Skip to main content

Traefik v1.x

Traefik v1.x

Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, ...) and configures itself automatically and dynamically. Pointing Traefik at your orchestrator should be the only configuration step you need. This configuration is A+. Test your setup here at SSLlabs.

Create docker-compose.yml, traefik.toml and acme.json in the same directory or change their paths in the volume section.


Ensure you enable Basic Auth protection for Traefik or disable its Dashboard. Otherwise your Dashboard will be accessible from the internet.

sudo apt install apache2-utils
echo $(htpasswd -nb username mystrongpassword) | sed -e s/\\$/\\$\\$/g

This command automatically escapes all $ inside the password for the YML file. If using an environment file, it does not need the $ escaped since it will not be interpreted by the shell.

Create the docker network for traefik.

sudo docker network create traefik


version: '3.5'
name: traefik
container_name: traefik
image: traefik:v1.7
- traefik
- 80:80
- 443:443
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./acme.json:/acme.json
traefik.enable: 'true'
traefik.backend: traefik traefik
traefik.port: 8080
traefik.frontend.entryPoints: https
traefik.frontend.passHostHeader: 'true'
traefik.frontend.headers.SSLForceHost: 'true'
traefik.frontend.headers.SSLRedirect: 'true'
traefik.frontend.headers.browserXSSFilter: 'true'
traefik.frontend.headers.contentTypeNosniff: 'true'
traefik.frontend.headers.forceSTSHeader: 'true'
traefik.frontend.headers.STSSeconds: 315360000
traefik.frontend.headers.STSIncludeSubdomains: 'true'
traefik.frontend.headers.STSPreload: 'true'
traefik.frontend.headers.customResponseHeaders: X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex
traefik.frontend.headers.frameDeny: 'true'
traefik.frontend.headers.customFrameOptionsValue: 'allow-from'
# traefik.frontend.auth.basic.users: xxx:xxx
restart: unless-stopped

image: jellyfin/jellyfin
container_name: jellyfin
network_mode: 'host'
- /path/to/config:/config
- /path/to/cache:/cache
- /path/to/media:/media
restart: unless-stopped

This TOML file can't support environment variables, so don't attempt to use variables.


Due to a bug in Traefik, you cannot dynamically route to containers when network_mode=host, so we have created a static route to the docker host ( in traefik.toml. Using host networking (or macvlan) is required to use DLNA or an HdHomeRun as it supports multicast networking.


logLevel = "WARN"
defaultEntryPoints = ["http", "https"]

address = ":80"
entryPoint = "https"
address = ":443"
minVersion = "VersionTLS12"
cipherSuites = [



acmeLogging = true
email = ""
storage = "acme.json"
entryPoint = "https"
provider = "provider"
delayBeforeCheck = "60"

main = "*"

domain = ""
network = "traefik"
exposedbydefault = false

url = ""
backend = "backend-jellyfin"
passHostHeader = true
rule = ""
SSLRedirect = true
SSLHost = ""
SSLForceHost = true
STSSeconds = 315360000
STSIncludeSubdomains = true
STSPreload = true
forceSTSHeader = true
frameDeny = true
contentTypeNosniff = true
browserXSSFilter = true
customResponseHeaders = "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
customFrameOptionsValue = "allow-from"

Finally, create an empty acme.json file to handle the certificate.

touch acme.json
chmod 600 acme.json

Change to your domain name and update the acme.json file with your email address. Let's Encrypt does not require a valid email but will be flagged as fake.

Launch the Traefik and Jellyfin services.

docker-compose up -d

Congratulations, your stack with Traefik and Jellyfin is running!

Go to the domain you used earlier in the config file and your Jellyfin server will be running with HTTPS (AES 256) enabled.