Docker Provider
A Story of Labels & Containers
Attach labels to your Docker containers and let Traefik automatically discover and route traffic to your services. The Docker provider works with Docker standalone Engine and monitors container events in real-time.
Quick Start
Enable Docker Provider
Add Docker provider to your Traefik configuration (traefik.yml):
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: true
Add Labels to Containers
Define routing rules using Docker labels:
services:
  whoami:
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
Deploy and Access
Start your services: Traefik automatically detects the container and creates routes!
Complete Example
docker-compose.yml
version: '3.8'
services:
  traefik:
    image: traefik:v3.6
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik.yml:/etc/traefik/traefik.yml"
  my-app:
    image: my-application:latest
    labels:
      # Router configuration
      - "traefik.enable=true"
      - "traefik.http.routers.my-app.rule=Host(`app.example.com`)"
      - "traefik.http.routers.my-app.entrypoints=websecure"
      - "traefik.http.routers.my-app.tls=true"
      # Service configuration
      - "traefik.http.services.my-app.loadbalancer.server.port=8080"
      # Middleware
      - "traefik.http.routers.my-app.middlewares=my-auth"
      - "traefik.http.middlewares.my-auth.basicauth.users=admin:$$apr1$$..."
How It Works
Port Detection
Traefik automatically detects which port to use:
Single exposed port: Traefik uses that port
Multiple exposed ports: Traefik uses the lowest port (e.g., 80 over 8080)
No exposed ports or manual override needed: Use the label:
labels:
  - "traefik.http.services.<service-name>.loadbalancer.server.port=8080"
Docker API Access
Security Alert: Accessing the Docker socket gives Traefik full control over Docker. Only deploy Traefik in trusted environments.
Traefik requires access to the Docker socket to discover containers. You have several connection options:
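# Unix socket: mount the socket into the Traefik container (docker-compose.yml)
services:
  traefik:
    image: traefik:v3.6
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

# Unix socket: point the provider at the mounted socket (traefik.yml)
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"

# TCP (this endpoint carries no TLS; see TLS Configuration for a secured connection)
providers:
  docker:
    endpoint: "tcp://192.168.1.10:2375"

# SSH
providers:
  docker:
    endpoint: "ssh://traefik@192.168.1.10:22"
Requires Docker 18.09+ and SSH key authentication.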
Recommended: Use Docker Socket Proxy to limit Traefik’s access to only necessary Docker API endpoints.
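The recommendation above as a Compose file, shown as an added example that is not from the Traefik documentation. It assumes the community `tecnativa/docker-socket-proxy` image and its `CONTAINERS` setting; the network names `socket` and `web` are placeholders.

```yaml
# docker-compose.yml: added example, not from the Traefik docs.
# Assumptions: the community tecnativa/docker-socket-proxy image and its
# CONTAINERS variable; the network names "socket" and "web" are placeholders.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    environment:
      CONTAINERS: 1          # allow read access to /containers; POST requests stay denied by default
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - socket               # reachable only on the internal network; no ports published

  traefik:
    image: traefik:v3.6
    command:
      - "--providers.docker.endpoint=tcp://socket-proxy:2375"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=web"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
    networks:
      - socket               # reaches the Docker API through the proxy only
      - web                  # reaches backend containers
    # Note: no /var/run/docker.sock volume on this service.

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"   # required because exposedByDefault is false
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=web"
    networks:
      - web

networks:
  socket:
    internal: true           # not connected to anything outside the Docker host
  web:
    name: web                # fixed name so providers.docker.network matches
```

The proxy container still holds the socket, so it needs the same trust as the daemon; what shrinks is the set of Docker API calls available to a compromised Traefik.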
Provider Configuration
endpoint
Default: unix:///var/run/docker.sock
Docker daemon socket to connect to.
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
exposedByDefault
Default: true
Expose all containers by default. Set to false to require an explicit traefik.enable=true label on every container that should be routed.
providers:
  docker:
    exposedByDefault: false
Enable Required
# With exposedByDefault: false
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.app.rule=Host(`example.com`)"
network
Default: ""
Default Docker network for container connections.
providers:
  docker:
    network: "web"
Override per-container:
labels:
  - "traefik.docker.network=custom-network"
watch
Default: true
Watch for Docker events and update configuration automatically.
providers:
  docker:
    watch: true
constraints
Default: ""
Filter containers based on label expressions.
Production Only
providers:
  docker:
    constraints: "Label(`environment`, `production`)"
defaultRule
Default: Host(`{{ normalize .Name }}`)
Default routing rule template for containers without explicit rules.
providers:
  docker:
    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"domain\" }}`)"
useBindPortIP
Default: false
Use the IP/Port from the container’s port binding instead of the internal IP.
providers:
  docker:
    useBindPortIP: true
TLS Configuration
Secure connection to Docker daemon:
providers:
  docker:
    endpoint: "tcp://docker-host:2376"
    tls:
      ca: "/path/to/ca.crt"
      cert: "/path/to/cert.crt"
      key: "/path/to/key.key"
      insecureSkipVerify: false
allowEmptyServices
Default: false
Allow load balancers with no healthy containers (returns 503 instead of 404).
providers:
  docker:
    allowEmptyServices: true
Common Patterns
Multi-Domain Application
services:
  app:
    image: my-app
    labels:
      # Main domain
      - "traefik.http.routers.app.rule=Host(`example.com`)"
      # API subdomain
      - "traefik.http.routers.app-api.rule=Host(`api.example.com`)"
      - "traefik.http.routers.app-api.service=app"
      # Service port
      - "traefik.http.services.app.loadbalancer.server.port=3000"
Path-Based Routing
labels:
  - "traefik.http.routers.app.rule=Host(`example.com`) && PathPrefix(`/api`)"
  - "traefik.http.middlewares.app-stripprefix.stripprefix.prefixes=/api"
  - "traefik.http.routers.app.middlewares=app-stripprefix"
HTTPS with Let’s Encrypt
labels:
  - "traefik.http.routers.app.rule=Host(`example.com`)"
  - "traefik.http.routers.app.entrypoints=websecure"
  - "traefik.http.routers.app.tls.certresolver=letsencrypt"
Load Balancing Multiple Containers
services:
  app:
    image: my-app
    deploy:
      replicas: 3
    labels:
      - "traefik.http.routers.app.rule=Host(`example.com`)"
      - "traefik.http.services.app.loadbalancer.server.port=8080"
Traefik automatically load balances across all replicas.
Host Networking
When using Docker’s host network mode:
services:
  app:
    network_mode: host
Traefik resolves the host IP in this order:
host.docker.internal
host.containers.internal (Podman)
127.0.0.1
On Linux with Docker < 20.10, add --add-host=host.docker.internal:172.17.0.1 to the Traefik container.
Troubleshooting
Service Not Detected
Check exposedByDefault
If exposedByDefault: false, ensure the traefik.enable=true label is set.
Verify Docker Socket
docker exec traefik ls -la /var/run/docker.sock
Check Constraints
Ensure container labels match any configured constraints.
Port Issues
# Explicitly set the port
labels:
  - "traefik.http.services.myapp.loadbalancer.server.port=8080"
Network Connectivity
# Specify the Docker network
labels:
  - "traefik.docker.network=my-network"
Security Best Practices
Never expose the Docker socket to untrusted containers. Consider using:
Docker Socket Proxy
SSH connection with key authentication
TCP with TLS client certificates