
Part 5: Summary

The following is the complete workflow for exposing a service through Traefik, using only labels instead of modifying the Traefik configuration file.

Add the following labels to each unRAID container service that you want Traefik to handle.

Add Labels to unRAID Container Template

This is needed so that Traefik will intercept any request whose hostname matches and route it through Authelia authentication and authorization.

Add the following FOUR labels to unRAID container templates. Then click Apply to restart the container.

For automatically adding the route for the service to Traefik.

Label 1:

  • Name: Enable Traefik
  • Key: traefik.enable
  • Value: true

Label 2:

  • Name: https entrypoint
  • Key: traefik.http.routers.<APP_NAME>.entryPoints
  • Value: https

Label 3:

  • Name: traefik.http.routers.<APP_NAME>.rule
  • Key: traefik.http.routers.<APP_NAME>.rule
  • Value: Host(`<APP_NAME>.DOMAIN.COM`)

For automatically adding the route to Cloudflare DNS server via docker-traefik-cloudflare-companion service.

Label 4:

  • Name: traefik.constraint
  • Key: traefik.constraint
  • Value: proxy-public

Forward traffic to Authelia to authenticate and authorize the user before reaching the final service.

Label 5:

  • Name: Traefik Authelia Forward Auth
  • Key: traefik.http.routers.<APP_NAME>.middlewares
  • Value: auth@file
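
A container that has Labels 1 to 4 but not Label 5 is still published by Traefik, just without Authelia in front of it. The following check is an added example, not part of the original tutorial: it audits label sets (as found under `.Config.Labels` in `docker inspect` output) against the five labels above. The function names and sample containers are made up, and it assumes Traefik only publishes containers that set `traefik.enable=true`.

```python
import re

# Router label keys look like traefik.http.routers.<APP_NAME>.<option>
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(\w+)$")

def audit_labels(labels):
    """Return findings for one container's labels; an empty list means OK."""
    # Assumption: label keys are compared case-insensitively (entryPoints/entrypoints).
    norm = {k.lower(): v.strip() for k, v in labels.items()}
    # Assumption: Traefik only publishes containers that set traefik.enable=true.
    if norm.get("traefik.enable", "").lower() != "true":
        return []
    routers = {}
    for key, value in norm.items():
        m = ROUTER_KEY.match(key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value
    findings = []
    for name, opts in sorted(routers.items()):
        if opts.get("entrypoints") != "https":
            findings.append(f"{name}: entryPoints is not https")
        if not opts.get("rule", "").startswith("Host("):
            findings.append(f"{name}: no Host() rule label")
        # The middlewares value is a comma-separated chain.
        chain = [x.strip() for x in opts.get("middlewares", "").split(",")]
        if "auth@file" not in chain:
            findings.append(f"{name}: auth@file missing, requests skip Authelia")
    if norm.get("traefik.constraint") != "proxy-public":
        findings.append("traefik.constraint is not proxy-public")
    return findings

def audit_all(containers):
    """Map container name -> findings, only for containers that have findings."""
    return {n: f for n, lab in containers.items() if (f := audit_labels(lab))}

# Constructed sample label sets; container names are made up for illustration.
GOOD = {
    "traefik.enable": "true",
    "traefik.http.routers.jellyfin.entryPoints": "https",
    "traefik.http.routers.jellyfin.rule": "Host(`jellyfin.DOMAIN.COM`)",
    "traefik.http.routers.jellyfin.middlewares": "auth@file",
    "traefik.constraint": "proxy-public",
    "traefik.http.services.jellyfin.loadbalancer.server.port": "8096",
}
# Same labels with Label 5 forgotten: the router is published without Authelia.
NO_AUTH = {k: v for k, v in GOOD.items() if not k.endswith(".middlewares")}
SAMPLE = {"jellyfin": GOOD, "jellyfin-copy": NO_AUTH, "internal-db": {}}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE).items():
        print(name, found)
```
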

Specify custom port

By default, Traefik uses the first exposed port that it picks up from the target service's Dockerfile. If a service exposes multiple ports, you can specify which port Traefik should use for that target service. See https://docs.ibracorp.io/traefik/master/unraid/proxying-your-first-app/proxying-an-app-with-multiple-exposed-ports for more info.

Label:

  • Name: Traefik Target Service Port
  • Key: traefik.http.services.<APP_NAME>.loadbalancer.server.port
  • Value: 8096

Congratulations on completing this tutorial! You now have a secure gateway to access your unRAID services!

What's Next?

If you are very paranoid, you can even create an additional layer of authentication that takes place before the traffic even reaches the cloudflared tunnel or Authelia. This would give a staggering FOUR layers of authentication that any malicious attacker must bypass! See my post here on creating Google OAuth using CloudFlare policy.

  1. Google OAuth (limited to only selected emails)
  2. Authelia 1-factor auth: username + password
  3. Authelia 2-factor auth: TOTP (6 digits)
  4. Final service auth (if any)