container
# Type: string
traefik_role_docker_container: "{{ traefik_name }}"
Image
traefik_role_docker_image_pull
# Type: bool (true/false)
traefik_role_docker_image_pull: true
traefik_role_docker_image_repo
# Type: string
traefik_role_docker_image_repo: "traefik"
traefik_role_docker_image_tag
# Type: string
# Joined with traefik_role_docker_image_repo to form the image reference "traefik:v3.6".
# NOTE(review): this is a minor-version tag rather than a patch tag or digest, and
# traefik_role_docker_image_pull is true, so the image content can change between
# runs. That picks up patch releases automatically; pin a patch tag (or a digest,
# if the deployment tooling accepts one) where reviewed, reproducible upgrades
# matter more.
traefik_role_docker_image_tag: "v3.6"
traefik_role_docker_image
# Type: string
traefik_role_docker_image: "{{ lookup('role_var', '_docker_image_repo', role='traefik') }}:{{ lookup('role_var', '_docker_image_tag', role='traefik') }}"
Ports
traefik_role_docker_ports_default
# Type: list
# Publishes the web port (TCP) and the websecure port (TCP and UDP). No host IP is
# given in the mappings, so Docker binds them on every host interface. The UDP
# mapping is presumably there for HTTP/3 (see traefik_http3). The internal
# entrypoint (:8080) is not published by this list.
traefik_role_docker_ports_default:
- "{{ traefik_entrypoint_web_port }}:{{ traefik_entrypoint_web_port }}/tcp"
- "{{ traefik_entrypoint_websecure_port }}:{{ traefik_entrypoint_websecure_port }}/tcp"
- "{{ traefik_entrypoint_websecure_port }}:{{ traefik_entrypoint_websecure_port }}/udp"
traefik_role_docker_ports_tailscale_ipv4_default
# Type: list
# Tailscale variant of the port list. The public entrypoints are bound to
# traefik_tailscale_bind_ip (falling back to ip_address_public) instead of every
# interface, and the same host ports on the Tailscale IPv4 address are mapped to
# container ports 81 and 444, where the tailscale-web / tailscale-websecure
# entrypoints listen.
# NOTE(review): which routers attach to the tailscale-* entrypoints is not shown on
# this page — confirm before relying on them to keep a service off the public address.
traefik_role_docker_ports_tailscale_ipv4_default:
- "{{ lookup('vars', 'traefik_tailscale_bind_ip', default=ip_address_public) + ':' + traefik_entrypoint_web_port }}:{{ traefik_entrypoint_web_port }}/tcp"
- "{{ lookup('vars', 'traefik_tailscale_bind_ip', default=ip_address_public) + ':' + traefik_entrypoint_websecure_port }}:{{ traefik_entrypoint_websecure_port }}/tcp"
- "{{ lookup('vars', 'traefik_tailscale_bind_ip', default=ip_address_public) + ':' + traefik_entrypoint_websecure_port }}:{{ traefik_entrypoint_websecure_port }}/udp"
- "{{ tailscale_ipv4 + ':' + traefik_entrypoint_web_port }}:81/tcp"
- "{{ tailscale_ipv4 + ':' + traefik_entrypoint_websecure_port }}:444/tcp"
- "{{ tailscale_ipv4 + ':' + traefik_entrypoint_websecure_port }}:444/udp"
traefik_role_docker_ports_tailscale_ipv6_default
# Type: list
# IPv6 counterpart of the Tailscale port list: addresses are wrapped in [] and the
# public bind falls back to ipv6_address_public when traefik_tailscale_bind_ipv6 is
# not set. Container ports 81 and 444 are again the tailscale-* entrypoints.
traefik_role_docker_ports_tailscale_ipv6_default:
- "{{ '[' + lookup('vars', 'traefik_tailscale_bind_ipv6', default=ipv6_address_public) + ']:' + traefik_entrypoint_web_port }}:{{ traefik_entrypoint_web_port }}/tcp"
- "{{ '[' + lookup('vars', 'traefik_tailscale_bind_ipv6', default=ipv6_address_public) + ']:' + traefik_entrypoint_websecure_port }}:{{ traefik_entrypoint_websecure_port }}/tcp"
- "{{ '[' + lookup('vars', 'traefik_tailscale_bind_ipv6', default=ipv6_address_public) + ']:' + traefik_entrypoint_websecure_port }}:{{ traefik_entrypoint_websecure_port }}/udp"
- "{{ '[' + tailscale_ipv6 + ']:' + traefik_entrypoint_web_port }}:81/tcp"
- "{{ '[' + tailscale_ipv6 + ']:' + traefik_entrypoint_websecure_port }}:444/tcp"
- "{{ '[' + tailscale_ipv6 + ']:' + traefik_entrypoint_websecure_port }}:444/udp"
traefik_role_docker_ports_custom
# Type: list
traefik_role_docker_ports_custom: []
Envs
traefik_role_docker_envs_default
# Type: dict
traefik_role_docker_envs_default:
TZ: "{{ tz }}"
traefik_role_docker_envs_custom
# Type: dict
traefik_role_docker_envs_custom: {}
Commands
traefik_role_docker_commands_default
# Type: list
# Static configuration passed to the Traefik container as command-line flags.
# Replacing this list wholesale also replaces every flag below, including the
# opt-in exposure setting, the path handling flags and the trusted-IP wiring; add
# flags through traefik_role_docker_commands_custom instead.
# NOTE(review): several entries evaluate to `omit`; presumably the role filters
# those items out before starting the container — confirm.
traefik_role_docker_commands_default:
- "--global.sendanonymoususage=false"
- "--providers.file.directory=/etc/traefik"
- "--providers.file.watch={{ traefik_file_watch }}"
# The Docker provider reads container labels through the mounted Docker socket.
# exposedbydefault=false means a container is routed only when it opts in with
# traefik.enable=true.
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
# Entrypoint "internal" listens on container port 8080; the default port list does
# not publish it on the host.
- "--entrypoints.internal.address=:8080"
- "--entrypoints.internal.http.sanitizePath={{ traefik_sanitize_path | string | lower }}"
- "--entrypoints.internal.http.encodedCharacters.allowEncodedSlash={{ traefik_encoded_allow_slash | string | lower }}"
- "--entrypoints.internal.http.encodedCharacters.allowEncodedBackSlash={{ traefik_encoded_allow_backslash | string | lower }}"
- "--entrypoints.internal.http.encodedCharacters.allowEncodedNullCharacter={{ traefik_encoded_allow_null | string | lower }}"
- "--entrypoints.internal.http.encodedCharacters.allowEncodedSemicolon={{ traefik_encoded_allow_semicolon | string | lower }}"
- "--entrypoints.internal.http.encodedCharacters.allowEncodedPercent={{ traefik_encoded_allow_percent | string | lower }}"
- "--entrypoints.internal.http.encodedCharacters.allowEncodedQuestionMark={{ traefik_encoded_allow_question_mark | string | lower }}"
- "--entrypoints.internal.http.encodedCharacters.allowEncodedHash={{ traefik_encoded_allow_hash | string | lower }}"
- "--entrypoints.web.address=:{{ traefik_entrypoint_web_port }}"
# Trusted-IP flags are emitted only when traefik_trusted_ips_template is non-empty.
# Peers inside these ranges are believed when they state the client address, so
# keep the ranges as narrow as the fronting proxies require.
- "{{ ('--entrypoints.web.forwardedheaders.trustedIPs=' + traefik_trusted_ips_template) if (traefik_trusted_ips_template | length > 0) else omit }}"
- "{{ ('--entrypoints.web.proxyprotocol.trustedIPs=' + traefik_trusted_ips_template) if (traefik_trusted_ips_template | length > 0) else omit }}"
- "--entrypoints.web.transport.respondingTimeouts.readTimeout={{ traefik_entrypoint_web_readtimeout }}"
- "--entrypoints.web.transport.respondingTimeouts.writeTimeout={{ traefik_entrypoint_web_writetimeout }}"
- "--entrypoints.web.transport.respondingTimeouts.idleTimeout={{ traefik_entrypoint_web_idletimeout }}"
- "--entrypoints.web.http.maxheaderbytes={{ traefik_entrypoint_web_request_maxheaderbytes }}"
- "--entrypoints.web.http.sanitizePath={{ traefik_sanitize_path | string | lower }}"
- "--entrypoints.web.http.encodedCharacters.allowEncodedSlash={{ traefik_encoded_allow_slash | string | lower }}"
- "--entrypoints.web.http.encodedCharacters.allowEncodedBackSlash={{ traefik_encoded_allow_backslash | string | lower }}"
- "--entrypoints.web.http.encodedCharacters.allowEncodedNullCharacter={{ traefik_encoded_allow_null | string | lower }}"
- "--entrypoints.web.http.encodedCharacters.allowEncodedSemicolon={{ traefik_encoded_allow_semicolon | string | lower }}"
- "--entrypoints.web.http.encodedCharacters.allowEncodedPercent={{ traefik_encoded_allow_percent | string | lower }}"
- "--entrypoints.web.http.encodedCharacters.allowEncodedQuestionMark={{ traefik_encoded_allow_question_mark | string | lower }}"
- "--entrypoints.web.http.encodedCharacters.allowEncodedHash={{ traefik_encoded_allow_hash | string | lower }}"
- "--entrypoints.websecure.address=:{{ traefik_entrypoint_websecure_port }}"
- "{{ ('--entrypoints.websecure.forwardedheaders.trustedIPs=' + traefik_trusted_ips_template) if (traefik_trusted_ips_template | length > 0) else omit }}"
- "{{ ('--entrypoints.websecure.proxyprotocol.trustedIPs=' + traefik_trusted_ips_template) if (traefik_trusted_ips_template | length > 0) else omit }}"
- "--entrypoints.websecure.transport.respondingTimeouts.readTimeout={{ traefik_entrypoint_websecure_readtimeout }}"
- "--entrypoints.websecure.transport.respondingTimeouts.writeTimeout={{ traefik_entrypoint_websecure_writetimeout }}"
- "--entrypoints.websecure.transport.respondingTimeouts.idleTimeout={{ traefik_entrypoint_websecure_idletimeout }}"
- "--entrypoints.websecure.http.maxheaderbytes={{ traefik_entrypoint_websecure_request_maxheaderbytes }}"
- "--entrypoints.websecure.http.sanitizePath={{ traefik_sanitize_path | string | lower }}"
- "--entrypoints.websecure.http.encodedCharacters.allowEncodedSlash={{ traefik_encoded_allow_slash | string | lower }}"
- "--entrypoints.websecure.http.encodedCharacters.allowEncodedBackSlash={{ traefik_encoded_allow_backslash | string | lower }}"
- "--entrypoints.websecure.http.encodedCharacters.allowEncodedNullCharacter={{ traefik_encoded_allow_null | string | lower }}"
- "--entrypoints.websecure.http.encodedCharacters.allowEncodedSemicolon={{ traefik_encoded_allow_semicolon | string | lower }}"
- "--entrypoints.websecure.http.encodedCharacters.allowEncodedPercent={{ traefik_encoded_allow_percent | string | lower }}"
- "--entrypoints.websecure.http.encodedCharacters.allowEncodedQuestionMark={{ traefik_encoded_allow_question_mark | string | lower }}"
- "--entrypoints.websecure.http.encodedCharacters.allowEncodedHash={{ traefik_encoded_allow_hash | string | lower }}"
- "--entrypoints.websecure.http.tls.certResolver={{ traefik_default_certresolver }}"
# The API and dashboard are enabled; no insecure-API flag is set in this list, so
# they are served only through the routers that reference api@internal in the
# container labels. Access control therefore lives in those routers' middlewares.
- "--api.dashboard=true"
- "--api=true"
- "--log.level={{ lookup('role_var', '_log_level', role='traefik') }}"
- "{{ ('--log.filepath=/etc/traefik/traefik.log') if lookup('role_var', '_log_file', role='traefik') else omit }}"
- "{{ ('--log.maxsize=' + lookup('role_var', '_log_max_size', role='traefik')) if lookup('role_var', '_log_file', role='traefik') else omit }}"
- "{{ ('--log.maxbackups=' + lookup('role_var', '_log_max_backups', role='traefik')) if lookup('role_var', '_log_file', role='traefik') else omit }}"
- "{{ ('--log.maxage=' + lookup('role_var', '_log_max_age', role='traefik')) if lookup('role_var', '_log_file', role='traefik') else omit }}"
- "{{ ('--log.compress=' + lookup('role_var', '_log_compress', role='traefik')) if lookup('role_var', '_log_file', role='traefik') else omit }}"
- "{{ '--log.nocolor=true' if lookup('role_var', '_log_file', role='traefik') else omit }}"
# Access log: written to /etc/traefik/access.log (inside the bind-mounted config
# directory), with the StartUTC field dropped and the User-Agent and Content-Type
# request headers explicitly kept. The file records client requests, so treat it
# as sensitive and restrict read access on the host path.
- "--accesslog={{ lookup('role_var', '_access_log', role='traefik') }}"
- "--accesslog.fields.names.StartUTC=drop"
- "--accesslog.fields.headers.names.User-Agent=keep"
- "--accesslog.fields.headers.names.Content-Type=keep"
- "--accesslog.filepath=/etc/traefik/access.log"
- "--accesslog.bufferingsize={{ lookup('role_var', '_access_buffer', role='traefik') }}"
# ACME resolver "cfdns" (DNS-01 challenge). acme.json stores the ACME account and
# the issued certificates with their private keys; every resolver on this page
# writes to the same file, so keep it owner-only on the host.
- "--certificatesresolvers.cfdns.acme.dnschallenge.provider={{ traefik_challenge_provider }}"
- "{{ ('--certificatesresolvers.cfdns.acme.dnschallenge.resolvers=' + traefik_dns_resolvers) if (traefik_dns_resolvers | length > 0) else omit }}"
- "--certificatesresolvers.cfdns.acme.email={{ user.email }}"
- "--certificatesresolvers.cfdns.acme.storage=/etc/traefik/acme.json"
# With traefik_disable_propagation_check set, Traefik waits a fixed 60s and skips
# its own DNS propagation check before asking the CA to validate.
- "{{ '--certificatesresolvers.cfdns.acme.dnschallenge.propagation.delayBeforeChecks=60s' if traefik_disable_propagation_check else omit }}"
- "{{ '--certificatesresolvers.cfdns.acme.dnschallenge.propagation.disableChecks=true' if traefik_disable_propagation_check else omit }}"
traefik_role_docker_commands_zerossl_acme
# Type: list
# ACME resolver "zerossl" using the DNS-01 challenge against the ZeroSSL directory.
# NOTE(review): the External Account Binding key ID and HMAC are passed as
# command-line flags, so they are part of the container's stored configuration and
# process arguments; anyone who can inspect containers on this host can read them.
# Both default to an empty string when the variables are undefined.
traefik_role_docker_commands_zerossl_acme:
- "--certificatesresolvers.zerossl.acme.dnschallenge.provider={{ traefik_challenge_provider }}"
- "{{ '--certificatesresolvers.zerossl.acme.dnschallenge.resolvers=' + traefik_dns_resolvers if (traefik_dns_resolvers | length > 0) else omit }}"
- "--certificatesresolvers.zerossl.acme.email={{ user.email }}"
- "--certificatesresolvers.zerossl.acme.caserver=https://acme.zerossl.com/v2/DV90"
- "--certificatesresolvers.zerossl.acme.eab.kid={{ traefik_zerossl_kid | default('') }}"
- "--certificatesresolvers.zerossl.acme.eab.hmacencoded={{ traefik_zerossl_hmacencoded | default('') }}"
- "--certificatesresolvers.zerossl.acme.storage=/etc/traefik/acme.json"
- "{{ '--certificatesresolvers.zerossl.acme.dnschallenge.propagation.delayBeforeChecks=60s' if traefik_disable_propagation_check else omit }}"
- "{{ '--certificatesresolvers.zerossl.acme.dnschallenge.propagation.disableChecks=true' if traefik_disable_propagation_check else omit }}"
traefik_role_docker_commands_http_validation_acme
# Type: list
# ACME resolver "httpresolver" using the HTTP-01 challenge on the "web" entrypoint,
# so that entrypoint's port must be reachable by the CA. HTTP-01 cannot issue
# wildcard certificates. Shares acme.json with the other resolvers.
traefik_role_docker_commands_http_validation_acme:
- "--certificatesresolvers.httpresolver.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.httpresolver.acme.email={{ user.email }}"
- "--certificatesresolvers.httpresolver.acme.storage=/etc/traefik/acme.json"
traefik_role_docker_commands_http_validation_acme_zerossl
# Type: list
# ACME resolver "zerosslhttp": HTTP-01 challenge on the "web" entrypoint against the
# ZeroSSL directory.
# NOTE(review): the EAB key ID and HMAC travel as command-line flags and are
# therefore readable by anyone who can inspect the container's configuration.
traefik_role_docker_commands_http_validation_acme_zerossl:
- "--certificatesresolvers.zerosslhttp.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.zerosslhttp.acme.email={{ user.email }}"
- "--certificatesresolvers.zerosslhttp.acme.caserver=https://acme.zerossl.com/v2/DV90"
- "--certificatesresolvers.zerosslhttp.acme.eab.kid={{ traefik_zerossl_kid | default('') }}"
- "--certificatesresolvers.zerosslhttp.acme.eab.hmacencoded={{ traefik_zerossl_hmacencoded | default('') }}"
- "--certificatesresolvers.zerosslhttp.acme.storage=/etc/traefik/acme.json"
traefik_role_docker_commands_google_acme
# Type: list
# ACME resolver "google" using the DNS-01 challenge against the Google Trust
# Services directory.
# NOTE(review): as with the ZeroSSL resolvers, the EAB key ID and HMAC are passed
# as command-line flags and are visible to anyone who can inspect the container.
traefik_role_docker_commands_google_acme:
- "--certificatesresolvers.google.acme.dnschallenge.provider={{ traefik_challenge_provider }}"
- "{{ ('--certificatesresolvers.google.acme.dnschallenge.resolvers=' + traefik_dns_resolvers) if (traefik_dns_resolvers | length > 0) else omit }}"
- "--certificatesresolvers.google.acme.email={{ user.email }}"
- "--certificatesresolvers.google.acme.caserver=https://dv.acme-v02.api.pki.goog/directory"
- "--certificatesresolvers.google.acme.eab.kid={{ traefik_google_kid | default('') }}"
- "--certificatesresolvers.google.acme.eab.hmacencoded={{ traefik_google_hmacencoded | default('') }}"
- "--certificatesresolvers.google.acme.storage=/etc/traefik/acme.json"
- "{{ '--certificatesresolvers.google.acme.dnschallenge.propagation.delayBeforeChecks=60s' if traefik_disable_propagation_check else omit }}"
- "{{ '--certificatesresolvers.google.acme.dnschallenge.propagation.disableChecks=true' if traefik_disable_propagation_check else omit }}"
traefik_role_docker_commands_google_acme_http
# Type: list
# ACME resolver "googlehttp": HTTP-01 challenge on the "web" entrypoint against the
# Google Trust Services directory. The EAB key ID and HMAC are again passed as
# command-line flags (readable through container inspection).
traefik_role_docker_commands_google_acme_http:
- "--certificatesresolvers.googlehttp.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.googlehttp.acme.email={{ user.email }}"
- "--certificatesresolvers.googlehttp.acme.caserver=https://dv.acme-v02.api.pki.goog/directory"
- "--certificatesresolvers.googlehttp.acme.eab.kid={{ traefik_google_kid | default('') }}"
- "--certificatesresolvers.googlehttp.acme.eab.hmacencoded={{ traefik_google_hmacencoded | default('') }}"
- "--certificatesresolvers.googlehttp.acme.storage=/etc/traefik/acme.json"
traefik_role_docker_commands_metrics
# Type: list
# Enables the Prometheus metrics endpoint with entrypoint, router and service
# labels. manualrouting=true means the endpoint is not attached to an entrypoint
# automatically; it is reachable only through routers that reference
# prometheus@internal (see traefik_role_docker_labels_metrics), which is where
# access control is applied.
traefik_role_docker_commands_metrics:
- "--metrics.prometheus=true"
- "--metrics.prometheus.addentrypointslabels=true"
- "--metrics.prometheus.addrouterslabels=true"
- "--metrics.prometheus.addserviceslabels=true"
- "--metrics.prometheus.manualrouting=true"
traefik_role_docker_commands_cloudflarewarp_plugin
# Type: list
# Loads the cloudflarewarp plugin at the pinned version tag. Plugins run inside the
# proxy process and see every request routed through them, so review the upstream
# changes before bumping the version.
traefik_role_docker_commands_cloudflarewarp_plugin:
- "--experimental.plugins.cloudflarewarp.modulename=github.com/saltyorg/cloudflarewarp"
- "--experimental.plugins.cloudflarewarp.version=v1.0.0"
traefik_role_docker_commands_themepark_plugin
# Type: list
# Loads the third-party themepark plugin at the pinned version tag. It runs inside
# the proxy process, so treat a version bump like any other dependency upgrade and
# review it first.
traefik_role_docker_commands_themepark_plugin:
- "--experimental.plugins.themepark.modulename=github.com/packruler/traefik-themepark"
- "--experimental.plugins.themepark.version=v1.4.2"
traefik_role_docker_commands_http3
# Type: list
traefik_role_docker_commands_http3:
- "--entrypoints.websecure.http3.advertisedport={{ traefik_entrypoint_websecure_port }}"
traefik_role_docker_commands_tailscale
# Type: list
# Defines the tailscale-web (:81) and tailscale-websecure (:444) entrypoints with
# the same path sanitization and encoded-character settings as the public ones.
# Unlike web/websecure, this list sets no trustedIPs flags, no responding timeouts,
# no maxheaderbytes and no default certResolver for these entrypoints.
traefik_role_docker_commands_tailscale:
- "--entrypoints.tailscale-web.address=:81"
- "--entrypoints.tailscale-web.http.sanitizePath={{ traefik_sanitize_path | string | lower }}"
- "--entrypoints.tailscale-web.http.encodedCharacters.allowEncodedSlash={{ traefik_encoded_allow_slash | string | lower }}"
- "--entrypoints.tailscale-web.http.encodedCharacters.allowEncodedBackSlash={{ traefik_encoded_allow_backslash | string | lower }}"
- "--entrypoints.tailscale-web.http.encodedCharacters.allowEncodedNullCharacter={{ traefik_encoded_allow_null | string | lower }}"
- "--entrypoints.tailscale-web.http.encodedCharacters.allowEncodedSemicolon={{ traefik_encoded_allow_semicolon | string | lower }}"
- "--entrypoints.tailscale-web.http.encodedCharacters.allowEncodedPercent={{ traefik_encoded_allow_percent | string | lower }}"
- "--entrypoints.tailscale-web.http.encodedCharacters.allowEncodedQuestionMark={{ traefik_encoded_allow_question_mark | string | lower }}"
- "--entrypoints.tailscale-web.http.encodedCharacters.allowEncodedHash={{ traefik_encoded_allow_hash | string | lower }}"
- "--entrypoints.tailscale-websecure.address=:444"
- "--entrypoints.tailscale-websecure.http.sanitizePath={{ traefik_sanitize_path | string | lower }}"
- "--entrypoints.tailscale-websecure.http.encodedCharacters.allowEncodedSlash={{ traefik_encoded_allow_slash | string | lower }}"
- "--entrypoints.tailscale-websecure.http.encodedCharacters.allowEncodedBackSlash={{ traefik_encoded_allow_backslash | string | lower }}"
- "--entrypoints.tailscale-websecure.http.encodedCharacters.allowEncodedNullCharacter={{ traefik_encoded_allow_null | string | lower }}"
- "--entrypoints.tailscale-websecure.http.encodedCharacters.allowEncodedSemicolon={{ traefik_encoded_allow_semicolon | string | lower }}"
- "--entrypoints.tailscale-websecure.http.encodedCharacters.allowEncodedPercent={{ traefik_encoded_allow_percent | string | lower }}"
- "--entrypoints.tailscale-websecure.http.encodedCharacters.allowEncodedQuestionMark={{ traefik_encoded_allow_question_mark | string | lower }}"
- "--entrypoints.tailscale-websecure.http.encodedCharacters.allowEncodedHash={{ traefik_encoded_allow_hash | string | lower }}"
traefik_role_docker_commands_crowdsec
# Type: list
# Loads the CrowdSec bouncer plugin (registered under the name "bouncer") at the
# pinned version tag. The plugin decides whether requests are blocked, so a version
# change alters enforcement behaviour; review upstream release notes before bumping.
traefik_role_docker_commands_crowdsec:
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.version=v1.5.1"
traefik_role_docker_commands_custom
# Type: list
traefik_role_docker_commands_custom: []
Volumes
traefik_role_docker_volumes_default
# Type: list
# The Docker socket mount is what lets the Docker provider read container labels.
# NOTE(review): the socket is mounted unfiltered, and access to it is equivalent to
# root on the host, so a compromise of the proxy process (or of a plugin loaded
# into it) reaches the Docker daemon. A read-only bind flag does not restrict API
# calls; the usual mitigation is a socket proxy exposing only the read endpoints
# Traefik needs.
# The second mount is the config directory: per the flags and labels on this page
# it holds acme.json (certificate private keys), the basic-auth users file
# (/etc/traefik/auth) and the log files, so keep the host path owner-only.
traefik_role_docker_volumes_default:
- "/var/run/docker.sock:/var/run/docker.sock"
- "{{ traefik_role_paths_location }}:/etc/traefik"
traefik_role_docker_volumes_custom
# Type: list
traefik_role_docker_volumes_custom: []
Hosts
traefik_role_docker_hosts_default
# Type: dict
traefik_role_docker_hosts_default:
host.docker.internal: "172.19.0.1"
traefik_role_docker_hosts_custom
# Type: dict
traefik_role_docker_hosts_custom: {}
Labels
traefik_role_docker_labels_use_common
# Type: bool (true/false)
traefik_role_docker_labels_use_common: false
traefik_role_docker_labels_default
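# Type: dict
# Labels on the Traefik container itself: the dashboard/API routers and the shared
# middlewares (basic auth, gzip, HTTPS redirect, Authelia/Authentik forward auth).
# Entries are indented under the key so the block parses as one mapping.
traefik_role_docker_labels_default:
  traefik.enable: "true"
  # Router "traefik-internal" serves api@internal on the "internal" entrypoint
  # (:8080) for Host(<traefik_name>) and has no middleware attached, i.e. no
  # authentication. The port is not published on the host, but any container that
  # can reach Traefik on a shared Docker network can query the API through it.
  traefik.http.routers.traefik-internal.rule: "Host(`{{ traefik_name }}`)"
  traefik.http.routers.traefik-internal.entrypoints: "internal"
  traefik.http.routers.traefik-internal.service: "api@internal"
  traefik.http.routers.traefik-http.rule: "Host(`{{ lookup('role_var', '_web_subdomain', role='traefik') }}.{{ lookup('role_var', '_web_domain', role='traefik') }}`)"
  traefik.http.routers.traefik-http.entrypoints: "{{ traefik_entrypoint_web }}"
  traefik.http.routers.traefik-http.middlewares: "{{ traefik_default_middleware_http }}"
  traefik.http.routers.traefik-http.priority: "20"
  # Router "traefik" publishes api@internal (dashboard and API) on the public
  # hostname over TLS.
  # NOTE(review): its only protection is whatever traefik_default_middleware
  # expands to, which is not shown on this page — confirm that the chain includes
  # an authentication middleware before exposing the hostname.
  traefik.http.routers.traefik.rule: "Host(`{{ lookup('role_var', '_web_subdomain', role='traefik') }}.{{ lookup('role_var', '_web_domain', role='traefik') }}`)"
  traefik.http.routers.traefik.entrypoints: "{{ traefik_entrypoint_websecure }}"
  traefik.http.routers.traefik.tls: "true"
  traefik.http.routers.traefik.tls.options: "securetls@file"
  traefik.http.routers.traefik.middlewares: "{{ traefik_default_middleware }}"
  traefik.http.routers.traefik.priority: "20"
  traefik.http.routers.traefik.service: "api@internal"
  # Basic-auth credentials are read from a users file inside the config directory;
  # restrict read access to that file on the host.
  traefik.http.middlewares.traefik-auth.basicauth.usersfile: "/etc/traefik/auth"
  traefik.http.middlewares.gzip.compress: "true"
  traefik.http.middlewares.autodetect.contenttype: "true"
  traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: "https"
  traefik.http.middlewares.redirect-to-https.redirectscheme.permanent: "true"
  # Forward-auth middlewares. When the auth service is the local master instance it
  # is addressed by container name over plain HTTP on the Docker network;
  # otherwise its web URL is used.
  # trustForwardHeader=true makes the middleware trust the X-Forwarded-* headers
  # already present on the request; that is sound only while the entrypoints accept
  # those headers from trusted peers alone, so keep traefik_trusted_ips narrow.
  traefik.http.middlewares.authelia.forwardauth.address: "{{ 'http://' + authelia_name + ':9091/api/verify?rd=' + lookup('role_var', '_web_url', role='authelia') + '/'
    if authelia_is_master
    else lookup('role_var', '_web_url', role='authelia') + '/api/verify?rd=' + lookup('role_var', '_web_url', role='authelia') + '/' }}"
  traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
  traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: "{{ lookup('role_var', '_response_headers', role='authelia') | join(',') }}"
  traefik.http.middlewares.authelia-basic.forwardauth.address: "{{ 'http://' + authelia_name + ':9091/api/verify?auth=basic&rd=' + lookup('role_var', '_web_url', role='authelia') + '/'
    if authelia_is_master
    else lookup('role_var', '_web_url', role='authelia') + '/api/verify?auth=basic&rd=' + lookup('role_var', '_web_url', role='authelia') + '/' }}"
  traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader: "true"
  traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders: "{{ lookup('role_var', '_response_headers', role='authelia') | join(',') }}"
  traefik.http.middlewares.authentik.forwardauth.address: "{{ 'http://' + authentik_name + ':9000/outpost.goauthentik.io/auth/traefik'
    if authentik_is_master
    else lookup('role_var', '_web_url', role='authentik') + '/outpost.goauthentik.io/auth/traefik' }}"
  traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: "true"
  traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: "{{ lookup('role_var', '_response_headers', role='authentik') | join(',') }}"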
traefik_role_docker_labels_cloudflare
# Type: dict
traefik_role_docker_labels_cloudflare:
traefik.http.middlewares.cloudflarewarp.plugin.cloudflarewarp.disableDefault: "false"
traefik_role_docker_labels_dns_validation
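# Type: dict
# DNS-validation variant: requests one certificate for the apex domain plus a
# wildcard SAN. The matching private key (stored in acme.json) is then valid for
# every subdomain, which is one more reason to keep that file owner-only.
# Entries are indented under the key so the block parses as one mapping.
traefik_role_docker_labels_dns_validation:
  traefik.http.routers.traefik.tls.certresolver: "{{ traefik_default_certresolver }}"
  traefik.http.routers.traefik.tls.domains[0].main: "{{ user.domain }}"
  traefik.http.routers.traefik.tls.domains[0].sans: "{{ '*.' + user.domain }}"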
traefik_role_docker_labels_http_validation
# Type: dict
traefik_role_docker_labels_http_validation:
traefik.http.routers.traefik.tls.certresolver: "{{ traefik_default_certresolver }}"
traefik_role_docker_labels_metrics
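# Type: dict
# Routers for the Prometheus endpoint (prometheus@internal) at
# <metrics subdomain>.<metrics domain>/prometheus, on both the web and websecure
# entrypoints. Both chains start with the traefik-auth basic-auth middleware.
# NOTE(review): on the plain-HTTP router, traefik-auth is listed before
# traefik_default_middleware_http_api. If Traefik applies middlewares in listed
# order and the second chain is what redirects to HTTPS, a client could be prompted
# for basic-auth credentials over plaintext — confirm what that chain contains.
# Entries are indented under the key so the block parses as one mapping.
traefik_role_docker_labels_metrics:
  traefik.http.routers.metrics-http.rule: "Host(`{{ lookup('role_var', '_metrics_subdomain', role='traefik') }}.{{ lookup('role_var', '_metrics_domain', role='traefik') }}`) && Path(`/prometheus`)"
  traefik.http.routers.metrics-http.service: prometheus@internal
  traefik.http.routers.metrics-http.entrypoints: "{{ traefik_entrypoint_web }}"
  traefik.http.routers.metrics-http.middlewares: "traefik-auth,{{ traefik_default_middleware_http_api }}"
  traefik.http.routers.metrics-http.priority: "20"
  traefik.http.routers.metrics.rule: "Host(`{{ lookup('role_var', '_metrics_subdomain', role='traefik') }}.{{ lookup('role_var', '_metrics_domain', role='traefik') }}`) && Path(`/prometheus`)"
  traefik.http.routers.metrics.service: prometheus@internal
  traefik.http.routers.metrics.entrypoints: "{{ traefik_entrypoint_websecure }}"
  traefik.http.routers.metrics.tls: "true"
  traefik.http.routers.metrics.tls.options: "securetls@file"
  traefik.http.routers.metrics.middlewares: "traefik-auth,{{ traefik_default_middleware_api }}"
  traefik.http.routers.metrics.priority: "20"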
traefik_role_docker_labels_crowdsec
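# Type: dict
# Configures the "crowdsec" middleware backed by the bouncer plugin.
# NOTE(review): the LAPI key is stored as a container label, so it is readable by
# anyone who can inspect containers on this host, and it falls back to an empty
# string when traefik_crowdsec_bouncer_key is undefined. The bouncer reaches the
# LAPI over plain HTTP at 172.19.0.1, the address this page also maps to
# host.docker.internal.
# The forwardedheaderstrustedips value evaluates to `omit` when no trusted IPs are
# configured; presumably the role drops such labels — confirm.
# Entries are indented under the key so the block parses as one mapping.
traefik_role_docker_labels_crowdsec:
  traefik.http.middlewares.crowdsec.plugin.bouncer.enabled: "true"
  traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey: "{{ traefik_crowdsec_bouncer_key | default('') }}"
  traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapischeme: "http"
  traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapihost: "172.19.0.1:{{ traefik_crowdsec_port }}"
  traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedheaderstrustedips: "{{ traefik_trusted_ips_template if (traefik_trusted_ips_template | length > 0) else omit }}"
  traefik.http.middlewares.crowdsec.plugin.bouncer.banhtmlfilepath: "{{ traefik_crowdsec_ban_filepath }}"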
traefik_role_docker_labels_custom
# Type: dict
traefik_role_docker_labels_custom: {}
Hostname
traefik_role_docker_hostname
# Type: string
traefik_role_docker_hostname: "{{ traefik_name }}"
Networks
traefik_role_docker_networks_alias
# Type: string
traefik_role_docker_networks_alias: "{{ traefik_name }}"
traefik_role_docker_networks_default
# Type: list
traefik_role_docker_networks_default: []
traefik_role_docker_networks_custom
# Type: list
traefik_role_docker_networks_custom: []
Restart Policy
traefik_role_docker_restart_policy
# Type: string
traefik_role_docker_restart_policy: unless-stopped
State
traefik_role_docker_state
# Type: string
traefik_role_docker_state: started
The following advanced options are available via create_docker_container but are not defined in the role. See: docker_container module
Resource Limits
traefik_role_docker_blkio_weight
# Type: int
traefik_role_docker_blkio_weight:
traefik_role_docker_cpu_period
# Type: int
traefik_role_docker_cpu_period:
traefik_role_docker_cpu_quota
# Type: int
traefik_role_docker_cpu_quota:
traefik_role_docker_cpu_shares
# Type: int
traefik_role_docker_cpu_shares:
traefik_role_docker_cpus
# Type: string
traefik_role_docker_cpus:
traefik_role_docker_cpuset_cpus
# Type: string
traefik_role_docker_cpuset_cpus:
traefik_role_docker_cpuset_mems
# Type: string
traefik_role_docker_cpuset_mems:
traefik_role_docker_kernel_memory
# Type: string
traefik_role_docker_kernel_memory:
traefik_role_docker_memory
# Type: string
traefik_role_docker_memory:
traefik_role_docker_memory_reservation
# Type: string
traefik_role_docker_memory_reservation:
traefik_role_docker_memory_swap
# Type: string
traefik_role_docker_memory_swap:
traefik_role_docker_memory_swappiness
# Type: int
traefik_role_docker_memory_swappiness:
traefik_role_docker_shm_size
# Type: string
traefik_role_docker_shm_size:
Security & Devices
traefik_role_docker_cap_drop
# Type: list
traefik_role_docker_cap_drop:
traefik_role_docker_cgroupns_mode
# Type: string
traefik_role_docker_cgroupns_mode:
traefik_role_docker_device_cgroup_rules
# Type: list
traefik_role_docker_device_cgroup_rules:
traefik_role_docker_device_read_bps
# Type: list
traefik_role_docker_device_read_bps:
traefik_role_docker_device_read_iops
# Type: list
traefik_role_docker_device_read_iops:
traefik_role_docker_device_requests
# Type: list
traefik_role_docker_device_requests:
traefik_role_docker_device_write_bps
# Type: list
traefik_role_docker_device_write_bps:
traefik_role_docker_device_write_iops
# Type: list
traefik_role_docker_device_write_iops:
traefik_role_docker_devices
# Type: list
traefik_role_docker_devices:
traefik_role_docker_groups
# Type: list
traefik_role_docker_groups:
traefik_role_docker_privileged
# Run the container in privileged mode (docker_container `privileged`).
# true grants extended privileges (all capabilities and access to host
# devices), which largely removes the container boundary. The page sets no
# value; leave it unset unless a specific need is documented.
# Type: bool (true/false)
traefik_role_docker_privileged:
traefik_role_docker_security_opts
# Security options passed to the container runtime (docker_container
# `security_opts`), e.g. "no-new-privileges:true" or a seccomp/AppArmor
# profile selection. No value is set on this page.
# Type: list
traefik_role_docker_security_opts:
traefik_role_docker_user
# User the container process runs as (docker_container `user`).
# NOTE(review): the page does not show which user applies when this is
# unset — confirm in the role before assuming a non-root default.
# Type: string
traefik_role_docker_user:
traefik_role_docker_userns_mode
# User namespace mode for the container (docker_container `userns_mode`).
# "host" opts the container out of daemon-level user-namespace remapping
# where that is enabled, so set it only deliberately.
# Type: string
traefik_role_docker_userns_mode:
Networking
traefik_role_docker_dns_opts
# Type: list
traefik_role_docker_dns_opts:
traefik_role_docker_dns_search_domains
# Type: list
traefik_role_docker_dns_search_domains:
traefik_role_docker_dns_servers
# Type: list
traefik_role_docker_dns_servers:
traefik_role_docker_domainname
# Type: string
traefik_role_docker_domainname:
traefik_role_docker_exposed_ports
# Type: list
traefik_role_docker_exposed_ports:
traefik_role_docker_hosts_use_common
# Type: bool (true/false)
traefik_role_docker_hosts_use_common:
traefik_role_docker_ipc_mode
# IPC namespace mode for the container (docker_container `ipc_mode`).
# "host" shares the host's IPC namespace (shared memory, semaphores) with
# the container; no value is set on this page.
# Type: string
traefik_role_docker_ipc_mode:
traefik_role_docker_links
# Type: list
traefik_role_docker_links:
traefik_role_docker_network_mode
# Network mode for the container (docker_container `network_mode`).
# "host" removes network namespace isolation, so the proxy shares the
# host's interfaces and listening ports. No role default is shown here.
# Type: string
traefik_role_docker_network_mode:
traefik_role_docker_pid_mode
# PID namespace mode for the container (docker_container `pid_mode`).
# "host" makes host processes visible from inside the container; no value
# is set on this page.
# Type: string
traefik_role_docker_pid_mode:
traefik_role_docker_uts
# Type: string
traefik_role_docker_uts:
Storage
traefik_role_docker_keep_volumes
# Type: bool (true/false)
traefik_role_docker_keep_volumes:
traefik_role_docker_mounts
# Type: list
traefik_role_docker_mounts:
traefik_role_docker_storage_opts
# Type: dict
traefik_role_docker_storage_opts:
traefik_role_docker_tmpfs
# Type: list
traefik_role_docker_tmpfs:
traefik_role_docker_volume_driver
# Type: string
traefik_role_docker_volume_driver:
traefik_role_docker_volumes_from
# Type: list
traefik_role_docker_volumes_from:
traefik_role_docker_volumes_global
# Type: bool (true/false)
traefik_role_docker_volumes_global:
traefik_role_docker_working_dir
# Type: string
traefik_role_docker_working_dir:
Monitoring & Lifecycle
traefik_role_docker_auto_remove
# Type: bool (true/false)
traefik_role_docker_auto_remove:
traefik_role_docker_cleanup
# Type: bool (true/false)
traefik_role_docker_cleanup:
traefik_role_docker_force_kill
# Type: string
traefik_role_docker_force_kill:
traefik_role_docker_healthcheck
# Type: dict
traefik_role_docker_healthcheck:
traefik_role_docker_healthy_wait_timeout
# Type: int
traefik_role_docker_healthy_wait_timeout:
traefik_role_docker_init
# Type: bool (true/false)
traefik_role_docker_init:
traefik_role_docker_kill_signal
# Type: string
traefik_role_docker_kill_signal:
traefik_role_docker_log_driver
# Type: string
traefik_role_docker_log_driver:
traefik_role_docker_log_options
# Type: dict
traefik_role_docker_log_options:
traefik_role_docker_oom_killer
# Type: bool (true/false)
traefik_role_docker_oom_killer:
traefik_role_docker_oom_score_adj
# Type: int
traefik_role_docker_oom_score_adj:
traefik_role_docker_output_logs
# Type: bool (true/false)
traefik_role_docker_output_logs:
traefik_role_docker_paused
# Type: bool (true/false)
traefik_role_docker_paused:
traefik_role_docker_recreate
# Type: bool (true/false)
traefik_role_docker_recreate:
traefik_role_docker_restart_retries
# Type: int
traefik_role_docker_restart_retries:
traefik_role_docker_stop_signal
# Type: string
traefik_role_docker_stop_signal:
traefik_role_docker_stop_timeout
# Type: int
traefik_role_docker_stop_timeout:
Other Options
traefik_role_docker_capabilities
# Linux capabilities to add to the container (docker_container
# `capabilities`). Add only the single capability a feature needs and
# consider pairing it with traefik_role_docker_cap_drop.
# Type: list
traefik_role_docker_capabilities:
traefik_role_docker_cgroup_parent
# Type: string
traefik_role_docker_cgroup_parent:
traefik_role_docker_create_timeout
# Type: int
traefik_role_docker_create_timeout:
traefik_role_docker_entrypoint
# Type: string
traefik_role_docker_entrypoint:
traefik_role_docker_env_file
# Path to a file of environment variables for the container
# (docker_container `env_file`). If the file holds credentials, keep it
# readable only by its owner and out of version control.
# Type: string
traefik_role_docker_env_file:
traefik_role_docker_read_only
# Mount the container's root filesystem read-only (docker_container
# `read_only`). Paths the service must write to then need an explicit
# volume or tmpfs entry — test before enabling.
# Type: bool (true/false)
traefik_role_docker_read_only:
traefik_role_docker_runtime
# Type: string
traefik_role_docker_runtime:
traefik_role_docker_sysctls
# Kernel parameters (sysctls) to set for the container.
# NOTE(review): the docker_container module documents `sysctls` as a dict
# of key/value pairs, while this page says list — confirm the expected
# shape before overriding.
# Type: list
traefik_role_docker_sysctls:
traefik_role_docker_ulimits
# Type: list
traefik_role_docker_ulimits:
traefik_role_autoheal_enabled
# Enable or disable Autoheal monitoring for the container created when deploying
# Type: bool (true/false)
traefik_role_autoheal_enabled: true
traefik_role_depends_on
# List of container dependencies that must be running before the container starts
# NOTE(review): described as a list but declared as a string with an empty
# default; the format for naming several dependencies is not shown here —
# confirm before overriding.
# Type: string
traefik_role_depends_on: ""
traefik_role_depends_on_delay
# Delay in seconds before starting the container after dependencies are ready
# Type: string (quoted number)
traefik_role_depends_on_delay: "0"
traefik_role_depends_on_healthchecks
# Enable healthcheck waiting for container dependencies
# Type: string ("true"/"false")
traefik_role_depends_on_healthchecks:
traefik_role_diun_enabled
# Enable or disable Diun update notifications for the container created when deploying
# Type: bool (true/false)
traefik_role_diun_enabled: true
traefik_role_dns_enabled
# Enable or disable automatic DNS record creation for the container
# Type: bool (true/false)
traefik_role_dns_enabled: true
traefik_role_docker_controller
# Enable or disable Saltbox Docker Controller management for the container
# Type: bool (true/false)
traefik_role_docker_controller: true
traefik_role_docker_networks_alias_custom
# Type: list
traefik_role_docker_networks_alias_custom:
traefik_role_docker_volumes_download
# Type: bool (true/false)
traefik_role_docker_volumes_download:
traefik_role_themepark_addons
# Type: string
traefik_role_themepark_addons:
traefik_role_themepark_app
# Type: string
traefik_role_themepark_app:
traefik_role_themepark_theme
# Type: string
traefik_role_themepark_theme:
traefik_role_traefik_api_endpoint
# Type: dict/omit
traefik_role_traefik_api_endpoint:
traefik_role_traefik_api_middleware
# Type: string
traefik_role_traefik_api_middleware:
traefik_role_traefik_api_middleware_http
# Type: string
traefik_role_traefik_api_middleware_http:
traefik_role_traefik_autodetect_enabled
# Enable Traefik autodetect middleware for the container
# Type: bool (true/false)
traefik_role_traefik_autodetect_enabled: false
traefik_role_traefik_certresolver
# Type: string
traefik_role_traefik_certresolver:
traefik_role_traefik_crowdsec_enabled
# Enable CrowdSec middleware for the container
# Defaults to false, so requests routed to this container are presumably
# not checked by CrowdSec unless this is enabled — confirm which other
# middleware protects the route.
# Type: bool (true/false)
traefik_role_traefik_crowdsec_enabled: false
traefik_role_traefik_error_pages_enabled
# Enable custom error pages middleware for the container
# Type: bool (true/false)
traefik_role_traefik_error_pages_enabled: false
traefik_role_traefik_gzip_enabled
# Enable gzip compression middleware for the container
# Type: bool (true/false)
traefik_role_traefik_gzip_enabled: false
traefik_role_traefik_middleware_http
# Type: string
traefik_role_traefik_middleware_http:
traefik_role_traefik_middleware_http_api_insecure
# NOTE(review): the page gives no description or default for this flag.
# The name suggests it relaxes handling of plain-HTTP requests on the API
# router — confirm the exact effect in the role source before enabling.
# Type: bool (true/false)
traefik_role_traefik_middleware_http_api_insecure:
traefik_role_traefik_middleware_http_insecure
# NOTE(review): the page gives no description or default for this flag.
# The name suggests it relaxes handling of plain-HTTP requests on the web
# router — confirm the exact effect in the role source before enabling.
# Type: bool (true/false)
traefik_role_traefik_middleware_http_insecure:
traefik_role_traefik_priority
# Type: string
traefik_role_traefik_priority:
traefik_role_traefik_robot_enabled
# Enable robots.txt middleware for the container
# Type: bool (true/false)
traefik_role_traefik_robot_enabled: true
traefik_role_traefik_tailscale_enabled
# Enable Tailscale-specific Traefik configuration for the container
# Type: bool (true/false)
traefik_role_traefik_tailscale_enabled: false
traefik_role_traefik_wildcard_enabled
# Enable wildcard certificate for the container
# Type: bool (true/false)
traefik_role_traefik_wildcard_enabled: true
traefik_role_web_api_http_port
# Type: string (quoted number)
traefik_role_web_api_http_port:
traefik_role_web_api_http_scheme
# Type: string ("http"/"https")
traefik_role_web_api_http_scheme:
traefik_role_web_api_http_serverstransport
# Type: dict/omit
traefik_role_web_api_http_serverstransport:
traefik_role_web_api_port
# Type: string (quoted number)
traefik_role_web_api_port:
traefik_role_web_api_scheme
# Type: string ("http"/"https")
traefik_role_web_api_scheme:
traefik_role_web_api_serverstransport
# Type: dict/omit
traefik_role_web_api_serverstransport:
traefik_role_web_fqdn_override
# Override the Traefik fully qualified domain name (FQDN) for the container
# Type: list
traefik_role_web_fqdn_override:
Example Override
traefik_role_web_fqdn_override:
- "{{ traefik_host }}"
- "traefik2.{{ user.domain }}"
- "traefik.otherdomain.tld"
Note: Include {{ traefik_host }} to preserve the default FQDN alongside your custom entries
traefik_role_web_host_override
# Override the Traefik web host configuration for the container
# Type: string
traefik_role_web_host_override:
Example Override
traefik_role_web_host_override: "Host(`{{ traefik_host }}`) || Host(`{{ 'traefik2.' + user.domain }}`)"
Note: Use {{ traefik_host }} to include the default host configuration in your custom rule
traefik_role_web_http_port
# Type: string (quoted number)
traefik_role_web_http_port:
traefik_role_web_http_scheme
# Type: string ("http"/"https")
traefik_role_web_http_scheme:
traefik_role_web_http_serverstransport
# Type: dict/omit
traefik_role_web_http_serverstransport:
traefik_role_web_scheme
# URL scheme to use for web access to the container
# Type: string ("http"/"https")
traefik_role_web_scheme:
traefik_role_web_serverstransport
# Traefik serversTransport used for the connection from the proxy to the
# backend, or omitted (presumably; the page gives no description).
# NOTE(review): a serversTransport can disable backend certificate
# verification (insecureSkipVerify); check any transport referenced here,
# and by the other *_serverstransport variables, for that setting.
# Type: dict/omit
traefik_role_web_serverstransport: