Install and Configure Traefik on AlmaLinux 10

By Raman Kumar

Updated on Oct 30, 2025

In this tutorial, we'll learn how to install and configure Traefik on AlmaLinux 10. 

What is Traefik?

Traefik is a modern, cloud-native reverse proxy and load balancer that automatically manages network traffic for web applications. It sits in front of our services and routes incoming requests to the right container or server.

Unlike traditional reverse proxies like Nginx or HAProxy, Traefik integrates directly with platforms such as Docker, Kubernetes, and systemd — detecting new services automatically. It also handles automatic SSL certificates through Let’s Encrypt, meaning our sites can run securely over HTTPS without any manual setup or renewal.

In short, Traefik makes managing web traffic simple, automated, and ready for production environments.

Prerequisites

Before we begin, ensure we have the following:

  • A dedicated server or KVM VPS running AlmaLinux 10.
  • Basic Linux command-line knowledge.
  • A domain name with an A record pointing to the server's IP.

Install and Configure Traefik on AlmaLinux 10

1. Update the server 

Before anything else, make sure the server is up to date:

sudo dnf update -y

2. Install Docker on AlmaLinux 10

We want to run Traefik via Docker, so first install Docker. Based on recent information, these commands are compatible with AlmaLinux 10.

sudo dnf install -y dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
sudo systemctl enable --now docker
docker --version    # confirm

If everything works, Docker’s ready.

3. Create network and directories for Traefik

To keep things clean:

sudo docker network create web
sudo mkdir -p /opt/traefik/{config,certs,logs}
cd /opt/traefik
sudo touch acme.json
sudo chmod 600 acme.json

  • We created a Docker network named web (so services will connect to it and Traefik will listen on it).
  • We created a config directory to hold Traefik’s static config.
  • acme.json will store certificate data for automatic SSL.

4. Traefik Static Configuration

We’ll create traefik.yml (or traefik.yaml) to hold Traefik’s static configuration and put it at /opt/traefik/config/traefik.yml.
Here’s a minimal example adapted for automatic SSL via Let’s Encrypt (ACME), listening on ports 80 & 443:

sudo nano /opt/traefik/config/traefik.yml

Add the following content:

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

api:
  dashboard: true
  insecure: false   # disable insecure access in production (we’ll secure it)
  
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    network: web
    exposedByDefault: false

certificatesResolvers:
  letsencrypt:
    acme:
      email: "admin@example.com"
      storage: "/acme.json"
      httpChallenge:
        entryPoint: web

Notes:

  • We listen on HTTP (port 80) and redirect to HTTPS (port 443).
  • We enable a certificate resolver named letsencrypt.
  • The acme.json file stores certificates (we set permission earlier).
  • We use the Docker provider: Traefik can inspect Docker containers for routing rules.
  • Use your real email address in the email: field.
  • /acme.json inside the container must map to our host’s acme.json.

5. Start Traefik container

In /opt/traefik, create a docker-compose.yml (if you’re comfortable with Docker Compose) or run docker run manually. Here’s a compose file:

sudo nano /opt/traefik/docker-compose.yml

Add the following content:

services:
  traefik:
    image: traefik:v3.5
    container_name: traefik
    restart: always
    command:
      - "--configFile=/etc/traefik/traefik.yml"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"    # dashboard port, only used in insecure mode (api.insecure: true)
    networks:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
networks:
  web:
    external: true

Then run:

cd /opt/traefik
sudo docker compose up -d

Check logs:

sudo docker logs traefik

Look for messages indicating certificates being obtained and entrypoints active.
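
A pre-flight check for the directory built in steps 3 to 5, as an added example (not part of the original tutorial): it flags an acme.json that is not mode 600, api.insecure: true, a missing exposedByDefault: false, and a published port 8080. The function name and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Traefik directory laid out as in steps 3-5.
# Prints one line per finding; no output means every check passed.
audit_traefik_dir() {
    dir=$1
    static="$dir/config/traefik.yml"
    compose="$dir/docker-compose.yml"

    # acme.json holds private keys, so it must exist with mode 600.
    if [ ! -f "$dir/acme.json" ]; then
        echo "acme.json: missing"
    elif [ "$(ls -l "$dir/acme.json" | cut -c1-10)" != "-rw-------" ]; then
        echo "acme.json: mode is not 600"
    fi

    # api.insecure: true serves the dashboard and API without authentication.
    if grep -Eq '^[[:space:]]*insecure:[[:space:]]*true' "$static" 2>/dev/null; then
        echo "traefik.yml: api.insecure is true"
    fi

    # Without exposedByDefault: false, every container gets a route.
    if ! grep -Eq '^[[:space:]]*exposedByDefault:[[:space:]]*false' "$static" 2>/dev/null; then
        echo "traefik.yml: exposedByDefault is not false"
    fi

    # Port 8080 is the insecure-mode dashboard port; flag it when published.
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?8080:' "$compose" 2>/dev/null; then
        echo "docker-compose.yml: port 8080 is published"
    fi
}

# Demo on a constructed, deliberately weak directory (not the real /opt/traefik).
demo=$(mktemp -d)
mkdir -p "$demo/config"
touch "$demo/acme.json" && chmod 644 "$demo/acme.json"
printf 'api:\n  dashboard: true\n  insecure: true\n' > "$demo/config/traefik.yml"
printf 'services:\n  traefik:\n    ports:\n      - "8080:8080"\n' > "$demo/docker-compose.yml"
audit_traefik_dir "$demo"   # prints four findings
rm -rf "$demo"
```

On the real host, run it as audit_traefik_dir /opt/traefik; with the compose file from step 5 it reports the published port 8080.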

6. Configure firewall

We need to open the HTTP (80) and HTTPS (443) ports in the firewall:

sudo firewall-cmd --add-port={80,443}/tcp --permanent
sudo firewall-cmd --reload

7. Deploying a sample service behind Traefik (for proof)

Let’s test. We’ll run a simple “whoami” service behind Traefik to verify routing & SSL.

Create a directory for the service under /opt/traefik:

sudo mkdir -p /opt/traefik/whoami && cd /opt/traefik/whoami

Create the Docker Compose file:

sudo nano docker-compose.yml

Add the following content:

services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
    networks:
      - web
networks:
  web:
    external: true

Now execute the following command:

sudo docker compose up -d

Make sure DNS for whoami.example.com (with example.com replaced by our own domain) points to this server. Visit https://whoami.example.com in a browser; it should load and show the whoami response.
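
To confirm from the command line that the site presents a Let's Encrypt certificate rather than the self-signed TRAEFIK DEFAULT CERT that Traefik serves when issuance has not succeeded, this added example (not part of the original tutorial) classifies the issuer reported by openssl. The function names and the sample issuer line are constructed.

```shell
#!/bin/sh
# Added example: tell a Let's Encrypt certificate apart from the
# self-signed fallback Traefik serves when ACME issuance has not succeeded.

# Reads "openssl x509 -noout -issuer" output on stdin and prints one of:
#   none         -> no certificate was returned (port closed, DNS wrong)
#   default      -> Traefik's built-in self-signed certificate
#   letsencrypt  -> certificate issued by Let's Encrypt
#   other        -> any other issuer
classify_issuer() {
    issuer=$(grep -i '^issuer' | head -n 1)
    case $issuer in
        "")                       echo none ;;
        *"TRAEFIK DEFAULT CERT"*) echo default ;;
        *"Let's Encrypt"*)        echo letsencrypt ;;
        *)                        echo other ;;
    esac
}

# Fetch the issuer of the certificate a host presents on 443 (needs network).
fetch_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# usage: check_host whoami.example.com   (exit status 0 only for letsencrypt)
check_host() {
    result=$(fetch_issuer "$1" | classify_issuer)
    echo "$1: $result"
    [ "$result" = letsencrypt ]
}

# Offline demo on a constructed issuer line.
printf 'issuer=CN = TRAEFIK DEFAULT CERT\n' | classify_issuer   # prints: default
```

A result of default or none usually means the HTTP challenge could not complete, so check that ports 80 and 443 are open and that the DNS record points to this server.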

Add More Websites

To add another site, simply add a new service block to the docker-compose.yml like this:

myapp:
  image: nginx
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.myapp.rule=Host(`myapp.example.com`)"
    - "traefik.http.routers.myapp.entrypoints=websecure"
    - "traefik.http.routers.myapp.tls.certresolver=letsencrypt"
  networks:
    - web

Then run:

sudo docker compose up -d

Traefik will detect it and create a new SSL certificate automatically.

8. Additional tips & considerations

  • Always pin the Traefik image version (e.g., traefik:v3.5.3) instead of using latest, to avoid unexpected upgrades.
  • Monitor renewal status of certificates. Traefik handles Let’s Encrypt renewals automatically but logs need watching.
  • Consider adding rate-limit, IP allow-list (ipAllowList in Traefik v3), or other middlewares if exposing many services.
  • Backup the acme.json file — contains certificates and keys. Loss means re-issuance.
  • If you have multiple domains/sub-domains behind Traefik, ensure each has proper DNS A/AAAA record pointing to the server.
  • Use TLS options (minimum version, cipher suites) by defining them in config if you need stricter security.
  • Ensure log rotation is in place for logs if you enable high verbosity.
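  • Check firewall rules and SELinux denials if things don’t work (AlmaLinux has SELinux enabled by default).
  • For production usage, consider running Traefik as a non-root user or with minimal privileges, and map volumes carefully: the :ro flag on the docker.sock mount does not restrict the Docker API, so anything that can reach the socket can control the Docker daemon.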
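
The static configuration in step 4 sets api.dashboard: true with insecure: false, so the dashboard is only reachable once a router points at the internal api@internal service. As an added example (not from the original tutorial), this script prints labels for the traefik service that publish it on websecure behind basic auth; the host traefik.example.com, the router and middleware names, and the sample hash are assumptions.

```shell
#!/bin/sh
# Added example: emit Compose labels that publish the Traefik dashboard
# (api@internal) on the websecure entrypoint behind basic auth.
# Hypothetical names: router "dashboard", middleware "dashboard-auth".

# Compose treats "$" as variable interpolation, so every "$" in the
# htpasswd-style hash has to be doubled before it goes into a label.
escape_for_compose() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# usage: dashboard_labels HOST USER HASH
dashboard_labels() {
    host=$1 user=$2 hash=$(escape_for_compose "$3")
    cat <<EOF
      - "traefik.http.routers.dashboard.rule=Host(\`$host\`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=$user:$hash"
EOF
}

# Demo with a constructed, non-functional hash. Generate a real one with:
#   openssl passwd -apr1
dashboard_labels traefik.example.com admin '$apr1$EXAMPLE0$NotARealHashValue0000'
```

Paste the output under labels: of the traefik service from step 5, next to traefik.enable=true; the 8080:8080 port mapping is then not needed.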

Summary

We’ve installed Docker on AlmaLinux 10, created a dedicated Docker network for services, set up Traefik as a reverse proxy with automatic Let’s Encrypt SSL, deployed a sample service, and kept the dashboard’s insecure mode disabled. With this in place we now have a flexible, modern reverse proxy that can host multiple services behind one server, each with full HTTPS and minimal fuss.