How to set up your own web infrastructure at home with Docker and Traefik: from zero to automatic HTTPS

Author: Rogelio Guerra Riverón
Building my own web infrastructure from scratch. Here I document each step: servers, networks, containers and everything that comes along.

Introduction

A few months ago I decided to stop using expensive cloud services and set up my own infrastructure at home. The solution I found was combining Docker with Traefik. It works well and now I have several services running under HTTPS without manually touching a certificate. I’ll tell you how I did it.

What you need

A server with Docker installed (any Linux machine with 2GB of RAM is enough). Your own domain. A bit of patience with DNS. That’s it.

If you don’t have a dedicated server, you have options depending on budget and power consumption: a Raspberry Pi 3 B+ (affiliate link) is perfect for lightweight services with minimal power consumption. If you need more power, a laptop like the Lenovo V15 (affiliate link) is a very versatile option: besides being a home server, it has the capacity to run industrial software from brands like Siemens (TIA Portal, SIMATIC) or other automation environments that demand real resources. One device, two uses.

The plan

I’m going to use Traefik as a reverse proxy. It automatically handles Let’s Encrypt certificates, routes traffic to the correct containers, and serves HTTPS without you having to do anything once it’s configured. It’s clean and it works.

Step 1: Prepare Docker Compose

Create a folder for your stack:

mkdir -p ~/docker/traefik
cd ~/docker/traefik

This will be your docker-compose.yml file:

version: '3.8'

services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "443:443"
      # Dashboard (api.insecure in traefik.yml), published on loopback only
      - "127.0.0.1:8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yml:/traefik.yml
      - ./acme.json:/acme.json
    networks:
      - web

networks:
  web:
    driver: bridge

Create the traefik.yml file:

api:
  insecure: true
  dashboard: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: tu-email@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: web

providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false
  file:
    filename: traefik.yml

Create the acme.json file with restrictive permissions:

touch acme.json
chmod 600 acme.json

Step 2: Start Traefik

docker-compose up -d

Verify it’s running:

docker-compose logs traefik

Step 3: Configure your domain

At your DNS provider, point your domain (and a wildcard) to your server’s public IP:

example.com     A  TU_IP_PUBLICA
*.example.com   A  TU_IP_PUBLICA

Wait for it to propagate (typically 15 minutes).

Step 4: Add your first service

I’m going to add a simple example. Modify the docker-compose.yml:

services:
  traefik:
    # ... previous config

  whoami:
    image: traefik/whoami
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      - web

Redeploy:

docker-compose up -d

Wait 30 seconds and go to https://whoami.example.com. The certificate is generated automatically.

Step 5: Add more services

For each new service, just add labels similar to the whoami ones. Traefik takes care of the rest. It’s that simple.

Practical considerations

Back up acme.json: It’s your certificates file. Back it up regularly or you’ll lose the certificates.

Firewall: Forward ports 80 and 443 on your router to the server.

Dynamic IP: If your ISP changes your IP (common on residential connections), use a DDNS service.

Dashboard: Traefik has a dashboard at http://localhost:8080 (only from the local machine for security).
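
The points above can be checked after each deploy. This is an added shell example, not part of the original post; it assumes the container name traefik and the ~/docker/traefik layout from this guide, and the function names and the sample `docker port` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Checks three things this guide
# relies on: acme.json stays mode 600, only 80/443 are published beyond
# loopback, and api.insecure is not combined with an exposed extra port.

# True only if $1 is a regular file with mode 600 (GNU stat, BSD fallback).
acme_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    [ "$mode" = "600" ]
}

# True if the top-level `api:` block of static config $1 sets `insecure: true`.
api_insecure() {
    awk '/^[^ #]/ { in_api = ($1 == "api:") }
         in_api && $1 == "insecure:" && $2 == "true" { found = 1 }
         END { exit !found }' "$1"
}

# Reads `docker port <container>` output on stdin and prints each binding,
# other than ports 80 and 443, that listens on a non-loopback address.
exposed_extra_ports() {
    while read -r proto arrow bind; do
        [ -n "$bind" ] || continue
        host=${bind%:*}; port=${bind##*:}
        case "$port" in 80|443) continue ;; esac
        case "$host" in 127.0.0.1|::1|"[::1]") continue ;; esac
        echo "$bind"
    done
}

# Constructed sample of `docker port traefik` output, for an offline run.
SAMPLE_PORTS='80/tcp -> 0.0.0.0:80
443/tcp -> 0.0.0.0:443
8080/tcp -> 0.0.0.0:8080'

# Live checks against the stack directory, e.g. ~/docker/traefik.
run_checks() {
    dir=$1; rc=0
    acme_mode_ok "$dir/acme.json" || { echo "acme.json missing or not mode 600"; rc=1; }
    extra=$(docker port traefik | exposed_extra_ports)
    if [ -n "$extra" ]; then
        echo "published beyond 80/443 on a non-loopback address: $extra"
        api_insecure "$dir/traefik.yml" && echo "api.insecure is on: dashboard has no auth"
        rc=1
    fi
    return $rc
}

# Usage: sh check.sh --check ~/docker/traefik
if [ "${1:-}" = "--check" ]; then run_checks "${2:-.}"; fi
```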

Common issues

If certificates aren’t being generated, check the logs: docker-compose logs traefik. Usually it’s a DNS or firewall problem.

If a service doesn’t respond, verify that the port label matches the container’s internal port.

Conclusion

With this setup I’ve deployed a blog, a wiki, Nextcloud and other services at home without spending on SSL or a commercial reverse proxy. Traefik is a beast at this. It’s well worth spending an hour configuring it properly.

