| Property | Value |
|---|---|
| Host VM | VM-RZ-EDGE-01 (10.250.0.101 / 46.4.105.246) |
| Compose path | /opt/traefik/docker-compose.yml |
| Image | traefik:v3.5.4 (RZ EDGE und HM EDGE) plus v3.6.15 auf APP-VMs |
| Container name(s) | traefik |
| External URL | <— (no public dashboard exposure)> |
| Networks | traefik_backend (shared ingress) |
| DB / state | — (stateless; ACME data persisted on disk) |
| Auth | — (no public UI; dashboard if enabled is internal) |
| Backup | PBS image-level via VM-SL-00 (covers ACME storage). |
Single Traefik instance terminates TLS for every public-facing service on RZ and routes inbound HTTPS to the right Docker container by Host header. Auto-discovers backend services via Docker labels and a static file provider for non-Docker upstreams.
Two providers: Docker (auto-discovery via labels) + file (static config). Single Let's Encrypt cert resolver letsencrypt using HTTP-01 challenge. Shared traefik_backend Docker network — every service that wants Traefik ingress joins this network.
Compose at /opt/traefik/docker-compose.yml. ACME storage persisted in /opt/traefik/letsencrypt/acme.json. Dynamic file provider config under /opt/traefik/dynamic/. Default security-headers middleware available for services to chain in.
Listens on :80 and :443 on the public IP. HTTP is auto-redirected to HTTPS via per-router middleware. The Traefik dashboard is not publicly exposed.
— (Traefik itself does not authenticate; downstream services do their own auth.)
/opt/traefik/letsencrypt/acme.json (ACME state); compose dir.
PBS image-level via VM-SL-00. Loss of acme.json triggers a re-issue from Let's Encrypt — annoying, not catastrophic (rate-limit-aware).
cd /opt/traefik && docker compose restartdocker logs --since 1h traefikdocker compose up -d (Traefik supports hot-reload of dynamic config; static config requires a restart).:latest — TODO pin to a specific version + digest.vm-rz-edge-01 (RZ, 10.250.0.101) und vm-hm-edge-01 (HM, 10.150.100.101).policies/acme-challenge, locked 2026-05-02)./services/traefik-hm-edge (geplant).